The hacker who allegedly hacked Hacking Team has spoken out about their techniques. The key to their attack strategy is mapping out the target’s attack surface. The hacker’s write-up demonstrates that the vast seas of digital assets existing online can plot a course back to a target’s internal systems if left unsecured.
Below is a breakdown by phases of the hacker's process of attacking another hacking group:
Phase 1 - Mapping Out the Target
“Mapping out the target...to find all IP address space and domain names associated with an organization.”
“This is actually one of the most important parts, as the larger the attack surface that you are able to map out, the easier it will be to find a hole somewhere in it.”
The hacker proceeds to go into detail on how they began the attack. At a high level they take publicly available information like domains and work backwards to plot out IP ranges. They do this by using a combination of whois data, other publically available information and mostly open source tools. In this fashion they map out the attack surface of their target.
Phase 2 – Scanning & Exploiting
“Is it exposing something it shouldn't?”
“Is it horribly misconfigured?”
“Is it running an old version of software vulnerable to a public exploit?”
Once the hacker has mapped out the attack surface, phase two is to start poking and prodding for weaknesses. The goal of the assailant is to look for misconfigurations, servers exposing sensitive directories, older versions of software with known vulnerabilities, etc. The hacker basically traverses the immense digital footprint of most organizations operating online to look for tiny slivers or cracks in the defense.
Phase 3 – Escalating
“Root over 50% of linux servers you encounter in the wild with two easy scripts, Linux_Exploit_Suggester , and unix-privesc-check .”
At this point the hacker had penetrated the firewall and was trying to get root access of the server it used to get in. It turns out the first attempt was basically a dead end:
“At any rate, the only thing this server does is host the website, so I already have access to everything interesting on it. Root wouldn't get much of anything new, so I move on to the rest of the network.”
Phase 4 – Pivot
“The next step is to look around the local network of the box you hacked.”
Once the hacker got all the data they needed from their initial point of entry, they looked to pivot around the hacked server’s local network. It’s essentially a rinse and repeat of the scanning and exploiting phase only, “...this time from inside the firewall”.
Phase 5 – Have Fun
“Once you're in their networks, the real fun starts.”
At this point the hacker found their route in and basically did whatever they wanted with impunity.
For the hacker’s testimonial read here: http://0x27.me/HackBack/0x00.txt
Looking inside the process helps put into perspective the relatively rudimentary attack methods that are unstoppable unless org’s have security over their digital footprint. This hacker even criticizes the tendency to call successful breaches sophisticated attacks:
At this point I can see the news stories that journalists will write to drum up views; In a sophisticated, multi-step attack, hackers first comprised a web design firm in order to acquire confidential data that would aid them in attacking Gamma Group...
The reality is that for security teams, mapping out one’s digital footprint is the real first line of defense. It’s simply too easy for bad guys to pivot once they can start poking around the dark, often forgotten sections of a target’s network.
Any organization operating at Internet scale needs a solution with the same capability. Otherwise, that organization is leaving to chance that all too common errors like misconfigured systems, exposed directories or unpatched systems aren’t present and easily exploitable.
In this case the attacker was more of a vigilante, but monetarily driven cyber thieves and nation state actors can use the very same methods.
The RiskIQ solution continuously discovers, indexes, and monitors an organization’s digital footprint from the outside-in. The process is ongoing and recursive— allowing security teams to inventory all the org’s digital assets. The technology discovers assets inherited via acquisitions, created by shadow IT, and counter-fitted rogues generated by outsiders with malicious intent.
Do you think you know where your attack surface begins and ends? Our customers typically find 20-40% previously unknown digital assets in their first 90 days. To find out for certain contact us to request a demo.
Reach out via twitter @riskiq with any questions or check out our resources section for more detailed information on digital footprint and the external threat detection.