Slashdot Mirror


Hacker's Account of How He Took Down Hacking Team's Servers (softpedia.com)

An anonymous reader writes: FinFisher, the hacker that broke into Italian firm Hacking Team, has published a step-by-step account of how he carried out the attacks, what tools he used, and what he learned from scouting HackingTeam's network. Published on PasteBin, the attack's timeline reveals he entered their network through a zero-day exploit in an (unnamed) embedded device, accessed a MongoDB database that had no password, discovered backups in the database, found a BES admin password in the backups, and eventually got admin access to the Windows Domain Server. From here, it was easy to reach into their email server and steal all the company's emails, and later access Git repos and steal the source code of their surveillance software.

70 comments

  1. MongoDBs by Anonymous Coward · · Score: 1

    FYI MongoDB databases with no passwords have exposed details of 191 million US voters. But those were probably set up by unskilled admins. A mistake like this from a company called "Hacking Team" is irony at its finest.

    1. Re:MongoDBs by Anonymous Coward · · Score: 5, Insightful

      sigh, MongoDB.
      On install
      1. no authentication, no passwords
      2. default read access to everything for any user
      3. no granularity.
      4. data sent in the clear
      5. no encryption
      6. binds to all available interfaces

      It's like we've learned nothing
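Added here as an illustration, not code from the thread or from MongoDB: a small audit that maps the six complaints above onto the mongod.conf keys that control them (`security.authorization`, `net.bindIp`/`net.bindIpAll`, `net.tls.mode`), run over a constructed weak config and a constructed hardened one. The `parse_mongod_conf` helper is hypothetical and only understands the indented `key: value` subset mongod.conf uses, so no PyYAML is needed; the bind-address check is version-aware because an unset `net.bindIp` listened on all interfaces before 3.6 and on localhost from 3.6 on.

```python
def parse_mongod_conf(text):
    """Parse the indented `key: value` subset of YAML used by mongod.conf.

    Hypothetical helper: nested maps only, no lists, anchors or quoted colons.
    """
    root = {}
    stack = [(-1, root)]                        # (indent, mapping) of enclosing keys
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()    # drop trailing comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("'\"")
        while indent <= stack[-1][0]:           # close deeper or sibling maps
            stack.pop()
        parent = stack[-1][1]
        if value == "":                         # e.g. `net:` opens a nested map
            parent[key] = {}
            stack.append((indent, parent[key]))
        else:
            parent[key] = value
    return root


def lookup(conf, dotted, default=None):
    """Return conf['a']['b'] for 'a.b', or default when any step is missing."""
    node = conf
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def audit_mongod_conf(conf, server_version=(3, 0)):
    """Return one finding per item of the list above that the config leaves open."""
    findings = []
    # Items 1-3: without authorization every client is anonymous and all-powerful.
    if lookup(conf, "security.authorization") != "enabled":
        findings.append("security.authorization is not 'enabled': no authentication, "
                        "any client can read and write everything")
    # Item 6: listening on every interface (default before 3.6, explicit after).
    bind = lookup(conf, "net.bindIp")
    if lookup(conf, "net.bindIpAll") == "true":
        findings.append("net.bindIpAll is true: listening on all interfaces")
    elif bind is None:
        if server_version < (3, 6):
            findings.append("net.bindIp unset on a pre-3.6 server: "
                            "default is to listen on all interfaces")
    elif any(a.strip() in ("0.0.0.0", "::", "*") for a in bind.split(",")):
        findings.append("net.bindIp=%s: listening on all interfaces" % bind)
    # Items 4-5: transport encryption (net.tls since 4.2, net.ssl before that).
    mode = lookup(conf, "net.tls.mode") or lookup(conf, "net.ssl.mode")
    if mode not in ("requireTLS", "requireSSL"):
        findings.append("TLS mode is %r: client traffic is sent in the clear" % mode)
    return findings


# Constructed sample: a config equivalent to the pre-3.6 defaults the thread describes.
WEAK_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: the same server with the three gaps closed.
HARDENED_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.5.12     # loopback plus the application subnet only
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongod.pem
security:
  authorization: enabled
  keyFile: /etc/mongod/keyfile    # replica-set members must authenticate too
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(parse_mongod_conf(text), (4, 4)) or ["no findings"])
```

Encryption at rest is not checked: in MongoDB it is an Enterprise-only option, so on a community build the answer to item 5 has to come from the disk layer instead.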

    2. Re:MongoDBs by JustAnotherOldGuy · · Score: 5, Interesting

      sigh, MongoDB.
      On install
      1. no authentication, no passwords
      2. default read access to everything for any user
      3. no granularity.
      4. data sent in the clear
      5. no encryption
      6. binds to all available interfaces

      If I didn't know better (and I don't) it would seem that one of MongoDB's design goals was "easy to hack right out of the box".

      --
      Just cruising through this digital world at 33 1/3 rpm...
    3. Re:MongoDBs by golgotha007 · · Score: 1

      MongoDB was designed to be configured and used out of the box by developers, not security minded folks like sysadmins or system architects (devops).

    4. Re:MongoDBs by Viol8 · · Score: 4, Informative

      7. Unholy mash-up of JavaScript and a bespoke query language to operate on the data and administer the DB.

      8. Max size limit of data in a key-value that can be indexed

      9. Replica set or sharding, which is better? Who knows. Administering both at the same time requires a bottle of whisky and/or prozac on standby.

    5. Re:MongoDBs by golgotha007 · · Score: 2

      >> 8. Max size limit of data in a key-value that can be indexed,

      If you're wanting to store large blobs over 16MB in size, then use something like GridFS, which breaks up large blobs into smaller ones for easy storage.

      >> 9. Replica set or sharding, which is better? Who knows. Administering both at the same time requires a bottle of whisky and/or prozac on standby.

      It depends on what you're wanting to do. Replica Sets are good for redundancy while sharding is ideal for large amounts of data that should be partitioned across many servers. Using a combination of the two does require some architect work, however.

    6. Re:MongoDBs by AlphaBro · · Score: 3, Insightful

      If you perceive developers as not being security minded, the ones you've encountered aren't very good. Developers are the first line of defense as their actions dictate what vulnerabilities are present in the software they're developing. A good software developer knows far, far more about software security than most sys admins because sys admins generally don't need to understand the nuances of vulnerabilities. In short, they only need to understand the threat, not the technical details about the vuln.

      Think about it this way: developers are making the security patches you apply.

    7. Re:MongoDBs by AlphaBro · · Score: 2

      And to expand on this, some developers that are especially skilled at security develop specialized software known as exploits. ;)

    8. Re:MongoDBs by Anonymous Coward · · Score: 0

      A good software developer knows far, far more about software security than most sys admins because sys admins generally don't need to understand the nuances of vulnerabilities.

      As a sysadmin, truth.

      However:

      If you perceive developers as not being security minded, the ones you've encountered aren't very good.

      Exactly. A supermajority of developers are shit at what they do.

      (To be fair, so is a supermajority of sysadmins and/or operations people.)

    9. Re:MongoDBs by Anonymous Coward · · Score: 0

      So your idea of "hacking" is "do what it lets you do out of the box".

    10. Re:MongoDBs by golgotha007 · · Score: 1

      It really depends on what exactly we're talking about. In this case, the parent is speaking specifically around the configuration and deployment of MongoDB, and my response is that a SecDevOps architect is going to do a much better job in the design, configuration and security than your standard developer with such a product. Keep in mind that security doesn't just focus on keeping the baddies away, it also includes high availability for services and ensuring data integrity.

      It's true that many devs are security minded, however in my experience, many are not. As a SecDevOps architect, security comes first in every design and configuration. This includes pentesting, static code analysis and much more.

      Devs are typically focused on function and deliverables, which generally means that security takes a backseat. In cases where a startup is rushing a product to market, security is often never considered at all.

    11. Re:MongoDBs by Viol8 · · Score: 1

      If only it were 16MB. Apparently the max size that can be indexed is 8K!

    12. Re:MongoDBs by Anonymous Coward · · Score: 0

      sigh, MongoDB.
      On install
      1. no authentication, no passwords
      2. default read access to everything for any user
      3. no granularity.
      4. data sent in the clear
      5. no encryption
      6. binds to all available interfaces

      It's like we've learned nothing

      MongoDB forces you to think about security issues from the outset and add those protections via various packages. It is much better than someone assuming their database is secure due to their own ignorance of reality. No technology can protect a developer / administrator from their own incompetence.

    13. Re:MongoDBs by shuying · · Score: 1

      sigh, MongoDB.
      On install
      1. no authentication, no passwords
      2. default read access to everything for any user
      3. no granularity.
      4. data sent in the clear
      5. no encryption
      6. binds to all available interfaces

      It's like we've learned nothing

      MongoDB forces you to think about security issues from the outset and add those protections via various packages. It is much better than someone assuming their database is secure due to their own ignorance of reality. No technology can protect a developer / administrator from their own incompetence.

      You must be kidding, right?

    14. Re:MongoDBs by JustAnotherOldGuy · · Score: 1

      So your idea of "hacking" is "do what it lets you do out of the box".

      No. Perhaps I should clarify; I probably should have said, "easy to be hacked right out of the box", or "dreadfully insecure right out of the box".

      If you think that "no authentication, no passwords" and "default read access to everything for any user" as the default state upon installation is a good thing, then you might want to learn a little bit about web security.

      --
      Just cruising through this digital world at 33 1/3 rpm...
  2. Re:Pastebin! For realzs!!1 by Anonymous Coward · · Score: 1

    Pasting to PasteBin with Tor is the same thing as pasting to GhostBin. Also, it was on GhostBin initially, but in Spanish. Apparently the hacker is from a Spanish-speaking country. Someone translated his text, and then the hacker corrected the translation, and repasted it to PasteBin.

  3. Just jail'im by Anonymous Coward · · Score: 0

    Call it hacker, guilty by definition. Doesn't matter what he did really. "Hacker"==GUILTY.

    And screw softpedia for the vapid clickbait-y crap it keeps spewing.

  4. Wow by Anonymous Coward · · Score: 0

    This is great

  5. Nothing but Net by Anonymous Coward · · Score: 0

    swish

    woosh

  6. Re:Pastebin! For realzs!!1 by K.+S.+Kyosuke · · Score: 4, Funny

    "Exit node"? Is that how young people call it today? We used to say "watch your ass".

    --
    Ezekiel 23:20
  7. Fascinating by JustAnotherOldGuy · · Score: 5, Interesting

    I read the whole account, and although I by no means understood everything, it was a fascinating read.

    It appears that almost any route into a system will lead to more exploitable routes, and those lead to even more, and so on, until you're basically free to roam at will, read and change key files, install all the backdoors you like, and so on. He basically ended up with an embarrassment of riches, so to speak, with as much (or likely more) access than all of the legit admins combined.

    It would appear that truly locking down a large, complex network is next to impossible; there are so many moving parts and so many places to prod and poke that sooner or later, someone will find that one little vulnerability that opens the door.

    It's hard not to admire someone with skills and the persistence it took to do this.

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re:Fascinating by Anonymous Coward · · Score: 0

      It confirms what I knew for a while now. If you get targeted by a professional, and you have anything online, anything at all, you've lost.

      He took his time to reverse engineer firmware and create a new exploit. From an embedded device he had a persistent backdoor into their network. How do you stop a person like this apart from going offline completely?

    2. Re:Fascinating by E-Rock · · Score: 5, Insightful

      Seems like this was a hard shell, gooey center setup. So once he got in, he found the mis-configured iSCSI, and then the game was over.

      Really drives home that you need layers in place to block/detect lateral movement.

    3. Re:Fascinating by Anonymous Coward · · Score: 1

      >How do you stop a person like this apart from going offline completely?

      Don't be a shit-heel and make yourself a target for hacktivists

    4. Re:Fascinating by Anonymous Coward · · Score: 0

      And when a shit-heel pays a black hat for access into your infrastructure?

    5. Re:Fascinating by Anonymous Coward · · Score: 0

      And why would a shit-heel pay a black hat for access into the infrastructure of an anonymous coward?

    6. Re:Fascinating by sumdumass · · Score: 2

      This anonymous coward you speak of must have some worth and a plan. I see him all the time either adding maddening insight to conversations or what seems to be intentionally derailing them with idiocy that is almost unbelievable.

      So the question should be, with that much power in play, why wouldn't someone want to hack the anonymous coward and discover the secrets to his fortune?

    7. Re:Fascinating by Anonymous Coward · · Score: 0

      It appears that almost any route into a system will lead to more exploitable routes,

      Yes. The basic failed model of modern cyber-security is the model of a perimeter. That approach kinda-sorta works sometimes for the physical world, but fails time and time again in the electronic one. There are simply too many ways in, and too many things that could be exploited.

      Once in, escalating privileges is considerably easier, as seen in the post.

    8. Re:Fascinating by Qzukk · · Score: 3, Interesting

      Setting aside this particular hack, *most* "hacks" are simply scattershot: if it costs $X of effort to break into a computer, as long as one out of every N computers gets you something worth N*X, the question is why not?

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    9. Re: Fascinating by Anonymous Coward · · Score: 0

      Or an ass on the inside

      Seriously, an anti hacking group running Windows? Asking for it.

    10. Re: Fascinating by Anonymous Coward · · Score: 0

      Yes, because you never have to test your trojan, and every sales guy and what not is uber l33t and runzors Ubuntu yo

    11. Re: Fascinating by Anonymous Coward · · Score: 0

      Their problem was having a centralized intertwined system. Only the devs should have had possible access to the source. But they had a centralized admin scenario.

    12. Re: Fascinating by E-Rock · · Score: 4, Informative

      You may want to read the write up. Windows had nothing to do with this hack. He created his own 0day against an internet facing appliance. He doesn't name it, but since his follow-up step was to install some additional Unix utilities, we know it was a *nix box. Then he found that their iSCSI network wasn't properly segmented away from the user network, and there was no authentication configured. That's a human error.

    13. Re:Fascinating by stealth_finger · · Score: 1

      And why would a shit-heel pay a black hat for access into the infrastructure of an anonymous coward?

      I want to find who this AC is. There will be a substantial reward, any takers?

      --
      Wanna buy a shirt?
      https://www.redbubble.com/people/stealthfinger/shop?asc=u
    14. Re: Fascinating by Anonymous Coward · · Score: 0

      So developers will take care of their entire development infrastructure?

      Backups, network configuration, server provisioning, etc.

      Not likely here.

    15. Re:Fascinating by Anonymous Coward · · Score: 0

      Air gap might help. They can be bridged, but then you are really getting to government level.

  8. Tragedy by Anonymous Coward · · Score: 0

    The real shame here is that our governments are forking over millions in pork spending to skiddies like "Hacking Team" who don't even follow basic security practices, like setting a PW on your DB.

  9. Re:Pastebin! For realzs!!1 by Anonymous Coward · · Score: 0

    I've never seen a software ever decline in trustability so fast as Tor in the past year. Nice job FBI

  10. FinFisher by Anonymous Coward · · Score: 2, Interesting

    FinFisher, the hacker that broke into Italian firm Hacking Team

    I'm pretty sure FinFisher is the name of a competitor of Hacking Team, not the name of the hacker who broke into Hacking Team's network.

    1. Re:FinFisher by radicimo · · Score: 5, Interesting

      It's likely that the same person who took down FinFisher took down HT. Maybe he adopted the name FinFisher as a badge of honor? Here's an example of his previous writing. http://0x27.me/HackBack/0x00.t...

      --
      100 REM PISS OFF CODE FASCISTS 200 GOTO 100
    2. Re:FinFisher by zedaroca · · Score: 1

      FinFisher is an old moniker, he changed to PhineasFisher.
      Indeed, he is the hacker that did the FinFisher hack. Here is an "interview" about the HT hack that confirms his identity.

  11. Here's the breakdown of vulnerabilities: by golgotha007 · · Score: 4, Insightful

    The main weaknesses found are: unpatched network appliance exposed to public, services on deep network layers exposed to less secure subnets, using mongo with no authentication, passwords in plaintext found in backups, weak, brute-forceable passwords across the board, no password rotation in place and unpatched Windows boxes.

    1. Re:Here's the breakdown of vulnerabilities: by Anonymous Coward · · Score: 0

      0day. No patch. L2Read.

    2. Re:Here's the breakdown of vulnerabilities: by Anonymous Coward · · Score: 0

      The network appliance was patched but he developed his own 0-day.....

  12. Also, unauthenticated iSCSI by Lev_Arris · · Score: 3, Interesting

    The linked article doesn't mention this but the way FinFisher got into the Backup server was by simply mounting its iSCSI volumes which required no authentication at all. (Technically, the iSCSI targets were supposed to be on a separate network, but it turns out you could still get at them from the main network.)

    The lesson there: It doesn't matter which network the service is in, turn on authentication!

  13. And he had to go and ruin it right at the end... by Viol8 · · Score: 1, Flamebait

    ... by getting on his cross, polishing his halo and talking about "stopping their human rights abuses". Oh get over yourself son. The world isn't black and white, it's shades of grey. The quicker you learn that fact the sooner you can pull that rod out of your arse. These guys just sell the software, they don't use it. If you really want to sort out human rights abuses there are plenty of governments and Islamic terrorist networks you can try and hack. Though the latter might actually involve real personal danger, which is where most keyboard warriors draw the line.

  14. Don't know where to paste BINs... by Anonymous Coward · · Score: 0

    MongoDB only pawn in game of IT

  15. Re: What's with the "steal"? by Anonymous Coward · · Score: 0

    I've always thought of stealing as "taking something without permission". I've never considered it "taking the one thing without permission". Whether it's some or all of something doesn't stop it from being theft.

  16. ...spying on themselves without meaning to. by Anonymous Coward · · Score: 0

    I couldn't help laughing loudly at that...

  17. Re:What's with the "steal"? by Anonymous Coward · · Score: 0

    From here, it was easy to reach into their email server and steal all the company's emails

    Aren't we reminded, over and over, that the terms like "steal" (and "theft") apply only to tangible things? But not to, for example, music and video files?

    Nope. Those examples are refuting equivocation - using the word "steal" or "theft" loosely and then drawing inferences as though they were strictly-correct usages of the words. This is simply a straightforward case of the word "steal" being used in a loose, borderline-metaphorical sense with no such conflation.

  18. Re:And he had to go and ruin it right at the end.. by Anonymous Coward · · Score: 0

    They sell software to despots and authoritarian regimes. Some of their customers are subject to export bans. I think he might be on to something with the human rights abuses rather than just preaching from the pulpit.

    There was a talk at chaos communication congress in 2013 that had the subject of private companies creating hacking/surveillance tools for

    See https://youtu.be/Y1aU3uw1QnA?t=24m38s (The time starts at the segment dealing with hacking team, the first half of the talk primarily deals with Fin Fisher, another company in the same niche). The list of some of their more worrying clients is detailed at around 32:30.

  19. Re:And he had to go and ruin it right at the end.. by Anonymous Coward · · Score: 0

    Dammit, slashdot ate my edit (I failed the captcha because it was unreadable and had to copy+paste it). Middle paragraph should say:

    There was a talk at chaos communication congress in 2013 that had the subject of private companies creating hacking/surveillance tools for law enforcement and governments.

  20. Re:What's with the "steal"? by Anonymous Coward · · Score: 1

    Stealing something from someone requires that it be in that victim's possession.

    Before you go all NUH UH!!1!11!one on me, please do keep in mind that the federal government's standard excuse for nearly all of its metadata collection as well as their other, more flagrant, violations of the 4th Amendment basically boils down to a belief that if it's not in your personal possession it's not yours.

  21. Re:And he had to go and ruin it right at the end.. by Anonymous Coward · · Score: 0

    These guys just sell the software, they don't use it.

    What a load of horseshit. They sell software to repressive governments to spy on honest people like independent journalists. The world is black and white along with grey too. HT is mostly black with a little bit of grey, and not much white.

    If you want to say you approve of this kind of fascist bullshit, fine. But this isn't a matter of black and white, it's a matter of what kind of world you want to live in.

  22. Re:And he had to go and ruin it right at the end.. by Required+Snark · · Score: 5, Insightful

    I have a counter proposal: pull your head out of your ass before you lay into someone else.

    When your client list is oriented towards repressive regimes that suppress dissent using tactics like torture and murder, it's not just "These guys just sell the software, they don't use it". It's like knowingly selling blood diamonds. There is no plausible deniability. The business model is based on violence and killing.

    They are in the same category as drug cartels or the pirates of West Africa. The only difference is that Hacking Team has a veneer of legitimacy, and they also sell to first world countries like the US and Germany. Frankly I expect that "legitimate" governments abuse this software to engage in illegal acts both at home and all over the world.

    Pulling the "shades of grey" argument in this case is utter bullshit. We know who they are, we know what they do, and we know who they work for. They have chosen to work for some of the worst governments on the planet. They have no excuse.

    And if you had any doubts about the political motivation of Hacking Team, the emails revealed

    Vincenzetti, the CEO, liked to end his emails with the fascist slogan "boia chi molla".

    That translates as "death to traitors".

    --
    Why is Snark Required?
  23. So, what to do about it. by aberglas · · Score: 1, Insightful

    That is a deep observation.

    How do we build secure systems? Patching up all the thousands of holes one by one is not a solution.

    Certainly, penetration testing needs to be carried out from inside the firewall.

    But beyond that, the only solution I see is a focus on simplicity. That means fewer features, but implemented with a view that the code can be understood.

    Not using the C/++ programming language would remove about half the vulnerabilities, fat chance of that happening though.

    What is not the solution is a Windows operating system that is riddled with hundreds of daemons that nobody really understands and takes minutes to shut down (let alone fully boot).

    So how do we go beyond Patch Tuesday and arrive at something that is secure by design?

    1. Re:So, what to do about it. by JustAnotherOldGuy · · Score: 1

      How do we build secure systems? Patching up all the thousands of holes one by one is not a solution.

      To be frank, I'm not sure there is a solution. Complex systems are, well, complex...and complexity almost invariably leads to mistakes. (Heh, ask me how I know...)

      But I don't see how something like a network can ever be reliably secured....too many different bits of this and that to keep track of, patch, upgrade, etc etc. Things can be secured to a point, sure, but in real life all that stuff changes over time and it seems impossible to me to ever keep up with it 100%.

      You may have a team of 20 top-notch sysadmins locking stuff down, but there may be 10,000 hackers trying to break in...at some point one of them is going to find a flaw. The sysadmins have to be on top of their game 100% of the time, but the bad guys only have to get lucky once. The game seems to be heavily weighted towards the hackers, especially in the long run.

      The idea of keeping things simple is a good one, but probably not a practical approach. For example, how simple can you make an enterprise network? My guess is that the answer is "not very".

      Windows is definitely a problem, but I think these problems are inherent in any OS, any network, any complex system. There may not actually be a good solution.

      --
      Just cruising through this digital world at 33 1/3 rpm...
  24. Re:And he had to go and ruin it right at the end.. by zedaroca · · Score: 1

    By publishing their source code he protected journalists and activists that were being targeted by the governments you talked about, at least temporarily with the AV updates, and further by exposing the fact that they were selling to sanctioned countries.

    Your "shades of gray" BS doesn't apply here. One thing is to sell a weapon, another is to sell a weapon to a known murderer. Do you think there should be no problem with selling uranium to NK? It's just selling, not using...

    It makes much more sense to cut the weapons used by the governments and terrorists than to let them weaponize themselves. That's why sanctions exist.

    You are completely clueless if you think hacking criminal corporations that do business with governments doesn't involve real personal danger.

  25. Re:And he had to go and ruin it right at the end.. by Viol8 · · Score: 2

    "pull your head out of your ass before you lay into someone else. "

    I don't own a donkey and if I did I wouldn't put my head up its arse.

    "It's like knowingly selling blood diamonds. There is no plausible deniability. The business model is based on violence and killing. "

    Bollocks - it's based on money. It's no different to selling weapons. I'm sure this company would have no problem selling to you if you stump up the cash. I'm not going to pretend they're saints, but they're not the cartoon evil people would love these sorts of companies to be either.

  26. Re:And he had to go and ruin it right at the end.. by Anonymous Coward · · Score: 0

    > If you really want to sort out human rights abuses there are plenty of governments and islamic terrorist networks you can try and hack

    Like Israel and Saudi Arabia. :)

  27. Re:And he had to go and ruin it right at the end.. by stealth_finger · · Score: 2

    "It's like knowingly selling blood diamonds. There is no plausible deniability. The business model is based on violence and killing. "

    Bollocks - it's based on money. It's no different to selling weapons. I'm sure this company would have no problem selling to you if you stump up the cash. I'm not going to pretend they're saints, but they're not the cartoon evil people would love these sorts of companies to be either.

    Say you're an arms dealer, selling to the national army of Bulgaria is one thing, selling to Boko Haram, completely different.

    --
    Wanna buy a shirt?
    https://www.redbubble.com/people/stealthfinger/shop?asc=u
  28. Re:And he had to go and ruin it right at the end.. by Viol8 · · Score: 1

    So do you have any evidence this company has sold to terrorist organisations then? If so please share, I'm sure many law enforcement agencies would love to know.

  29. Re:And he had to go and ruin it right at the end.. by stealth_finger · · Score: 1

    No, I was just making the point that the morality of selling something is just as much who you sell to as what you sell. These people sold to despotic governments for spying on their own people. The guy in TFA provided the evidence of that. Please try to keep up instead of moving goalposts.

    --
    Wanna buy a shirt?
    https://www.redbubble.com/people/stealthfinger/shop?asc=u
  30. FBI by Anonymous Coward · · Score: 0

    This is exactly why the FBI (or CIA or NSA) should not be allowed to hide 0-day exploits from manufacturers. Everyone's security is at risk, even the FBI/CIA/NSA who could get stung by the very 0-days they don't report...
