When Hacker Elites Lack Vulnerability Monitoring

Data breaches and attacks are non-stop news these days — and not just for those in the high value industries such as finance, healthcare, energy and retail. One particularly interesting incident was the breach against the Italian company Hacking Team. For those who don’t remember, Hacking Team (HT) is a company that specializes in surveillance software catering to government and police agencies that want to conduct covert operations. The programs created by HT are not your run-of-the-mill remote control software or malware-type recording devices. One of their key products, code-named Galileo — better known as RCS (Remote Control System) — claimed to be able to do pretty much whatever you needed in terms of “controlling” your target.

Yet as talented as they were in creating these programs, they were not able to keep others from getting into their systems, or to detect such vulnerabilities at the endpoint through vulnerability monitoring. In one of the most high-profile breaches of 2015, HT was hacked, and the material taken and subsequently released to the public was huge — 400 GB in size. More importantly, the material included very damaging information such as emails, customer lists (and prices) which included countries blacklisted by the UN, and the crown jewels: source code. There was also in-depth documentation which included a couple of very powerful 0-day exploits against Flash and Adobe. Those 0-days were used very soon after in attacks against some Japanese companies and US government agencies.

The big question is: How could this happen to a company whose sole purpose is to make software that is undetectable and to find or create 0-day exploits for others to use? One would think a breach here would be next to impossible. Obviously, that was not the case. As of now there is not a lot to go on in terms of how this breach occurred. We do know, however, that someone has claimed responsibility and that person (or group) is not new to getting into places just like HT. In August 2014, another surveillance company was hacked and sensitive files were released, just like HT. This included customer lists, prices, code, etc. The target was Gamma International, and their product was called FinFisher or FinSpy. A user by the name of “PhineasFisher” released 40 GB worth of data on Reddit and announced that he/she was responsible. A post in July this year on their Twitter handle mentioned they also took down HT. It appears that the message and purpose of these breaches and thefts were to make people aware of how these companies operate and who they sell to — a hacktivist attack. He did publish some details of his methods, and some of these techniques were likely used against HT.

A final question remains: How did they break in and what precautions could HT have taken to prevent the theft? We did learn from the released documents that the users within HT had very weak passwords such as “P4ssword” or “wolverine.” In addition, one of the main employee systems where the theft might have occurred used the program TrueCrypt. However, while a user is logged on and working on the system, those hidden volumes are mounted and accessible, so encryption at rest offers no protection at that point. No details have been released as yet as to how the network was breached or how the attacker accessed the users’ systems in order to download the files. It is apparent, though, that companies need to have a solution such as Ziften’s Continuous Endpoint Visibility running in their environment. By monitoring all user and system activity, alerts could have been generated when an activity falls outside of normal behavior. Examples include 400 GB of files being uploaded externally, or knowing when vulnerable software is running on exposed servers within the network. When a business is making and selling sophisticated surveillance software — and possessing unknown vulnerabilities in commercial products — a better plan should have been in place to limit the damage.
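To make the “activity outside of normal behavior” idea concrete, here is an added example (written for this post, not Ziften’s product code or anything taken from the Hacking Team material) that runs a simple egress-volume detector over constructed proxy-style log lines. The log format (date, host, user, destination, bytes out) and the sample hosts and volumes are assumptions; the one host that pushes 400 GB to an outside address in a single day is flagged both because it exceeds an absolute daily cap and because it is orders of magnitude above that host’s own baseline from previous days.

```python
"""Egress-volume anomaly detection over constructed proxy-style log lines.

Line format (assumed for this example): <YYYY-MM-DD> <host> <user> <destination> <bytes_out>
A host is flagged for a given day when its outbound volume exceeds either an
absolute cap or a multiple of that host's own median daily volume.
"""
from collections import defaultdict
from statistics import median

# Constructed sample data (not from the page): three hosts over four days.
# ws-bob sends two very large transfers to an outside address on the last day.
SAMPLE_LOG = """\
2015-07-01 ws-alice alice mail.example.net 120000000
2015-07-01 ws-bob bob cdn.example.org 250000000
2015-07-01 srv-files svc backup.example.net 900000000
2015-07-02 ws-alice alice mail.example.net 95000000
2015-07-02 ws-bob bob cdn.example.org 300000000
2015-07-02 srv-files svc backup.example.net 850000000
2015-07-03 ws-alice alice mail.example.net 110000000
2015-07-03 ws-bob bob cdn.example.org 280000000
2015-07-03 srv-files svc backup.example.net 910000000
2015-07-04 ws-alice alice mail.example.net 105000000
2015-07-04 ws-bob bob 203.0.113.77 180000000000
2015-07-04 ws-bob bob 203.0.113.77 220000000000
2015-07-04 srv-files svc backup.example.net 880000000
"""

GB = 10**9
ABSOLUTE_CAP = 100 * GB       # any host sending this much in one day is flagged ...
BASELINE_MULTIPLIER = 10.0    # ... as is any host at 10x its own median daily volume
MIN_BASELINE_DAYS = 2         # need this many prior days before a baseline is trusted


def parse_log(text):
    """Sum bytes_out per (day, host); returns {(day, host): bytes}."""
    totals = defaultdict(int)
    for line in text.splitlines():
        if not line.strip():
            continue
        day, host, _user, _dest, nbytes = line.split()
        totals[(day, host)] += int(nbytes)
    return dict(totals)


def daily_egress(totals):
    """Regroup the per-(day, host) totals as {host: {day: bytes}}."""
    per_host = defaultdict(dict)
    for (day, host), nbytes in totals.items():
        per_host[host][day] = nbytes
    return per_host


def find_anomalies(text, cap=ABSOLUTE_CAP, multiplier=BASELINE_MULTIPLIER):
    """Return sorted (day, host, bytes, reason) tuples for anomalous days."""
    alerts = []
    for host, days in daily_egress(parse_log(text)).items():
        history = []                      # this host's volumes on earlier days
        for day in sorted(days):
            vol = days[day]
            reasons = []
            if vol >= cap:
                reasons.append(f"exceeds absolute cap of {cap // GB} GB")
            if len(history) >= MIN_BASELINE_DAYS:
                base = median(history)
                if vol >= multiplier * base:
                    reasons.append(f"{vol / base:.1f}x host baseline of {base / GB:.2f} GB")
            if reasons:
                alerts.append((day, host, vol, "; ".join(reasons)))
            history.append(vol)
    return sorted(alerts)


if __name__ == "__main__":
    for day, host, vol, reason in find_anomalies(SAMPLE_LOG):
        print(f"{day} {host}: {vol / GB:.1f} GB outbound ({reason})")
```

Two design choices are worth noting. The baseline is per host rather than fleet-wide, so a backup server that legitimately moves a gigabyte a night does not raise the threshold for workstations, and a workstation that suddenly behaves like a backup server is still caught. The absolute cap is the safety net for the case where an attacker moves data out slowly enough to build a high baseline over several days, or where a host has no history at all.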

