An Italian group known as the Hacking Team maliciously infiltrated networks and sold their findings to governments. One lone hacker, who called himself Phineas Phisher, objected to this and directed his own cyberattack at the group.

Phisher ended up with plenty of information from Hacking Team, including some of their prized exploits, according to Ars Technica. It appears he wanted to show the black hats they had no real protection against cybercriminals. He then revealed his techniques and motivations on Ghostbin.

Defenders can also learn from what he wrote; after all, this was the act of a motivated attacker. Whether the motivation is ideology or monetary gain, it created an adversary who was focused on an end goal.

“That’s the beauty and asymmetry of hacking: With 100 hours of work, one person can undo years of work by a multimillion dollar company,” Phisher wrote on Ghostbin. “Hacking gives the underdog a chance to fight and win.”

Hacking the Hackers

Hacking Team did have some decent security for its network. The group limited direct Internet exposure, and the servers that hosted the source code for its software were on an isolated network segment. While these are good practices, the actors were supposedly information security professionals; this level of security would be expected.

There were some embedded hardware devices exposed to the Internet, however, and it was on one of those devices that Phisher found a zero-day exploit after two weeks of reverse engineering. The particular exploit was not revealed, so it could still be vulnerable.

This device gave Phisher a foothold to examine the internals of the target system. Once he was in, he used the tools a system admin would normally have to learn more about the setup.

One thing he found was MongoDB databases with no authentication. As Phisher put it on Ghostbin, “NoSQL, or rather NoAuthentication, has been a huge gift to the hacker community. Just when I was worried that they’d finally patched all the authentication bypass bugs in MySQL, new databases came into style that lack authentication by design.”

After finding useful files, Phisher transferred to another system, which gave him data access. He also found backups with passwords stored in plaintext, effectively allowing him to access whatever information he wanted.

Finding Protection Against Cybercriminals

So what could have been done to thwart this kind of advanced attack? Pay attention, for one thing.

Firewall logs can show warnings of these types of attacks. Network mapping, port scanning and enumeration can be countered by firewall devices and other hardware. Not paying attention to the output generated is to ignore warnings. Performing this kind of analysis is admittedly grunt work, but it can show who is knocking on your door. It needs to be done.

Secondly, keep patching current. It’s easy to say, but no less essential. An adversary will know what vulnerabilities have been found in software and know how to use them. Patching to the latest versions closes this avenue. Routine and consistent patching methods — not just crisis intervention — will be the method that works.

Separating the operational and management networks is another way to protect the overall system. If the management network needs administrative privileges, for instance, keeping those admins isolated and secure is important. Proactively watching those with elevated status and seeing who or what else is watching them, such as keyloggers or scrapers, can also make a big difference.

Phisher’s efforts resulted in the actor grabbing files out of the system. Had exfiltration monitoring been in place, it could have spotted this, perhaps before he gained control of critical information.

A determined adversary who has the time and skills will be able to breach an organization somehow. Knowing that the actor got in and understanding how the breach occurred, rather than just assuming it can’t happen, is critical to mounting an effective defense and remediation effort.