Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- ______ __ ______ _ __ ____ ____ ____ ______
- / ____// / / ____/| |/ / / _// __ \ / _// ____/
- / /_ / / / __/ | / / / / / / / / / / __/
- / __/ / /___ / /___ / | _/ / / /_/ /_/ / / /___
- /_/ /_____//_____/ /_/|_|/___//_____//___//_____/
- brought to you by
- __ __ ___
- / / ___ ___ ___ ___ _ ____ ___/ / / _ ) ___ __ __
- / /__/ -_)/ _ \ / _ \/ _ `// __// _ / / _ |/ _ \/ // /
- /____/\__/ \___// .__/\_,_//_/ \_,_/ /____/ \___/\_, /
- /_/ /___/
- __
- ___ _ ___ ___/ /
- / _ `// _ \/ _ /
- \_,_//_//_/\_,_/
- __ __ ___ __ _
- / /_ / / ___ / _ \ ___ ____ ___ ___ / /_ (_)____ ___ ___ ___
- / __// _ \/ -_) / // // -_)/ __// -_)/ _ \/ __// // __// _ \ / _ \ (_-<
- \__//_//_/\__/ /____/ \__/ \__/ \__// .__/\__//_/ \__/ \___//_//_//___/
- Brazil's numero uno hacking group /_/ A familia! A movimento!
- BTC GO HERE: 13XWdkW5sff2tUHauoEU4dKiigiMScEr7q
- Twitter:@fleximinx (for now)
- ==========================================================================
- --[1: Introduction]-------------------------------------------------------
- Hello, all!
- Since FlexiSpy burnt their entire network driving us out, we think it's
- time for us to release our HowTo guide for aspiring hackers, about what we
- did, and how you can do it, too.
- This is going out there to help people learn how to hack and how to defend
- themselves, as is traditional after these types of hacks.
- There are lots of articles out there written by other talented
- hackers that would serve as excellent introductions, but we'd be remiss
- if we didn't include Phineas Fisher's articles, which are fantastic
- introductions [1][2][3]. They cover things like how to stay safe and many
- of the basics, including many techniques we used to compromise
- FlexiSpy/Vervata/etc. So read them and soak them up.
- [1] http://pastebin.com/raw/cRYvK4jb
- [2] http://pastebin.com/raw/GPSHF04A
- [3] http://pastebin.com/raw/0SNSvyjJ (the previous link, translated into
- Gringo)
- --[2: Recon]--------------------------------------------------------------
- Just like Phineas, our initial tactic was to run fierce against both
- vervata.com and flexispy.com, then do some whois lookups to enumerate the
- entire IP space.
- You can see the output of fierce (post-hack, sadly depleted after we stole
- their DNS) below:
- 192.168.2.231 portal.vervata.com
- 58.137.119.230 www.vervata.com
- 180.150.144.84 api.flexispy.com
- 180.150.144.84 admin.flexispy.com
- 180.150.144.83 affiliate.flexispy.com
- 180.150.144.83 affiliates.flexispy.com
- 180.150.144.83 blog.flexispy.com
- 180.150.156.197 client.flexispy.com
- 180.150.144.82 community.flexispy.com
- 58.137.119.229 crm.flexispy.com
- 54.246.87.5 d.flexispy.com
- 216.166.17.139 demo.flexispy.com
- 180.150.144.86 direct.flexispy.com
- 180.150.144.85 ecom.flexispy.com
- 54.169.162.58 log.flexispy.com
- 180.150.147.111 login.flexispy.com
- 68.169.52.82 mail.flexispy.com
- 68.169.52.82 mailer.flexispy.com
- 180.150.144.86 mobile.flexispy.com
- 180.150.156.197 monitor.flexispy.com
- 180.150.144.87 portal.flexispy.com
- 68.169.52.82 smtp.flexispy.com
- 180.150.146.32 support.flexispy.com
- 75.101.157.123 test.flexispy.com
- 180.150.144.83 www.flexispy.com
- They had several servers situated behind Cloudflare, which was a problem.
- Cloudflare unfortunately has a pretty effective WAF that, while nowhere
- near guaranteed to put an end to any fun, does almost guarantee that it'll
- be a lot more difficult and require a lot of configuring any automated
- tools to avoid setting it off. We had time, though, and looking at that
- list, what hostname seems immediately interesting?
