Hacking Team Postmortem

Uploaded on 2016-05-18 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW

Hacking Team is an Italian company that sells intrusion and surveillance tools to governments and law enforcement agencies. Nine months ago, their world was rocked after someone infiltrated nearly 400GB of data form their network, including source code and contracts.

How to respond to ransomware threats:

The irony is that Hacking Team developed tools that enabled hostile governments to do the exact things that were done to them, so many in the security industry experienced no small amount of schadenfreude at their expense. Over the weekend, the person responsible for the Hacking Team data breach, Phineas Fisher, outlined the hack from start to finish.

To be clear, what happened to Hacking Team is a classic example of a targeted attack. Few organizations could outlast an attacker with knowledge, time, and resources. At the same time, the way Hacking Team managed and developed their network did them no favors.

Fisher took the time to reverse engineer some firmware in an embedded device and develop a new exploit. This Zero-Day vulnerability enabled persistent access, because he used it once (and only once) to plant a backdoor into the network.

Ultimately, a poorly configured iSCSI was Hacking Teams downfall, but there were other issues too – such as services deep within the network exposed to less secure subnets, MongoDB instances with no authentication, backups that had passwords stored in plaintext, as well as weak passwords everywhere – including on critical systems.

So what are some takeaways form the post-hack outline? Sarah Clarke, from infospectives.co.uk, shared some of her thoughts on the matter, including the fact that everyone's threat level just went up a bit.

"Despite being almost a decade away from the network coalface, I, without much trouble, and a little help from my friends, could do everything listed. What will stop me is fear of prosecution, ethics, and a strong analytical ability to see short, medium, long-term implications," she said.

If your organisation faced a similar attack, what would common enterprise monitoring tools spot, if configured correctly? What amendments to IDS/IPS, log monitoring, vulnerability scanning, pen test scoping, SIEM alerting, or alert analysis need to be made or augmented?

Andy Settle, head of special investigations for Austin-based Forcepoint, had some additional thoughts, which are below.

"The attack was targeted and had every intention of getting in. This type of threat needs to be addressed by asking 'when?' and not simply 'if?' Once inside the company network, the hacker managed to traverse the company infrastructure with little difficulty," he said.

"Protecting the soft-skinned inner workings of an organizational infrastructure is equally important. Minimizing the services within a company network is just as essential to minimizing those presented to the outside world."

Firewall logs can give advanced warning of these types of attacks. Network mapping, port scanning and enumeration may well be countered by the firewall and Intrusion Prevention Devices (IPS) but to not monitor and assess the data they produce is to lose the Indicators & Warnings (I&Ws) that could indicate that something was likely to happen.

Updates & Patching:
"There should be no surprise that updates and patching are essential. [Phineas Fisher] was able to exploit a known vulnerability within the network management system Nagios. Interestingly, the attacker became aware of the Nagios system only after they "spied" on the sysadmins," Settle explained.

Separation of Networks:
This attack was possible because backup and management networks that should have been segregated were not. Separation of operational and management networks is a useful technique for protecting infrastructure, especially when the management network requires administrative privileges. In this attack, [Phineas Fisher] was able to interrogate and dump the email server backup images.

Watch and Protect the Privileged:
We often say that one of the greatest challenges is monitoring those with privileged accounts. Many organizations, especially government related require security clearances to protect from the insider threat. However, what this incident teaches us that once in, the bad guys make a beeline for the sysadmins to monitor their activities in order to gain greater knowledge and understanding of the company and its infrastructure.

"There is somewhat of a mind-set change here, should we not be monitoring the privileged users and their workstations? Not because we do not trust them, but for their own protection and to ensure they are too are not being watched by network sniffers, key-loggers etc.?" he added.

Egress Monitoring:
"One final observation is that a lot of data was ex-filtrated. Why was this not noticed? This is hardly uncommon in attacks where intellectual property is the target. Implementing a Data Theft or Data Loss Prevention (DTP/DLP) solution and monitoring will lessen the likelihood and potential impact of this type of attack," Settle said.

CSO

« As Pentagon Dawdles, Silicon Valley Sells It’s Hottest Technology Abroad
Ransomware Everywhere: What’s The Technology Behind It? »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Tines

Tines

The Tines security automation platform helps security teams automate manual tasks, making them more effective and efficient.

GovCERT.HK

GovCERT.HK

GovCERT.HK is the Government Computer Emergency Response Team for Hong Kong.

Gatewatcher

Gatewatcher

Gatewatcher is a digital breach detection platform targeting crafted attacks and protecting organizations against advanced cyber threats.

Information and Communication Technology Authority (ICT Authority) - Kenya

Information and Communication Technology Authority (ICT Authority) - Kenya

The ICT Authority is responsible for enforcing ICT standards in Government and ensuring information security.

CyberArts

CyberArts

CyberArts is founded on the belief that every single organization deserves and requires the creme de la creme when there is a need for Cyber services.

CERT.lu

CERT.lu

CERT.lu is an initiative to enhance cyber security practices and techniques, and support security professionals in Luxembourg.

Nakivo

Nakivo

NAKIVO is dedicated to delivering the ultimate backup, ransomware protection and disaster recovery solution for virtual, physical, cloud and SaaS environments.

Security BSides

Security BSides

Security BSides is the first grass roots, DIY, open security conference in the world!. BSides is a community-driven framework for building events for and by information security community members.

Global Incubator Network Austria (GIN Austria)

Global Incubator Network Austria (GIN Austria)

GIN Austria is the connecting link between Austrian and international startups, investors, incubators and accelerators with a focus on selected hotspots in Asia.

ERI

ERI

ERI is the largest fully integrated IT and electronics asset disposition provider and cybersecurity-focused hardware destruction company in the United States.

TAV Technologies

TAV Technologies

TAV Technologies is a provider of technology services to the aviation industry in areas including airport infrastructure systems, digital transformation and cybersecurity.

Mitnick Security

Mitnick Security

Mitnick Security is a leading global provider of information security consulting and training services.

Torq

Torq

Torq's no-code automation modernizes how security & operations teams work with easy workflow building, limitless integrations and numerous pre-built templates.

Quantropi

Quantropi

Quantropi is bound to be the standard for quantum-secure data communications – forever unbreakable, no matter what.

NewsGuard Technologies

NewsGuard Technologies

NewsGuard provides transparent tools to counter misinformation for readers, brands, and democracies.

Ekinops

Ekinops

Ekinops is a leading provider of open, trusted and innovative network connectivity solutions to service providers around the world.

Forsyte IT Solutions

Forsyte IT Solutions

Forsyte Guardian 365 provides 24x7x365 personalized protection to keep your most valuable assets safe.