Written By Josh Harriman And Presented By Ziften CEO Chuck Leaver
Hacking Team Impacted By Absence Of Real Time Vulnerability Monitoring
These days cyber attacks and data breaches are in the news all the time, and not just for high-value industries such as health care, finance, energy and retail. One especially interesting event was the breach of the Italian company Hacking Team. For those who don’t recall, Hacking Team (HT) is a company that specializes in surveillance software for government and law enforcement agencies that wish to perform covert operations. The programs developed by HT are not run-of-the-mill remote control software or malware-style recording tools. One of their key products, code-named Galileo and better known as RCS (Remote Control System), claimed to be able to do practically anything you needed in terms of “managing” your target.
Yet as talented as they were at producing these programs, they were unable to keep others out of their own systems, or to identify such vulnerabilities at the endpoint through vulnerability monitoring. In one of the most prominent breaches of 2015, HT was hacked, and the material taken and subsequently released to the public was huge: 400 GB in size. More significantly, the material included truly damaging information such as emails, customer lists (with prices) that included countries blacklisted by the UN, and the crown jewels: source code. There were also detailed documents that included a few very effective 0-day exploits against Adobe and Flash. Those 0-days were used very soon afterwards in attacks against some Japanese businesses and US government agencies.
The big question is: how could this happen to a business whose sole purpose is to make software that is undetectable, and to find or create 0-day exploits for others to use? One would think a breach here would be next to impossible. Obviously, that was not the case. As of now there is not a lot to go on regarding how this breach happened. We do know, however, that somebody has claimed responsibility, and that individual (or team) is not new to breaking into places much like HT. In August 2014, another security company was hacked and sensitive files were released, much as with HT. This included customer lists, prices, code, and so on. That attack was against Gamma International, whose product was called FinFisher or FinSpy. A user by the name of “PhineasFisher” published 40 GB worth of data on Reddit and revealed that he/she was responsible. A post in July this year on their Twitter account stated that they had likewise taken down HT. It appears that the message and purpose of these breaches and thefts was to make people aware of how these businesses operate and who they sell to: a hacktivist attack. He did post some details of his methods, and a few of these techniques were likely used against HT.
A final question is: how did they break in, and what safety measures could HT have taken to avoid the theft? We do know from the released documents that users within HT had very weak passwords such as “P4ssword” or “wolverine.” In addition, one of the main employee systems where the theft might have occurred used the program TrueCrypt. However, when you are logged on and using the system, those hidden volumes are accessible. No information has been released at this time regarding how the network was infiltrated or how the users’ systems were accessed so that the files could be downloaded. It is apparent, though, that businesses need to have a service such as Ziften’s Continuous Endpoint Visibility running in their environment. By monitoring all user and system activity, alerts could have been generated when an activity fell outside of typical behavior. Examples include 400 GB of files being uploaded externally, or knowing when vulnerable software is running on exposed servers within the network. When an organization is making and delivering advanced surveillance software, and holding unknown vulnerabilities in commercial deliverables, a much better strategy needs to have been in place to limit the damage.
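The kind of check the last paragraph describes, alerting when a host's outbound volume falls outside its own typical behavior, can be sketched in a few dozen lines. The script below is an added example written for this page, not Ziften's product code or anything from the Hacking Team material. The log format (date, host, user, destination, bytes out), the host and user names, the destinations and the byte counts are all constructed; each host is compared against the median of its own prior daily totals using a median/MAD robust score, and an absolute ceiling catches a massive transfer even on a host with little history. The 400 GB figure from the article is used as the constructed outlier.

```python
"""Per-host egress baseline with outlier alerting over constructed transfer logs.

Added example, not Ziften code. Log lines are constructed as:
    <ISO date> <host> <user> <destination> <bytes_out>
"""
from collections import defaultdict
from statistics import median

# Constructed sample log (hypothetical hosts, users, destinations and volumes).
# ws-dev-07 normally sends ~300 MB/day, then pushes 400 GB to an external IP.
SAMPLE_LOG = """\
2015-06-01 ws-dev-07 alice cdn.example.net 310000000
2015-06-02 ws-dev-07 alice cdn.example.net 280000000
2015-06-03 ws-dev-07 alice mail.example.net 350000000
2015-06-04 ws-dev-07 alice cdn.example.net 290000000
2015-06-05 ws-dev-07 alice cdn.example.net 320000000
2015-06-06 ws-dev-07 alice 203.0.113.9 400000000000
2015-06-01 ws-dev-12 bob cdn.example.net 120000000
2015-06-02 ws-dev-12 bob cdn.example.net 150000000
2015-06-03 ws-dev-12 bob cdn.example.net 130000000
2015-06-04 ws-dev-12 bob mail.example.net 140000000
2015-06-05 ws-dev-12 bob cdn.example.net 125000000
2015-06-06 ws-dev-12 bob cdn.example.net 160000000
"""


def parse_log(text):
    """Parse the constructed log format into records; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        date, host, user, dest, nbytes = parts
        records.append({"date": date, "host": host, "user": user,
                        "dest": dest, "bytes": int(nbytes)})
    return records


def daily_totals(records):
    """Sum outbound bytes per (host, date)."""
    totals = defaultdict(int)
    for r in records:
        totals[(r["host"], r["date"])] += r["bytes"]
    return totals


def robust_score(value, history):
    """Median/MAD z-score of today's total against the host's own prior days.

    MAD is scaled by 1.4826 so it is comparable to a standard deviation; if the
    history is perfectly flat (MAD == 0) fall back to 10% of the median.
    """
    med = median(history)
    mad = median(abs(h - med) for h in history)
    scale = 1.4826 * mad if mad > 0 else max(0.1 * med, 1.0)
    return (value - med) / scale


def detect_egress_outliers(records, min_history=3, score_threshold=6.0,
                           absolute_bytes=50 * 10**9):
    """Return one alert per (host, day) whose outbound volume is anomalous.

    Two independent rules fire: a per-host baseline rule once the host has
    min_history prior days, and an absolute ceiling (default 50 GB) that does
    not depend on history at all.
    """
    per_host = defaultdict(list)
    for (host, date), nbytes in daily_totals(records).items():
        per_host[host].append((date, nbytes))

    alerts = []
    for host, days in per_host.items():
        days.sort()  # ISO dates sort chronologically as strings
        history = []
        for date, nbytes in days:
            reasons = []
            if nbytes >= absolute_bytes:
                reasons.append("absolute volume ceiling exceeded")
            if len(history) >= min_history:
                score = robust_score(nbytes, history)
                if score >= score_threshold:
                    reasons.append(f"robust score {score:.1f} vs host baseline")
            if reasons:
                alerts.append({"host": host, "date": date,
                               "bytes": nbytes, "reasons": reasons})
            history.append(nbytes)  # today's total joins the baseline
    return alerts


if __name__ == "__main__":
    for alert in detect_egress_outliers(parse_log(SAMPLE_LOG)):
        print(f"{alert['date']} {alert['host']} sent {alert['bytes']:,} bytes: "
              + "; ".join(alert["reasons"]))
```

The baseline rule deliberately uses the median and MAD rather than mean and standard deviation, so that a single huge day does not inflate the host's own baseline and mask a second one. In a real deployment the per-host history would come from the endpoint agent's network telemetry, and the absolute ceiling would be set per role (a build server legitimately pushes far more than a developer workstation).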