
Hacker describes the compromise of Hacking Team

Almost a year after the compromise of the Hacking Team (HT) cyber group, the details of the incident have finally become known: who was behind it and what motivated it. Motherboard has published the details of the HT compromise, based on a write-up (in Spanish) that the hacker himself posted on Pastebin. The person using the pseudonym Phineas Fisher not only described in detail how he obtained an archive of 400GB of confidential data, but also gave his political reasons and motivation.



According to Phineas Fisher, the hack was motivated by the fact that Hacking Team's services were used by security forces to violate human rights. Recall that the intelligence services of various countries were HT's main customers. One person carried out the hack, and it took him a hundred hours of work.

That's 100 hours of work against a multimillion-dollar company. Hacking gives a chance to fight and win.

The hacker writes that the leaked documents show the group abused the term "ethical hacking" by selling its services to those who, in his opinion, deserved to be compromised.

I see [David, Hacking Team's CEO] as continuing a long tradition of Italian fascists.

The hacker claims that, at the initial stage of compromising HT's internal network, a 0day exploit for an embedded device was used; its details were not disclosed.

Hacking Team had very little exposed to the internet. For example, unlike Gamma Group, their customer site requires a client certificate to connect. There was the main website (a Joomla blog in which Joomscan reveals no serious flaw), a mail server, a couple of routers, two VPN appliances, and a spam-filtering appliance. So I had three options: look for a 0day in Joomla, look for a 0day in postfix, or look for a 0day in one of the embedded systems. A 0day in an embedded system seemed to me the most achievable option, and after two weeks of reverse-engineering work I had a remote root exploit. Since the vulnerabilities have not yet been patched, I will not give more details. For more information on how to look for this kind of vulnerability, see [link] and [link].

I spent a lot of time developing and testing the exploit before using it against HT. I wrote a special firmware backdoor and prepared a number of tools for working on the embedded device after gaining access to it. The firmware backdoor was used to protect the exploit: using the exploit only once and then returning control through the backdoor makes it harder to detect the exploited vulnerabilities and subsequently fix them.




Modified versions of the following well-known tools were used to work on the embedded device and perform the necessary actions:



As can be seen from the author's account, after gaining access to the organization's internal network he used various Windows exploits to obtain administrator rights. In addition to 1day exploits, he used Pass-the-Hash attacks and a Remote Access Tool (RAT). In general, these steps differ little from those taken by attackers in similar complex cyber attacks, which security firms have repeatedly disclosed.

Further details of the attack can be found in the Pastebin write-up.

Source: https://habr.com/ru/post/281743/
