
What Can IT Departments Learn From Hacking Team's Leaked Emails?

By OPSWAT

Among the revelations coming out of the massive data dump from the Hacking Team breach are emails showing that the FBI purchased services and products from Hacking Team for the purpose of identifying Tor users. With customers all across the world, it isn't surprising that the FBI is among them.
Apparently a small unit in the FBI purchased Hacking Team's Remote Control System (RCS), otherwise known as Galileo, as a sort of 'backup' for a primary tool. RCS is an impressive 'tool' that provides endpoint telemetry and surveillance of encrypted communications as long as it is installed on the target device.


Map of Hacking Team and FinSpy Clients - Image Credit: Electronic Frontier Foundation

The Hacking Team emails published and indexed on Wikileaks show that multiple techniques were used to get RCS onto a target's device. In the case of PC (as opposed to Android), the most common appear to be spear phishing and/or drive-by-download. Spear phishing is used to entice the target to open an attachment or click a link. In specific emails from the FBI, the infection vector used to identify a particular Tor user was a weaponized document or PDF attachment.

We'll need to send him an email with a document or PDF [attachment] to hopefully install the scout [Hacking Team's software]…

The Hacking Team relies on the fact that given sufficient time and resources in preparation, a malicious or questionable file can evade detection by antivirus and even sandbox analysis for a time. In the case of the FBI, identifying the Tor user they were watching didn't require much more than an IP address.

…if he is using TBB you will get the real IP address of the target.

With such a small set of behaviors programmed into the initial payload, even heuristic and sandbox detection cannot reliably identify the file as malicious or even spyware.
There are security technologies that can disarm the embedded threats found in weaponized documents and PDFs. However, given that this target was approached with spear phishing, they would most likely drop their guard just long enough to activate the file and let the FBI get what they need without employing one of these sanitization tools.

For those of us not trying to remain anonymous on TOR and evade the FBI, an attacker would use spyware or a Trojan to do a lot more than just collect an IP address. Thankfully(?) that makes the malware easier to detect, especially with heuristics.

What Can IT Learn From This?

  1. Your devices are more vulnerable than you think.
  2. Spear phishing can trick even the most cautious users. Don't assume that you or your users are safe.
  3. Scanning files when they are downloaded or first enter the network isn't sufficient in all cases, even when using multiple antivirus engines like Metascan Online.

Steps to Protect Your Endpoints:

  1. Monitor all of your endpoints, including personal devices, mobile and remote for compliance with security policies like maintaining a patched operating system, running a properly configured antivirus, encrypting the hard disk, and more.
  2. Encourage or enforce the usage of browser anti-malware and anti-phishing protection. This often overlooked layer of security can be extremely effective in preventing drive-by-downloads and phishing attempts. Chrome has one of the best protection mechanisms, with the other major browsers, notably Microsoft Edge, not far behind. OPSWAT Gears is able to monitor and enforce this setting on managed and unmanaged PCs and Macs, whether provided by the browser or a third-party plugin.
  3. Periodically scan your endpoints with advanced threat detection tools like Metascan Online. Just because a malicious file may slip through your initial defenses from time to time doesn't mean it can't be found quickly thereafter. Like the Duqu malware, some threats keep a low profile to get on the network without detection and then use binary patching and other techniques to 'upgrade' themselves into more dangerous forms. Performing a daily scan of running processes and DLLs can catch these otherwise evasive files. OPSWAT Gears provides a daily scan with 44+ anti-malware engines for all devices.
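As an added example (not OPSWAT's or Gears' code), the daily process/DLL scan from step 3 reduced to its detection core: hash every loaded module, keep yesterday's inventory as a baseline, and flag modules whose hash changed in place (the binary-patching 'upgrade' described above) or that were not present before. It assumes the list of loaded module paths comes from an endpoint agent; here a constructed temporary directory of fake modules stands in.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot_modules(paths):
    """Map each module path (DLL/EXE) to its SHA-256 hex digest; unreadable paths are skipped."""
    inventory = {}
    for p in paths:
        try:
            inventory[str(p)] = hashlib.sha256(Path(p).read_bytes()).hexdigest()
        except OSError:
            continue
    return inventory


def diff_inventories(baseline, current):
    """Compare today's inventory against yesterday's baseline.

    'patched': same path, different hash (modified in place, e.g. binary patching)
    'new':     module loaded today that the baseline never saw
    'missing': baseline module no longer loaded
    """
    patched = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    new = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return {"patched": patched, "new": new, "missing": missing}


def demo():
    """Constructed scenario: three modules at baseline; one is patched in place, one new one appears."""
    with tempfile.TemporaryDirectory() as d:
        mods = {n: Path(d, n) for n in ("kernel32.dll", "app.exe", "helper.dll")}
        for name, path in mods.items():
            path.write_bytes(b"MZ" + name.encode() + b"\x00" * 64)  # fake module bodies
        baseline = snapshot_modules(mods.values())
        # Simulate the low-profile payload 'upgrading' helper.dll and dropping a new module.
        mods["helper.dll"].write_bytes(b"MZ" + b"helper.dll" + b"\x90" * 64)
        dropped = Path(d, "dropped.dll")  # constructed name, not a real indicator
        dropped.write_bytes(b"MZ" + b"\xcc" * 32)
        current = snapshot_modules(list(mods.values()) + [dropped])
        report = diff_inventories(baseline, current)
        return {k: [os.path.basename(p) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    print(demo())
```

Modules reported under 'patched' or 'new' are the ones worth submitting to a multi-engine scan, since an unchanged hash that was already clean yesterday needs no second look.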

