There’s a saying that nothing on the Internet should be trusted — at least without verification. So it’s up to you to decide if a recent entry on Pastebin by a person claiming to be responsible for the data breach at Hacking Team and explaining how it was done is true.
At least one security Web site say it’s essential reading for CISOs. Without being able to verify the identity and author of the post I won’t go that far, which is why I’m not including a link to the piece. But the story does make sense and part of it is worth infosec teams thinking about.
Hacking Team, you’ll recall, is an Italian company that sells security monitoring solutions to law enforcement agencies — and, allegedly, some unsavoury governments — including tools for taking advantage of software vulnerabilities. Last year unknown person or persons got into its network and leaked several hundred gigabytes of data, including alleged internal e-mails, invoices, and source code, and a number of zero-day vulnerabilities the company had discovered that presumably could be used against criminals.
The Pastebin author’s account is that Hacking Team was attacked to end it’s “human rights abuses.” The end of the story is that he/she gained access to the unencrypted password list of users — including the domain administrator whose password was P4ssword.
But the intrusion was started with the attacker looking for a zero-day exploit in an embedded device. After two weeks of work reverse engineering, a remote root exploit was created. “I wrote a backdoored firmware, and compiled various post-exploitation tools for the embedded device,” writes the author. “The backdoor serves to protect the exploit. Using the exploit just once and then returning through the backdoor makes it harder to identify and patch the vulnerabilities.”
Once inside the attacker scanned the network and discovered a vulnerability where it would least be expected: Insecure backups on iSCSI devices, which were supposed to be on a separate network, but nmap found a few in their subnetwork. Some computer skills were needed to mount the backups from a VPS. Once there the attacker found (unencrypted) backups from virtual machines and found the password list, which led to the opening of the Exchange server and staff communications.
I’ve simplified the process, but the point I got out of it is infosec teams need to be more imaginative if they want to secure their enterprises.
As for whether the story is true, a hacker who sees himself as a white knight might indeed post such a detailed account. Or, if you’re a conspiracy buff, an intelligence agency might spread the story to warn CISOs to be more careful.
Either way, it’s worth thinking about