The same sophisticated cyber attack that has targeted Facebook and Twitter has also targeted Apple, according to an exclusive revelation by Reuters. In this latest occurrence, the attackers were able to infect several Mac computers belonging to some employees of Cupertino, exploiting the same 0-Day Java vulnerability used to carry on the attacks against the two well known social networks.
Further details have emerged in the meantime: particularly noticeable is the fact that the attackers used the consolidated “watering hole” technique, compromising a well-known mobile developer forum (iphonedevsdk.com) accessed by the employees of Cupertino (and of many other high profile companies). This has raised the concern that maybe the attackers aimed to manipulate the code of smartphone apps to compromise a huge number of users. Currently the forums shows a banner inviting users to change their passwords.
Apple is working closely with the Federal Bureau of Investigation and has released an update to disable its Java SE 6. Although there is no clear evidence about the Chinese origin of the attack, unfortunately it comes out in the worst possible period: after the wave of attacks against U.S. Media, Mandiant, the firm that investigated the attack against the NYT, released a detailed report suggesting a link between the hacks against U.S. assets. and the Chinese Army.
Update 4 Sep 23:38 GMT+2: The FBI issued a tweet denying that it ever had the 12 million Apple IDs in question:
Statement soon on reports that one of our laptops with personal info was hacked. We never had info in question. Bottom Line: TOTALLY FALSE—
FBI PressOffice (@FBIPressOffice) September 04, 2012
Here the complete Statement from the FBI Press Office.
Original Post: Few hours ago, the @AnonymousIRC Twitter account has announced yet another resounding cyber attack carried on in name of the #Antisec movement:
(@AnonymousIRC) September 04, 2012
In a special edition of their #FFF refrain (literally quoting the authors of the attack: “so special that’s even not on friday”), the Hacktivists claim to have obtained from FBI 12,000,000 Apple Devices UDIDs (UDID is the short form for Unique Device Identifier, the unique string of numbers that univocally identifies each iOS device), and have consequently published 1,000,001 of them in pastebin post.
In the same post they explain how they were able to obtain them:
During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of “NCFTA_iOS_devices_intel.csv” turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts. no other file on the same folder makes mention about this list or its purpose.
Did you notice the misplaced detail? Actually I could not help but notice that the UDIDs were obtained exploiting a Java vulnerability, the AtomicReferenceArray vulnerability (CVE-2012-0507). A detail is not so important in other circumstances, if it had not disclosed only few days after the controversies following the discovery of a potentially devastating 0-day for Java, and the subsequent issues deriving from the release of a vulnerable patch.
There could be no worse moment for this event to happen, and I am afraid it will contribute to add fuel to the raising concerns regarding Java security… Hard days for Java… And for the FBI
As usual, here is the list of the main cyber attacks for April 2012. A first half of the month which has been characterized by hacktivism, although the time of the resounding attacks seems so far away. Also because, after the arrest of Sabu, the law enforcement agencies (which also were targeted during this month, most of all in UK), made two further arrests of alleged hackers affiliated to the Anonymous Collective: W0rmer, member of CabinCr3w, and two possible members of the infamous collective @TeaMp0isoN.
In any case, the most important breach of the first half of the month has nothing to deal with hacktivism, targeted the health sector and occurred to Utah Department of Health with potentially 750,000 users affected. According to the Last Ponemon Study related to the cost of a breach ($194 per record) applied to the minimum number of users affected (250,000), the monetary impact could be at least $ 55 million.
Another interesting event to mention in the observed period is also the alleged attack against a Chinese Military Contractor, and the takedown of the five most important al-Qaeda forums. On the hacktivist front, it worths to mention a new hijacked call from MI6 to FBI, but also the alleged phone bombing to the same Law Enforcement Agency. Both events were performed by TeamPoison, whose two alleged members were arrested the day after.
