/ ____// /    / ____/| |/ / /  _// __ \ /  _// ____/

          / /_   / /    / __/   |   /  / / / / / / / / / __/   

         / __/  / /___ / /___  /   | _/ / / /_/ /_/ / / /___   

        /_/    /_____//_____/ /_/|_|/___//_____//___//_____/   

                         brought to you by

           __                                 __  ___                          

          / /  ___  ___   ___  ___ _ ____ ___/ / / _ ) ___  __ __              

         / /__/ -_)/ _ \ / _ \/ _ `// __// _  / / _  |/ _ \/ // /              

        /____/\__/ \___// .__/\_,_//_/   \_,_/ /____/ \___/\_, /               

                       /_/                                /___/       

                                       __

                        ___ _ ___  ___/ /                                              

                       / _ `// _ \/ _  /                                               

                       \_,_//_//_/\_,_/                                                

  __   __         ___                       __   _                     

 / /_ / /  ___   / _ \ ___  ____ ___  ___  / /_ (_)____ ___   ___   ___

/ __// _ \/ -_) / // // -_)/ __// -_)/ _ \/ __// // __// _ \ / _ \ (_-<

\__//_//_/\__/ /____/ \__/ \__/ \__// .__/\__//_/ \__/ \___//_//_//___/

Brazil's numero uno hacking group  /_/  A familia! A movimento!

BTC GO HERE: 13XWdkW5sff2tUHauoEU4dKiigiMScEr7q

Twitter:@fleximinx (for now)

==========================================================================

--[1: Introduction]-------------------------------------------------------

Hello, all!

Since FlexiSpy burnt their entire network driving us out, we think it's

time for us to release our HowTo guide for aspiring hackers, about what we

did, and how you can do it, too.

This is going out there to help people learn how to hack and how to defend

themselves, as is traditional after these types of hacks.

There are lots of articles out there written by other talented

hackers that would serve as excellent introductions, but we'd be remiss 

if we didn't include Phineas Fisher's articles, which are fantastic

introductions [1][2][3]. They cover things like how to stay safe and many

of the basics, including many techniques we used to compromise

FlexiSpy/Vervata/etc. So read them and soak them up.

[1] http://pastebin.com/raw/cRYvK4jb

[2] http://pastebin.com/raw/GPSHF04A

[3] http://pastebin.com/raw/0SNSvyjJ (the previous link, translated into

Gringo)

--[2: Recon]--------------------------------------------------------------

Just like Phineas, our initial tactic was to run fierce against both

vervata.com and flexispy.com, then do some whois lookups to enumerate the

entire IP space.

You can see the output of fierce (post-hack, sadly depleted after we stole

their DNS) below:

192.168.2.231   portal.vervata.com

58.137.119.230  www.vervata.com

180.150.144.84  api.flexispy.com

180.150.144.84  admin.flexispy.com

180.150.144.83  affiliate.flexispy.com

180.150.144.83  affiliates.flexispy.com

180.150.144.83  blog.flexispy.com

180.150.156.197 client.flexispy.com

180.150.144.82  community.flexispy.com

58.137.119.229  crm.flexispy.com

54.246.87.5     d.flexispy.com

216.166.17.139  demo.flexispy.com

180.150.144.86  direct.flexispy.com

180.150.144.85  ecom.flexispy.com

54.169.162.58   log.flexispy.com

180.150.147.111 login.flexispy.com

68.169.52.82    mail.flexispy.com

68.169.52.82    mailer.flexispy.com

180.150.144.86  mobile.flexispy.com

180.150.156.197 monitor.flexispy.com

180.150.144.87  portal.flexispy.com

68.169.52.82    smtp.flexispy.com

180.150.146.32  support.flexispy.com

75.101.157.123  test.flexispy.com

180.150.144.83  www.flexispy.com

They had several servers situated behind Cloudflare, which was a problem.

Cloudflare unfortunately has a pretty effective WAF that, while nowhere

near guaranteed to put an end to any fun, does almost guarantee that it'll

be a lot more difficult and require a lot of configuring any automated

tools to avoid setting it off. We had time, though, and looking at that

list, what hostname seems immediately interesting?

