Written By Josh Harriman And Presented By Ziften CEO Charles Leaver
Hacking Team Affected By Lack Of Real Time Vulnerability Tracking
Cyber attacks and data breaches are in the news constantly these days, and not only in high-value industries such as health care, finance, energy and retail. One particularly intriguing event was the breach of the Italian company Hacking Team. For those who don't recall, Hacking Team (HT) specializes in security software for government and law enforcement agencies that want to conduct covert operations. The programs HT builds are not ordinary remote administration tools or keylogger-style malware. One of its key products, code-named Galileo and better known as RCS (Remote Control System), claimed to do practically everything you could need in terms of "controlling" a target.
Yet as skilled as they were at producing these programs, they were unable to keep others out of their own systems, or to find the vulnerabilities on their endpoints through vulnerability tracking. In one of the most high-profile breaches of 2015, HT was hacked, and the data taken and subsequently released to the public was substantial: 400 GB. More importantly, it contained extremely damaging material: emails, customer lists (with pricing) that included countries blacklisted by the UN, and the crown jewels, the source code. There was also detailed documentation covering several very powerful 0-day exploits against Adobe Flash. Those 0-days were used soon afterwards in attacks against Japanese companies and United States government agencies.
The big question is: how could this happen to a company whose entire reason for existing is to build software that is undetectable and to find or produce 0-day exploits for others to use? One would think a breach here would be virtually impossible. Clearly that was not the case. As of now there is not a lot to go on about how the breach occurred. We do know, however, that someone has claimed responsibility, and that person (or team) is not new to breaking into places like HT. In August 2014 another security company was hacked and sensitive files were released, much as with HT, including customer lists, pricing, code and so on. The victim was Gamma International, whose product was called FinFisher or FinSpy. A user calling themselves "PhineasFisher" posted 40 GB of data on Reddit and announced that he or she was responsible. A post on their Twitter account in July of this year said they had also attacked HT. Their message and purpose in these breaches and thefts appears to be to make people aware of how these companies operate and whom they sell to: a hacktivist attack. PhineasFisher did publish some details of his methods, and some of those techniques were likely used against HT.
One last question remains: how did they break in, and what safeguards could HT have put in place to prevent the theft? We did learn from the released documents that users within HT had very weak passwords, e.g. "P4ssword" or "wolverine". In addition, one of the primary employee systems from which the theft may have occurred used TrueCrypt. However, once you are logged on and using the system, those hidden volumes are mounted and readable by anyone who controls the session, so disk encryption offers no protection against an attacker on a running machine. No details have been published yet on how the network was infiltrated or how the attackers reached the users' systems to download the files. It is apparent, though, that businesses need a solution such as Ziften's Continuous Endpoint Visibility running in their environment. By monitoring all user and system activity, alerts could have been raised when activity fell outside normal behavior. Examples include 400 GB of files being uploaded to an external destination, or knowing when vulnerable software is running on exposed servers within the network. When a company is building and supplying sophisticated surveillance software, and holding unpublished vulnerabilities in commercial products, a better plan should have been in place to limit the damage.
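The kind of check described above, bulk outbound transfer compared against each host's own history, is easy to sketch. The following is an added example written for this page, not Ziften code and not anything recovered from the HT dump: the log format, host names, daily volumes and thresholds are all constructed for illustration. It builds a per-host baseline from prior days and raises an alert either when a day's egress exceeds that baseline by a large factor or when it crosses an absolute ceiling regardless of history.

```python
"""Baseline-and-deviation detection of bulk outbound transfers from endpoint
network telemetry.

Added example for illustration (not vendor code). The log format, hosts,
volumes and thresholds are constructed assumptions.
"""
from collections import defaultdict
from statistics import median

# Constructed sample telemetry: one record per (day, host) giving the total
# gigabytes sent to addresses outside the corporate ranges that day.
SAMPLE_LOG = """\
2015-06-28 ws-alice 1.2
2015-06-29 ws-alice 0.9
2015-06-30 ws-alice 1.4
2015-07-01 ws-alice 1.1
2015-07-02 ws-alice 1.3
2015-07-03 ws-alice 1.0
2015-07-04 ws-alice 1.2
2015-07-05 ws-alice 8.0
2015-06-28 srv-files 3.1
2015-06-29 srv-files 2.8
2015-06-30 srv-files 3.4
2015-07-01 srv-files 2.9
2015-07-02 srv-files 3.0
2015-07-03 srv-files 3.3
2015-07-04 srv-files 3.1
2015-07-05 srv-files 400.0
2015-07-05 ws-newbox 6.0
"""

MIN_HISTORY_DAYS = 5    # prior days needed before a baseline is trusted
DEVIATION_FACTOR = 5.0  # alert when a day exceeds the baseline by this factor
ABSOLUTE_GB = 50.0      # alert at this ceiling even with no usable baseline


def parse_log(text):
    """Return {host: [(day, gb), ...]} with each host's rows sorted by day."""
    per_host = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        day, host, gb = line.split()
        per_host[host].append((day, float(gb)))
    for rows in per_host.values():
        rows.sort()
    return per_host


def detect_bulk_egress(text, min_history=MIN_HISTORY_DAYS,
                       factor=DEVIATION_FACTOR, absolute_gb=ABSOLUTE_GB):
    """Return a list of (day, host, gb, baseline_gb, reason) alerts.

    The baseline is the median of the host's earlier days, so one earlier
    spike does not drag it up. A host with too little history gets no
    baseline and can only trip the absolute ceiling.
    """
    alerts = []
    for host, rows in parse_log(text).items():
        history = []
        for day, gb in rows:
            baseline = median(history) if len(history) >= min_history else None
            if gb >= absolute_gb:
                alerts.append((day, host, gb, baseline, "absolute"))
            elif baseline is not None and gb > factor * baseline:
                alerts.append((day, host, gb, baseline, "deviation"))
            history.append(gb)
    return alerts


if __name__ == "__main__":
    for day, host, gb, baseline, reason in detect_bulk_egress(SAMPLE_LOG):
        shown = "n/a" if baseline is None else f"{baseline:.1f} GB"
        print(f"{day} {host}: {gb:.1f} GB out (baseline {shown}) [{reason}]")
```

On the constructed data this flags srv-files on 2015-07-05 at the absolute ceiling and ws-alice on the same day as a deviation from its roughly 1 GB/day norm. The brand-new ws-newbox host produces no alert: it has no history and sits under the ceiling, which is exactly why an absolute threshold is needed alongside the per-host baseline.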