For the sample of attacks I tried to identify: the category of the targets, the category of the attacks, and the motivations behind them. Of course this attempt must be taken with caution since in many cases the attacks did not target a single objective. Taking into account the single objectives would have been nearly impossible and prone to errors (I am doing the timeline in my free time!), so the data reported on the charts refer to the single event (and not to all the target affected in the single event).
As usual the references are placed after the jump.
By the way, SQL Injection continues to rule (the question mark indicates attacks possibly performed by SQL Injection, where the term “possibly” indicates the lack of direct evidences…).
If you want to have an idea of how fragile our data are inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011 and 2012 (regularly updated), and follow @pausparrows on Twitter for the latest updates.
Last week, while browsing the 2012 Cyber Attacks Timeline, I could not help but notice the huge amount of cyber attacks that the collective @CabinCr3w did between January and February 2012 in the name of the so-called #OpPiggyBank. You will probably remember that most of those Cyber Attacks, made in combination with @ItsKahuna, were targeting Law Enforcement Agencies in support of the occupy movements. The crew was not new to such similar actions (for instance they doxed the Citigroup CEO in October 2011), in any case I was impressed by their sudden peak and by the equally sudden disappearance in the second half of February.
Few clicks on Google were enough for me to came across an article on Threatpost that I had missed a couple of days before.
On March 20 federal authorities had arrested Higinio Ochoa, AKA @Anonw0rmer, a resident of Texas accused of working for the hacking group CabinCr3w. He had been taken into custody by FBI agents and charged with unauthorized access to a protected computer in a criminal complaint dated March 15 whose Offense Description indicates an “Unauthorized Access to a protected computer” made on February 2012 in the County of Travis, District of Texas.
The rich Resumé of the @CabinCr3w, part of which is listed on the Criminal Complaint, includes 10 cyber attacks made between January and February 2012, in particular one against the Texas Police Association, on February the 1st 2012, and one against the Texas Department of Public Safety, on February, the 8th 2012. The latter, at least according to an alleged self-written memorial that W0rmer Higinio Ochoa allegedly posted on pastebin on Mar 30 2012, is maybe the one for which he was charged.
The list of the facts contained in the Criminal Complaint and how the FBI combined them to identify Higinio Ochoa and to join his real identity with the virtual identity of W0rmer, is a brilliant example of Open Source Intelligence clearly summarized in this article by ArsTechnica. Incredible to believe for a hacker, who should be supposed to clean each trace he leaves on the cyber space, is the fact that the main security concern for a mobile device, the geo-tagging feature, was one of the elements which led Investigators to Higinio Ochoa. By mining EXIF data contained in a photo on the web page left after the defacement of the Texas Department of Public Safety (showing a woman in a bikini with the sign: “PwNd by w0rmer & cabincr3w”), the Feds were able to collect the GPS data in the image, and to consequently identify it was taken with an iPhone 4 at a location in South VIC, Australia. By browsing the (inevitable) Ochoa’s Facebook Profile, the agents also learned that a girlfriend of him, Kylie Gardner, had graduated from a high school in Australia, the same country in which the first photo was shot.
Inevitably, this event has (too) many points in common with the affaire of Sabu, the alleged leader of the infamous LulzSec Collective, arrested by the Feds approximately a month before.
Both crews, LulzSec and CabinCr3w, targeted Law Enforcement Agencies, both crews met the same destiny: hit in the heart (or better to say in the head) by those same Law Enforcements they mocked so deeply during their days of lulz.
But the points in common do not end here… Sabu was discovered to act as an informant of FBI, and the above quoted pastebin suggests that W0rmer did the same prior of his arrest.
Were you ever approached to be a confidential informant? Of course I was! Some body such as myself who not only participated in the occupy movement but knew many and knew the inner workings of the “infamous” cabin crew would not be just put away without wondering if he could be turned. I did how ever tell FBI that I would participate in the capture of my fellow crew mates
Even if it is not clear if his cooperation was really genuine. As a matter of fact in the following sentence, he refers to his role as an informant as a “play” which created confusion on FBI:
a play which undoubtfully both satisfied and confused the FBI
Maybe this is the reason why the Twitter account of the CabinCr3w on April 3, tweeted:
(Curiously it looks like at 00:04 (UTC +1) this tweet has just disappeared)
In any case the court documents indicate that Ochoa first appeared in federal court for the Southern District of Texas on March 21, subsequently released on bail and forbidden to use a computer or smart phone, hence it is possible that the post on pastebin, which is dated March 31st, has not been written directly from his hand.
