Hacking Team Postmortem

Uploaded on 2016-05-18 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW

Hacking Team is an Italian company that sells intrusion and surveillance tools to governments and law enforcement agencies. Nine months ago, their world was rocked after someone infiltrated nearly 400GB of data form their network, including source code and contracts.

How to respond to ransomware threats:

The irony is that Hacking Team developed tools that enabled hostile governments to do the exact things that were done to them, so many in the security industry experienced no small amount of schadenfreude at their expense. Over the weekend, the person responsible for the Hacking Team data breach, Phineas Fisher, outlined the hack from start to finish.

To be clear, what happened to Hacking Team is a classic example of a targeted attack. Few organizations could outlast an attacker with knowledge, time, and resources. At the same time, the way Hacking Team managed and developed their network did them no favors.

Fisher took the time to reverse engineer some firmware in an embedded device and develop a new exploit. This Zero-Day vulnerability enabled persistent access, because he used it once (and only once) to plant a backdoor into the network.

Ultimately, a poorly configured iSCSI was Hacking Teams downfall, but there were other issues too – such as services deep within the network exposed to less secure subnets, MongoDB instances with no authentication, backups that had passwords stored in plaintext, as well as weak passwords everywhere – including on critical systems.

So what are some takeaways form the post-hack outline? Sarah Clarke, from infospectives.co.uk, shared some of her thoughts on the matter, including the fact that everyone's threat level just went up a bit.

"Despite being almost a decade away from the network coalface, I, without much trouble, and a little help from my friends, could do everything listed. What will stop me is fear of prosecution, ethics, and a strong analytical ability to see short, medium, long-term implications," she said.

If your organisation faced a similar attack, what would common enterprise monitoring tools spot, if configured correctly? What amendments to IDS/IPS, log monitoring, vulnerability scanning, pen test scoping, SIEM alerting, or alert analysis need to be made or augmented?

Andy Settle, head of special investigations for Austin-based Forcepoint, had some additional thoughts, which are below.

"The attack was targeted and had every intention of getting in. This type of threat needs to be addressed by asking 'when?' and not simply 'if?' Once inside the company network, the hacker managed to traverse the company infrastructure with little difficulty," he said.

"Protecting the soft-skinned inner workings of an organizational infrastructure is equally important. Minimizing the services within a company network is just as essential to minimizing those presented to the outside world."

Firewall logs can give advanced warning of these types of attacks. Network mapping, port scanning and enumeration may well be countered by the firewall and Intrusion Prevention Devices (IPS) but to not monitor and assess the data they produce is to lose the Indicators & Warnings (I&Ws) that could indicate that something was likely to happen.

Updates & Patching:
"There should be no surprise that updates and patching are essential. [Phineas Fisher] was able to exploit a known vulnerability within the network management system Nagios. Interestingly, the attacker became aware of the Nagios system only after they "spied" on the sysadmins," Settle explained.

Separation of Networks:
This attack was possible because backup and management networks that should have been segregated were not. Separation of operational and management networks is a useful technique for protecting infrastructure, especially when the management network requires administrative privileges. In this attack, [Phineas Fisher] was able to interrogate and dump the email server backup images.

Watch and Protect the Privileged:
We often say that one of the greatest challenges is monitoring those with privileged accounts. Many organizations, especially government related require security clearances to protect from the insider threat. However, what this incident teaches us that once in, the bad guys make a beeline for the sysadmins to monitor their activities in order to gain greater knowledge and understanding of the company and its infrastructure.

"There is somewhat of a mind-set change here, should we not be monitoring the privileged users and their workstations? Not because we do not trust them, but for their own protection and to ensure they are too are not being watched by network sniffers, key-loggers etc.?" he added.

Egress Monitoring:
"One final observation is that a lot of data was ex-filtrated. Why was this not noticed? This is hardly uncommon in attacks where intellectual property is the target. Implementing a Data Theft or Data Loss Prevention (DTP/DLP) solution and monitoring will lessen the likelihood and potential impact of this type of attack," Settle said.

CSO

« As Pentagon Dawdles, Silicon Valley Sells It’s Hottest Technology Abroad
Ransomware Everywhere: What’s The Technology Behind It? »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Get Cyber Safe

Get Cyber Safe

Get Cyber Safe is a national public awareness campaign created to educate Canadians about Internet security and the simple steps they can take to protect themselves online.

Rollbar

Rollbar

Rollbar is a full-stack error monitoring platform for web and mobile applications. We help developers find and fix bugs fast. Built by developers for developers.

Cyber Base

Cyber Base

Cyber Base is an Information Technology company based in Uganda providing software and hardware solutions to clients.

Callsign

Callsign

Callsign’s mission is to seamlessly power the identification of every web, mobile and physical interaction.

DFI

DFI

DFI is a global leading provider of high-performance computing technology across multiple embedded industries.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Stellar Cyber

Stellar Cyber

Stellar Cyber makes Open XDR, the only comprehensive security platform providing maximum protection of applications and data wherever they reside.

InfoLock

InfoLock

Infolock are experts in data governance, providing consulting and advisory services that help organizations effectively secure, manage, and optimize their data.

cleverDome

cleverDome

cleverDome has created the first community built and proven model that redefines the standards for protecting the most confidential data and information of consumers in the cloud.

BaaSid

BaaSid

BaaSid is next generation security technology for data security & security authentication based on De-centralized & Blockchain.

GISEC Global

GISEC Global

GISEC Global provides vendors and companies from around the world with access to lucrative opportunity to capitalize on what's set to become one of the world's booming markets.

aFFirmFirst

aFFirmFirst

aFFirmFirst is a unique software solution offering a simple yet effective way for businesses to protect and control their online images and logo, as well as allowing one-click website verification.

LOCH Technologies

LOCH Technologies

LOCH Wireless Machine Vision platform delivers next generation cybersecurity, performance monitoring, and cost management for all 5G and for broad-spectrum IoT, IoMT and OT wireless environments.

Omnex

Omnex

Omnex provides consulting and training services in Quality, Environmental, and Health and Safety standards-based management systems including Automotive Cybersecurity.

Screwloose IT

Screwloose IT

Screwloose IT are a national provider of information technology services. We specialise in managed IT, cloud services, cyber security, website design and digital marketing for businesses of all sizes.

Twine Security

Twine Security

Twine is pioneering the creation of AI digital cybersecurity employees to help improve efficiency for cybersecurity teams.