Paleontology is the scientific study of the life of long-extinct animals. Paleontologists hypothesize about the behavior of the different species of dinosaurs, sometimes based on a few collected fossils and bones. We can only imagine how much more they were able to learn if they had a chance to observe some living herds of dinosaurs.
Incident Response (IR) is the cyber equivalent of paleontology. In most cases, IR experts are called long after the breach had occurred. They find themselves searching for tiny forensic cyber “bones” and then try to glue them together in order to reassemble the threat actor doings on the victim’s environment.
This is what is so unique in the recently published report on the Hacking Team breach, written by the threat actor itself. It’s a very unique, publicly available, firsthand account of the attacker side of a targeted attack. Therefore, this report should be analyzed thoroughly as it serves an unparalleled learning opportunity for the security community.
Hacking Team Breach in a Nutshell
According to Hacking Team‘s own website the company’s mission is to “provide effective, easy-to-use offensive [cyber] technology to the worldwide law enforcement and intelligence communities.”
On July 5, 2015, the Hacking Team’s Twitter account was compromised to publish an announcement of a data breach against Hacking Team’s computer systems. The initial message read, “Since we have nothing to hide, we’re publishing all our e-mails, files, and source code …” and provided links to over 400 gigabytes of data, including alleged internal e-mails, invoices, and source code.
The breach had a great negative impact on the Hacking team’s business as it exposed some highly confidential business information on Hacking Team’s relationship with its customers, along with financial data and sensitive Intellectual Property such as the Zero-day vulnerabilities used by company to infect its customers’ targets.
The Devil is in the details
The attackers’ report sheds light on their specific Tactics, Techniques and Procedures (TTPs):
- External network Reconnaissance: The attacker discovered internet facing network devices, including a vulnerable embedded network device
- Internal network access: The attacker exploited a zero-day vulnerability in an embedded network device to update its firmware. The updated firmware included:
- A backdoor that enabled the attacker to access hacking team internal network with no need to re-use the zero-day vulnerability each time.
- Various hacking tools, allowing the attacker to further attack the internal network. Most notably, the inclusion of a SOCKS proxy allowed the attacker to launch internal network attacks from tools hosted on a computer in the internet.
- Internal Network Reconnaissance: Using the NMAP scanner (one of the tools in the updated firmware) attackers found a Network-attached storage (NAS) server, which allowed an unauthenticated access to its contents.
- Compromised credentials: With its SOCKS proxy, the attacker was able to remotely load the disk of the Exchange email server backed up on NAS server. In the safety of its external machine the attacker analyzed the disk using some forensic tools to discover a password of a domain user, which is a local administrator on the Exchange Server.
- Domain admin compromised credentials: With the compromised local administrator credentials the attacker was able to logon to the Exchange server, and download all emails. Using the Mimikatz tool, the attacker was able to extract additional credentials from the Exchange server memory, including the domain admin credentials (depicted below).
Figure 1 Compromised Credentials found on the Exchange Server
- Domain dominance: Using the domain admin credentials the attacker was able to extract additional keys from the Active Directory (AD) server, including the powerful KRBTGT key to gain persistence over the victim’s domain. Additionally, the attacker abused the Group Policy central configuration mechanism, served from the AD server, in order to weaken a specific computer firewall configuration.
- Lateral movement: with the omnipotent Domain Admin credentials the attacker was able to remotely (via SOCKS proxy) copy all machines hard disks.
However, Hacking Team’s source code resided on a segregated network. Therefore, the attacker needed to move to the computer of the network admin that had access to it. Using the WMI protocol (after disabling restrictive personal firewall settings with a rogue Group Policy update) the attacker gained access to that computer and obtained access to the source code.
- Exfiltration: The attacker sent the data through the internet, as the network admin machine was directly connected to the internet.
Figure 2 Attackers Posted Screenshots on the Hacking Team’s Hijacked Twitter Account, Depicting the Network Admin Desktop During Exfiltration
- Assume breach: Once more we are reminded that defenders need to develop an “assume breach” mentality. Perimeter defenses will always fail in the case of a dedicated attacker – every embedded device, server, application, end point or user is an attack surface. Eventually one of them will have a vulnerability or be misconfigured.
Therefore, companies must rebalance their security portfolio to put emphasis on their internal network defense.
- Attackers Modus Operandi is to use compromised credentials: The attackers used compromised credentials to gain network persistence and move laterally within the network to reach to their destination from the initial infection point. Therefore, the defensive side needs to focus on protecting the identity of its users and other accounts (computers, services, etc.). Such protection can be applied by detecting anomalous usage of accounts and applying Multi-Factor Authentication (MFA).
- Attackers Modus Operandi is NOT to use malware: Throughout their report, the attackers emphasize they refrain from leaving marks on disk. To do so, they:
- Operate from the memory of rarely bootable servers to achieve disk-less persistency.
- Install the exploit on embedded network device that cannot be scanned by traditional anti-malware solutions
- Use internal network proxies to host their tools over the internet, away from the reach of anti-malware solutions and tunnel their attack through the network.
- Protecting the Identity Management (IDM) system is pivotal: By using compromised Domain Administrator credentials, the attackers accessed the victim’s IDM system, Active Directory, to obtain additional keys, including the powerful KRBTGT key to gain persistence over the victim’s domain. With the same compromised credentials, attackers abused the Group Policy central configuration mechanism, served from the AD server, in order to weaken a specific computer configuration. Therefore, the defensive side must not only keep their Active Directory hygiene by regular patching and hardening, but also consider its monitoring. This is prudent guidance to follow for any identity management system, not limited to Active Directory.
- Cloud migration: Some of the attack avenues exploited by the attacker, could have been blocked with some proper configuration and patching. However, migrating to a properly managed cloud based Service (SaaS) can relieve IT from taking care of such chores, reduce the organization’s attack surface and thus improve its security posture. It would have been much more difficult access the backups and the server infrastructure which would helped prevent this breach.
Senior Security Research Manager