Following our blog post on the Anonymous breach of the Apple/FBI data, in which over 12m personal records were claimed to have been stolen by compromising an FBI agent's laptop through a Java vulnerability, we decided to outline the hack in order to better explain how things worked in the wild.
What the Hack?
Anonymous have claimed to have used a specific vulnerability to gain control over the FBI agent's laptop, browse it, and find an interesting file, a CSV that they claimed contained Apple device user information complete with personal user details. They then downloaded it and distributed a portion of it, 1 million out of 12 million records, sanitized down to metadata only.
For a while now there has been a known Java vulnerability, CVE-2012-0507, that affects specific versions of Java on all platforms and allows a remote attacker to gain control over the victim's machine.
The hacker needs to plant the payload via a website, email, hidden link, etc.; once the user interacts with the link, the system is owned.
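From the defender's side, the practical question for this vulnerability is whether a fleet's Java runtimes are at or beyond the update level that fixed it. The following added example (our illustration, not code from the original post or from Anonymous) parses `java -version` strings from a constructed inventory and flags hosts whose runtime predates the fix; the fixed update levels in `FIRST_FIXED_UPDATE` are assumed from the February 2012 Oracle Critical Patch Update and should be verified against the advisory.

```python
import re

# Assumed first fixed update level per Java family (the February 2012 Critical
# Patch Update that addressed CVE-2012-0507); verify against Oracle's advisory.
FIRST_FIXED_UPDATE = {(1, 7): 3, (1, 6): 31, (1, 5): 34}
VERSION_RE = re.compile(r'(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(text):
    """Return (major, minor, update) from a `java -version` line such as
    'java version "1.7.0_02"' or a bare '1.6.0_30'; None if absent."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, _patch, update = m.groups()
    return int(major), int(minor), int(update or 0)  # no suffix == update 0


def is_patched(text):
    """True if at or above the first fixed update for its family, False if it
    predates the fix, None if unparseable or the family is not tabulated."""
    parsed = parse_java_version(text)
    if parsed is None:
        return None
    major, minor, update = parsed
    if (major, minor) > (1, 7):
        return True  # later families shipped after the fix
    fixed = FIRST_FIXED_UPDATE.get((major, minor))
    if fixed is None:
        return None
    return update >= fixed


def hosts_needing_upgrade(inventory):
    """From 'hostname,version-string' records, list hosts whose Java predates
    the fix or could not be classified (both need follow-up)."""
    flagged = []
    for record in inventory:
        host, _, version = record.partition(",")
        if is_patched(version) is not True:
            flagged.append(host.strip())
    return flagged


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    'laptop-01,java version "1.7.0_02"',
    'laptop-02,java version "1.6.0_31"',
    'build-03,java version "1.7.0_03"',
    'kiosk-04,1.6.0_30',
    'legacy-05,java version "1.4.2_35"',
]
```

Unclassifiable runtimes (unparseable strings or families not in the table) are deliberately flagged rather than silently treated as safe.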
Let's go step by step through the different phases of the attack itself, remembering that, beyond the hack itself, there was a reconnaissance phase to identify the specific target and address them individually.
First, the hacker uses a framework to load the exploit code and stands up a host from which the victim will download the malicious payload.
Second, the victim is tricked into accessing the malicious host, whether through a persistent XSS infection on a site, a malicious link in an email, or plain social engineering, to name a few.
Once the target has opened the URL, the payload is triggered through the vulnerability and a reverse session is opened between the hacker and the victim.