In a very mobile-centric installment, we’re starting with the story of a long-running iPhone exploitation campaign. It’s being reported that this campaign was being run by the Chinese government. Attack attribution is decidedly non-trivial, so let’s be cautious and say that these attacks were probably Chinese operations.
In any case, Google’s Project Zero was the first to notice and disclose the malicious sites and attacks. There were five separate vulnerability chains, targeting iOS versions 10 through 12, with at least one previously unknown 0-day vulnerability in use. The Project Zero write-up is particularly detailed, and really documents the exploits.
The payload as investigated by Project Zero doesn’t permanently install any malware on the device, so if you suspect you could have been compromised, a reboot is sufficient to clear your device.
This attack is novel in how sophisticated it is, while simultaneously being almost entirely non-targeted. The malicious code would run on the device of any iOS user who visited the hosting site. The 0-day vulnerability used in this attack would have a potential value of over a million dollars, and these high value attacks have historically been more targeted against similarly high-value targets. While the websites used in the attack have not been disclosed, the sites themselves were apparently targeted at certain ethnic and religious groups inside China.
Once a device was infected, the payload would upload photos, messages, contacts, and even live GPS information to the command & control infrastructure. It also seems that Android and Windows devices were similarly targeted in the same attack.
Telegram Leaking Phone Numbers
Telegram, best known for encrypted messages, also allows for anonymous communication. Protesters in Hong Kong are using that feature to organize anonymously, through Telegram’s public group messaging. However, a data leak was recently discovered, exposing the phone numbers of members of these public groups. As you can imagine, protesters very much want to avoid being personally identified. The leak is based on a feature: Telegram wants to automatically connect you to other Telegram users whom you already know.
By default, your number is only visible to people who you’ve added to your address book as contacts.
Telegram is based on telephone numbers. When a new user creates an account, they are prompted to upload their contact list. If one of the uploaded contacts has a number already in the Telegram system, those accounts are automatically connected, causing the telephone numbers to become visible to each other. See the problem? An attacker can load a device with several thousand phone numbers, connect it to the Telegram system, and enter one of the target groups. If there is a collision between the pre-loaded contacts and the members of the group, the number is outed. With sufficient resources, this attack could even be automated, allowing for a very large information gathering campaign.
In this case, it seems such a campaign was carried out, targeting the Hong Kong protesters. One can’t help but think of the first story we covered, and wonder if the contact data from compromised devices was used to partially seed the search pool for this effort.
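To make the matching logic concrete, here is an added model (not Telegram’s code) of the contact-upload reconciliation the post describes, beside a consent-based variant in which a member is only linked when they have explicitly allowed discovery, either globally or by having the uploader in their own address book. All phone numbers and the `Account` structure are constructed for the example.

```python
"""Model of phone-number contact discovery: the weak scheme from the post
beside a hardened, consent-based one. Every number here is constructed."""
from dataclasses import dataclass, field


@dataclass
class Account:
    phone: str
    # Who may discover this account by its number (assumed policy values):
    # "everybody", "contacts" (only people this account has saved) or "nobody".
    discoverable_by: str = "everybody"
    contacts: set = field(default_factory=set)


def weak_match(uploaded: set, members: list) -> list:
    """Weak scheme: any group member whose number appears in the uploaded
    address book is linked to, and therefore revealed to, the uploader."""
    return sorted(m.phone for m in members if m.phone in uploaded)


def hardened_match(uploader: Account, uploaded: set, members: list) -> list:
    """Hardened scheme: a member is linked only with their consent, either
    globally ("everybody") or because they themselves saved the uploader's
    number ("contacts"). A "nobody" setting never matches."""
    revealed = []
    for m in members:
        if m.phone not in uploaded:
            continue
        if m.discoverable_by == "everybody":
            revealed.append(m.phone)
        elif m.discoverable_by == "contacts" and uploader.phone in m.contacts:
            revealed.append(m.phone)
    return sorted(revealed)


def demo():
    """Constructed group of four members with differing privacy settings,
    probed by an uploader who pre-loaded a block of 10,000 sequential numbers."""
    alice = Account("+10000000001", "everybody")
    bob = Account("+10000000002", "contacts", contacts={"+10000000099"})
    carol = Account("+10000000003", "contacts")  # has saved nobody
    dave = Account("+10000000004", "nobody")
    members = [alice, bob, carol, dave]
    uploader = Account("+19999999999")  # not in anyone's address book
    pool = {f"+1000000{i:04d}" for i in range(1, 10001)}
    return weak_match(pool, members), hardened_match(uploader, pool, members)
```

Under the weak scheme the bulk upload outs all four members; under the consent-based scheme only the member who chose to be discoverable by everybody is linked, while a genuine mutual contact still resolves.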
The Hack of @Jack
You may have seen that Twitter’s CEO, Jack (@Jack) Dorsey’s Twitter account was hacked, and a series of unsavory tweets were sent from that account. This seems to be a continuing campaign by chucklingSquad, who have also targeted other high profile accounts. How did they manage to bypass two factor authentication and a strong password? Cloudhopper. Acquired by Twitter in 2010, Cloudhopper is the service that automatically posts a user’s SMS messages to Twitter.
Rather than a username and password, or a security token, the user is secured only by their cell phone number. Enter the port-out and SIM-swap scams. These are two similar techniques that can be used to steal a phone number. The port-out scam takes advantage of the legal requirement that phone numbers be portable between carriers: the attacker, posing as the victim, claims to be switching to a new carrier and has the number moved. A SIM-swap scam instead convinces the victim’s current carrier that he or she is switching to a new phone and new SIM card. It’s not clear which technique was used, but I suspect a port-out scam, as Dorsey hadn’t gotten his cell number back after several days, while a SIM swap scam can be resolved much more quickly.
Google’s Bug Bounty Expanded
In more positive news, Google has announced the expansion of their bounty programs. In effect, Google is now funding bug bounties for the most popular apps on the Play store, in addition to Google’s own code. This seems like a ripe opportunity for aspiring researchers, so go pick an app with over 100 million downloads, and dive in.
An odd coincidence, that 100 million number is approximately how many downloads CamScanner had when it was pulled from the Play store for malicious behavior. This seems to have been caused by a third party advertisement library.
Updates
Last week we talked about Devcore and their VPN appliance research work. Since then, they have released part 3 of their report. Pulse Secure doesn’t have nearly as easily exploited vulnerabilities, but the Devcore team did find a pre-authentication vulnerability that allowed reading arbitrary data off the device filesystem. As a victory lap, they compromised one of Twitter’s vulnerable devices, reported it to Twitter’s bug bounty program, and took home the highest tier reward for their trouble.
“This seems to have been caused by a third party advertisement library.”
And this is why blindly using libraries and frameworks is one of the worst practices EVER. All it takes is the owner of said library to have nefarious motives and your app is seen as the bad one, because most users don’t understand how programming works and how the entire computing industry is built on top of layers of abstraction.
They don’t even need bad motives, just bad code through lack of competence or effort.
But I’d put money on a lot of them having bad motives.
https://privacyinternational.org/report/2647/how-apps-android-share-data-facebook-report
I remember when adware started appearing on the PC and was considered a very bad thing. Now it’s commonplace on mobile and tolerated?
It’s less adware and more aggravated advertising. On PC, adware is commonly defined as software that injects advertising into places that didn’t normally have it, like throwing embedded ads onto the homepage of Google.
On mobile it’s different. Adware on mobile is usually defined as annoying notifications containing advertisements that appear at random. You would need to do much, much more complex exploiting to have the same effect as PC adware on mobile, so the notification spam route is much easier, and also visible on all devices and all apps.
Unless, of course, you’re Grandma and don’t ever pull down the notifications.
Of the iPhone story….
“This operation used fourteen zero-days exploits.”
Holy moly. That’s (using the value from the article for an iOS zero-day ‘sploit) $28 million (USD).
This does somewhat change the view on the attributed value.
Some of the timing is uncertain. It may be that many of those zero-days made it into this attack after they were made public, meaning this particular attacker probably didn’t discover or purchase them.
My understanding of the term “zero day” is that it’s a previously undisclosed bug?
I thought it stopped being a zero-day once public? Given iOS anyway, I would have thought they were quite quick to respond to these…
The write-up from Google’s TAG / Project Zero pages suggests these were previously unknown?
“TAG was able to collect five separate, complete and unique iPhone exploit chains, covering almost every version from iOS 10 through to the latest version of iOS 12.”
https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html
Android is going for 2.5 mil now even though there is almost always a way to root Android publicly.. I believe even in 9.0 Go the security is SELinux and API wrappers for the virtual machine sandboxing. A single kernel bug breaks all of it as you can see for the CVEs used in all rooting tools..
iOS isn’t a big deal; it just has that TrustZone based kernel memory protection. The rest of the security is old x86 stuff like stack and heap cookies, ASLR, KASLR, NX etc.
SEP has been defeated for years and publicly documented. It was just for auth stuff anyway not memory bugs
A12 added some extra stuff for a small class of overflows or something
Are you the same Jonathan Bennett involved in Autoit?
Well that’s weird. Nope, different guy.
On an iOS 12.4.5 and A12 device, fully patched, the KPP is still the only innovative security. The rest is stuff people bypass on x86 all the time (heap and stack cookies, ASLR, KASLR, NX etc.).
x86 has something close under Windows 10 with the TPM backed virtualization security where one of the virtualization instruction sets and a TPM is on the mobo
Something weird you’ll never read or hear about with both Android and Apple devices is that the baseband typically has better security than the AP OS. They not only have hardened micro-OS with a tight attack surface but they have a lot of features that are gateway-side. PlanetBeing exposed this years ago
The rest of this news is boring; just sloppy security engineers and devs
“Something weird you’ll never read or hear about with both Android and Apple devices is that the baseband typically has better security than the AP OS. ”
General rule of thumb. Loss of their money, tight security. Loss of YOUR money, SOL.
Wow. That Telegram fault is awful. If you make software explicitly and exclusively committed to secure communications, for the love of Christ don’t use this kind of sneaky opt-out method to connivingly drive engagement and growth. That’s really disgusting.
But hey, we’ve known since Lavabit shut down that Telegram and several others are probably pwned in some way.
Which is why I use Pure. Since they’re Hong Kong based they don’t keep any logs, because they don’t fall under the Five Eyes. And dirt cheap as well, since it’s Halloween.