Hacker's Account of How He Took Down Hacking Team's Servers (softpedia.com)

An anonymous reader writes: FinFisher, the hacker that broke into Italian firm Hacking Team, has published a step-by-step account of how he carried out the attacks, what tools he used, and what he learned from scouting HackingTeam's network. Published on PasteBin, the attack's timeline reveals he entered their network through a zero-day exploit in an (unnamed) embedded device, accessed a MongoDB database that had no password, discovered backups in the database, found a BES admin password in the backups, and eventually got admin access to the Windows Domain Server. From here, it was easy to reach into their email server and steal all the company's emails, and later access Git repos and steal the source code of their surveillance software.

  1. Re:MongoDBs by Anonymous Coward · · Score: 5, Insightful

    sigh, MongoDB.
    On install
    1. no authentication, no passwords
    2. default read access to everything for any user
    3. no granularity.
    4. data sent in the clear
    5. no encryption
    6. binds to all available interfaces

    It's like we've learned nothing
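
The six defaults listed above map onto a handful of mongod.conf keys, and a short audit can catch them before a box goes live. This is an added example, not part of the thread or of MongoDB's own tooling: the configs are passed as dicts mirroring the real YAML keys (`security.authorization`, `net.bindIp`, `net.tls.mode` or the older `net.ssl.mode`), and both sample configs are constructed here.

```python
"""Audit a mongod configuration for the insecure defaults listed in the comment.

Added example, not from the original thread.  The configuration is a dict
mirroring mongod.conf YAML keys; the two sample configs below are constructed.
"""

def _get(conf, path, default=None):
    """Walk a dotted key path such as 'net.tls.mode' through nested dicts."""
    node = conf
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node

def audit_mongod_config(conf):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    findings = []
    # Items 1-3: with authorization off, every client is an anonymous superuser.
    if _get(conf, "security.authorization", "disabled") != "enabled":
        findings.append("authorization disabled: no authentication, all data readable")
    # Item 6: binding to 0.0.0.0 (or omitting bindIp on old releases) exposes
    # the port on every interface rather than loopback only.
    bind_ip = _get(conf, "net.bindIp")
    if bind_ip is None or "0.0.0.0" in str(bind_ip).split(","):
        findings.append("bindIp exposes mongod on all interfaces")
    # Items 4-5: traffic in the clear unless TLS is required (net.ssl.* on older releases).
    tls_mode = _get(conf, "net.tls.mode") or _get(conf, "net.ssl.mode")
    if tls_mode not in ("requireTLS", "requireSSL"):
        findings.append("TLS not required: data sent in the clear")
    return findings

# Constructed sample: what an unconfigured install looks like.
INSECURE_DEFAULTS = {"net": {"port": 27017}}

# Constructed sample: the same instance hardened.
HARDENED = {
    "net": {"port": 27017, "bindIp": "127.0.0.1,10.10.0.5",
            "tls": {"mode": "requireTLS", "certificateKeyFile": "/etc/ssl/mongod.pem"}},
    "security": {"authorization": "enabled"},
}

if __name__ == "__main__":
    for name, conf in (("defaults", INSECURE_DEFAULTS), ("hardened", HARDENED)):
        print(name, audit_mongod_config(conf) or "OK")
```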

  2. Re:Pastebin! For realzs!!1 by K.+S.+Kyosuke · · Score: 4, Funny

    "Exit node"? Is that how young people call it today? We used to say "watch your ass".

    --
    Ezekiel 23:20
  3. Fascinating by JustAnotherOldGuy · · Score: 5, Interesting

    I read the whole account, and although I by no means understood everything, it was a fascinating read.

    It appears that almost any route into a system will lead to more exploitable routes, and those lead to even more, and so on, until you're basically free to roam at will, read and change key files, install all the backdoors you like, and so on. He basically ended up with an embarrassment of riches, so to speak, with as much (or likely more) access than all of the legit admins combined.

      It would appear that truly locking down a large, complex network is next to impossible; there are so many moving parts and so many places to prod and poke that sooner or later, someone will find that one little vulnerability that opens the door.

    It's hard not to admire someone with skills and the persistence it took to do this.

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re:Fascinating by E-Rock · · Score: 5, Insightful

      Seems like this was a hard shell, gooey center setup. So once he got in, he found the mis-configured iSCSI, and then the game was over.

      Really drives home that you need layers in place to block/detect lateral movement.

    2. Re: Fascinating by E-Rock · · Score: 4, Informative

      You may want to read the write-up. Windows had nothing to do with this hack. He created his own 0day against an internet-facing appliance. He doesn't name it, but since his follow-up step was to install some additional Unix utilities, we know it was a *nix box. Then he found that their iSCSI network wasn't properly segmented away from the user network, and there was no authentication configured. That's a human error.
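
The two replies above make the same point: an iSCSI network reachable from user subnets is both a segmentation failure and something that should have been detected. As an added example (not from the thread), this flags iSCSI sessions (TCP/3260) that reach the storage range from any host outside the approved initiator subnet; the subnets and flow records are constructed, and real flow logs (NetFlow, firewall, VPC flow logs) carry the same five-tuple in a different layout.

```python
"""Flag iSCSI sessions (TCP/3260) that reach the storage network from hosts
outside the approved initiator range.

Added example, not from the thread.  Subnets and flow records are constructed.
"""
import ipaddress

ISCSI_PORT = 3260
# Constructed: where the storage targets live and who is allowed to talk to them.
STORAGE_NET = ipaddress.ip_network("10.50.0.0/24")
ALLOWED_INITIATORS = [ipaddress.ip_network("10.50.1.0/24")]  # hypervisor/storage VLAN

# Constructed flow records: "src_ip src_port dst_ip dst_port proto".
SAMPLE_FLOWS = """\
10.50.1.12 49152 10.50.0.10 3260 tcp
10.20.3.77 51002 10.50.0.10 3260 tcp
10.20.3.77 51003 10.50.0.11 3260 tcp
10.20.3.77 51004 10.50.0.11 443 tcp
""".splitlines()

def parse_flow(line):
    """Split one record into (src, sport, dst, dport, proto) with typed addresses."""
    src, sport, dst, dport, proto = line.split()
    return (ipaddress.ip_address(src), int(sport),
            ipaddress.ip_address(dst), int(dport), proto)

def is_unexpected_iscsi(flow):
    """True when a TCP/3260 flow hits the storage net from a non-initiator host."""
    src, _sport, dst, dport, proto = flow
    if proto != "tcp" or dport != ISCSI_PORT or dst not in STORAGE_NET:
        return False
    return not any(src in net for net in ALLOWED_INITIATORS)

def find_unexpected_iscsi(lines):
    """Return flagged (src, dst) string pairs, de-duplicated, in first-seen order."""
    seen, out = set(), []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        if is_unexpected_iscsi(flow):
            key = (str(flow[0]), str(flow[2]))
            if key not in seen:
                seen.add(key)
                out.append(key)
    return out

if __name__ == "__main__":
    for src, dst in find_unexpected_iscsi(SAMPLE_FLOWS):
        print(f"iSCSI from non-storage host {src} to target {dst}")
```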

  4. Re:MongoDBs by JustAnotherOldGuy · · Score: 5, Interesting

    sigh, MongoDB.
    On install
    1. no authentication, no passwords
    2. default read access to everything for any user
    3. no granularity.
    4. data sent in the clear
    5. no encryption
    6. binds to all available interfaces

    If I didn't know better (and I don't) it would seem that one of MongoDB's design goals was "easy to hack right out of the box".

    --
    Just cruising through this digital world at 33 1/3 rpm...
  5. Here's the breakdown of vulnerabilities: by golgotha007 · · Score: 4, Insightful

    The main weaknesses found are: unpatched network appliance exposed to the public, services on deep network layers exposed to less secure subnets, using Mongo with no authentication, passwords in plaintext found in backups, weak, brute-forceable passwords across the board, no password rotation in place, and unpatched Windows boxes.

  6. Re:MongoDBs by Viol8 · · Score: 4, Informative

    7. Unholy mash-up of JavaScript and bespoke query language to operate on the data and administer the DB.

    8. Max size limit of data in a key-value that can be indexed.

    9. Replica set or sharding, which is better? Who knows. Administering both at the same time requires a bottle of whisky and/or Prozac on standby.

  7. Re:FinFisher by radicimo · · Score: 5, Interesting

    It's likely that the same person who took down FinFisher took down HT. Maybe he adopted the name FinFisher as a badge of honor? Here's an example of his previous writing. http://0x27.me/HackBack/0x00.t...

    --
    100 REM PISS OFF CODE FASCISTS 200 GOTO 100
  8. Re:And he had to go and ruin it right at the end.. by Required+Snark · · Score: 5, Insightful

    I have a counter proposal: pull your head out of your ass before you lay into someone else.

    When your client list is oriented towards repressive regimes that suppress dissent using tactics like torture and murder, it's not just "These guys just sell the software, they don't use it". It's like knowingly selling blood diamonds. There is no plausible deniability. The business model is based on violence and killing.

    They are in the same category as drug cartels or the pirates of West Africa. The only difference is that Hacking Team has a veneer of legitimacy, and they also sell to first world countries like the US and Germany. Frankly I expect that "legitimate" governments abuse this software to engage in illegal acts both at home and all over the world.

    Pulling the "shades of grey" argument in this case is utter bullshit. We know who they are, we know what they do, and we know who they work for. They have chosen to work for some of the worst governments on the planet. They have no excuse.

    And if you had any doubts about the political motivation of Hacking Team, the emails revealed Vincenzetti, the CEO, liked to end his emails with the fascist slogan "boia chi molla".

    That translates as "death to traitors".

    --
    Why is Snark Required?