Hacked « IT Security Geeks

When something goes wrong, it is common for those affected and those responsible to play the blame game, often to place the responsibility on any doorstep but their own. Last week, as the result of Chinese app developers using a counterfeit version of Xcode now dubbed “Xcode Ghost”, a number of malware-infected apps (currently believed to be in the region of 300) made it past Apple’s vaunted review process and onto their App Store. As the dust settles and the situation is now believed to have been brought under control, many are now pointing fingers as to who or what allowed this to happen.

Some background; Xcode is Apple’s own suite of development tools for iOS and OS X, it is freely available to developers for download and use. A large number of Chinese app developers were duped into downloading and using a version of Xcode from an unverified source. This version, the afore-mentioned “Xcode Ghost”, was embedded with malicious code that could then perform a number of functions. Primarily it was found that the code could upload device and app information to a command and control server, however it was later discovered to also be capable of phishing user credentials; hijacking and opening specific URLs; reading and writing data to and from a user’s clipboard. Also, debated by some, it is believed to be capable of phishing for iCloud passwords. All quite scary stuff for the end user. But can any one party be blamed and made responsible for this?

Apple have long prided themselves on the security and quality control of their App Store. Certainly, this is the largest influx of malware infected apps ever to make it past their system of checks. It is also very difficult to protect against the unprecedented. How can you put measures in place to guard against an angle previously unconsidered? While many would say that this leaves Apple with egg on their face and a dent in their reputation, it would be hard to accuse them of neglect or carelessness.

The developers who were duped by the counterfeit Xcode Ghost must surely bear some of the brunt? Apple’s Gatekeeper software is shown to have thrown up warning flags regarding the use of the maliciously modified software, warnings that the developers would had to have deliberately ignored to proceed in using the tool for their work. This could be seen as very naive, but why was this fake version ever able to make it into their hands in the first place?

In answer to that, some point to the Chinese government’s stringent Internet restrictions, their “Great Firewall”. As a result of this, cross border downloads such as those from Apple’s official store, can take a very long time to complete. Apple software, particularly Xcode, is notorious for how long downloads can take even in Western countries. Because of this it appears that many Chinese developers chose to try and obtain Xcode from quicker, unofficial sources. This is how hackers were able to trick so many developers into downloading and utilising Xcode Ghost.

Amongst all of this there has been little discussion of who created Xcode Ghost. Who was it who set these wheels in motion, who was their target and what were they aiming to achieve? The consensus at present seems to simply be “Chinese hackers”. The basis for this assumption appears to be the fact that it was Chinese developers who were tricked into crafting the malware infected apps. The apps affected were those most popular in China, leaving them with the majority of affected users, though that is not to say that users globally were not also affected.

The truth is that there is simply not enough evidence to make any valid accusation of culprits at this point in time. What is concerning as is often the case when the blame game is played, is that too few seem to be asking the right questions. How can the stolen data be used, to what end and who benefits the most from it? With these angles considered it seems increasingly less clear that simple “criminal hackers” are behind this attack. Maybe such speculation at this stage is pointless and focus should instead be on prevention; never the less, it is our opinion that uncovering the true source and intent of Xcode Ghost would allow pre-emptive prevention, instead of just re-active measures. By keeping a close eye on further developments and seeing how any stolen data gets used, we may yet get some clues as to the purpose and origin of this attack on China.

So today we received the following phish at one of our honeypot e-mail addresses.

As you can see, it looks legitimate, however the URL doesn’t resolve to linkedin.com, it resolves to http://hungryhorsechapel.com/removed/for/obvious/reasons.php

It appears Hungry Horse Chapel have been compromised, IT Security Geeks have reached out to the teams at Horse Chappel and LinkedIn, and are hoping to hear back soon. We will post updates here as and when we have them.

It’s all over the news that Ubisoft got hacked, and I’m sure that a lot of people are sitting back wondering just what the effects of this hack are, and how it affects them.

To sum things up, below is the content of one of the “Password Reset” e-mails that Ubisoft sent out yesterday.

“Dear Member,

We recently found that one of our Web sites was exploited to gain unauthorised access to some of our online systems. We instantly took steps to close off this access, investigate the incident and begin restoring the integrity of any compromised systems.

During this process, we learned that data had been illegally accessed from our account database, including user names, email addresses and encrypted passwords. Please note that no personal payment information is stored with Ubisoft, meaning your debit/credit card information was safe from this intrusion.

As a result, we are recommending that you change the password for your account: <your name here>

To enter your new password, click the link below: <removed>

Out of an abundance of caution, we also recommend that you change your password on any other Web site or service where you use the same or a similar password.

You can find more information here <removed>

For any additional support enquiries, please contact our customer service via our support web site at https://support.ubi.com

We sincerely apologise to all of you for the inconvenience. Please rest assured that your security remains our priority.

The Ubisoft team”

So your credit/debit card information may be safe, as Ubisoft don’t store this information (thankfully!), but the important part of the e-mail is the line that states:

“Out of an abundance of caution, we also recommend that you change your password on any other Web site or service where you use the same or a similar password.”

If like many millions of people out on the Internet, you’ve used the same password on other web sites, when the hackers eventually crack the encrypted passwords, they will then have your e-mail address and password. Imagine the damage they could cause to your life through websites like Facebook, Twitter, LinkedIn, PayPal, Amazon, eBay, the list goes on and on.

It’s never about attacking a single web site, until people learn that using the same password all over the Internet is not a good idea, this will never change unfortunately.

If you have a Ubisoft account and even if you only use it for gaming, go and change all your other passwords on any other web sites where you’ve used the same password immediately. Just because this data was stolen recently, it doesn’t mean that it will all be used any time soon. You may only notice someone else logging into one or more of your accounts a year down the line. While you’re changing those passwords, it may be a good time to make sure that you’re not using a different “same” password on multiple other web sites or applications.

Unfortunately a lot of the time attacks such as these can be prevented with proper security measures and regular “real world” penetration tests. We always advise our clients to conduct penetration testing on a regular basis, and always before launching any new Internet facing services or web sites. We also always advise our clients to maintain a strong Password Policy.