Almost a year after carrying out his attacks, the hacker behind the Hacking Team data breach has published a step-by-step explainer on how he breached the company’s servers and stole all their data.
Known as FinFisher or Phineas Fisher, the hacker posted a Pastebin write-up over the weekend in which he reveals how the attack unfolded and the tools he used, and provides a tutorial for h@ckZ0r wannabes who want to enter the world of top-level hacking.
Since the whole exposé is quite a long read, we’re going to provide a summary, but we recommend checking out FinFisher’s post for the finer tips on various hacking techniques and pen-testing tools.
Zero-day exploit in an embedded device was initial entry point
The hacker revealed that the entry point into Hacking Team’s infrastructure was a zero-day root exploit in an embedded device deployed inside the company’s corporate network. He declined to name the exact nature and purpose of the embedded device.
FinFisher says he spent a lot of time scanning the company’s network. He found a vulnerability in Hacking Team’s Joomla-based frontend website, and discovered issues with their email server, a couple of routers, and some VPN appliances. Despite this large attack surface, he concluded that the zero-day exploit in the embedded device was a much more reliable foothold for further attacks.
After writing and deploying a backdoored firmware to the vulnerable embedded device, he then waited, listening to internal traffic, scanning and mapping the local infrastructure.
MongoDB databases left without authentication strike again!
This is how he discovered a couple of MongoDB databases that Hacking Team’s admins had failed to protect with a password. In them he found details about the company’s backup system and the backups themselves.
The most precious backup was that of the Exchange email server, from which he extracted the BES (BlackBerry Enterprise Server) admin account password, which was still valid.
This password allowed FinFisher to escalate his access by compromising the company’s Domain Admin server, from which he extracted the passwords of all the company’s users.
Since there was a chance he’d get caught at any point, the first thing the hacker did was use Windows PowerShell to quickly exfiltrate the data found in the company’s email server. He kept scraping that server for new emails every time he came back to the network in the following weeks.
Apr 17, 2016 12:50 GMT · By Catalin Cimpanu