On Saturday a transparency collective named “Distributed Denial of Secrets” tweeted that they have released a massive data set from a recent breach. Over 2 terabytes of data have been released, hosted by DDoS and distributed via torrents. Alongside the data dump, the hacker published a manifesto and hacking guide called “HackBack - A DIY Guide to rob banks”. The hacker, who goes by Phineas Fisher, originally wrote the HackBack guide in Spanish; however, this morning I found a translated copy. Unfortunately it’s been removed from PasteBin as of this writing, but the Spanish version is still available on DDoS’s site.
UnicornRiot has a great write-up on the breach in general, which is also worth a read.
When thinking about this breach, the things that stuck out for me were the ways in which her manifesto, methodology, and guidance were strangely aligned with some of the ideas that we’ve been exploring here at ReThinkSecurity.
I am not an APT with a team of coders who can make me customized tools. I am a simple person who subsists on what the terminal gives
I love this quote. So many hackers are overly reliant on tools, but the basic capabilities built into the terminal can be incredibly powerful. There are a huge number of open source tools that can make these attacks easier, but the way she handled 2FA and credential theft is novel and expertly crafted.
I did not set out to hack a specific bank, what I wanted was to hack any bank, which ends up being a much simpler task.
Jason wrote that you don’t have to outrun the bear, you just have to outrun the person next to you. There is no such thing as a perfectly secure application. In this writeup Phineas writes that she put together a script to comb through hundreds of potential targets and then searched the list for something interesting (meaning easy to attack). The Cayman Islands bank sounded like the most interesting target, so that’s the one she decided to exploit. Your takeaway: make sure your systems are more secure than your neighbors’. You don’t want to be the low-hanging fruit.
The reality, that is, the fact that it took me two weeks to realize that it was trivially exploitable with shellshock, is perhaps less flattering to me, but I think it is also more inspiring. Shows that you can really do this for yourself.
Making sure that your systems are secured and kept up to date through patching is a critical component of outrunning the hackers. Shellshock is a family of vulnerabilities in the Bash shell that allow an attacker to execute arbitrary commands. A patch was released relatively quickly, but rolling patches out across a massive server fleet can be difficult. We’re still finding this vulnerability in the wild.
I didn’t get anywhere with Hacking Team, but I was lucky with Gamma Group, and I was able to hack their customer support portal with basic sql injection and file upload vulnerabilities.
Understanding and mitigating SQL injection is still a critical component of application security. SQL injection can lead to massive data breaches and even command execution on the database host. Make sure your developers are trained to protect against this vulnerability and understand its importance and impact.
So I studied and practiced (see section 11), until I felt I was ready to pay a visit to Hacking Team almost a year later. The practice paid off, and this time I was able to make a complete commitment from the company [7]. Before I realized that I could enter with shellshock, I was willing to spend happy whole months of life studying exploit development and writing a reliable exploit for one of the memory corruption vulnerabilities I had encountered.
Hackers will always go deep. Their dedication to understanding the details of the technology, building complete knowledge of the system they’re attacking, is very impressive. I love the idea that she was ready to dedicate months to studying exploit development to make this attack happen.
Following the investigation they did about the hacking, I found it interesting to see that, by the same time I did it, the bank could have been compromised by someone else through a targeted phishing email [1]. As the old saying goes, “give a man an exploit and he will have access for a day, teach phishing and he will have access all his life.” Social engineering and phishing cannot be overstated as an attack vector. We want to believe and trust that people are good and aren’t trying to manipulate us, but it’s very important to remember that these people and attacks do exist. I wrote about this recently in the Deconstructing a Sexploitation Attack post.
They were using a remote Citrix app from the Bottomline company [4] to access the SWIFT network, where each payment message SWIFT MT103 had to go through three employees: one to “create” the message, one to “verify” it, and another to “authorize it.” Since I already had all their credentials thanks to the keylogger, I could easily perform all three steps myself.
I like this comment because the three-employee approval for a SWIFT transaction was clearly put in place in response to a perceived threat. They were worried that one of the people involved could be a bad actor, or that their credentials might be compromised. Since Phineas had all three sets of credentials, she was able to quickly authorize the transfer herself. Going through the process of thoroughly threat modeling the system would have identified this issue, I believe.
[6 - Send the money] I had no idea what I was doing, so I was discovering it along the way.
This section was fascinating. She outlines a number of mistakes and blunders that she made up front as she explored the system. All of these failures should have been detected through proper logging and auditing systems or daily reviews of SWIFT transfers. Something will go wrong; what will you do when it does? Do you have the systems in place to detect an attack in progress?
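The three-role MT103 workflow and the logging gap discussed in the last two comments are easy to turn into a concrete check. The example below is added here and is not code from the HackBack guide, the bank, or this blog; the step names, host fields and audit log lines are constructed for illustration. It enforces the bank’s “three distinct users” rule and then adds the detection the bank apparently lacked: three approvals from one workstation within a few minutes, which is exactly what a single attacker holding all three stolen credentials looks like in the audit trail.

```python
# Added example: separation-of-duties check plus a log-based detector for a
# SWIFT MT103 create/verify/authorize workflow. All names and log lines are
# constructed; nothing here is the bank's or Phineas Fisher's code.
from collections import defaultdict
from datetime import datetime, timedelta

STEPS = ("create", "verify", "authorize")

# Constructed audit log: "<timestamp> <reference> <step> <user> <workstation>"
AUDIT_LOG = """\
2016-01-10T09:02:11 MT103-0001 create alice ws-17
2016-01-10T09:40:52 MT103-0001 verify bob ws-22
2016-01-10T10:15:03 MT103-0001 authorize carol ws-31
2016-01-10T02:13:40 MT103-0002 create alice ws-17
2016-01-10T02:14:09 MT103-0002 verify bob ws-17
2016-01-10T02:14:41 MT103-0002 authorize carol ws-17
2016-01-10T11:00:00 MT103-0003 create alice ws-17
2016-01-10T11:05:00 MT103-0003 authorize alice ws-17
"""

def four_eyes_ok(steps):
    """The control the bank had: all three steps, in order, by three distinct users."""
    return (tuple(s["step"] for s in steps) == STEPS
            and len({s["user"] for s in steps}) == 3)

def flag_shared_session(steps, window=timedelta(minutes=10)):
    """The control the bank lacked: distinct users are not enough when every
    approval originates from the same workstation within a short window."""
    if not four_eyes_ok(steps):
        return "rejected: duplicate or missing role"
    hosts = {s["host"] for s in steps}
    times = sorted(datetime.fromisoformat(s["ts"]) for s in steps)
    if len(hosts) == 1 and times[-1] - times[0] <= window:
        return f"alert: all three steps from {hosts.pop()} within {window}"
    return "ok"

def review(log_text):
    """Group audit lines by MT103 reference and give a verdict per message."""
    by_ref = defaultdict(list)
    for line in log_text.splitlines():
        ts, ref, step, user, host = line.split()
        by_ref[ref].append({"ts": ts, "step": step, "user": user, "host": host})
    return {ref: flag_shared_session(sorted(steps, key=lambda s: s["ts"]))
            for ref, steps in by_ref.items()}

if __name__ == "__main__":
    for ref, verdict in review(AUDIT_LOG).items():
        print(ref, verdict)
```

In a real deployment the workstation field would come from the Citrix session or SWIFT interface logs, and the alert would feed the same review queue as the failed transfer attempts the post mentions.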
The best way to learn to hack is by hacking. Put together a laboratory with virtual machines and start testing things, taking a break to investigate anything you don’t understand.
I just think this is a great sentiment. Learning to be a great security engineer or researcher can be overwhelming and difficult at times, but sticking with it and following your interests can really pay off in a massive way. Hopefully, for you it will pay off in a legitimate job helping to protect data, systems, and people’s finances, instead of paying off by making massive transfers to your cryptocurrency accounts.