Cybereason - behind the HackingTeam infection server
Uploaded by amit-serper (category: Technology)
© 2015 Cybereason Inc. All rights reserved.
The ]HackingTeam[ incident
with Alex Frazer & Amit Serper
Amit Serper
• Senior security researcher @ Cybereason
• Malware research
• Researching attack methodologies on Windows, Linux and OSX (which is garbage)
• Writing ugly yet functional POC code that does evil stuff and sometimes works
• ~9 years @ Israeli govt.
• Security research
• Musician, drummer @ Long Day (facebook.com/longdayofficial)
• Contact: [email protected], @0xamit

Alex Frazer
• Security researcher @ Cybereason
• Malware simulation development
• Advanced Windows security research
• Metasploit development/customization
• ~12 years IT consulting & project management
• Network architecture & design
• App dev
• Database design & management
• System architecture
• American (tomorrow will be an Israeli)
• Contact: [email protected], @awfrazer
Our goals for this evening:
1. Who/what are the hacking team?
2. The leak - What happened there?
3. Interesting stuff we found
4. How were the HackingTeam tools used for an attack operation
5. Demo
6. Beer (which you can actually drink right now…)
Background
• Alberto Ornaghi and Marco Valleri created some tools, the most noticeable of them being Ettercap (a MITM tool).
• Italian police used Ettercap to monitor and record Skype calls.
• Italian police asked Ornaghi and Valleri to develop the software further – HackingTeam was born!
Exploits – what are they?
An exploit is a way of manipulating a program to run a piece of code it wasn’t supposed to run in the first place.
Background (continued)
Hacking Team:
• Italian “cyber” solution vendor
• Offensive & defensive (pen-testing) solutions
• Wrote exploits and purchased them from third parties
• Provided services to a lot of agencies, governments, regimes and even private corporations – some of them are conspicuous
• Created the RCS (Remote Control System), which we are going to discuss today
The Hacking Team story…
• HackingTeam is breached in the beginning of July
• Website hacked and defaced
• HackingTeam’s own twitter account (@hackingteam) is hacked and used to post a link to a 400+ GB torrent file with all of their data!

The story continues…
• Inside that torrent file was a treasure:
  • All of the Exchange server data
  • All of the RCS installers + manuals + source code
  • Important and private documents
  • Screenshots from employees’ machines
  • All of the Git repository
  • Pirated software and pirated versions of operating systems
  • 3 full server images! (Windows attack server, Android attack server and the helpdesk support server)

Around 21:00 on July 5th we realized that this is a disaster for the HackingTeam. But for us…

HT had some “interesting” clients (screenshots courtesy of Hacking Team)

Wait… 400 Gigabytes?!

How did it happen?

Don’t they have security people?

Meet Mr. Christian Pozzi

Damage control… (screenshots courtesy of Hacking Team)
What is RCS?
• Remote Control System
• Powerful spying tool
• It allows the attacker to have TOTAL control
• Cross-platform
Agent Modules
• Screenshots
• Collection of Skype calls
• File transfer
• Bitcoin data exfiltration
(screenshots courtesy of Hacking Team)

Building An Agent (screenshots courtesy of Hacking Team)

Anonymization (screenshot courtesy of Hacking Team)

System Information (screenshot courtesy of Hacking Team)

Scalable Architecture (screenshot courtesy of Hacking Team)
Campaign Flow
1. RCS user decides to create a new campaign.
2. RCS user creates an RCS agent for the campaign.
3. RCS user opens a support ticket with Hacking Team to generate the campaign payload.
4. RCS user decides the infection vector:
   • Physical vector, by target device type:
     • Desktop: write the agent to UEFI firmware (persistence vector), write the agent installer to a U3 USB device, or use a bootable USB/CD/DVD (offline install).
     • Mobile device: deploy an APK on the device.
   • Web/network injection vector:
     • Hosted exploit? Yes: HackingTeam deploys to its own VPS. No: deploy to the customer’s VPS.
     • Targeting method: QR code accessed by the target, link presented as an SMS to the target, or link presented to the target through a spear-phishing e-mail.
     • Use Network Injector? If yes, network injection type: HTML (exploit page delivered to target) or Binary (modified [melted] binary delivered to target).
5. Scout agent installed on target.
6. Scout communicates with the C2 server via an anonymizer.
7. Machine analysis:
   • Virtualization/blacklisted program indications present → uninstall.
   • Unsafe environment (analysis tools, A/V, etc.) → upgrade to Soldier.
   • Safe to install → upgrade to Elite.
Let’s talk about the Network Injector (screenshot courtesy of Hacking Team)
Meet RCS
• Every infection target (customer) has an ID.
• This is what a hosted infection link looks like: http://46.38.63.194/docs/iAj3Ip/qieex.html
• This is where the fun starts… (screenshots courtesy of Hacking Team)
• Adwords? (screenshot courtesy of Hacking Team)
HackingTeam delivered 2 exploits.

CVE-2015-5119 – Flash use-after-free vulnerability in the ByteArray class in the AS3 implementation of Flash Player. Used for code execution. (screenshots courtesy of Hacking Team)
Let’s look at some of the files
• PHP is used for Browscap and for the rest of the webserver-related stuff (target fingerprinting)
• Python is used for all of the ‘heavy lifting’: xp_filter.py, chrome_non_chrome_filter.py
• But wait… privesc_filter.py?
• Again, ‘news’ buzzwords. ‘news’ is the priv-esc exploit + the RCS agent
• News file descrambled and decrypted
(screenshots courtesy of Hacking Team)

CVE-2015-2426 – Buffer underflow in atmfd.dll, the Windows Adobe Type Manager Library. Used for privilege escalation.
mynewsfeeds.info (screenshots courtesy of Hacking Team)

112 Jerusalem St., Tel Aviv
There is a logic here (screenshot courtesy of Hacking Team)

Infection server request flow:
1. A potential victim requests a URL.
2. mod_rewrite regex match on /docs/[a-zA-Z0-9]{6}/ ? No → return 404.
3. Infections left = 0? Yes → return 404.
4. Is the campaign expired? Yes → process invalid, log invalid.
5. UserAgent filter match? No → log invalid. Yes → log valid → infect.
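As an added example (not Hacking Team’s code and not from the slides), here is a Python model of the request-gating logic in the flow above: the mod_rewrite pattern, the remaining-infections counter, the campaign expiry and the user-agent filter. Campaign IDs, user agents, timestamps and the XP/IE filter regex are constructed; answering 404 on every non-infect branch and treating an unknown campaign ID like a rewrite miss are assumptions, since the flowchart does not say what “process invalid” returns.

```python
"""Model of the hosted-infection-server gating shown in the flowchart.

Constructed example: campaign IDs, user agents and timestamps below are made
up; the filter regex is in the spirit of xp_filter.py, not Hacking Team's own.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# First gate of the flow: the mod_rewrite rule only forwards /docs/<6 alnum>/...
CAMPAIGN_PATH_RE = re.compile(r"^/docs/(?P<cid>[a-zA-Z0-9]{6})/")


@dataclass
class Campaign:
    cid: str                 # six-character ID embedded in the hosted link
    infections_left: int     # decremented on every successful delivery
    expires_at: datetime     # "Is campaign expired?"
    ua_filter: re.Pattern    # "UserAgent filter match"
    log: List[Tuple[str, str, str]] = field(default_factory=list)


def handle_request(campaigns: Dict[str, Campaign], path: str,
                   user_agent: str, now: datetime) -> Tuple[int, str]:
    """Walk one request through the flowchart; return (status, outcome).

    Outcomes: 'no-match' (rewrite miss or unknown ID), 'exhausted',
    'expired' and 'ua-rejected' (both logged as invalid), 'infect' (logged
    as valid). Assumption: every non-infect branch answers 404, so the page
    looks dead to anyone who is not the intended victim.
    """
    m = CAMPAIGN_PATH_RE.match(path)
    if m is None:
        return 404, "no-match"
    campaign = campaigns.get(m.group("cid"))
    if campaign is None:           # assumption: unknown ID behaves like a miss
        return 404, "no-match"
    if campaign.infections_left == 0:
        return 404, "exhausted"
    if now >= campaign.expires_at:
        campaign.log.append(("invalid", "expired", user_agent))
        return 404, "expired"
    if campaign.ua_filter.search(user_agent) is None:
        campaign.log.append(("invalid", "ua-rejected", user_agent))
        return 404, "ua-rejected"
    campaign.log.append(("valid", "infect", user_agent))
    campaign.infections_left -= 1
    return 200, "infect"


def run_demo() -> Tuple[List[str], Dict[str, Campaign]]:
    """Replay constructed requests against two constructed campaigns."""
    now = datetime(2015, 7, 1, 12, 0, tzinfo=timezone.utc)
    # Constructed filter: only Internet Explorer 6-8 on Windows XP (NT 5.1)
    # gets the exploit page; a researcher's Linux/Chrome box is logged invalid.
    xp_ie = re.compile(r"MSIE [6-8]\.0;.*Windows NT 5\.1")
    campaigns = {
        "iAj3Ip": Campaign("iAj3Ip", 2, now + timedelta(days=7), xp_ie),
        "Ab12Cd": Campaign("Ab12Cd", 5, now - timedelta(days=1), xp_ie),
    }
    ie8 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
    ie7 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
    chrome = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/43.0"
    requests = [
        ("/docs/iAj3Ip/qieex.html", ie8, now),                        # infect
        ("/docs/iAj3Ip/qieex.html", chrome, now),                     # ua-rejected
        ("/docs/iAj3Ip/qieex.html", ie7, now + timedelta(hours=1)),   # infect
        ("/docs/iAj3Ip/qieex.html", ie7, now + timedelta(hours=2)),   # exhausted
        ("/docs/zzzzzz/qieex.html", ie8, now),                        # no-match
        ("/index.html", ie8, now),                                    # no-match
        ("/docs/Ab12Cd/news.html", ie8, now),                         # expired
    ]
    outcomes = [handle_request(campaigns, p, ua, t)[1] for p, ua, t in requests]
    return outcomes, campaigns


if __name__ == "__main__":
    for outcome in run_demo()[0]:
        print(outcome)
```

Run it and the outcomes come back in order: infect, ua-rejected, infect, exhausted, no-match, no-match, expired. The practical point for responders is that a link which returns 404 when fetched from an analysis box is not evidence the server is clean: it may be rejecting your User-Agent, it may have hit its infection quota, or the campaign may have expired. Replay with the victim’s exact User-Agent and check the timeline before drawing a conclusion.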
Android 4.x Remote Infection

Demo

Questions
www.cybereason.com

Thank you.
Contact Us
Amit Serper: [email protected], @0xamit
Alex Frazer: [email protected], @awfrazer