Last but not least there is a strange coincidence: W0rmer had a twitter account with the nick @AnonW0rmer who ceased to tweet on March, the 20th (@ItsKahuna ceased to tweet on March, the 23rd while @CabinCr3w is the only still active). Guess what is the name associated with the @AnonW0rmer account? FBI HaZ A File on ME. A dark omen or a dissimulation?
Hacktivists and Information Security Professionals could not believe their eyes while reading the breaking news published by Fox News according to which the infamous Sabu, the alleged leader of the LulzSec collective, has been secretly working for the government for months and played a crucial role for the raids which today led to the arrests of three members of the infamous hacking collective with two more charged for conspiracy.
You will probably remember that the hacking collective which, in its “50 days of Lulz” become the nightmare for System Administrators and Law Enforcement Agencies all over the Globe, suddenly decided to give up, on June the 25th, in a completely unexpected way, leaving their supporters and followers completely surprised, but also leaving the heritage of a name which has become a synonym for hacktivism (also because of their pact with the Anonymous, with whom they are often associated, in the name of the #Antisec movement).
Even after the group left the scene, Sabu has continued to constantly tweet and comment the events through his “official” Twitter account @anonymouSabu, probably a fake or a diversionary tactic, since it looks like that Sabu had already been arrested by the FBI since June, the 7th, more than a couple of weeks before the breakdown of the group,
At that time, the hacking group was hunted by Law Enforcement Agencies and several Grayhats as well (among all @th3j35ter, the A-Team and Web Ninjas whose blog, lulzsecexposed.blogspot.com, unfortunately is no longer available).
Curiously, it looks like that Sabu had already been “doxed” since then. At that time many claimed to have revealed the identity of the members: there was no day without a new pastebin promising to expose new information. But if you have a look at them, they all have only one thing in common, and it is just the identity of Xavier Monsegur (or Montsegur), also known as Sabu. The truth was very close and before everybody eyes: on pastebin.
June, 28th 2011: http://pastebin.com/qmP7R49Y
The real identity of the other members is not still completely known, but for sure it is not a coincidence that no one of the pastebins was able to guess anyone else except Sabu, who hence was the first to be arrested, well before the rest of the group.
February 2012 brings a new domain for my blog (it’s just a hackmaggedon) and confirms the trend of January with a constant and unprecedented increase in number and complexity of the events. Driven by the echo of the ACTA movement, the Anonymous have performed a massive wave of attacks, resuming the old habits of targeting Law Enforcement agencies. From this point of view, this month has registered several remarkable events among which the hacking of a conf call between the FBI and Scotland Yard and the takedown of the Homeland Security and the CIA Web sites.
The Hacktivism front has been very hot as well, with attacks in Europe and Syria (with the presidential e-mail hacked) and even against United Nations (once again) and NASDAQ Stock Exchange.
Scroll down the list and enjoy to discover the (too) many illustrious victims including Intel, Microsoft, Foxconn and Philips. After the jump you find all the references and do not forget to follow @paulsparrows for the latest updates. Also have a look to the Middle East Cyberwar Timeline, and the master indexes for 2011 and 2012 Cyber Attacks.
Addendum: of course it is impossible to keep count of the huge amount of sites attacked or defaced as an aftermath of the Anti ACTA movements. In any case I suggest you a couple of links that mat be really helpful:
- List of all vulnerable websites attacked by anonymous Part II (updated daily) (via cylaw.info)
- List of Websites Hacked, Defaced & Taken Down By Anonymous (via valuewalk.com)