Cybereason - behind the HackingTeam infection server

© 2015 Cybereason Inc. All rights reserved.

The ]HackingTeam[ incident

Alex Frazer & Amit Serper

with


Amit Serper

• Senior security researcher @ Cybereason• Malware research• Researching attack methodologies on Windows, Linux

and OSX (which is garbage)• Writing ugly yet functional POC code that does evil stuff

and sometimes work• ~9 Years @ Israeli govt.

• Security Research

• Musician, Drummer @ Long day (facebook.com/longdayofficial)

• Contact: [email protected], @0xamit


• Security researcher @ Cybereason• Malware simulation development• Advanced windows security research• Metasploit development/customization

• ~ 12 Years IT Consulting & Project Management• Network Architecture & Design• App Dev• Database Design & Management• System Architecture

• American (tomorrow will be an Israeli) • Contact: [email protected], @awfrazer

Alex Frazer


Our goals for this evening:

1. Who/what are the hacking team?

2. The leak - What happened there?

3. Interesting stuff we found

4. How were the HackingTeam tools used for an attack operation

5. Demo

6. Beer (which you can actually drink right now…)


Background

• Alberto Ornaghi and Marco Valleri created some tools, the mostnoticeable of them was EtterCap (MITM tool).

• Italian police used EtterCap to monitor and record skype calls.• Italian police Asked Ornaghi and Valleri to develop the software further –

HackingTeam was born!


Exploits – what are they?

An exploit is a way of manipulating a program to run a piece of code it wasn’t supposed to run in the first place.


Background (continued)Hacking team:• Italian “cyber” solution vendor

• Offensive & Defensive (pen-testing) solutions• Wrote exploits and purchased them from third parties• Provided services to a lot of agencies, governments,

regimes and even private corporations – Some of them are conspicuous

• Created the RCS (Remote Control System) which we are going to discuss today


The Hacking Team story…• HackingTeam is breached in the beginning of July• Website hacked and defaced• HackingTeam’s own twitter account (@hackingteam) is

hacked and used to post a link to a 400+ GB torrent file with all of their data!


• Inside that torrent file was a treasure:• All of the exchange server data• All of the RCS installers + manuals + source code• Important and private documents• Screenshots from employees machines• All of the GIT repository• Pirated software and pirated versions of Operating

systems• 3 full server images! (Windows Attack server,

Android attack server and the helpdesk support server)

The story continues…


Around 21:00 on July 5th we realized that this is a disaster for the HackingTeam



But for us…



HT had some “interesting” clients



Wait… 400 Gigabytes?!



How did it happen?



Don’t they have security people?



Meet mr Christian Pozzi


Damage control…



With courtesy of Hacking Team


What is RCS ?


Remote Control System


Powerful spying tool


It allows the attacker to have TOTAL control


Cross-Platform


Agent Modules

• Screenshots• Collection of skype calls

• File transfer• Bitcoin data exfiltration



Agent Modules



Building An Agent



Anonymization



System Information



Scalable Architecture



Campaign FlowRCS User Decides to

Create New Campaign

RCS User creates RCS Agent for Campaign

RCS User Opens Support Ticket with Hacking Team

To Generate Campaign Payload

RCS User Decides Infection Vector

Web/Network Injection Vector

Write Agent to UEFI Firmware

Physical Vector

Target Device

Device Type

Persistence Vector

DesktopDeploy APK on Device

Mobile Device

Write Agent Installer to U3 Device

U3 USB

Bootable USB/CD/DVD

Offline Install

Hosted Exploit?

No

Deploy To Customer VPS

No

HackingTeam Deploys to own VPS

Yes

Targeting Method

QR Code Accessed by Target

QR Code

Link Presented as SMS to Target

SMS

Use Network Injector?

HTML

Yes

Exploit Page Delivered to Target

Network Injection Type

Modified [Melted] Binary Delivered to

Target

Binary

Link Presented to Target through E-mail

Spearfishing E-mail

Scout Agent Installed on Target

Scout Communicates with C2 Server via

Anonymizer

Machine Analysis

Uninstall

Virtualization/Blacklisted ProgramIndications Present

Upgrade to Soldier

Unsafe Environment(Analysis Tools, A/V, etc)

Upgrade to Elite

Safe to Install


RCS User Decides to Create New Campaign

RCS User creates RCS Agent for Campaign

RCS User Opens Support Ticket with Hacking Team

To Generate Campaign Payload

RCS User Decides Infection Vector

Web/Network Injection Vector

Write Agent to UEFI Firmware

Physical Vector

Target Device

Device Type

Persistence Vector

DesktopDeploy APK on Device

Mobile Device

Write Agent Installer to U3 Device

U3 USB

Bootable USB/CD/DVD

Offline Install

Hosted Exploit?

No

Deploy To Customer VPS

No

HackingTeam Deploys to own VPS

Yes

Targeting Method

QR Code Accessed by Target

QR Code

Link Presented as SMS to Target

SMS

Use Network Injector?

HTML

Yes

Exploit Page Delivered to Target

Network Injection Type

Modified [Melted] Binary Delivered to

Target

Binary

Link Presented to Target through E-mail

Spearfishing E-mail

Scout Agent Installed on Target

Scout Communicates with C2 Server via

Anonymizer

Machine Analysis

Uninstall

Virtualization/Blacklisted ProgramIndications Present

Upgrade to Soldier

Unsafe Environment(Analysis Tools, A/V, etc)

Upgrade to Elite

Safe to Install


Let’s talk about the Network Injector


Meet RCS

Every infection target (customer) has an ID.


This is what a hosted infection link looks like:http://46.38.63.194/docs/iAj3Ip/qieex.html

Meet RCS


This is where the fun starts…

Meet RCS


Meet RCS



Adwords?



HackingTeam delivered 2 exploits.


CVE-2015-5119 – Flash use-after-free vulnerability in the ByteArray class in the AS3 implementation of

FlashPlayerFor code execution


Let’s look at some of the files


PHP is used for Browscap and for the rest of the webserver related stuff (target fingerprinting)



Python is used for all of the ‘heavy lifting’

Xp_filter.py



Chrome_non_chrome_filter.py



But wait… privesc_filter.py?



Again, news buzzwords. ‘news’ is the priv_esc exploit + the RCS agent



News file descrambled and decrypted


CVE-2015-2426 – Buffer underflow in atmfd.dll, Windows Adobe Type Manager Library.

For privilege escalation


mynewsfeeds.info



112 Jerusalem St., Tel Aviv


There is a logic here


Mod ReWrite RegEx Match /docs/[a-zA-Z0-9]{6}/

Infections Left = 0

Return 404

Is Campaign Expired?

Process Invalid

No

Yes

Yes

Yes

No

UserAgent Filter Match

No

No

Log Valid

Yes

Log Invalid

Infect

Potential Victim


Android 4.x Remote Infection


Demo


Questions

www.cybereason.com


you.Thank

Amit Serper:[email protected]@0xamit

Alex Frazer:[email protected]@awfrazer

Contact Us

Cybereason - behind the HackingTeam infection server

Technology

Transcript of Cybereason - behind the HackingTeam infection server