Last active February 15, 2018 23:01
______ __ ______ _ __ ____ ____ ____ ______
/ ____// / / ____/| |/ / / _// __ \ / _// ____/
/ /_ / / / __/ | / / / / / / / / / / __/
/ __/ / /___ / /___ / | _/ / / /_/ /_/ / / /___
/_/ /_____//_____/ /_/|_|/___//_____//___//_____/
brought to you by
__ __ ___
/ / ___ ___ ___ ___ _ ____ ___/ / / _ ) ___ __ __
/ /__/ -_)/ _ \ / _ \/ _ `// __// _ / / _ |/ _ \/ // /
/____/\__/ \___// .__/\_,_//_/ \_,_/ /____/ \___/\_, /
/_/ /___/
__
___ _ ___ ___/ /
/ _ `// _ \/ _ /
\_,_//_//_/\_,_/
__ __ ___ __ _
/ /_ / / ___ / _ \ ___ ____ ___ ___ / /_ (_)____ ___ ___ ___
/ __// _ \/ -_) / // // -_)/ __// -_)/ _ \/ __// // __// _ \ / _ \ (_-<
\__//_//_/\__/ /____/ \__/ \__/ \__// .__/\__//_/ \__/ \___//_//_//___/
Brazil's numero uno hacking group /_/ A familia! A movimento!
BTC GO HERE: 13XWdkW5sff2tUHauoEU4dKiigiMScEr7q
Twitter:@fleximinx (for now)
==========================================================================
--[1: Introduction]-------------------------------------------------------

Hello, all!

Since FlexiSpy burnt their entire network, driving us out, we think it's time for us to release our HowTo guide for aspiring hackers, about what we did, and how you can do it, too.

This is going out there to help people learn how to hack and how to defend themselves, as is traditional after these types of hacks.

There are lots of articles out there written by other talented hackers that would serve as excellent introductions, but we'd be remiss if we didn't include Phineas Fisher's articles, which are fantastic introductions [1][2][3]. They cover things like how to stay safe and many of the basics, including many techniques we used to compromise FlexiSpy/Vervata/etc. So read them and soak them up.

[1] http://pastebin.com/raw/cRYvK4jb
[2] http://pastebin.com/raw/GPSHF04A
[3] http://pastebin.com/raw/0SNSvyjJ (the previous link, translated into Gringo)
--[2: Recon]--------------------------------------------------------------

Just like Phineas, our initial tactic was to run fierce against both vervata.com and flexispy.com, then do some whois lookups to enumerate the entire IP space.

You can see the output of fierce (post-hack, sadly depleted after we stole their DNS) below:

192.168.2.231 portal.vervata.com
58.137.119.230 www.vervata.com
180.150.144.84 api.flexispy.com
180.150.144.84 admin.flexispy.com
180.150.144.83 affiliate.flexispy.com
180.150.144.83 affiliates.flexispy.com
180.150.144.83 blog.flexispy.com
180.150.156.197 client.flexispy.com
180.150.144.82 community.flexispy.com
58.137.119.229 crm.flexispy.com
54.246.87.5 d.flexispy.com
216.166.17.139 demo.flexispy.com
180.150.144.86 direct.flexispy.com
180.150.144.85 ecom.flexispy.com
54.169.162.58 log.flexispy.com
180.150.147.111 login.flexispy.com
68.169.52.82 mail.flexispy.com
68.169.52.82 mailer.flexispy.com
180.150.144.86 mobile.flexispy.com
180.150.156.197 monitor.flexispy.com
180.150.144.87 portal.flexispy.com
68.169.52.82 smtp.flexispy.com
180.150.146.32 support.flexispy.com
75.101.157.123 test.flexispy.com
180.150.144.83 www.flexispy.com

They had several servers situated behind Cloudflare, which was a problem. Cloudflare unfortunately has a pretty effective WAF that, while nowhere near guaranteed to put an end to any fun, does almost guarantee that it'll be a lot more difficult and require a lot of configuring of any automated tools to avoid setting it off. We had time, though, and looking at that list, what hostname seems immediately interesting?

Yes, that's right. It's admin.flexispy.com. Probably an admin panel.
--[3: Level 1]------------------------------------------------------------

Now that we had a target, it was time to go to work.

We tried some SQL injection on the login page [1]. We didn't get anywhere, but this wasn't very surprising. It's not 2010 any more; SQL injection is a widely-known attack, and most tutorials now teach people how to not end up introducing simple vulnerabilities into software.

It still happens. You just can't rely on it.

So, out of boredom, we tried some common default credentials. admin:admin, administrator:administrator, the usual culprits. Imagine our surprise when test:test is valid.

We log in and look around. It's one user, tied to a gmail address. They have one license, which seems like a dead test device.

There's some functionality there that throws you into what appears to be the customer interface over at mobilebackup.biz using some oauth/single-sign-on functionality. There's also functionality for viewing user details, looking at license details, and editing user details like username, password, and so on.

The URL looks like this:

https://admin.flexispy.com/secure/employee/editEmployee?employeeId=1

Of course, because we're not dealing with people concerned about security, you can just change the Id=1 to Id=2. And that'll show you another user's details. And let you reset their password on the customer interface.

We played around with that for a couple of hours, and then we wrote a very simple script that just used curl to request every single ID up to 99999, which was the upper limit. We repackaged this into a nice text file and did some grepping to see if there were interesting customers (there were several), before getting bored and moving on. There's only so much you can do with customer lists, and that probably wasn't going to be enough to kill FlexiSpy.

[1] https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)
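The bug behind that URL is a missing object-level authorization check (the class of flaw OWASP lists as Insecure Direct Object Reference), and a sweep of every employeeId up to 99999 leaves an unmistakable trace in the server's access log. The Python below is an added example, not code from this writeup or from FlexiSpy's panel: a minimal handler with the flaw beside the corrected one, and a detector that flags sessions which successfully fetch many distinct employeeId values. The employee table, the simplified log format, the session ids and the threshold are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed in-memory "employee table" standing in for the admin panel's
# database. Ids, names and addresses are made up for this example.
EMPLOYEES = {
    1: {"username": "test", "email": "test@example.invalid"},
    2: {"username": "alice", "email": "alice@example.invalid"},
    3: {"username": "bob", "email": "bob@example.invalid"},
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to see the requested record."""


def edit_employee_vulnerable(session_user_id, employee_id):
    """The flaw described in the text: the id comes straight from the query
    string and is used as the lookup key, so any logged-in user can read
    (and, in the real panel, edit) any other user's record."""
    return EMPLOYEES[employee_id]


def edit_employee_hardened(session_user_id, employee_id, is_admin=False):
    """Object-level authorization: the id from the URL is honoured only when
    it matches the authenticated user, or when the caller holds an admin role
    that the server established itself rather than inferring it from the URL."""
    if employee_id != session_user_id and not is_admin:
        raise Forbidden(f"user {session_user_id} may not access employee {employee_id}")
    record = EMPLOYEES.get(employee_id)
    if record is None:
        raise KeyError(employee_id)
    return record


def is_denied(session_user_id, employee_id, is_admin=False):
    """True when the hardened handler refuses the request."""
    try:
        edit_employee_hardened(session_user_id, employee_id, is_admin)
    except Forbidden:
        return True
    return False


# Detection side. Constructed access-log lines in a simplified format
# (timestamp, session id, request line, status); a real server log is parsed
# the same way with a regex matching its own format.
SAMPLE_LOG = [
    f'2018-02-15T10:00:{i:02d}Z session=abc "GET /secure/employee/editEmployee?employeeId={i} HTTP/1.1" 200'
    for i in range(1, 9)
] + [
    '2018-02-15T10:01:00Z session=xyz "GET /secure/employee/editEmployee?employeeId=2 HTTP/1.1" 200',
    '2018-02-15T10:01:05Z session=xyz "GET /secure/employee/editEmployee?employeeId=2 HTTP/1.1" 200',
    '2018-02-15T10:01:09Z session=xyz "GET /secure/employee/listEmployees HTTP/1.1" 200',
]

LOG_RE = re.compile(r'^(?P<ts>\S+) session=(?P<sess>\S+) "(?P<req>[^"]+)" (?P<status>\d{3})$')
ID_RE = re.compile(r"[?&]employeeId=(\d+)")


def find_enumerators(log_lines, threshold=5):
    """Return {session: number of distinct employeeIds} for every session that
    successfully fetched at least `threshold` different ids. A legitimate user
    touches a handful of records; a scripted sweep touches thousands."""
    ids_per_session = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group("status") != "200":
            continue
        idm = ID_RE.search(m.group("req"))
        if idm:
            ids_per_session[m.group("sess")].add(int(idm.group(1)))
    return {s: len(ids) for s, ids in ids_per_session.items() if len(ids) >= threshold}


if __name__ == "__main__":
    print(edit_employee_vulnerable(1, 2))   # leaks alice's record to user 1
    print(is_denied(1, 2))                   # True
    print(find_enumerators(SAMPLE_LOG))     # {'abc': 8}
```

The hardened handler ties the record to the session's own identity; the admin role is a second, explicit path, and in production it should be checked against the server-side session, never against anything the client sends. Note that the detector counts distinct ids per session, not requests, so a user refreshing one page is not flagged while a sweep is.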
--[4: Level 2]------------------------------------------------------------

Next, we decided to use nmap to scan their office ranges. We'd found these through our earlier fierce scan, and you can see them below.

58.137.119.224 - 58.137.119.239
202.183.213.64 - 202.183.213.79

There were a few SSH servers running, a Microsoft Exchange server, and some RDP, along with a few websites which mostly seemed to be hosting WildFly default pages, and one CRM instance.

Those were interesting, because it indicated there was both Linux and Windows on their internal network, which gave us options once we got inside. For now, though, we didn't have access, so we looked to see what else there was. On one server, port 8081, there appeared to be a Sonatype Nexus repository with some jar files sitting in it, which appeared to be for the command-and-control web applications. We assume that FlexiSpy put them there deliberately for resellers to take and install on their servers.

What's a group of shadowy, amorphous internet vigilantes to do but sit and spend a little bit of time reversing them? We pulled out our copies of procyon, a fantastic decompiler for Java [1], and got to work.

We pulled out several interesting utilities; the first would be their Mailchimp API key. This was fun, and let us see them sending out emails to new customers (with nice, fresh, default passwords they encouraged the customers to change). We had a look for vulnerabilities that might let us do some SQL injection (again) or exploit the API somehow, but the code didn't easily hand over any 0days to us.

What it did hand over, though, was a password, fairly simple, that looked like it might be a shared, default password: tcpip123.
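Shipping jars that embed an API key and a default password is the root cause of everything that follows in this writeup, and it is the kind of thing a build step can catch before an artifact reaches a repository. The Python below is an added example, not code from the writeup or from FlexiSpy: it walks a jar (a jar is a zip file), pulls printable strings out of every member the way the `strings` tool does, so that constants inside compiled .class files are covered as well as properties files, and matches them against a credential-assignment pattern and the Mailchimp key shape (32 hex characters, "-us", data-centre number). The sample jar, its member names and the secret values in it are constructed.

```python
import io
import re
import zipfile

# Patterns for the two kinds of secret the text says the jars gave up: an
# assignment to a password/key/token-like setting, and a Mailchimp API key,
# whose documented shape is 32 hex characters, "-us" and a data-centre number.
SECRET_PATTERNS = {
    "credential_assignment": re.compile(
        r'(?i)\b(?:password|passwd|pwd|secret|api[_.-]?key|token)\b\s*[=:]\s*["\']?([^\s"\']{4,})'
    ),
    "mailchimp_api_key": re.compile(r"\b[0-9a-f]{32}-us\d{1,2}\b"),
}

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")


def printable_runs(data):
    """Extract printable-ASCII runs of 8+ bytes from arbitrary bytes, like the
    `strings` tool, so string constants in .class files are scanned too."""
    return [run.decode("ascii") for run in PRINTABLE_RUN.findall(data)]


def scan_jar(jar_bytes):
    """Return [(member, pattern_name, matched_text)] for every secret-looking
    string found in any member of the jar."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if info.is_dir():
                continue
            data = jar.read(info.filename)
            for run in printable_runs(data):
                for name, pattern in SECRET_PATTERNS.items():
                    for m in pattern.finditer(run):
                        findings.append((info.filename, name, m.group(0)))
    return findings


def build_sample_jar():
    """Constructed test artifact: a tiny jar with a properties file holding a
    default database password and a fake .class member whose constant pool
    holds a Mailchimp-shaped key. Paths and values are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr(
            "config.properties",
            "db.url=jdbc:mysql://db.internal.example/crm\n"
            "db.user=services\n"
            "db.password=example-default-pw\n",
        )
        # Class-file magic, version bytes and a constant-pool tag wrapped
        # around a string literal; enough to exercise the strings extraction.
        jar.writestr(
            "com/example/Mailer.class",
            b"\xca\xfe\xba\xbe\x00\x00\x00\x34\x01\x00\x25"
            + b"0123456789abcdef0123456789abcdef-us13"
            + b"\x00\x00",
        )
        jar.writestr("com/example/Clean.class", b"\xca\xfe\xba\xbe\x00\x00\x00\x34java/lang/Object\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for member, kind, text in scan_jar(build_sample_jar()):
        print(f"{member}: {kind}: {text}")
```

Run as a pre-publish gate (fail the build when `scan_jar` returns anything), this catches both findings the text describes. It is deliberately pattern-based and will produce some false positives on words like "token" in ordinary strings; the fix for a real hit is the same either way: rotate the credential and move it out of the artifact into deployment-time configuration.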
We sprayed this around against the SSH servers and the WildFly servers, but didn't have much luck.

Finally, we decided to try the CRM. Amazingly, we were able to compromise an administrator account using the password we found. From there, we were able to manipulate certain module installation functionalities into, eventually, letting us get remote code execution, and uploaded our shell.

[1] https://bitbucket.org/mstrobel/procyon/wiki/Java%20Decompiler
--[5: Level 3]------------------------------------------------------------

So, there we were, sitting on a server inside FlexiSpy's internal network. We weren't root, and the kernel was relatively new. We could have tried using DirtyCow [1], but many of the publicly available exploits had a high risk of frying the server, and the more reliable methods would require creating a development VM identical to the CRM server, which would take time we were not sure we had.

We dropped a simple tool that allowed us to proxy onto the internal network, and we also placed a port scanner and an automated credential-checking tool onto the server, and started scanning quietly for ports 22, 3389, and 23.

Once we had a list of these, the first thing we did was deploy our SSH scanner against them to test for the simple combinations of root:tcpip123, admin:tcpip123, and Administrator:tcpip123.
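One shared default password tried as root, admin and Administrator against every SSH host on the network is a password spray, and it has a distinctive shape in sshd logs: a single source, only a few attempts per account, many distinct (host, user) targets, and then an "Accepted password" from the same source after the failures. The Python below is an added example, not code from the writeup or from any of the tools it mentions: it parses syslog-format sshd lines and summarizes per-source spraying. It assumes the hosts forward their auth logs to one collector so that cross-host counts are possible; the log lines, hostnames and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sshd log lines in syslog format, as they would arrive at a
# central log collector from several hosts. Hostnames and addresses are made up.
SAMPLE_AUTH_LOG = [
    "Feb 15 23:01:02 nas1 sshd[1234]: Failed password for root from 10.1.2.3 port 51000 ssh2",
    "Feb 15 23:01:03 nas1 sshd[1235]: Failed password for invalid user admin from 10.1.2.3 port 51001 ssh2",
    "Feb 15 23:01:05 nas2 sshd[2001]: Failed password for root from 10.1.2.3 port 51002 ssh2",
    "Feb 15 23:01:06 nas2 sshd[2002]: Accepted password for root from 10.1.2.3 port 51003 ssh2",
    "Feb 15 23:02:10 app1 sshd[3001]: Accepted publickey for deploy from 10.1.9.9 port 40000 ssh2",
    "Feb 15 23:02:11 app1 sshd[3002]: pam_unix(sshd:session): session opened for user deploy by (uid=0)",
]

SSHD_AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_auth_events(lines):
    """Yield one dict per Accepted/Failed authentication line; other sshd
    chatter (session open/close, pam messages) is ignored."""
    for line in lines:
        m = SSHD_AUTH_RE.match(line)
        if m:
            yield m.groupdict()


def find_password_sprays(lines, min_targets=3):
    """Group password-authentication attempts by source address. A spray is
    one source trying the same few passwords against many (host, user) pairs,
    so the signal is the number of distinct targets, not attempts per account.
    Key-based logins are ignored. Returns, for each source that touched at
    least `min_targets` distinct targets:
    {ip: {"targets": n, "failures": n, "successes": [(host, user), ...]}}"""
    per_source = defaultdict(lambda: {"targets": set(), "failures": 0, "successes": []})
    for ev in parse_auth_events(lines):
        if ev["method"] != "password":
            continue
        rec = per_source[ev["ip"]]
        rec["targets"].add((ev["host"], ev["user"]))
        if ev["result"] == "Failed":
            rec["failures"] += 1
        else:
            rec["successes"].append((ev["host"], ev["user"]))
    return {
        ip: {"targets": len(r["targets"]), "failures": r["failures"], "successes": r["successes"]}
        for ip, r in per_source.items()
        if len(r["targets"]) >= min_targets
    }


if __name__ == "__main__":
    for ip, summary in find_password_sprays(SAMPLE_AUTH_LOG).items():
        print(ip, summary)
```

A non-empty `successes` list for a flagged source is the line to page on: it means the spray found a host still running the shared default. Per-account lockout thresholds miss this pattern entirely because each account sees only one or two attempts, which is why the aggregation is by source across hosts. The configuration that removes the problem on the hosts themselves is `PermitRootLogin no` and `PasswordAuthentication no` in sshd_config, with unique credentials or keys per device.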
We were in luck. We had managed to compromise three of their NAS servers. These were all Linux x86-64 machines, too, which meant we could deploy our tools on them with relative ease. We backdoored the NAS servers using some code of our own devising, which we left running in-memory hidden as one of the existing services to avoid bringing any unwarranted attention down on our heads.

From there, we spent several days scouring the systems. On one, we found source code backups, on another, we found backups of home directories, HR documents, corporate files, some SSH keys, password backups, internal network diagrams, you pretty much name it, we had it. Many of these files were quite out of date, but we were able to glean the password/username combination to several servers (services:tcpip123 and services:**tcpip!23) which also had sudo privileges.

We stole SSH keys from a number of them, and tasked the Jenkins server to start pulling down all of their repositories, and send them off to a server on the internet we controlled afterwards.

We also noticed we had access to the Domain Controller for all of the Windows domains, so we dropped some malware on that, and started slowly infecting devices and pulling credentials from memory. One of those sets of credentials belonged to a member of staff in charge of IT, which gave us access to the internal SharePoint server, which is always a house of fun.

By this point, we realised that FlexiSpy didn't give a crap about security, and in order to give us as many different points of access as possible, we deployed Tor across the Linux infrastructure, setting up each server's SSHd as a Hidden Service. We siphoned out as much as we could, stopping for a few weeks to attempt to transfer the EDB files from the Exchange Server, which were over 100GB in size. Eventually, we gave up, after trying several times to exfiltrate them, because we felt if we kept going, we'd eventually cause an alert loud enough that even FlexiSpy would notice.

Once that was done, we contacted Motherboard, gave them the interesting files, and sat back with some popcorn.

[1] https://dirtycow.ninja
--[6: BONUS LEVEL]--------------------------------------------------------

Wiping their servers was mostly a case of dding /dev/urandom all over all their drives, but we did have to do that across several RAID devices on their ESXi servers, which was one of the most frustrating things we've attempted.

Not even several hackers, armed with years of knowledge of UNIX, could enjoy trying to use ESXi. Eventually, after entering several long and arcane enchantments, we were able to reformat and dd over the RAID devices. The rest was fairly simple.

We used the stolen credentials from the SharePoint, NAS devices, and other places to log into Cloudflare, drop their account, then log into Rackspace, and destroy their servers there, and log into their multiple Amazon accounts, deleting as many S3 buckets of backups as we could find, before killing all of those.

Finally, we redirected their domains to Privacy International, and went on our merry way, pausing only to hijack a few twitter accounts and laugh at FlexiSpy.
--[7: Hack Back!]---------------------------------------------------------

Firstly, we'd like to dedicate this to everyone who has ever been a victim of Gamma, or FlexiSpy, or other surveillance tools.

We've stolen a great deal of source code, going back years. We are hoping that signatures are going to be distributed, tools written to identify and remove infections, and we also hope that people will see that this industry is really out there, is worth money, and that it's terribly, terribly evil.

We're just, like, this group of guys, you know? We can hack these people, and we can expose their secrets, but it's up to everyone to make a difference.

If you have reverse-engineering skills, please, put them to use here. And not just with FlexiSpy. Take apart other malware samples, from other vendors of the same scumware.

If you have contacts in the antivirus or threat intelligence industry, push your colleagues to spend a little more time on these things.

If you're a hacker, hack back.

If you're an ordinary person, stay safe. Watch how things progress, and see what people are saying about how to detect FlexiSpy and protect yourselves. Several researchers, such as Hacker Fantastic [1], Tek [2], and Ben [3], are doing really good work.

If you're a spouseware vendor, we're coming for you. Stop, rethink your life, kill your company, and be a better person.

Otherwise, you'll be seeing us soon.

[1] https://twitter.com/hackerfantastic
[2] https://twitter.com/tenacioustek
[3] https://twitter.com/Ben_RA
--[Mic Tap]---------------------------------------------------------------

Hello?

Is this thing on?

Friends, hackers, countrypeople, lend us your twitter and facebook feeds!

It's been a few days now since Motherboard have begun publishing the articles on Vervata/Flexispy/WeFeelSecure/DigitalEndpoint/Raysoft, and we really hope you've been enjoying the show so far. It's just the opening act, though, and there's more to come, so hold on.

For now, though, this is a mini-release on Flexispy. Nothing new. Nothing too revelatory. We don't want to spoil the show just yet.

But after the news of their links to both Gamma, and their terrible response, which basically shows total disdain for their customers (mind you, we can understand that), we feel like it's time to turn up the heat.

It's time to deal another blow to Flexispy. We've got a lot of these ready to roll, and some of them are going to be REAL brutal. It's a sad thing to do, but if you want to destroy an industry, you've gotta be scary.

So we'll be a little scary right now. The rest comes later.

release.zip can be found here:

https://mega.nz/#!pnBh1LqB!OsmIdcGYoSLi-Q0IEDp2Y7k4jT7RU81-T5TS43QyT28

HACK
THE
PLANET