
Right to reply: Anatomy of the FBI Apple ID hack and the data taken

A hacktivist group associated with Anonymous claims it has lifted over 12 million Apple Unique Device Identifiers (UDIDs) from an FBI computer and released 1 million online – the leaked data includes names, phone numbers and addresses. Rob Rachwald, Director of Security Strategy at Imperva, has looked into the claim, laid out step by step how the hack occurred, and answered questions about the effects of this hack.

What the Breached Apple/FBI Data Tells Us
So far the best coverage of this breach in terms of how it occurred is here. We hope to answer a few more questions that seem to be swirling on the Web.
Is this breach real?
Probably. We think so for two reasons:
The FBI agent that was supposedly breached is real. He’s a known recruiter in the FBI focused on getting white hat hackers to work for the feds. Here’s his Facebook video.
The database that was breached seems authentic—though only Apple can confirm. However, the structure and format of the data indicate that this is a real breach. It would be hard to fake such data.
What is new about this hack?
There are two things interesting about this attack:
1. Shows a new angle on hacktivism—This breach resembles a new innovation by hacktivists. Specifically, they targeted an individual in the same way government-sponsored hackers (a.k.a., APT hackers) would attack. Sure, Anonymous/Lulzsec targeted HB Gary in the past but we haven’t seen this type of attack reappear until now. Is this part of a broader trend of hacktivists expanding their attack methods? Could be. For example, the recent Saudi Aramco breach used malware, a type of attack not normally associated with hacktivists.
2. This attack was not pre-announced— Normally, hacktivist attacks are pre-announced, often an Operation [FILL IN THE BLANK]. Doesn’t seem to be the case here.
What can hackers or FBI use this data for?
If the hackers have what they claim, they may be able to cross-reference the breached data to monitor a user’s online activity—possibly even a user’s location. To be clear, the released database is sanitized, so you cannot perform this type of surveillance today. But with the full information that the hackers claim to have, someone could perform this type of surveillance. This implies that the FBI can track Apple users.
What scams can we expect?

How many people will get infected “finding out” if their Apple device was one of the 12 million? Here’s one blog that already points you to a site where you can “check” if your creds were stolen.
http://www.zerohedge.com/news/find-out-if-your-apple-device-was-among-12-million-units-hacked-and-tracked-fbi
How do we know whether such sites are real, or scams set up to collect your real credentials? Sites like this sometimes appear after high-profile breaches, and consumers shouldn’t visit them.
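As an added illustration (not part of the original post), here is the design a legitimate breach-lookup service can use so that it never receives your UDID at all: the client sends only a short prefix of a hash, the server returns every suffix in that bucket, and the comparison happens locally. The UDID values, `LookupServer` class and `PREFIX_LEN` are constructed for the example.

```python
import hashlib

# Constructed sample of "leaked" UDIDs (40 hex characters, the Apple UDID format).
# These are made-up values, not entries from the real dump.
LEAKED_UDIDS = [
    "a1b2c3d4e5f60718293a4b5c6d7e8f9012345678",
    "0123456789abcdef0123456789abcdef01234567",
    "deadbeefcafef00d1234567890abcdef12345678",
]

# Hex characters of the hash the client reveals. A shorter prefix puts more
# records in each bucket (larger anonymity set) at the cost of a bigger reply.
PREFIX_LEN = 2


def udid_hash(udid: str) -> str:
    """Normalise and hash the UDID so the raw identifier is never sent or stored."""
    return hashlib.sha256(udid.strip().lower().encode()).hexdigest()


class LookupServer:
    """Assumed service design: buckets of hash suffixes keyed by hash prefix."""

    def __init__(self, udids):
        self.index = {}
        for u in udids:
            h = udid_hash(u)
            self.index.setdefault(h[:PREFIX_LEN], []).append(h[PREFIX_LEN:])
        self.queries = []  # everything the server ever learns from clients

    def range_query(self, prefix: str):
        self.queries.append(prefix)
        return sorted(self.index.get(prefix, []))


def is_in_leak(server: LookupServer, udid: str) -> bool:
    """Client side: transmit only the prefix, compare the full hash locally."""
    h = udid_hash(udid)
    return h[PREFIX_LEN:] in server.range_query(h[:PREFIX_LEN])


def server_learned_more_than_prefix(server: LookupServer) -> bool:
    """Audit helper: True if any query exposed more than PREFIX_LEN characters."""
    return any(len(q) > PREFIX_LEN for q in server.queries)
```

A site that instead asks you to paste the full UDID into a form is collecting exactly the identifier it claims to be checking.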
Anatomy of the FBI Breach
Following our blog post on the Anonymous breach of the Apple/FBI data, in which over 12m personal records were claimed to have been stolen by compromising an FBI agent’s laptop through a Java vulnerability, we decided to outline the hack in order to better explain how things worked in the wild.
What the Hack?
Anonymous claimed to have used a specific vulnerability to gain control of the FBI agent’s laptop, browse it, and find an interesting file – a CSV file that they claimed contained Apple device information together with personal user information. They then downloaded it and distributed a portion of it, 1 million of the 12 million records, sanitized down to metadata only.
Some background
For a while now there has been a known Java vulnerability, CVE-2012-0507, that affects specific versions of Java on all platforms and allows a remote attacker to gain control of the victim’s machine.
The hacker needs to plant the payload via a website, email, hidden link, etc. – and once the user interacts with the link, the system is owned.
Hack Anatomy
Let’s go step by step through the different phases of the attack itself, remembering that, before the hack itself, there was a reconnaissance phase to identify the specific target and address him individually.
First, the hacker uses a framework to load the exploit code and generates a host to let the victim download the malicious payload:

Second, the victim is tricked into accessing the malicious host, by a persistent XSS infection on a site, a malicious link in an email, or plain social engineering, to name a few:

Once the target has opened the URL, the payload is triggered through the vulnerability and a reverse session is opened between the hacker and the victim:

The hacker at this stage has full control of the machine and is able to launch commands, including a prompt to execute code or search the victim’s host:

The hacker then looks for relevant information that he wishes to steal and downloads it from the victim’s computer.

Game over, no quarter:
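The phases above leave a recognisable trail on the network side, so as an added example (not from the original post) here is detection logic a defender could run over web-proxy and egress-firewall logs: a Java plugin fetching a .jar from a host that is not on an allowlist, followed within a few minutes by the same client connecting back to that host on a non-web port, which is what the reverse session in the third step looks like from the outside. The log formats, sample lines, hosts and the `TRUSTED_JAR_HOSTS` allowlist are all constructed for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs (made up for this example): one web-proxy log and one egress-firewall log.
PROXY_LOG = """\
2012-09-04T10:00:40 10.0.0.5 GET http://www.example.com/index.html "Mozilla/5.0" 200
2012-09-04T10:01:02 10.0.0.5 GET http://203.0.113.7:8080/Exploit.jar "Java/1.6.0_29" 200
2012-09-04T10:05:00 10.0.0.9 GET http://updates.example.com/tool.jar "Java/1.6.0_29" 200
"""
FIREWALL_LOG = """\
2012-09-04T10:01:05 10.0.0.5 -> 203.0.113.7:4444 ALLOW
2012-09-04T10:06:00 10.0.0.9 -> 198.51.100.2:443 ALLOW
"""
TRUSTED_JAR_HOSTS = {"updates.example.com"}  # hosts that legitimately serve .jar files
WINDOW = timedelta(minutes=5)                # how soon after the download a call-back counts

# ts client GET scheme://host[:port]path "user-agent" status
PROXY_RE = re.compile(r'^(\S+) (\S+) GET https?://([^/:]+)(?::\d+)?(\S*) "([^"]*)" \d+$')
# ts client -> dst:port ALLOW
FW_RE = re.compile(r'^(\S+) (\S+) -> (\S+):(\d+) ALLOW$')


def parse(log, pattern):
    return [m.groups() for line in log.splitlines() if (m := pattern.match(line))]


def suspicious_jar_downloads(proxy_log):
    """Phases 1-2: the Java plugin (User-Agent 'Java/...') pulling a .jar from an unknown host."""
    hits = []
    for ts, client, host, path, ua in parse(proxy_log, PROXY_RE):
        if ua.startswith("Java/") and path.lower().endswith(".jar") and host not in TRUSTED_JAR_HOSTS:
            hits.append((datetime.fromisoformat(ts), client, host))
    return hits


def reverse_sessions(proxy_log, firewall_log):
    """Phase 3: the same client connecting back to the .jar host on a non-web port shortly after.
    Assumption: proxy host and firewall destination are both IPs; with hostnames you would
    resolve them first before comparing."""
    alerts = []
    fw = [(datetime.fromisoformat(ts), c, d, int(p)) for ts, c, d, p in parse(firewall_log, FW_RE)]
    for jar_ts, client, host in suspicious_jar_downloads(proxy_log):
        for ts, c, dst, port in fw:
            delay = (ts - jar_ts).total_seconds()
            if c == client and dst == host and port not in (80, 443) and 0 <= delay <= WINDOW.total_seconds():
                alerts.append({"client": client, "attacker_host": host, "port": port, "delay_s": delay})
    return alerts
```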

By
Rob Rachwald
Director of Security Strategy
Imperva

Visit Imperva’s blog for more details
