Hackers explain how they “owned” FlexiSpy

How did the hackers that go by the name Decepticons breach stalkerware manufacturer FlexiSpy?

According to information purportedly provided by the attackers themselves, it took them a while to thoroughly “own” the company’s networks and wreak as much havoc as possible, but it was ultimately not that difficult.

FlexiSpy hack

What is FlexiSpy?

FlexiSpy is a piece of spyware that can be deployed on a variety of devices running Windows, macOS, iOS and Android.

It can record calls, steal application passwords, listen in on chats effected via popular social networking and instant messaging apps, monitor the victim’s web surfing, snap pictures with the device’s camera, send fake SMSes, track the device’s location, and more.

The company says it is meant to help parents keep an eye on children and employers on employees, but analysis of the documents stolen by the hackers revealed that the company has been also marketing the spyware to people who wanted to monitor their significant other’s online activities and digital communications.

The attackers’ motivation

Motherboard reporters talked to “Leopard Boy”, a member of the Decepticons, and another anonymous hacker that has breached American company Retina-X at practically the same time the Decepticons went after FlexiSpy. (Retina-X develops and sells PhoneSheriff, another piece of consumer surveillance software).

Both said that the thing they wanted to achieve with their destructive breaches is to put the companies out of business.

The FlexiSpy hack

The Decepticons published a step-by-step overview of how they hit the company.

They started by enumerating the company’s IP space with Fierce, and among the results they found a subdomain hosting an admin panel.

They tried to perform SQL injection on it, but failed. Then they tried some common default credential combinations and struck gold. Once inside, they managed to enumerate and extract info on the company’s customers.

Then they set out to find servers and websites run by the company, and found SSH servers, a Microsoft Exchange server, a CRM instance, etc. They also found a software repository, a Mailchimp API key, and a password that allowed them to compromise an administrator account on the CRM instance, from which they proxied onto the FlexiSpy’s internal network and began scanning for open ports.

They say that they’ve managed to compromise the company’s NAS servers, servers that contained source code backups abd backups of “home directories, HR documents, corporate files, some SSH keys, password backups, internal network diagrams.”

They accessed and compromised the Domain Controller for all of the Windows domains, the internal SharePoint server, and started exfiltrating every kind of information and code they could – then handed much of it over to Motherboard reporters.

Then they set on destroying and wiping everything: the company’s RAID devices, NAS devices, Rackspace servers, Amazon S3 buckets of backups. And finally, they said that they have redirected the company’s domains to Privacy International and hijacked a couple of their Twitter accounts.

“We’ve stolen every a great deal of source code, going back years. We are hoping that signatures are going to be distributed, tools written to identify and remove infections, and we also hope that people will see that this industry is really out there, is worth money, and that it’s terribly, terribly evil,” they concluded.

The company’s domains are now back online, and the company did not confirm or deny the breach. Instead, it only apologized to users about a “temporary technical issue affecting the portal” on April 18, and announced a “Hacker Reward Program” on April 24.

Similarly, Retina-X did not mention a breach to its customers, and apparently instructed its staff to say that a hardware failure was behind a recent outage that prevented customers from logging into their accounts.