Hacking the Hackers


Almost a year after the breach, the hacker known as Phineas Fisher has revealed some of the details behind the Hacking Team data breach. He has published a step-by-step explanation of how he breached their servers. He posted a PasteBin last month showing how the attack unfolded and the tools he used, and provides a tutorial for those who want to become top-level hackers (or people who just want to understand how to better protect their networks).

The hacker revealed that the entry point into Hacking Team’s infrastructure was a zero-day root exploit in an embedded device deployed inside the target corporate network. He declined to disclose the name and purpose of the embedded device, but he wrote and deployed a backdoor into the device’s firmware and waited for the exploited software to tell him when the network was ready for attack.

He says he spent a lot of time scanning the company’s network and even exposed a vulnerability in Hacking Team’s Joomla-based frontend website, discovered issues with their email server and a couple of routers, and even some issues with a few VPN appliances. Despite the large attack surface, he concluded that the zero-day exploit he had identified in the embedded device was much more reliable for further attacks. He also discovered a couple of vulnerable MongoDB databases that the target’s administrators had failed to password-protect. From these databases he was able to discover details about their backup system and even the network backups themselves. The jackpot was a backup of the Exchange email server, from which he extracted their BES (BlackBerry Enterprise Server) administrator account password, which was still valid.

HACKINGTEAM  BESAdmin       bes32678!!!
HACKINGTEAM  Administrator  uu8dd8ndd12!
HACKINGTEAM  c.pozzi        P4ssword      <---- lol great sysadmin
HACKINGTEAM  m.romeo        ioLK/(90
HACKINGTEAM  l.guerra       4luc@=.=
HACKINGTEAM  d.martinez     W4tudul3sp
HACKINGTEAM  g.russo        GCBr0s0705!
HACKINGTEAM  a.scarafile    Cd4432996111
HACKINGTEAM  r.viscardi     Ht2015!
HACKINGTEAM  a.mino         A!e$$andra
HACKINGTEAM  m.bettini      Ettore&Bella0314
HACKINGTEAM  m.luppi        Blackou7
HACKINGTEAM  s.gallucci     1S9i8m4o!
HACKINGTEAM  d.milan        set!dob66
HACKINGTEAM  w.furlan       Blu3.B3rry!
HACKINGTEAM  d.romualdi     Rd13136f@#
HACKINGTEAM  l.invernizzi   L0r3nz0123!
HACKINGTEAM  e.ciceri       2O2571&2E
HACKINGTEAM  e.rabe         erab@4HT!

Then he was able to use this account to get the domain administrator account and start his major attack. By reading all the emails he discovered that there was another hidden network inside the company’s infrastructure, where the Hacking Team kept the source code of their RCS (Remote Control System) surveillance software.

With the Domain Admin password, I have access to the email, the heart of the
company. Since with each step I take there’s a chance of being detected, I
start downloading their email before continuing to explore. PowerShell makes
it easy [1]. Curiously, I found a bug with PowerShell’s date handling. After
downloading the emails, it took me another couple weeks to get access to the
source code and everything else, so I returned every now and then to download
the new emails. The server was Italian, with dates in the format
day/month/year. I used:

-ContentFilter {(Received -ge '05/06/2015') -or (Sent -ge '05/06/2015')}

with New-MailboxExportRequest to download the new emails (in this case all
mail since June 5). The problem is it says the date is invalid if you
try a day larger than 12 (I imagine because in the US the month comes first
and you can’t have a month above 12). It seems like Microsoft’s engineers only
test their software with their own locale.
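The date-handling problem described in the quoted passage is a locale issue in .NET date parsing: a string such as 13/06/2015 is a valid date under an Italian culture and an invalid one under en-US, where the first field is the month. The following PowerShell is an added example written for this page, not code from the original post or from Phineas Fisher's write-up; the sample date string is constructed, and the Test-CultureParse function is a hypothetical helper. It reproduces the "day larger than 12" symptom and shows the culture-independent way to handle such dates.

```powershell
# Added example: locale-dependent date parsing in PowerShell and how to avoid it.
# Uses only .NET calls available in Windows PowerShell 5.1 and PowerShell 7.

$literal = '13/06/2015'   # constructed sample: 13 June 2015 written day/month/year

function Test-CultureParse {
    # Hypothetical helper: tries to parse $Text under the named culture and
    # reports whether it succeeded, without throwing on failure.
    param([string]$Text, [string]$CultureName)
    $culture = [System.Globalization.CultureInfo]::GetCultureInfo($CultureName)
    $parsed = [datetime]::MinValue
    $ok = [datetime]::TryParse($Text, $culture,
        [System.Globalization.DateTimeStyles]::None, [ref]$parsed)
    [pscustomobject]@{
        Culture = $CultureName
        Input   = $Text
        Parsed  = $ok
        Value   = $(if ($ok) { $parsed.ToString('yyyy-MM-dd') } else { $null })
    }
}

# Under it-IT the string is 13 June; under en-US it is rejected because 13
# cannot be a month. This is exactly the "invalid date" symptom in the post.
Test-CultureParse -Text $literal -CultureName 'it-IT'
Test-CultureParse -Text $literal -CultureName 'en-US'

# Culture-independent handling: state the expected format explicitly and parse
# against the invariant culture, so the result does not depend on the host's
# regional settings.
$safe = [datetime]::ParseExact($literal, 'dd/MM/yyyy',
    [System.Globalization.CultureInfo]::InvariantCulture)

# When the value must be passed on as text, emit ISO 8601 (year-month-day),
# which every culture reads the same way.
$iso = $safe.ToString('yyyy-MM-dd', [System.Globalization.CultureInfo]::InvariantCulture)
"Invariant parse: $iso"
```

The general lesson for anyone writing scripts that run on servers with a different locale: never type a date as a culture-dependent literal; build it from a DateTime object and format it explicitly. From a monitoring standpoint, note that on Exchange a mailbox export request is an administrative action recorded by admin audit logging, so a review of those logs (for example with Search-AdminAuditLog) would have shown the repeated export activity the passage describes.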

You can see the order of the attack and the tools used on the PasteBin posting, which makes for some very interesting reading.

