{"id":"xciuzd","deleted":false,"future_paste":false,"expired":false,"language":"text","created_at":"2017-04-24 20:25:00","expires_at":null,"content":"            ______ __     ______ _  __  ____ ____   ____ ______\r\n           \/ ____\/\/ \/    \/ ____\/| |\/ \/ \/  _\/\/ __ \\ \/  _\/\/ ____\/\r\n          \/ \/_   \/ \/    \/ __\/   |   \/  \/ \/ \/ \/ \/ \/ \/ \/ \/ __\/   \r\n         \/ __\/  \/ \/___ \/ \/___  \/   | _\/ \/ \/ \/_\/ \/_\/ \/ \/ \/___   \r\n        \/_\/    \/_____\/\/_____\/ \/_\/|_|\/___\/\/_____\/\/___\/\/_____\/   \r\n                                                       \r\n                         brought to you by\r\n           __                                 __  ___                          \r\n          \/ \/  ___  ___   ___  ___ _ ____ ___\/ \/ \/ _ ) ___  __ __              \r\n         \/ \/__\/ -_)\/ _ \\ \/ _ \\\/ _ `\/\/ __\/\/ _  \/ \/ _  |\/ _ \\\/ \/\/ \/              \r\n        \/____\/\\__\/ \\___\/\/ .__\/\\_,_\/\/_\/   \\_,_\/ \/____\/ \\___\/\\_, \/               \r\n                       \/_\/                                \/___\/       \r\n                                       __\r\n                        ___ _ ___  ___\/ \/                                              \r\n                       \/ _ `\/\/ _ \\\/ _  \/                                               \r\n                       \\_,_\/\/_\/\/_\/\\_,_\/                                                \r\n                                                                       \r\n  __   __         ___                       __   _                     \r\n \/ \/_ \/ \/  ___   \/ _ \\ ___  ____ ___  ___  \/ \/_ (_)____ ___   ___   ___\r\n\/ __\/\/ _ \\\/ -_) \/ \/\/ \/\/ -_)\/ __\/\/ -_)\/ _ \\\/ __\/\/ \/\/ __\/\/ _ \\ \/ _ \\ (_-<\r\n\\__\/\/_\/\/_\/\\__\/ \/____\/ \\__\/ \\__\/ \\__\/\/ .__\/\\__\/\/_\/ \\__\/ \\___\/\/_\/\/_\/\/___\/\r\nBrazil's numero uno hacking group  \/_\/  A familia! 
A movimento!\r\nBTC GO HERE: 13XWdkW5sff2tUHauoEU4dKiigiMScEr7q\r\nTwitter:@fleximinx (for now)\r\n\r\n==========================================================================\r\n--[1: Introduction]-------------------------------------------------------\r\n\r\nHello, all!\r\n\r\nSince FlexiSpy burnt their entire network driving us out, we think it's\r\ntime for us to release our HowTo guide for aspiring hackers, about what we\r\ndid, and how you can do it, too.\r\n\r\nThis is going out there to help people learn how to hack and how to defend\r\nthemselves, as is traditional after these types of hacks.\r\n\r\nThere are lots of articles out there written by other talented\r\nhackers that would serve as excellent introductions, but we'd be remiss \r\nif we didn't include Phineas Fisher's articles, which are fantastic\r\nintroductions [1][2][3]. They cover things like how to stay safe and many\r\nof the basics, including many techniques we used to compromise\r\nFlexiSpy\/Vervata\/etc. So read them and soak them up.\r\n\r\n[1] http:\/\/pastebin.com\/raw\/cRYvK4jb\r\n[2] http:\/\/pastebin.com\/raw\/GPSHF04A\r\n[3] http:\/\/pastebin.com\/raw\/0SNSvyjJ (the previous link, translated into\r\nGringo)\r\n\r\n--[2: Recon]--------------------------------------------------------------\r\n\r\nJust like Phineas, our initial tactic was to run fierce against both\r\nvervata.com and flexispy.com, then do some whois lookups to enumerate the\r\nentire IP space.\r\n\r\nYou can see the output of fierce (post-hack, sadly depleted after we stole\r\ntheir DNS) below:\r\n\r\n192.168.2.231   portal.vervata.com\r\n58.137.119.230  www.vervata.com\r\n\r\n180.150.144.84  api.flexispy.com\r\n180.150.144.84  admin.flexispy.com\r\n180.150.144.83  affiliate.flexispy.com\r\n180.150.144.83  affiliates.flexispy.com\r\n180.150.144.83  blog.flexispy.com\r\n180.150.156.197 client.flexispy.com\r\n180.150.144.82  community.flexispy.com\r\n58.137.119.229  crm.flexispy.com\r\n54.246.87.5     
