Joe Vest, James Tubberville, Red Team Development and Operations

How the Hack Went Down

Attack Diagram of Hacking Team highlighting major steps
Fisher started by analyzing the target. Fisher recognized that spear-phishing was risky. "I didn't want to try to spear phish Hacking Team, as their whole business is helping governments spear phish their opponents, so they'd be much more likely to recognize and investigate a spear phishing attempt." Early analysis showed that Hacking Team's network appeared to be hardened and to have a small attack surface: an up-to-date version of Joomla!, a mail server, a couple of routers, a VPN appliance, and a spam filter. Gaining initial access was not straightforward.

Attacking Joomla! with an exploit or zero-day, or attacking an embedded device by a path yet to be determined, seemed the best options for initial access. After a few weeks of development, a working zero-day exploit was created for an unnamed embedded device. This zero-day provided root access to the device and was used as the initial entry point. Internal enumeration was performed after this initial access. The enumeration revealed a MongoDB instance that required no authentication. This database provided access to audio recordings that were part of an audio spying application. These recordings were interesting but not damaging. Fisher wanted to damage this company and expose it as involved in something more severe than selling spying software.
Further exploration led to the identification of this damaging information. The significant data was found on an unsecured iSCSI server that contained backup VMware .vmdk files and other useful material. Eventually, administrative-level password hashes were dumped from the backups, and many of them were successfully cracked. These passwords allowed access to other systems, including an email server. PowerShell was used to access and download current email. More than 1 million emails were downloaded.
In total, Phineas Fisher was in the Hacking Team network for about six weeks and spent about hours moving and stealing data. The attack was primarily politically motivated.
This example is almost identical to a Red Team engagement. An intelligent actor analyzed a target to determine the best path forward, crafted a custom attack, elevated privileges, identified information, and stole sensitive data.
Additional References:
1. How Hacking Team got hacked, http://arstechnica.com/security/2016/04/how-hacking-team-got-hacked-phineas-phisher/
2. The Vigilante Who Hacked Hacking Team Explains How He Did It, http://motherboard.vice.com/read/the-vigilante-who-hacked-hacking-team-explains-how-he-did-it
Analyzing the TTPs described in the Hacking Team attack is a great way to understand how a real threat attacks a target. The analysis can be used to validate planned TTPs or to learn new techniques that can be applied to future engagements. Although this was an illegal attack against a company, it provides useful insight into how a threat thinks and acts.
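One way to make that analysis concrete is to write the attack path down as a structured profile and ask two questions of it: which steps would a given set of detections have seen, and which techniques would a red team need to emulate to replay the threat. The following is an added example written for this page, not code from the book or from Phineas Fisher; the MITRE ATT&CK technique IDs, the telemetry names, and the sample detection inventory are the editor's own mapping and are assumptions made for illustration.

```python
"""Added example (editor's, not from the book): turn the Hacking Team
narrative above into a checkable threat profile.

Each Step records what the actor did, a MITRE ATT&CK technique ID, and the
telemetry that could have observed it. The technique mapping and the sample
detection inventory below are assumptions made for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Step:
    phase: str          # stage of the intrusion
    action: str         # what the narrative says happened
    technique: str      # ATT&CK technique ID (editor's mapping, assumed)
    telemetry: tuple    # data sources that could have seen this step (assumed)


# The attack path as described on this page, in the order it happened.
HACKING_TEAM_CHAIN = (
    Step("recon", "external scan: Joomla!, mail server, routers, VPN, spam filter",
         "T1595", ("perimeter netflow", "ids")),
    Step("initial access", "zero-day against an embedded device, root shell",
         "T1190", ("device syslog", "ids")),
    Step("discovery", "internal enumeration finds an open MongoDB",
         "T1046", ("internal netflow", "honeytoken")),
    Step("collection", "read audio recordings from the unauthenticated MongoDB",
         "T1213", ("mongodb audit log",)),
    Step("discovery", "unsecured iSCSI target holding VMware .vmdk backups",
         "T1046", ("internal netflow", "iscsi target log")),
    # Offline work on copied disks: no host telemetry exists for these two
    # steps, so the only control is stopping the copy in the first place.
    Step("credential access", "dump admin hashes from the backup VMDKs",
         "T1003", ()),
    Step("credential access", "crack the admin password hashes",
         "T1110.002", ()),
    Step("lateral movement", "reuse cracked admin credentials on other systems",
         "T1078", ("auth log", "edr")),
    Step("collection", "PowerShell downloads mail from the mail server",
         "T1114", ("powershell script block log", "mail server audit")),
    # The page does not say which channel carried the data out; assumed.
    Step("exfiltration", "more than 1 million emails leave the network",
         "T1041", ("perimeter netflow", "dlp")),
)

# Constructed sample inventory: an org with perimeter and endpoint monitoring
# but nothing watching internal infrastructure or the database tier.
PERIMETER_AND_ENDPOINT = ("perimeter netflow", "ids", "auth log", "edr")


def coverage_gaps(chain, available_telemetry):
    """Steps of the chain that none of the deployed data sources could see."""
    have = set(available_telemetry)
    return [s for s in chain if not (set(s.telemetry) & have)]


def first_detectable_step(chain, available_telemetry):
    """Earliest step the defender could have noticed, or None."""
    have = set(available_telemetry)
    for s in chain:
        if set(s.telemetry) & have:
            return s
    return None


def techniques_to_emulate(chain):
    """Ordered, de-duplicated ATT&CK IDs: the backbone of a red team plan
    built to replay this threat."""
    seen, out = set(), []
    for s in chain:
        if s.technique not in seen:
            seen.add(s.technique)
            out.append(s.technique)
    return out


if __name__ == "__main__":
    gaps = coverage_gaps(HACKING_TEAM_CHAIN, PERIMETER_AND_ENDPOINT)
    print(f"{len(gaps)} of {len(HACKING_TEAM_CHAIN)} steps are blind spots:")
    for s in gaps:
        print(f"  [{s.technique}] {s.phase}: {s.action}")
    print("techniques to emulate:",
          ", ".join(techniques_to_emulate(HACKING_TEAM_CHAIN)))
```

With the constructed perimeter-plus-endpoint inventory, six of the ten steps are blind spots, and every one of them sits in the internal discovery, database, and backup tier that the narrative identifies as the real weakness. The two hash-dumping and cracking steps have no telemetry at all, which is the practical lesson of the iSCSI finding: once backups can be copied off an unauthenticated share, detection is over and only prevention remains.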
A simple threat profile can be developed to provide a general description of the threat using the Hacking Team attack.