Written By Josh Harriman And Presented By Ziften CEO Charles Leaver
Hacking Team Impacted By Absence Of Real Time Vulnerability Tracking
These days cyber attacks and data breaches are in the news all of the time – and not just for the high-value industries such as healthcare, finance, energy and retail. One especially intriguing incident was the breach of the Italian company Hacking Team. For those who don’t remember, Hacking Team (HT) is a business that specializes in surveillance software for government and police agencies that want to conduct covert operations. The programs created by HT are not your run-of-the-mill push-button remote-control tools or malware-style recording tools. One of their key products, code-named Galileo – better known as RCS (Remote Control System) – claimed to be able to do pretty much whatever you needed in terms of “controlling” your target.
Yet as skilled as they were at developing these programs, they were not able to keep others out of their own systems, or to find such vulnerabilities at the endpoint through vulnerability monitoring. In one of the most prominent breaches of 2015, HT was hacked, and the material taken and subsequently released to the public was huge – 400 GB in size. More notably, the material included very damaging information such as emails, client lists (with prices) that included countries blacklisted by the UN, and the crown jewels: source code. There was also in-depth documentation that included a couple of very effective 0-day exploits against Adobe Flash. Those 0-days were used soon after in cyber attacks against some Japanese businesses and United States federal government agencies.
The big question is: How could this happen to a company whose whole business is making software that is undetectable and finding or producing 0-day exploits for others to use? One would think a breach here would be next to impossible. Evidently, that was not the case. Currently there is not a lot to go on regarding how this breach took place. We do know, however, that someone has claimed responsibility, and that individual (or team) is not new to getting into places similar to HT. In August 2014, another security company was hacked and sensitive files were released, similar to HT. This included client lists, prices, code, etc. That attack was against Gamma International, whose software was called FinFisher or FinSpy. A user by the name of “PhineasFisher” released 40 GB of data on Reddit and revealed that he/she was responsible. A post in July this year on their Twitter handle stated that they had also attacked HT. It seems that the message and purpose of these breaches and thefts was to make people aware of how these companies operate and who they sell to – a hacktivist attack. He did post some information about his methods, and some of these techniques were most likely used against HT.
A final question is: How did they break in, and exactly what safeguards could HT have implemented to prevent the breach? We do know from the released documents that users within HT had extremely weak passwords such as “P4ssword” or “wolverine.” In addition, one of the main employee systems where the theft may have occurred used the program TrueCrypt. However, once a user is logged in and the volumes are mounted, those hidden volumes are accessible to whatever is running in that session. No information has been released as of yet as to how the network was breached or how the attackers accessed the users’ systems in order to download the files. It is apparent, though, that companies need to have a service such as Ziften’s Constant Endpoint Visibility running in their environment. By monitoring all user and system activity, alerts could have been generated when an activity fell outside normal behavior. Examples are 400 GB of files being uploaded externally, or knowing when vulnerable software is running on exposed servers within the network. When an organization is making and selling advanced monitoring software – and holding unknown vulnerabilities in commercial products – a better plan should have been in place to minimize the damage.
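The egress-volume alert described above, as an added example in Python that is not Ziften’s code or anything from the HT material: each host’s median daily outbound bytes serves as its baseline, and a day far above that baseline is flagged. The host names and byte counts are constructed sample data.

```python
# Egress-volume baseline detector (added example, not Ziften's code).
# Median daily egress per host is the baseline; a day far above it is an alert.
from collections import defaultdict
from statistics import median

GB = 1024 ** 3

# Constructed per-host daily egress records: (host, day, bytes_out).
SAMPLE_RECORDS = [
    ("ws-dev-01", "2015-06-29", int(1.5 * GB)),
    ("ws-dev-01", "2015-06-30", 2 * GB),
    ("ws-dev-01", "2015-07-01", int(1.8 * GB)),
    ("ws-dev-01", "2015-07-02", int(2.2 * GB)),
    ("ws-dev-01", "2015-07-05", 400 * GB),  # the outlier day
    ("fs-01", "2015-06-29", 30 * GB),
    ("fs-01", "2015-06-30", 28 * GB),
    ("fs-01", "2015-07-01", 35 * GB),
    ("fs-01", "2015-07-02", 31 * GB),
    ("fs-01", "2015-07-05", 33 * GB),
]

def baseline_by_host(records, min_days=3):
    """Median daily egress per host; hosts with fewer than min_days samples are skipped."""
    per_host = defaultdict(list)
    for host, _day, nbytes in records:
        per_host[host].append(nbytes)
    return {h: median(v) for h, v in per_host.items() if len(v) >= min_days}

def find_egress_outliers(records, factor=10.0, min_days=3):
    """Return (host, day, ratio) for days whose egress is >= factor x the host baseline.

    The median keeps one huge day from inflating its own baseline, which a mean would do.
    """
    base = baseline_by_host(records, min_days)
    alerts = []
    for host, day, nbytes in records:
        if host not in base or base[host] == 0:
            continue
        ratio = nbytes / base[host]
        if ratio >= factor:
            alerts.append((host, day, round(ratio, 1)))
    return alerts

if __name__ == "__main__":
    for host, day, ratio in find_egress_outliers(SAMPLE_RECORDS):
        print(f"ALERT {host} {day}: egress {ratio}x above daily baseline")
```

The file server’s steady 30 GB days stay quiet while the workstation’s 400 GB day is flagged at 200x its own baseline; a mean-based baseline would have been dragged up by that same day and the ratio would fall below the threshold.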