d.flexispy.com\r\n216.166.17.139  demo.flexispy.com\r\n180.150.144.86  direct.flexispy.com\r\n180.150.144.85  ecom.flexispy.com\r\n54.169.162.58   log.flexispy.com\r\n180.150.147.111 login.flexispy.com\r\n68.169.52.82    mail.flexispy.com\r\n68.169.52.82    mailer.flexispy.com\r\n180.150.144.86  mobile.flexispy.com\r\n180.150.156.197 monitor.flexispy.com\r\n180.150.144.87  portal.flexispy.com\r\n68.169.52.82    smtp.flexispy.com\r\n180.150.146.32  support.flexispy.com\r\n75.101.157.123  test.flexispy.com\r\n180.150.144.83  www.flexispy.com\r\n\r\n\r\nThey had several servers situated behind Cloudflare, which was a problem.\r\nCloudflare unfortunately has a pretty effective WAF that, while nowhere\r\nnear guaranteed to put an end to any fun, does almost guarantee that it'll\r\nbe a lot more difficult and require a lot of configuring any automated\r\ntools to avoid setting it off. We had time, though, and looking at that\r\nlist, what hostname seems immediately interesting?\r\n\r\nYes, that's right. It's admin.flexispy.com. Probably an admin panel.\r\n\r\n--[3: Level 1]------------------------------------------------------------\r\n\r\nNow that we had a target, it was time to go to work.\r\n\r\nWe tried some SQL injection on the login page [1]. We didn't get anywhere,\r\nbut this wasn't very surprising. It's not 2010 any more; SQL injection is a\r\nwidely-known attack, and most tutorials now teach people how to not end up\r\nintroducing simple vulnerabilities into software.\r\nIt still happens. You just can't rely on it.\r\n\r\nSo, out of boredom, we tried some common default credentials. admin:admin,\r\nadministrator:administrator, the usual culprits. Imagine our surprise when\r\ntest:test are valid. \r\n\r\nWe log in and look around. It's one user, tied to a gmail address. 
They\r\nhave one license, which seems like a dead test device.\r\nThere's some functionality there that throws you into what appears to be \r\nthe customer interface over at mobilebackup.biz using some\r\noauth\/single-sign-on functionality. There's also functionality for viewing\r\nuser details, looking at license details, and editing user details like\r\nusername, password, and so on. \r\n\r\nThe URL looks like this: \r\nhttps:\/\/admin.flexispy.com\/secure\/employee\/editEmployee?employeeId=1\r\n\r\nOf course, because we're not dealing with people concerned about security,\r\nyou can just change the Id=1 to Id=2. And that'll show you another user's\r\ndetails. And let you reset their password on the customer interface.\r\n\r\nWe played around with that for a couple of hours, and then we wrote a very\r\nsimple script that just used curl to request every single ID up to\r\n99999, which was the upper limit. We repackaged this into a nice text file\r\nand did some grepping to see if there were interesting customers (there\r\nwere several), before getting bored and moving on. There's only so much you\r\ncan do with customer lists, and that probably wasn't going to be enough to\r\nkill FlexiSpy.\r\n\r\n[1] https:\/\/www.owasp.org\/index.php\/Testing_for_SQL_Injection_(OTG-INPVAL-005)\r\n\r\n--[4: Level 2]------------------------------------------------------------\r\n\r\nNext, we decided to use nmap to scan their office ranges. We'd found these\r\nthrough our earlier fierce scan, and you can see them below.\r\n\r\n58.137.119.224 -  58.137.119.239\r\n202.183.213.64 -  202.183.213.79\r\n\r\nThere were a few SSH servers running, a Microsoft Exchange server, and some\r\nRDP, along with a few websites which mostly seemed to be hosting WildFly \r\ndefault pages, and one CRM instance. \r\n\r\nThose were interesting, because it indicated there was both Linux and \r\nWindows on their internal network, which gave us options once we got \r\ninside. 
