Tech

Former LulzSec Hacker Releases VPN Exploit Used to Hack Hacking Team

A security researcher has released an exploit for SonicWall VPNs that was originally found by Phineas Fisher in 2015.
sonicwall
Image: Krisztian Bocsi/Bloomberg via Getty Images
Screen Shot 2021-02-24 at 3
Hacking. Disinformation. Surveillance. CYBER is Motherboard's podcast and reporting on the dark underbelly of the internet.

A security researcher who used to be part of the infamous hacktivist group LulzSec published an exploit for a popular VPN application made by SonicWall on Monday. The exploit relies on the same vulnerabilities exploited by the notorious hacktivist Phineas Fisher to hack Hacking Team.

On Monday, Darren Martyn published the exploit in a blog, following the announcement by SonicWall that hackers had breached its internal network by exploiting zero-days in its equipment. Martyn said he decided to release the exploit to denounce SonicWall's poor security. 

Advertisement

"Figured that with SonicWall back in the news for getting owned via some 0days in their own shit products, it would be somewhat amusing to release this," Martyn wrote.

Do you know of any similar security vulnerability or data breach? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, OTR chat at lorenzofb@jabber.ccc.de, or email lorenzofb@vice.com

In an online chat, Martyn explained that he was able to develop the exploit after reading the post-mortem Phineas Fishes wrote after hacking an offshore bank in 2019. In that writeup, the notorious vigilante explained that they used a zero-day in a SonicWall VPN used by the bank, the same product used by Hacking Team, the Italian spyware vendor that Phineas Fisher famously hacked in 2015

Martyn said he was able to work out the exploit "about 2 minutes after reading the writeup," which "basically tells you everything you need to know." 

screenshot-from-2021-01-24-17-33-06.png

A screenshot of Martyn's exploit. (Image: Darren Martyn)

The vulnerabilities underlying this exploit are patched, according to SonicWall.

“The vulnerability that this post is referencing was patched in 2015 in SMA 8.0.0.4. It cannot be exploited in version 9 or 10,” a SonicWall spokesperson said in an email.  

The researcher left the last step of the exploit—how to get administrative privileges on the SonicWall VPN—out of his blog, in order to prevent unsophisticated hackers from just copy pasting the exploit and wreaking havoc with it. In any case, Martyn criticized SonicWall for shipping products that contain severely outdated code, which allowed him and Phineas Fisher to exploit them

"Honestly kind of bizarre, like that level of outdated crap just feels like negligence," Martyn told Motherboard.

In his blog, Martyn was even more scathing in his advice for SonicWall customers. 

"The only recommendation I have if you use these products is to unplug them, douse them in kerosene, and set them on fire. It is the only way to be safe from something seemingly developed with this level of negligence."

UPDATE January 26, 11:33 a.m. ET: This story and its headline have been updated to clarify that this exploit was not a zero-day, as SonicWall had patched it.