Tuesday, July 7, 2015

Ethiopia: Hacking Team hacked, attackers claim 400GB in dumped data

Firm made famous for helping governments spy on their citizens left exposed
On Sunday, while most of Twitter was watching the Women’s World Cup – an amazing game from start to finish – one of the world’s most notorious security firms was being hacked.
Specializing in surveillance technology, Hacking Team is now learning how it feels to have their internal matters exposed to the world, and privacy advocates are enjoying a bit of schadenfreude at their expense.
Hacking Team is an Italian company that sells intrusion and surveillance tools to governments and law enforcement agencies.
[Image: Hacking Team invoice]
The lawful interception tools developed by this company have been linked to several cases of privacy invasion by researchers and the media.
Reporters Without Borders has listed the company on its Enemies of the Internet index, due largely to Hacking Team’s business practices and its primary surveillance tool, Da Vinci.
[Image: Hacking Team’s Twitter account after the defacement]
It isn’t known who hacked Hacking Team; however, the attackers have published a Torrent file with 400GB of internal documents, source code, and email communications to the public at large.
In addition, the attackers have taken to Twitter, defacing the Hacking Team account with a new logo, biography, and published messages with images of the compromised data.
Salted Hash will continue to follow developments and update as needed.
Update 1: Christopher Soghoian says that based on the Torrent’s file listing, Hacking Team’s customers include South Korea, Kazakhstan, Saudi Arabia, Oman, Lebanon, and Mongolia. Yet, the company maintains that it does not do business with oppressive governments.
[Image: invoice for exploits sold to Egypt]
Update 2: Researchers have started to post items from the released Torrent file. One such item is this invoice for 58,000 Euro to Egypt for Hacking Team’s RCS Exploit Portal.
Update 3: The video below is a commercial for Hacking Team’s top tool Da Vinci.
An email from a person linked to several domains allegedly tied to the Meles Zenawi Foundation (MZF), Ethiopia’s Prime Minister until his death in 2012, was published Sunday evening as part of the cache of files taken from Hacking Team.
In the email, Biniam Tewolde offers his thanks to Hacking Team for their help in getting a high value target.
Around the time the email was sent, which was eight months after the Prime Minister’s death, Tewolde had registered eight different MZF-related domains. Given the context of the email and the sudden appearance (and disappearance) of the domains, it’s possible all of them were part of a phishing campaign to access the target. Who the high-value target is remains unknown.
An invoice leaked with the Hacking Team cache shows that Ethiopia paid $1,000,000 Birr (ETB) for Hacking Team’s Remote Control System, professional services, and communications equipment.
Update 5:
Hacking Team currently has, based on internal documents leaked by the attackers on Sunday evening, customers in the following locations:
Egypt, Ethiopia, Morocco, Nigeria, Sudan
Chile, Colombia, Ecuador, Honduras, Mexico, Panama, United States
Azerbaijan, Kazakhstan, Malaysia, Mongolia, Singapore, South Korea, Thailand
Uzbekistan, Vietnam, Australia, Cyprus, Czech Republic, Germany, Hungary
Italy, Luxemburg, Poland, Russia, Spain, Switzerland, Bahrain, Oman
Saudi Arabia, UAE
The list, and subsequent invoice for 480,000 Euro, disproves Hacking Team’s claims that they have never done business with Sudan. According to Human Rights Watch, Sudanese security forces have repeatedly and violently suppressed protestors demonstrating against the government, with more than 170 killed in 2013.
Update 6: Is Hacking Team awake yet?
It’s 0100 EST, so sometime soon, as Krypton Security’s Khalil Sehnaoui put it, someone in Italy is about to have a very bad day.
Late Sunday evening, the Twitter account used by Hacking Team was defaced, and a link to a 400GB Torrent file was posted. The file contains a number of newsworthy items, particularly when it comes to the questionable business relationships between Hacking Team and nations that aren’t known for their positive outlook on basic human rights.
New developments in the Hacking Team incident include the release of a document outlining the maintenance agreement status of various customers. The document, shared by SynAckPwn with Salted Hash, lists Russia and Sudan as clients, but instead of an ‘active’ or ‘expired’ flag on their account, the two nations are listed as “Not officially supported”.
The list of clients in the maintenance tracker is similar to the client list provided in the previous update. It’s worth mentioning that the Department of Defense is listed as not active, while the Drug Enforcement Agency (DEA) has a renewal in progress. The document notes that the FBI had an active maintenance contract with Hacking Team until June 30, 2015.
The 2010 contract between Hacking Team and the National Intelligence Centre (CNI) of Spain was released as part of the cache. According to records, CNI is listed as an active EU customer with a maintenance contract until 31 January 2016. At the time the contract was signed, the total financial consideration to Hacking Team is listed at 3.4 million Euros.
Hacking Team’s Christian Pozzi was personally exposed by the incident, as the security engineer’s password store from Firefox was published as part of the massive data dump. The passwords in the file are of poor quality, using a mix of easily guessed patterns or passwords that are commonly known to security engineers and criminal hackers. The websites indexed include social media (Live, Facebook, LinkedIn), financial (banks, PayPal), and network related (routers with default credentials).
However, Pozzi wasn’t the only one to have passwords leaked. Clients have had their passwords exposed as well, as several documents related to contracts and configurations have been circulating online. Unfortunately, the passwords that are circulating are just as bad as the ones observed in the Firefox file.
Here are some examples:
HTPassw0rd
Passw0rd!81
Passw0rd
Passw0rd!
Pas$w0rd
Rite1.!!
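The passwords above share two traits that make them trivial to crack: a dictionary word with single-character “leet” substitutions (0 for o, $ for s), and a short word padded with a digit or symbol suffix. The following checker is an added example, not code from the article or from Hacking Team; it undoes the substitutions and flags those patterns so a defender can audit a password set against them. The base wordlist and the strong sample password are constructed for illustration (a real deployment would load a breach-derived wordlist); the leaked samples are the ones quoted on this page.

```python
import re

# Constructed, deliberately tiny list of base words that weak passwords are built on.
# A production checker would load a breach-derived wordlist instead.
WEAK_BASES = ("password", "welcome", "letmein", "qwerty", "admin", "secret")

# Single-character substitutions that policies often credit as "complexity" but that
# cracking tools reverse with one rule. Assumed mapping; extend as needed.
LEET_MAP = str.maketrans(
    {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "$": "s", "@": "a", "7": "t", "!": "i"}
)

# Samples quoted in the article above.
LEAKED_SAMPLES = ("HTPassw0rd", "Passw0rd!81", "Passw0rd", "Passw0rd!", "Pas$w0rd", "Rite1.!!")


def normalize(password: str) -> str:
    """Lowercase and undo common leet substitutions so 'Pas$w0rd' becomes 'password'."""
    return password.lower().translate(LEET_MAP)


def letter_core(password: str) -> str:
    """Strip leading and trailing digits/punctuation, leaving the word the user typed."""
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)


def weaknesses(password: str) -> list[str]:
    """Return the list of reasons a password is weak; an empty list means none found."""
    reasons: list[str] = []
    if len(password) < 12:
        reasons.append("shorter than 12 characters")

    normalized = normalize(password)
    for base in WEAK_BASES:
        # Substring match catches prefixes such as the 'HT' in 'HTPassw0rd'.
        if base in normalized:
            reasons.append(f"built on common word '{base}'")
            break

    core = letter_core(password)
    # 'Rite1.!!' is a four-letter word with a tail of digits and symbols.
    if core != password and core.isalpha() and len(core) < 8:
        reasons.append("short word padded with digits/symbols")
    return reasons


def audit(passwords) -> dict[str, list[str]]:
    """Map each password to its weaknesses; only passwords with findings are returned."""
    return {pw: weaknesses(pw) for pw in passwords if weaknesses(pw)}


if __name__ == "__main__":
    for pw, reasons in audit(LEAKED_SAMPLES).items():
        print(f"{pw:12} -> {', '.join(reasons)}")
    # Constructed strong sample: long, no dictionary base, no padded-word shape.
    print("T7#vQ2m!xL9pR4wZ ->", weaknesses("T7#vQ2m!xL9pR4wZ") or "no findings")
```

All six leaked samples are flagged by at least two rules, which is the point: a policy that counts digits and symbols would have accepted every one of them, while a check that normalizes substitutions and looks at the underlying word rejects them immediately.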
Update 7:
Among the leaked documents shared by @SynAckPwn are client details, including a number of configuration and access documents. Based on the data, it appears that Hacking Team told clients in Egypt and Lebanon to use VPN services based in the United States and Germany.

Hacking Team hacked; leaked documents confirm sale of software to Sudan and Ethiopia

An unknown number of hackers accessed, downloaded and posted at least 400 GB-worth of documents from Hacking Team, a company often seen as aiding in human rights violations.
An unknown number of hackers accessed and posted at least 400 GB of the “offensive technology” manufacturer Hacking Team's internal documents, emails, slideshow presentations, and more, on Sunday evening. Up until now, the company hadn't confirmed reports that its clients were using its technology for more insidious purposes, including to monitor national dissidents and journalists. The company had also never explicitly listed its clients, which now has been found to include the FBI and the U.S. Drug Enforcement Agency.
While the infamous technology firm was always known for selling technology that provided clients access to specific targets' devices and systems, the data breach tangibly proved many human rights groups' worries about the company and its deals.
Citizen Lab, for example, most recently wrote in March that Hacking Team's technology allowed the Ethiopian government to hack into the computers and accounts of Ethiopian Satellite Television (ESAT) employees based in the U.S. ESAT operates as an independent television and radio station.
The government had previously targeted journalists outside of Ethiopia, as well.
Now, a leaked clients list confirms the Information Network Security Agency in Ethiopia as a Hacking Team customer. The ledger states that the Ethiopian agency first purchased Hacking Team's technology in 2012, and so far, has spent roughly $829,200 to initially buy and then maintain the company's products.
Another leaked document, an invoice, appears to show that Hacking Team sold a “Remote Control System” to Sudan's National Intelligence and Security Services in 2012 for approximately $593,000. This apparent Sudanese deal could, if proven accurate, violate restrictive UN sanctions against the African country.
While the most damning discoveries from the breach might be these human rights violations and the client list, the breach also yielded an intimate look at the company's internal communications and procedures, along with a list of used passwords, some of which were as simple as “passw0rd.”
Details of the firm's technology leaked, too, such as a white paper on its “Remote Control System Exploit Portal,” which allows even “untrained personnel” to execute an exploitation on a target's device or system. Available exploits include public software vulnerabilities, zero-days, private vulnerabilities, and “social” exploits, or “errors by the human target in opening the document.”
The white paper, dated 2011, also claims that the portal always contains at least three zero-day exploits.
One person has come forward and claimed to be behind the attack on Hacking Team, as well as the 2014 attack on Gamma International's similar FinFisher software. The hacker, known as Phineas Fisher, confirmed to Motherboard that he was behind both attacks.
Hacking Team is also allegedly telling customers to stop using its technology, although another leaked document, the “crisis procedure,” indicates that the company could shut down every client's software remotely through a built-in backdoor.
The company's website went down earlier on Monday, but appeared to be running again at the time of this publishing.
Hacking Team has not responded to a request for comment and more findings are expected as researchers and curious onlookers continue wading through the data trove.
Source: scmagazine
