Written By Josh Harriman And Presented By Ziften CEO Charles Leaver
Hacking Team Affected By Lack Of Real Time Vulnerability Tracking
Nowadays cyber attacks and data breaches are in the news all the time – and not just for those in the high worth industries such as health care, financing, energy and retail. One especially intriguing event was the breach against the Italian company Hacking Team. For those who don’t remember Hacking Team (HT) is a company that concentrates on monitoring software applications accommodating federal government and authorities agencies that want to perform hidden operations. The programs created by HT are not your run-of-the-mill push-button control software or malware-type recording devices. One of their crucial products, code-named Galileo – much better called RCS (Remote Control System)– declared to be able to do pretty much whatever you require in terms of “controlling” your target.
Yet as talented as they remained in developing these programs, they were unable to keep others from getting into their systems, or identify such vulnerabilities at the endpoint through vulnerability tracking. In one of the most high-profile breaches of 2015, HT were hacked, and the material stolen and consequently launched to the public was big – 400 GB in size. More significantly, the information included extremely damaging details such as e-mails, client lists (and prices) which included countries blacklisted by the UN, and the crown jewels: Source code. There was also thorough documentation which included a few very powerful 0-day exploits against Flash and Adobe. Those 0-days were used very soon after in attacks against some Japanese companies and US federal government agencies.
The huge question is: How could this take place to a business whose sole existence is to make software that is undetectable and finding or producing 0-day exploits for others to utilize? One would believe a breach here would be almost impossible. Undoubtedly, that was not the case. Currently there is not a lot to go on in terms of how this breach took place. We do understand nevertheless that somebody has actually declared responsibility and the individual (or group) is not new to getting into places just like HT. In August 2014, another monitoring business was hacked and delicate files were launched, much like HT. This included client lists, prices, code, and so on. This was against Gamma International and their product was called FinFisher or FinSpy. A user by the name of “PhineasFisher” released on Reddit 40 GB worth data and announced that he/she was responsible. A post in July this year on their twitter account discussed they likewise attacked HT. It seems that their message and purpose of these breaches and theft where to make people familiar with how these businesses run and who they sell to – a hacktivist attack. He did publish some information to his methods and some of these techniques were likely utilized against HT.
A last question is: How did they break in and what precautions could HT have implemented to prevent the theft? We did learn from the launched documents that the users within HT had extremely weak passwords e.g. “P4ssword” or “wolverine.” In addition, one of the main employee systems where the theft might have happened made use of the program TrueCrypt. Nevertheless, when you are logged in and utilizing the system, those concealed volumes are accessible. No information has been published as of yet as to how the network was breached or how they accessed the users systems in order to download the files. It appears, though, that businesses have to have a service such as Ziften’s Constant Endpoint Visibility running in their environment. By keeping an eye on all user and system activity notifications might have been produced when an activity falls beyond normal behavior. Examples include 400 GB of files being submitted externally, or understanding when vulnerable software applications are running on exposed servers within the network. When an organization is making and selling advanced monitoring software applications – and possessing unknown vulnerabilities in business deliverables – a better strategy needs to have implemented to restrict the damage.