The hacker responsible for bringing pwnage pain to the Hacking Team last July has published an in-depth “DIY guide” for how he pulled it off. It’s a detailed, really great read.
The hacker is none other than Phones Fisher. He runs the @GammaGroupPR Twitter account, now referred to as “Hack Back,” and previously leaked FinFisher spyware documents, including details such as which antivirus solutions could detect Gamma International’s surveillance malware.
On Friday, Phineas Fisher tweeted a link to his original post, which is in Spanish, giving a technical blow-by-blow on the tools he used and how he breached the Hacking Team’s system. On Saturday, he tweeted a link to an English translation.
He makes no bones about it; he’s a black hat hacker. Phineas Fisher wrote, “You used to have to sneak into offices to leak documents. You used to need a gun to rob a bank. Now you can do both from bed with a laptop in hand.”
After giving tips on how to avoid being caught and sent to prison, such as encrypt your hard drive, “use a virtual machine with all traffic routed through Tor” and “don’t connect directly to Tor,” he described how he uses Tor to protect his anonymity while connecting to the infrastructure he uses for hacking.
Phineas Fisher credited “hardworking Russians” for developing exploits that have already compromised “almost all of the Fortune 500 networks.” Hacking Team, however, had not been.
A discussion on Hacker News suggested that law enforcement might use the hacker’s post—dialect, spelling, phrases or other “strong markers”—to attempt to identify him. Then again, Phineas Fisher might have crafted the document in a style that is not his usual type. That’s exactly what he said he did when he hacked The Hacking Team.
I didn’t want to make the police’s work any easier by relating my hack of Hacking Team with other hacks I’ve done or with names I use in my day-to-day work as a blackhat hacker. So, I used new servers and domain names, registered with new emails and payed for with new bitcoin addresses. Also, I only used tools that are publicly available, or things that I wrote specifically for this attack, and I changed my way of doing some things to not leave my usual forensic footprint.
Under technical exploitation, Phineas Fisher explained that his reconnaissance into the Hacking Team revealed three choices to hack the company. He could “look for a zero-day in Joomla, look for a zero-day in Postfix or look for a zero-day in one of the embedded devices.” He added, “A zero-day in an embedded device seemed like the easiest option, and after two weeks of work reverse engineering, I got a remote root exploit.” He did not detail that vulnerability, since it still hasn’t been patched, but he did point to sources for finding such vulnerabilities.
Phineas Fisher did a lot of testing on his zero-day “backdoored firmware” before deploying it. Once he did, he said, “Although it was fun to listen to recordings and see webcam images of Hacking Team developing their malware, it wasn't very useful. Their insecure backups were the vulnerability that opened their doors.”
He discovered several vulnerabilities, such as an unprotected MongoDB, which is where Hacking Team’s Remote Control Software audio is stored. He noted, “The audio folder in the torrent came from this. They were spying on themselves without meaning to.”
Eventually, he went after the Exchange email server and mounted the backup. This was where he found a working BlackBerry Enterprise Service admin password. Then with access to the Domain Admin server, he had the passwords for users.
The fact that Hacking Team’s Christian Pozzi used “P4ssword” was pointed out as “lol great sysadmin.” Phineas Fisher goes into a lot more depth, adding how he included the Pozzi material “in the leak as a false clue, and to laugh at him. The reality is that Mimikatz and keyloggers view all passwords equally.”
After reading the company’s emails, he discovered the company’s GitLab server. He used a password reset option to gain access into that server, as well as the Hacking Team’s Twitter account.
Despite the massive pwnage, the Hacking Team is still around; however, it did recently lose its global export license. After giving his detailed account of how he hacked the company, Phineas Fisher concluded:
That’s all it takes to take down a company and stop their human rights abuses. That’s the beauty and asymmetry of hacking: with 100 hours of work, one person can undo years of work by a multi-million-dollar company. Hacking gives the underdog a chance to fight and win.
To the self-described black hat, “leaking documents, expropriating money from banks and working to secure the computers of ordinary people is ethical hacking.” Phineas Fisher dedicated his guide “to the victims of the raid on Armando Diaz school and to all those who have had their blood spilled by Italian fascists.”