- Yes, that's right. It's admin.flexispy.com. Probably an admin panel.
- --[3: Level 1]------------------------------------------------------------
- Now that we had a target, it was time to go to work.
- We tried some SQL injection on the login page [1]. We didn't get anywhere,
- but this wasn't very surprising. It's not 2010 any more; SQL injection is a
- widely-known attack, and most tutorials now teach people how to not end up
- introducing simple vulnerabilities into software.
- It still happens. You just can't rely on it.
- So, out of boredom, we tried some common default credentials. admin:admin,
- administrator:administrator, the usual culprits. Imagine our surprise when
- test:test are valid.
- We log in and look around. It's one user, tied to a gmail address. They
- have one license, which seems like a dead test device.
- There's some functionality there that throws you into what appears to be
- the customer interface over at mobilebackup.biz using some
- oauth/single-sign-on functionality. There's also functionality for viewing
- user details, looking at license details, and editing user details like
- username, password, and so on.
- The URL looks like this:
- https://admin.flexispy.com/secure/employee/editEmployee?employeeId=1
- Of course, because we're not dealing with people concerned about security,
- you can just change the Id=1 to Id=2. And that'll show you another user's
- details. And let you reset their password on the customer interface.
- We played around with that for a couple of hours, and then we wrote a very
- simple script that just used curl to request every single ID up to
- 99999, which was the upper limit. We repackaged this into a nice text file
- and did some grepping to see if there were interesting customers (there
- were several), before getting bored and moving on. There's only so much you
- can do with customer lists, and that probably wasn't going to be enough to
- kill FlexiSpy.
- [1] https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)
- --[4: Level 2]------------------------------------------------------------
- Next, we decided to use nmap to scan their office ranges. We'd found these
- through our earlier fierce scan, and you can see them below.
- 58.137.119.224 - 58.137.119.239
- 202.183.213.64 - 202.183.213.79
- There were a few SSH servers running, a Microsoft Exchange server, and some
- RDP, along with a few websites which mostly seemed to be hosting WildFly
- default pages, and one CRM instance.
- Those were interesting, because it indicated there was both Linux and
- Windows on their internal network, which gave us options once we got
- inside. For now, though, we didn't have access, so we looked to see what
- else there was. On one server, port 8081, there appeared to be a Sonatype
- Nexus repository with some jar files sitting in it, which appeared to be
- for the command-and-control web applications. We assume that FlexiSpy put
- them there deliberately for resellers to take and install on their servers.
- What's a group of shadowy, amorphous internet vigilantes to do but sit and
- spend a little bit of time reversing them? We pulled out our copies of
- procyon, a fantastic decompiler for Java [1] and got to work.
- We pulled our several interesting utilities; the first would be their
- Mailchimp API key. This was fun, and let us see them sending out emails to
- new customers (with nice, fresh, default passwords they encouraged the
- customers to change). We had a look for vulnerabilities that might let us
- do some SQL injection (again) or exploit the API somehow, but the code
- didn't easily hand over any 0days to us.
- What it did hand over, though, was a password, fairly simple, that looked
- like it might be a shared, default password: tcpip123.
- We sprayed this around against the SSH servers and the WildFly servers,
- but didn't have much luck.
- Finally, we decided to try the CRM. Amazingly, we were able to compromise
- an administrator account using the password we found. From there, we were
- able to manipulate certain module installation functionalities into,
- eventually, letting us get remote code execution, and uploaded our shell.
- [1] https://bitbucket.org/mstrobel/procyon/wiki/Java%20Decompiler
- --[5: Level 3]------------------------------------------------------------
- So, there we were, sitting on a server inside FlexiSpy's internal network.
- We weren't root, and the kernel was relatively new. We could have tried
- using DirtyCow [1], but many of the publicly available exploits had a high
- risk of frying the server, and the more reliable methods would require
- creating a development VM identical to the CRM server, which would take
- time which we were not sure we had.
- We dropped a simple tool that allowed us to proxy onto the internal
- network, and we also placed a port scanner and an automated
- credential-checking tool onto the server, and started scanning quietly for
- port 22, 3389, and 23.
- Once we had a list of these, the first thing we did was deploy our SSH
- scanner against them to test for the simple combination of root:tcpip123,
- admin:tcpip123, and Administrator:tcpip123.