For now, though, we didn't have access, so we looked to see what\r\nelse there was. On one server, port 8081, there appeared to be a Sonatype\r\nNexus repository with some jar files sitting in it, which appeared to be\r\nfor the command-and-control web applications. We assume that FlexiSpy put\r\nthem there deliberately for resellers to take and install on their servers.\r\n\r\nWhat's a group of shadowy, amorphous internet vigilantes to do but sit and\r\nspend a little bit of time reversing them? We pulled out our copies of \r\nprocyon, a fantastic decompiler for Java [1] and got to work.\r\n\r\nWe pulled out several interesting utilities; the first would be their\r\nMailchimp API key. This was fun, and let us see them sending out emails to\r\nnew customers (with nice, fresh, default passwords they encouraged the\r\ncustomers to change). We had a look for vulnerabilities that might let us\r\ndo some SQL injection (again) or exploit the API somehow, but the code\r\ndidn't easily hand over any 0days to us.\r\n\r\nWhat it did hand over, though, was a password, fairly simple, that looked\r\nlike it might be a shared, default password: tcpip123.\r\nWe sprayed this around against the SSH servers and the WildFly servers, \r\nbut didn't have much luck.\r\n\r\nFinally, we decided to try the CRM. Amazingly, we were able to compromise\r\nan administrator account using the password we found. From there, we were\r\nable to manipulate certain module installation functionalities into, \r\neventually, letting us get remote code execution, and uploaded our shell. \r\n\r\n[1] https:\/\/bitbucket.org\/mstrobel\/procyon\/wiki\/Java%20Decompiler\r\n\r\n--[5: Level 3]------------------------------------------------------------\r\n\r\nSo, there we were, sitting on a server inside FlexiSpy's internal network.\r\nWe weren't root, and the kernel was relatively new. 
We could have tried\r\nusing DirtyCow [1], but many of the publicly available exploits had a high\r\nrisk of frying the server, and the more reliable methods would require\r\ncreating a development VM identical to the CRM server, which would take\r\ntime which we were not sure we had. \r\n\r\nWe dropped a simple tool that allowed us to proxy onto the internal\r\nnetwork, and we also placed a port scanner and an automated\r\ncredential-checking tool onto the server, and started scanning quietly for\r\nport 22, 3389, and 23. \r\n\r\nOnce we had a list of these, the first thing we did was deploy our SSH\r\nscanner against them to test for the simple combination of root:tcpip123,\r\nadmin:tcpip123, and Administrator:tcpip123.\r\n\r\nWe were in luck. We had managed to compromise three of their NAS servers.\r\nThese were all Linux x86-64 machines, too, which meant we could deploy our \r\ntools on them with relative ease. We backdoored the NAS servers using some\r\ncode of our own devising, which we left running in-memory hidden as one \r\nof the existing services to avoid bringing any unwarranted attention down\r\non our heads.\r\n\r\nFrom there, we spent several days scouring the systems. On one, we found\r\nsource code backups, on another, we found backups of home directories, HR\r\ndocuments, corporate files, some SSH keys, password backups, internal\r\nnetwork diagrams, you pretty much name it, we had it. Many of these files\r\nwere quite out of date, but we were able to glean the password\/username\r\ncombination to several servers (services:tcpip123 and services:**tcpip!23)\r\nwhich also had sudo privileges. 
