May 17, 2016 By Larry Loeb 3 min read

An Italian group known as the Hacking Team maliciously infiltrated networks and sold their findings to governments. One lone hacker, who called himself Phineas Phisher, objected to this and directed his own cyberattack at the group.

Phisher ended up with plenty of information from Hacking Team, including some of their prized exploits, according to Ars Technica. It appears he wanted to show the black hats they had no real protection against cybercriminals. He then revealed his techniques and motivations on Ghostbin.

Defenders can also learn from what he wrote; after all, this was the act of a motivated attacker. Whether the motivation is ideology or monetary gain, it created an adversary who was focused on an end goal.

“That’s the beauty and asymmetry of hacking: With 100 hours of work, one person can undo years of work by a multimillion dollar company,” Phisher wrote on Ghostbin. “Hacking gives the underdog a chance to fight and win.”

Hacking the Hackers

Hacking Team did have some decent security for its network. The group limited direct Internet exposure, and the servers that hosted the source code for its software were on an isolated network segment. While these are good practices, the actors were supposedly information security professionals; this level of security would be expected.

There were some embedded hardware devices exposed to the Internet, however, and it was on one of those devices that Phisher found a zero-day exploit after two weeks of reverse engineering. The particular exploit was not revealed, so it could still be vulnerable.

This device gave Phisher a foothold to examine the internals of the target system. Once he was in, he used the tools a system admin would normally have to learn more about the setup.

One thing he found was MongoDB databases with no authentication. As Phisher put it on Ghostbin, “NoSQL, or rather NoAuthentication, has been a huge gift to the hacker community. Just when I was worried that they’d finally patched all the authentication bypass bugs in MySQL, new databases came into style that lack authentication by design.”

After finding useful files, Phisher transferred to another system, which gave him data access. He also found backups with passwords stored in plaintext, effectively allowing him to access whatever information he wanted.

Finding Protection Against Cybercriminals

So what could have been done to thwart this kind of advanced attack? Pay attention, for one thing.

Firewall logs can show warnings of these types of attacks. Network mapping, port scanning and enumeration can be countered by firewall devices and other hardware. Not paying attention to the output generated is to ignore warnings. Performing this kind of analysis is admittedly grunt work, but it can show who is knocking on your door. It needs to be done.

Secondly, keep patching current. It’s easy to say, but no less essential. An adversary will know what vulnerabilities have been found in software and know how to use them. Patching to the latest versions closes this avenue. Routine and consistent patching methods — not just crisis intervention — will be the method that works.

Separating the operational and management networks is another way to protect the overall system. If the management network needs administrative privileges, for instance, keeping those admins isolated and secure is important. Proactively watching those with elevated status and seeing who or what else is watching them, such as keyloggers or scrapers, can also make a big difference.

Phisher’s efforts resulted in the actor grabbing files out of the system. Had exfiltration monitoring been in place, it could have spotted this, perhaps before he gained control of critical information.

A determined adversary who has the time and skills will be able to breach an organization somehow. Knowing that the actor got in and understanding how the breach occurred, rather than just assuming it can’t happen, is critical to mounting an effective defense and remediation effort.

More from Risk Management

What does resilience in the cyber world look like in 2025 and beyond?

6 min read -  Back in 2021, we ran a series called “A Journey in Organizational Resilience.” These issues of this series remain applicable today and, in many cases, are more important than ever, given the rapid changes of the last few years. But the term "resilience" can be difficult to define, and when we define it, we may limit its scope, missing the big picture.In the age of generative artificial intelligence (gen AI), the prevalence of breach data from infostealers and the near-constant…

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today