- We were in luck. We had managed to compromise three of their NAS servers.
- These were all Linux x86-64 machines, too, which meant we could deploy our
- tools on them with relative ease. We backdoored the NAS servers using some
- code of our own devising, which we left running in-memory hidden as one
- of the existing services to avoid bringing any unwarranted attention down
- on our heads.
- From there, we spent several days scouring the systems. On one, we found
- source code backups, on another, we found backups of home directories, HR
- documents, corporate files, some SSH keys, password backups, internal
- network diagrams, you pretty much name it, we had it. Many of these files
- were quite out of date, but we were able to glean the password/username
- combination to several servers (services:tcpip123 and services:**tcpip!23)
- which also had sudo privileges.
- We stole SSH keys from a number of them, and tasked the Jenkins server
- to start pulling down all of their repositories, and send them off to a
- server on the internet we controlled afterwards.
- We also noticed we had access to the Domain Controller for all of the
- Windows domains, so we dropped some malware on that, and started slowly
- infecting devices and pulling credentials from memory. One of those sets of
- credentials belonged to a member of staff in charge of IT, which gave us
- access to the internal SharePoint server, which is always a house of fun.
- By this point, we realised that FlexiSpy didn't give a crap about security,
- and in order to give us as many different points of access as possible, we
- deployed Tor across the Linux infrastructure, setting up each server's SSHd
- as a Hidden Service. We siphoned out as much as we could, stopping for a
- few weeks to attempt to transfer the EDB files from the Exchange Server,
- which were over 100GB in size. Eventually, we gave up, after trying several
- times to exfiltrate them, because we felt if we kept going, we'd eventually
- cause an alert loud enough that even FlexiSpy would notice.
- Once that was done, we contacted Motherboard, gave them the interesting
- files, and sat back with some popcorn.
- [1] https://dirtycow.ninja
- --[6: BONUS LEVEL]--------------------------------------------------------
- Wiping their servers was mostly a case of dding /dev/urandom all over all
- their drives, but we did have to do that across several RAID devices on
- their ESXi servers, which was one of the most frustrating things we've
- attempted.
- Not even several hackers, armed with years of knowledge of
- UNIX, could enjoy trying to use ESXi. Eventually, after entering several
- long and arcane enchantments, we were able to reformat and dd over the
- RAID devices. The rest was fairly simple.
- We used the stolen credentials from the SharePoint, NAS devices, and other
- places to log into Cloudflare, drop their account, then log into Rackspace,
- and destroy their servers there, and log into their multiple Amazon
- accounts, deleting as many S3 buckets of backups as we could find, before
- killing all of those.
- Finally, we redirected their domains to Privacy International, and went on
- our merry way, pausing only to hijack a few twitter accounts and laugh at
- FlexiSpy.
- --[7: Hack Back!]---------------------------------------------------------
- Firstly, we'd like to dedicate this to everyone who has ever been a victim
- of Gamma, or FlexiSpy, or other surveillance tools.
- We've stolen every a great deal of source code, going back years. We are
- hoping that signatures are going to be distributed, tools written to
- identify and remove infections, and we also hope that people will see that
- this industry is really out there, is worth money, and that it's terribly,
- terribly evil.
- We're just, like, this group of guys, you know? We can hack these people,
- and we can expose their secrets, but it's up to everyone to make a
- difference.
- If you have reverse-engineering skills, please, put them to use here. And
- not just with FlexiSpy. Take apart other malware samples, from other
- vendors of the same scumware.
- If you have contacts in the antivirus or threat intelligence industry,
- push your colleagues to spend a little more time on these things.
- If you're a hacker, hack back.
- If you're an ordinary person, stay safe. Watch how things progress, and see
- what people are saying about how to detect FlexiSpy and protect yourselves.
- Several researchers, such as Hacker Fantastic [1], Tek [2], and Ben [3] are
- doing really good work.
- If you're a spouseware vendor, we're coming for you. Stop, rethink your
- life, kill your company, and be a better person.
- Otherwise, you'll be seeing us soon.
- [1] https://twitter.com/hackerfantastic
- [2] https://twitter.com/tenacioustek
- [3] https://twitter.com/Ben_RA
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement