By Splunk August 25, 2014
On August 3, an unknown individual compromised a FinFisher support website, stole 40GB of documents and publicly leaked them to DropBox and to BitTorrent. FinFisher is a German subsidiary of Gamma International Gmbh, which sells the FinFisher suite of backdoors and the FinSpy command-and-control (C2) software to manage them. Although officially they claim to only sell to governments for law enforcement purposes, Citizen Lab has found:
… a growing body of evidence suggests that these tools are regularly obtained by countries where dissenting political activity and speech is criminalized. Our findings highlight the increasing dissonance between Gamma’s public claims that FinSpy is used exclusively to track “bad guys” and the growing body of evidence suggesting that the tool has and continues to be used against opposition groups and human rights activists.
This includes at least one case of a foreign government using FinSpy to spy on a US citizen living in the US.
There are already numerous write-ups about FinFisher and the stolen document horde, including Violet Blue’s summary on ZDNet. We’re going to focus on how the compromise happened, and examine a Pastebin paste posted by an anonymous individual claiming responsibility for the FinFisher hack and outlining exactly how they did it. Although we cannot determine if the paste was created by the FinFisher attacker or that the attack actually followed the presented outline, it is a plausible scenario and therefore useful for analyzing the possible methods used by hacktivists to perform a targeted attack.
The intrusion outline highlights several differences between hacktivist-style targeted compromises and Advanced Persistent Threat (APT) style state-sponsored targeted attacks. Whereas APT attacks usually utilize social engineering in the form of spearphishing or strategic web compromises to gain their initial foothold, hacktivist attacks such as this FinFisher attack orthe compromise of HBGary Federal by Anonymous often begin with attackers identifying vulnerabilities and exploiting website vulnerabilities. The FinFisher attacker leveraged significant URI patterns to identify the webdesign firm that created FinFisher’s website and compromised other customers to gain a collection of the design firm’s code. This demonstrates that the FinFisher attacker has a greater degree of skill and sophistication than many amateur hacktivists.
According to the paste, the attacker’s reconnaissance identified several critical security vulnerabilities in FinFisher’s website, including SQL injection, client-side validation for file uploads, and local file inclusion. Although providing validation of file uploads is a good security practice, because the developers coded it in Javascript the validation executes on the client-side and can be trivially bypassed. The attacker apparently first tried and failed to utilize the local file inclusion vulnerability to execute malicious code on the server, then turned to the SQL injection vulnerability. The attacker leveraged this vulnerability to retrieve the full source code of the website, which allowed them to identify a file upload vulnerability. The attacker also used the SQL injection vulnerability to retrieve customer account credentials from the database. Although the attacker does not note it specifically, the fact that they were able to retrieve and use customer credentials from the database implies that the passwords were being stored in cleartext. This is against security best practices, but appears in many data breach reports.
With legitimate credentials in hand and an unfiltered file upload feature in FinFisher’s support ticket system, the attacker was able to upload a PHP webshell. Once uploaded, the attacker used the webshell to gain user-level access to the webserver. This shows that the webserver was set to allow file execution permissions to the webserver’s upload directory. Denying execute permissions to file upload directories is a security best practice to hinder webshell usage, and could have interfered with the attacker’s progress.
Once the attacker gained a foothold in FinFisher’s network, they leveraged their user-level access to move laterally through their network to locate and obtain the data they were after. Although the attacker did not provide details as to how they accomplished this, they do note that the NFS and SMB protocols are good candidates to move through the compromised network. Ultimately the attacker only compromised two webservers: the support webserver and a QA webserver. They downloaded significant files from these webservers and released them to the public. Of significant interest is that the files from their QA webserver were encrypted and the attacker was either unable or unwilling to decrypt them or locate the encryption keys. Had FinFisher not utilized this security control, the compromise could have been significantly worse.
This demonstrates another significant difference between hacktivist-type intrusions and state-sponsored intrusions. The FinFisher attacker shows a degree of skill, but they do not show the degree of persistence that an APT actor would. The FinFisher attacker states that their objectives were:
1) Hack Gamma and obtain a copy of the FinSpy server software
2) Find vulnerabilities in FinSpy server
3) Scan the internet for, and hack, all FinSpy C&C servers
4) Identify the groups running them
5) Use the C&C server to upload and run a program on all targets telling them
who was spying on them
6) Use the C&C server to uninstall FinFisher on all targets
7) Join the former C&C servers into a botnet to DDoS Gamma Group
This is an ambitious plan, but when the attacker encountered obstacles to their lateral movement they gave up. In their words, “It was only after failing to fully hack Gamma and ending up with some interesting documents but no copy of the FinSpy server software that I had to make due with the far less lulzy backup plan of leaking their stuff while mocking them on twitter.” APT actors tend to be much more persistent in achieving their goals. Instead of giving up, APT attackers would utilize any options at their disposal to penetrate deeper into the network. In similar intrusions, APT actors have utilized stolen documents to craft highly-targeted spearphishing emails, or placed web exploits on internal-facing webservers such as the compromised customer support or QA webservers. As the QA webserver is likely to be accessed by engineers, it would be the better choice if the attacker were interested in retrieving the FinSpy source code. Although the FinFisher attacker mentioned web exploits and spearphishing as suggestions for further intrusion, they did not attempt it and did not appear to consider the possibility of placing web exploits on the compromised internal servers.
Despite the industry’s focus on highly skilled APT threat actors, the truth is that if a company hasn’t taken care of the basics, even a moderately skilled attacker can find security vulnerabilities, compromise a portion of a network and cause a significant data breach. As the attacker themselves noted, “I wanted to show that the Gamma Group hack really was nothing fancy, just standard sqli, and that you do have the ability to go out and take similar action.” Hardening a network to slow an attacker’s progress and utilizing intrusion detection systems improve the ability of the incident response team to respond, minimize data theft, and remediate the intrusion.