\r\n\r\nWe stole SSH keys from a number of them, and tasked the Jenkins server \r\nto start pulling down all of their repositories, and send them off to a\r\nserver on the internet we controlled afterwards.\r\n\r\nWe also noticed we had access to the Domain Controller for all of the\r\nWindows domains, so we dropped some malware on that, and started slowly\r\ninfecting devices and pulling credentials from memory. One of those sets of\r\ncredentials belonged to a member of staff in charge of IT, which gave us\r\naccess to the internal SharePoint server, which is always a house of fun. \r\n\r\nBy this point, we realised that FlexiSpy didn't give a crap about security,\r\nand in order to give us as many different points of access as possible, we\r\ndeployed Tor across the Linux infrastructure, setting up each server's SSHd\r\nas a Hidden Service. We siphoned out as much as we could, stopping for a\r\nfew weeks to attempt to transfer the EDB files from the Exchange Server,\r\nwhich were over 100GB in size. Eventually, we gave up, after trying several\r\ntimes to exfiltrate them, because we felt if we kept going, we'd eventually\r\ncause an alert loud enough that even FlexiSpy would notice.\r\n\r\nOnce that was done, we contacted Motherboard, gave them the interesting\r\nfiles, and sat back with some popcorn. \r\n\r\n[1] https:\/\/dirtycow.ninja\r\n\r\n--[6: BONUS LEVEL]--------------------------------------------------------\r\n\r\nWiping their servers was mostly a case of dding \/dev\/urandom all over all\r\ntheir drives, but we did have to do that across several RAID devices on\r\ntheir ESXi servers, which was one of the most frustrating things we've\r\nattempted. \r\n\r\nNot even several hackers, armed with years of knowledge of \r\nUNIX, could enjoy trying to use ESXi. Eventually, after entering several\r\nlong and arcane enchantments, we were able to reformat and dd over the \r\nRAID devices. 
The rest was fairly simple.\r\n\r\nWe used the stolen credentials from the SharePoint, NAS devices, and other\r\nplaces to log into Cloudflare, drop their account, then log into Rackspace,\r\nand destroy their servers there, and log into their multiple Amazon\r\naccounts, deleting as many S3 buckets of backups as we could find, before\r\nkilling all of those.\r\n\r\nFinally, we redirected their domains to Privacy International, and went on\r\nour merry way, pausing only to hijack a few twitter accounts and laugh at\r\nFlexiSpy.\r\n\r\n--[7: Hack Back!]---------------------------------------------------------\r\n\r\nFirstly, we'd like to dedicate this to everyone who has ever been a victim\r\nof Gamma, or FlexiSpy, or other surveillance tools. \r\n\r\nWe've stolen a great deal of source code, going back years. We are\r\nhoping that signatures are going to be distributed, tools written to \r\nidentify and remove infections, and we also hope that people will see that\r\nthis industry is really out there, is worth money, and that it's terribly,\r\nterribly evil. \r\n\r\nWe're just, like, this group of guys, you know? We can hack these people,\r\nand we can expose their secrets, but it's up to everyone to make a\r\ndifference.\r\n\r\nIf you have reverse-engineering skills, please, put them to use here. And\r\nnot just with FlexiSpy. Take apart other malware samples, from other\r\nvendors of the same scumware. \r\n\r\nIf you have contacts in the antivirus or threat intelligence industry, \r\npush your colleagues to spend a little more time on these things. \r\n\r\nIf you're a hacker, hack back.\r\n\r\nIf you're an ordinary person, stay safe. Watch how things progress, and see\r\nwhat people are saying about how to detect FlexiSpy and protect yourselves.\r\nSeveral researchers, such as Hacker Fantastic [1], Tek [2], and Ben [3] are\r\ndoing really good work.\r\n\r\nIf you're a spouseware vendor, we're coming for you. 
Stop, rethink your\r\nlife, kill your company, and be a better person.\r\n\r\nOtherwise, you'll be seeing us soon.\r\n\r\n[1] https:\/\/twitter.com\/hackerfantastic\r\n[2] https:\/\/twitter.com\/tenacioustek\r\n[3] https:\/\/twitter.com\/Ben_RA"}