May 17, 2016 By Larry Loeb 3 min read

An Italian group known as the Hacking Team maliciously infiltrated networks and sold their findings to governments. One lone hacker, who called himself Phineas Phisher, objected to this and directed his own cyberattack at the group.

Phisher ended up with plenty of information from Hacking Team, including some of their prized exploits, according to Ars Technica. It appears he wanted to show the black hats they had no real protection against cybercriminals. He then revealed his techniques and motivations on Ghostbin.

Defenders can also learn from what he wrote; after all, this was the act of a motivated attacker. Whether the motivation is ideology or monetary gain, it created an adversary who was focused on an end goal.

“That’s the beauty and asymmetry of hacking: With 100 hours of work, one person can undo years of work by a multimillion dollar company,” Phisher wrote on Ghostbin. “Hacking gives the underdog a chance to fight and win.”

Hacking the Hackers

Hacking Team did have some decent security for its network. The group limited direct Internet exposure, and the servers that hosted the source code for its software were on an isolated network segment. While these are good practices, the actors were supposedly information security professionals; this level of security would be expected.

There were some embedded hardware devices exposed to the Internet, however, and it was on one of those devices that Phisher found a zero-day exploit after two weeks of reverse engineering. The particular exploit was not revealed, so it could still be vulnerable.

This device gave Phisher a foothold to examine the internals of the target system. Once he was in, he used the tools a system admin would normally have to learn more about the setup.

One thing he found was MongoDB databases with no authentication. As Phisher put it on Ghostbin, “NoSQL, or rather NoAuthentication, has been a huge gift to the hacker community. Just when I was worried that they’d finally patched all the authentication bypass bugs in MySQL, new databases came into style that lack authentication by design.”

After finding useful files, Phisher transferred to another system, which gave him data access. He also found backups with passwords stored in plaintext, effectively allowing him to access whatever information he wanted.

Finding Protection Against Cybercriminals

So what could have been done to thwart this kind of advanced attack? Pay attention, for one thing.

Firewall logs can show warnings of these types of attacks. Network mapping, port scanning and enumeration can be countered by firewall devices and other hardware. Not paying attention to the output generated is to ignore warnings. Performing this kind of analysis is admittedly grunt work, but it can show who is knocking on your door. It needs to be done.

Secondly, keep patching current. It’s easy to say, but no less essential. An adversary will know what vulnerabilities have been found in software and know how to use them. Patching to the latest versions closes this avenue. Routine and consistent patching methods — not just crisis intervention — will be the method that works.

Separating the operational and management networks is another way to protect the overall system. If the management network needs administrative privileges, for instance, keeping those admins isolated and secure is important. Proactively watching those with elevated status and seeing who or what else is watching them, such as keyloggers or scrapers, can also make a big difference.

Phisher’s efforts resulted in the actor grabbing files out of the system. Had exfiltration monitoring been in place, it could have spotted this, perhaps before he gained control of critical information.

A determined adversary who has the time and skills will be able to breach an organization somehow. Knowing that the actor got in and understanding how the breach occurred, rather than just assuming it can’t happen, is critical to mounting an effective defense and remediation effort.

More from Risk Management

Working in the security clearance world: How security clearances impact jobs

2 min read - We recently published an article about the importance of security clearances for roles across various sectors, particularly those associated with national security and defense.But obtaining a clearance is only part of the journey. Maintaining and potentially expanding your clearance over time requires continued diligence and adherence to stringent guidelines.This brief explainer discusses the duration of security clearances, the recurring processes involved in maintaining them and possibilities for expansion, as well as the economic benefits of these credentialed positions.Duration of security…

Remote access risks on the rise with CVE-2024-1708 and CVE-2024-1709

4 min read - On February 19, ConnectWise reported two vulnerabilities in its ScreenConnect product, CVE-2024-1708 and 1709. The first is an authentication bypass vulnerability, and the second is a path traversal vulnerability. Both made it possible for attackers to bypass authentication processes and execute remote code.While ConnectWise initially reported that the vulnerabilities had proof-of-concept but hadn’t been spotted in the wild, reports from customers quickly made it clear that hackers were actively exploring both flaws. As a result, the company created patches for…

Researchers develop malicious AI ‘worm’ targeting generative AI systems

2 min read - Researchers have created a new, never-seen-before kind of malware they call the "Morris II" worm, which uses popular AI services to spread itself, infect new systems and steal data. The name references the original Morris computer worm that wreaked havoc on the internet in 1988.The worm demonstrates the potential dangers of AI security threats and creates a new urgency around securing AI models.New worm utilizes adversarial self-replicating promptThe researchers from Cornell Tech, the Israel Institute of Technology and Intuit, used what’s…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today