The highly publicised recent hack of the Hacking Team, the company that provides spyware and surveillance technology to governments and law enforcement agencies, has put the issue of malware detection into the spotlight.
Widely criticised by privacy advocates for providing spyware to governments with poor human rights records, in July the Hacking Team itself became a target when unknown hackers spirited away 400 GB of data. The leaked cache of files included details of client dealings and the working source code of the company’s Remote Control Software (RCS) snooping tool.
This should represent a major red light for enterprise security professionals across the globe. Publication of the RCS source code puts it directly into the hands of professional hackers everywhere, potentially unleashing an explosion of backdoor advanced cyber-threats
Evaluating data from the Hacking Team breach does, however, provide a fascinating glimpse into the world of professional hackers. From the nuts and bolts of attack vectors to the technical infrastructure of the RCS spying tool itself, there are some key learning points enterprise security professionals should take away from the Hacking Team incident.
Anyone can be a victim of cyber attack – even ‘professional hackers’
If your data is valuable to you, chances are it will be of interest to someone else. Witness how the Hacking Team, purportedly a state-of-the-art professional hacking company, itself became the victim of determined and highly motivated hackers.
The way the breach was engineered is still not known. But similar attacks indicate what the likely entry point was: an employee that clicked on something they shouldn’t have; poor practice in relation to passwords; exploitation of a system vulnerability following the failure to apply a patch.
Clearly, securing the enterprise requires determined 24 x 7 real time monitoring and the rigorous application of numerous protocols. However, employees, partners and customers may not be so vigilant or security aware – and that risks opening the door to wider scale enterprise data compromise.
The Hacking Team’s methodology – a lesson for hackers everywhere
Using Hacking Team’s controversial RCS spyware tool, it’s possible to monitor the communications of internet users, download and decipher encrypted files and emails, intercept Skype and other VoIP communications, and even remotely activate microphones and cameras on target computers. All that source code is readily available on the web.
Perhaps the most valuable information to come out of the RCS code leak was the existence of multiple zero-day vulnerabilities in commonly used applications like Adobe Flash player, iOS, and Internet Explorer.
But while vendors like Microsoft and Adobe may have issued patches for leaked vulnerabilities, the Hacking Team’s internal secrets are now out in the open for others to evolve, modify and augment. Detection using traditional anti-virus technology will be pretty challenging from this point forward.
Worryingly, analysis of Facebook and Twitter page structures indicates these were often used to elicit interactions with malicious content. In other words, infections were often engineered by getting targets to click on a link or open an application or file.
It’s easy to be compromised – discovering the breach isn’t
Hacking Team invested significant time and resources to ensure targets remained unaware they had been compromised. The RCS tool contained multiple mechanisms to ensure potential targets were infected specifically – and once only. The infection server checked and evaluated the operating system, browser and visiting IP address parameters in order to determine whether or not to infect a target.
And when it came to covering tracks, the Hacking Team’s malware infrastructure was designed to utilise multiple anonymiser IP addresses acting as ‘collectors’ that fed back to a control server.
In other words, this malware represented an advanced and persistent threat that contained payloads for Android, Blackberry, Apple iOS, Linus, Mac OS X, Symbian as well as Microsoft Windows, Windows Mobile and Windows Phone class of operating systems.
Detecting data espionage – applying the lessons learned
The RedSocks Malware Intelligence Team has already been able to reverse engineer binaries within the leaked Hacking Team code and perform search queries that enable users of our Malware Threat Defender solution to identify if they’ve been a victim of this malware in the past.
What’s more, we’ve also been able to share data in the STiX format (Structured Threat Information Expression) with the wider security community that identifies which global IP addresses were used as ‘collectors’.
But this is a lesson for everyone responsible for the integrity of enterprise data. Malware of this nature is covert and designed to bypass and evade detection by firewalls and anti-virus software. Passing unnoticed into the enterprise utilising vulnerabilities in browsers, apps and operating systems – it awaits instructions to steal data.
Most enterprises will never suspect a thing, unless they are constantly monitoring the network for those little telltale ‘handshakes’ that occur the moment the malware ‘phones home’. And that’s the greatest lesson we can all learn from the Hacking Team hack.[su_box title=”About Ricky Gevers” style=”noise” box_color=”#336588″]Rickey Gevers is a security practitioner, researcher and consultant since 2004 . He has been actively involved in Anti-Malware defense and research since 1999 at both a corporate and international level.Gevers has research interests in malware automation and analysis, application security, secure software design and cybercrime. Education: He holds a bachelor degree in Computer Science and Specialized in Forensics, Incident Response, Reverse Engineering, Pentesting.
Companies he worked with: Internship at NFI -Netherlands Forensic Institute, Digital Investigation, currently employed at RedSocks.
He has contributed to the book: “Komt een vrouw bij de hacker” by Maria Genova. ( “A woman comes to the hacker” ), a book about identity thefts in the practice and he is actively involved in speaking at various security conferences in the Netherlands. His primary effort is to present new research ideas and and design flaws in software. “I sincerely believe in learning and sharing knowledge among security community.”[/su_box]