Yes, that's right. It's admin.flexispy.com. Probably an admin panel.

--[3: Level 1]------------------------------------------------------------

Now that we had a target, it was time to go to work.

We tried some SQL injection on the login page [1]. We didn't get anywhere,

but this wasn't very surprising. It's not 2010 any more; SQL injection is a

widely-known attack, and most tutorials now teach people how to not end up

introducing simple vulnerabilities into software.

It still happens. You just can't rely on it.

So, out of boredom, we tried some common default credentials. admin:admin,

administrator:administrator, the usual culprits. Imagine our surprise when

test:test are valid. 

We log in and look around. It's one user, tied to a gmail address. They

have one license, which seems like a dead test device.

There's some functionality there that throws you into what appears to be 

the customer interface over at mobilebackup.biz using some

oauth/single-sign-on functionality. There's also functionality for viewing

user details, looking at license details, and editing user details like

username, password, and so on. 

The URL looks like this: 

https://admin.flexispy.com/secure/employee/editEmployee?employeeId=1

Of course, because we're not dealing with people concerned about security,

you can just change the Id=1 to Id=2. And that'll show you another user's

details. And let you reset their password on the customer interface.

We played around with that for a couple of hours, and then we wrote a very

simple script that just used curl to request every single ID up to

99999, which was the upper limit. We repackaged this into a nice text file

and did some grepping to see if there were interesting customers (there

were several), before getting bored and moving on. There's only so much you

can do with customer lists, and that probably wasn't going to be enough to

kill FlexiSpy.

[1] https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)

--[4: Level 2]------------------------------------------------------------

Next, we decided to use nmap to scan their office ranges. We'd found these

through our earlier fierce scan, and you can see them below.

58.137.119.224 -  58.137.119.239

202.183.213.64 -  202.183.213.79

There were a few SSH servers running, a Microsoft Exchange server, and some

RDP, along with a few websites which mostly seemed to be hosting WildFly 

default pages, and one CRM instance. 

Those were interesting, because it indicated there was both Linux and 

Windows on their internal network, which gave us options once we got 

inside. For now, though, we didn't have access, so we looked to see what

else there was. On one server, port 8081, there appeared to be a Sonatype

Nexus repository with some jar files sitting in it, which appeared to be

for the command-and-control web applications. We assume that FlexiSpy put

them there deliberately for resellers to take and install on their servers.

What's a group of shadowy, amorphous internet vigilantes to do but sit and

spend a little bit of time reversing them? We pulled out our copies of 

procyon, a fantastic decompiler for Java [1] and got to work.

We pulled our several interesting utilities; the first would be their

Mailchimp API key. This was fun, and let us see them sending out emails to

new customers (with nice, fresh, default passwords they encouraged the

customers to change). We had a look for vulnerabilities that might let us

do some SQL injection (again) or exploit the API somehow, but the code

didn't easily hand over any 0days to us.

What it did hand over, though, was a password, fairly simple, that looked

like it might be a shared, default password: tcpip123.

We sprayed this around against the SSH servers and the WildFly servers, 

but didn't have much luck.

Finally, we decided to try the CRM. Amazingly, we were able to compromise

an administrator account using the password we found. From there, we were

able to manipulate certain module installation functionalities into, 

eventually, letting us get remote code execution, and uploaded our shell. 

[1] https://bitbucket.org/mstrobel/procyon/wiki/Java%20Decompiler

--[5: Level 3]------------------------------------------------------------

So, there we were, sitting on a server inside FlexiSpy's internal network.

We weren't root, and the kernel was relatively new. We could have tried

using DirtyCow [1], but many of the publicly available exploits had a high

risk of frying the server, and the more reliable methods would require

creating a development VM identical to the CRM server, which would take

time which we were not sure we had. 

We dropped a simple tool that allowed us to proxy onto the internal

network, and we also placed a port scanner and an automated

credential-checking tool onto the server, and started scanning quietly for

port 22, 3389, and 23. 

Once we had a list of these, the first thing we did was deploy our SSH

scanner against them to test for the simple combination of root:tcpip123,

admin:tcpip123, and Administrator:tcpip123.

