It’s been an interesting week when it comes to Apple’s cybersecurity news. Whether a mysterious “crime family” is really out to compromise iCloud and .mac accounts is yet to be seen, but either way the possible extortion of a tech giant is worrisome. In this week’s Hacker Tracker, cybersecurity experts weigh in on what may or may not impact hundreds of millions of Apple customers.
The Ransom Debacle
Earlier this week, news outlets reported that a group of hackers, also known as the Turkish Crime Family, claimed to be in possession of more than 627 million icloud.com, me.com and mac.com login credentials.
The group initially demanded that if Apple did not pay $75,000 in cryptocurrency, either bitcoin or rival ether, within two weeks, then it would wipe the data from millions of Apple devices. Since that threat, the group has upped the ante — claiming that if the company does not adhere to its ransom, raised to $150,000, then it will wipe the data in three days, as of Wednesday (March 22).
“It seems that the attackers are going for a big score in this case. As opposed to selling the accounts nickel- and-dime style to other malicious actors, they are attempting to get a big score from extorting the affected company directly,” Alex Heid, chief research officer of SecurityScorecard, told PYMNTS.
Turkish Crime Family said it has a database of nearly 519 million iCloud credentials, and, since it announced plans to wipe devices, others hackers have added other compromised credentials to the pot, bringing the total number to more than 627 million.
The hacker group also claimed that 220 million of these credentials are verified and allow access to iCloud accounts without two-factor authentication measures in place.
Though the cybergang was relatively unheard of until its recent threats, they claim to have years of experience in selling stolen online databases, according to a report from CIO.
Ultimately, the group has given Apple until April 7 to meet its demands.
But as the deadline looms, many questions have arisen about how worried Apple customers should actually be about these threats.
Most important to note is that while Apple has yet to officially confirm or deny the authenticity of the data in question, it has assured customers that no breach has taken place on its systems.
Apple claims that the compromised credentials are probably victims of password reuse and were extracted from multiple third-party data breaches, such as LinkedIn, Dropbox, Yahoo and others, Heid explained.
“This is a highly likely scenario. Password checking scripts are prolific within the hacking underground and exist for the sole purpose of identifying accounts that reuse passwords across multiple platforms,” Heid added.
Measuring Motive
“At this stage, I am personally cautious on the veracity of the hacking group. In fact, there is an apparent dichotomy (discrepancy) between the amount requested by the hacking group and the eventual impact of such a massive data wiping and the consequential potential data breach affecting Apple,” Dario Forte, CEO of DF Labs, a European incident response technology company, told PYMNTS.
Nonetheless, if the claim is true, it could result in greater impacts than many have initially anticipated.
While it’s still unclear who is making these claims and why, and even what they really hope to gain, one thing that hasn’t wavered is their reasoning behind the ransomware threat in the first place.
“We are doing this because we can and mainly to spread awareness for Karim Baratov and Kerem Albayrak, which both are being detained for the Yahoo hack and one of them is most probably facing heavy sentencing in America,” a representative for the group said via email, reported by CIO. “Kerem Albayrak, on the other hand, is being accused of listing the database for sale online.”
The men mentioned have both had charges brought against them by the U.S. Justice Department for allegedly taking part in the massive data breach that rocked Yahoo.
One interesting thing to note is that even if the Turkish Crime Family does move forward with its automated attack to wipe over half a billion phones, Apple said the task itself is highly improbable.
“Let’s be clear that unless Apple verifies the threat with a major call for password resets, this threat could very well be unfounded. Also, two-factor authentication protection foils this kind of threat — but not all kinds — making reports of Apple’s death greatly exaggerated,” George Avetisov, CEO of HYPR, noted.
According to Avetisov, the true problem lies in how much stake is put into authentication that cannot be controlled, especially in the case of ransomware threats which are entirely credentials-based.
“If we stopped tying identity to a stagnant alphanumeric string and abandoned the wrongheaded use of enterprises holding that data, we’d erase this attack vector from the hacker’s playbook,” Avetisov said. “We should tie identity to a person with secure biometric authentication as part of an end-to-end solution.”