A great write-up¹ of how HackingTeam (and others) were hacked (I recommend that you download it, as it may well be gone soon enough) – 04/19.
Let’s do a quick review of his (antisec) document. A reminder: the Italian company’s site is http://www.hackingteam.it/
Some enterprising media outlets and bloggers have renamed it “HackedTeam” since the security company was compromised.
Now I will go through the write-up step by step, with a summary at the end. Needless to say, you may get something out of the information the hacker cataloged.
The first item is infrastructure:
a. domain names
b. stable servers (the hacker’s command and control systems)
c. hacked servers
Clearly it is just as important to have infrastructure to attack from as it is to control the hacked servers.
Next is information gathering.
This is an important part, because this is where a lot of information can be reviewed:
subdomain enumeration, including finding the various publicly available DNS info.
Potential target systems that are normally hard to find may also be visible in reverse DNS information.
Of course you can’t forget social engineering.
This portion must be the hacker’s favorite tool.
One item I found interesting is file metadata, meaning information employees have posted on the Internet to fix problems or otherwise discuss what is happening in the company.
Once the data gathering is complete, one can do actual vulnerability scanning:
port scanning and fingerprinting to find out what is open on the server (using nmap and more). recon-ng is a web recon framework written in Python.
Next: gaining a foothold.
The actual attack… technical exploitation.
This includes SQL database problems that can be exploited: MySQL databases have vulnerabilities, and if they are not patched, Mr. Hacker will get through.
Also, after scanning with nmap he found port 3260 (iSCSI) was open.
He scanned and listened for a week (without anyone shutting down his port scans).
He was able to hack an old Exchange server, get information from it, and connect to the test servers (which were not patched).
The key here is the (NoSQL) database: he was able to read all the data in the DB. A MongoDB database has easier ways to get hacked.
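A week of unnoticed port scans and an iSCSI port reachable from outside are both things a defender can catch from firewall logs. The following is an added example written for this post (not code from the write-up or from HackingTeam): it parses a constructed, labelled sample log in an assumed "timestamp src dst port action" format, flags any source that touched many distinct ports on one host, and lists sensitive services (iSCSI 3260 from the write-up, plus the MongoDB and MySQL defaults) that the firewall accepted.

```python
from collections import defaultdict

# Constructed sample firewall log (not from the write-up):
# "<timestamp> <src_ip> <dst_ip> <dst_port> <action>", one connection per line.
SAMPLE_LOG = """\
2015-06-01T02:00:01 203.0.113.7 192.0.2.10 22 DROP
2015-06-01T02:00:02 203.0.113.7 192.0.2.10 25 DROP
2015-06-01T02:00:03 203.0.113.7 192.0.2.10 80 ACCEPT
2015-06-01T02:00:04 203.0.113.7 192.0.2.10 443 ACCEPT
2015-06-01T02:00:05 203.0.113.7 192.0.2.10 3260 ACCEPT
2015-06-01T02:00:06 203.0.113.7 192.0.2.10 3306 DROP
2015-06-01T02:00:07 203.0.113.7 192.0.2.10 27017 ACCEPT
2015-06-01T02:00:08 203.0.113.7 192.0.2.10 8080 DROP
2015-06-01T02:01:00 198.51.100.4 192.0.2.10 443 ACCEPT
2015-06-01T02:01:30 198.51.100.4 192.0.2.10 443 ACCEPT
"""

# Services that should never be accepted from the Internet: 3260 (iSCSI) is the
# port named in the write-up; 27017 (MongoDB) and 3306 (MySQL) are the defaults.
SENSITIVE_PORTS = {3260: "iscsi", 27017: "mongodb", 3306: "mysql"}

def parse_log(text):
    """Parse log lines into (ts, src, dst, port, action) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue
        ts, src, dst, port, action = parts
        events.append((ts, src, dst, int(port), action))
    return events

def find_scanners(events, distinct_port_threshold=6):
    """Map each source that touched >= threshold distinct ports on one host to those ports."""
    ports = defaultdict(set)
    for _, src, dst, port, _ in events:
        ports[(src, dst)].add(port)
    return {src: sorted(p) for (src, _), p in ports.items()
            if len(p) >= distinct_port_threshold}

def exposed_services(events):
    """Sensitive ports that the firewall ACCEPTed, i.e. reachable by a scanner."""
    return sorted({(port, SENSITIVE_PORTS[port]) for _, _, _, port, action in events
                   if action == "ACCEPT" and port in SENSITIVE_PORTS})

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("scanning sources:", find_scanners(events))
    print("exposed services:", exposed_services(events))
```

The threshold and the port list are assumptions to tune for your own network; the point is that a scan this noisy, and a storage or database port open to the world, should both trip an alert long before a week has passed.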
So how did a hacker get into a company that prides itself on hacking others? By their being so arrogant that they thought it would not happen to them.
I bet you they did not protect their database as well as they should have. They also did not dot the i’s and cross the t’s inside the network.
Now the hacker is exfiltrating data. In fact he was able to connect a disk to the compromised system, look around, and take more data, then move it to the outside (likely using several different methods, disguising the movement as regular traffic).
Once in some of the systems he was able to unpack some backups and find old files, which gave him more information.
From there, lateral moves to gain domain admin passwords and more.
Once the files from an old system were unpacked he was able to gain domain admin passwords – notice the proof of the 18 administrator/sysadmin accounts. But the worst part is the short passwords: they are only 8 digits long.
I’m sorry folks, but once in the network with the domain admin passwords, it is over…
All I can say is that hacking is disjointed at best, but little by little the puzzle is created and filled out, and then the hacker has you by the …
It is interesting to note that some basic defense strategies would have caused the hacker a lot more headaches, and at least would have slowed him down: things like changing passwords, auditing password complexity, offsite backups and more. Security is sometimes just doing IT basics.