We were in luck. We had managed to compromise three of their NAS servers.

These were all Linux x86-64 machines, too, which meant we could deploy our 

tools on them with relative ease. We backdoored the NAS servers using some

code of our own devising, which we left running in-memory hidden as one 

of the existing services to avoid bringing any unwarranted attention down

on our heads.

From there, we spent several days scouring the systems. On one, we found

source code backups, on another, we found backups of home directories, HR

documents, corporate files, some SSH keys, password backups, internal

network diagrams, you pretty much name it, we had it. Many of these files

were quite out of date, but we were able to glean the password/username

combination to several servers (services:tcpip123 and services:**tcpip!23)

which also had sudo privileges. 

We stole SSH keys from a number of them, and tasked the Jenkins server 

to start pulling down all of their repositories, and send them off to a

server on the internet we controlled afterwards.

We also noticed we had access to the Domain Controller for all of the

Windows domains, so we dropped some malware on that, and started slowly

infecting devices and pulling credentials from memory. One of those sets of

credentials belonged to a member of staff in charge of IT, which gave us

access to the internal SharePoint server, which is always a house of fun. 

By this point, we realised that FlexiSpy didn't give a crap about security,

and in order to give us as many different points of access as possible, we

deployed Tor across the Linux infrastructure, setting up each server's SSHd

as a Hidden Service. We siphoned out as much as we could, stopping for a

few weeks to attempt to transfer the EDB files from the Exchange Server,

which were over 100GB in size. Eventually, we gave up, after trying several

times to exfiltrate them, because we felt if we kept going, we'd eventually

cause an alert loud enough that even FlexiSpy would notice.

Once that was done, we contacted Motherboard, gave them the interesting

files, and sat back with some popcorn. 

[1] https://dirtycow.ninja

--[6: BONUS LEVEL]--------------------------------------------------------

Wiping their servers was mostly a case of dding /dev/urandom all over all

their drives, but we did have to do that across several RAID devices on

their ESXi servers, which was one of the most frustrating things we've

attempted. 

Not even several hackers, armed with years of knowledge of 

UNIX, could enjoy trying to use ESXi. Eventually, after entering several

long and arcane enchantments, we were able to reformat and dd over the 

RAID devices. The rest was fairly simple.

We used the stolen credentials from the SharePoint, NAS devices, and other

places to log into Cloudflare, drop their account, then log into Rackspace,

and destroy their servers there, and log into their multiple Amazon

accounts, deleting as many S3 buckets of backups as we could find, before

killing all of those.

Finally, we redirected their domains to Privacy International, and went on

our merry way, pausing only to hijack a few twitter accounts and laugh at

FlexiSpy.

--[7: Hack Back!]---------------------------------------------------------

Firstly, we'd like to dedicate this to everyone who has ever been a victim

of Gamma, or FlexiSpy, or other surveillance tools. 

We've stolen every a great deal of source code, going back years. We are

hoping that signatures are going to be distributed, tools written to 

identify and remove infections, and we also hope that people will see that

this industry is really out there, is worth money, and that it's terribly,

terribly evil. 

We're just, like, this group of guys, you know? We can hack these people,

and we can expose their secrets, but it's up to everyone to make a

difference.

If you have reverse-engineering skills, please, put them to use here. And

not just with FlexiSpy. Take apart other malware samples, from other

vendors of the same scumware. 

If you have contacts in the antivirus or threat intelligence industry, 

push your colleagues to spend a little more time on these things. 

If you're a hacker, hack back.

If you're an ordinary person, stay safe. Watch how things progress, and see

what people are saying about how to detect FlexiSpy and protect yourselves.

Several researchers, such as Hacker Fantastic [1], Tek [2], and Ben [3] are

doing really good work.

If you're a spouseware vendor, we're coming for you. Stop, rethink your

life, kill your company, and be a better person.

Otherwise, you'll be seeing us soon.

[1] https://twitter.com/hackerfantastic

[2] https://twitter.com/tenacioustek

[3] https://twitter.com/Ben_RA