Telegram Hack – Possible Nation State Attack By Iran

Outsmart Malicious Hackers

So there’s been a lot of news lately about the Telegram hack and how 15 million accounts were compromised, which is not technically true. There’s 2 vectors of attack at play here, both of which regard Iranian users, but are not connected (other than the attackers probably being the same group).

Telegram Hacked - Possible Nation State Attack By Iran

So the two attacks were related to two totally different parts of the Telegram stack, one being targeted at a small number of user accounts via SMS 2FA and the other being a fairly basic API brute-force for information gathering purposes.

Amnesty International technologist and researcher Claudio Guarnieri and independent security researcher Collin Anderson traced recent Telegram account breaches in Iran to the SMS messages Telegram sends to people when they activate a new device. The texts contain a verification code that Telegram asks people to enter to complete a new device setup. A hacker with access to someone’s text messages can obtain these codes and enter them to add their own devices to the person’s account, thus gaining access to their data including chat histories.

The researchers think the Iranian hacking group Rocket Kitten is behind the Telegram breaches, based on similarities to the infrastructure of past phishing attacks attributed to the group. There is widespread speculation that Rocket Kitten has ties to the Iranian government. “Their focus generally revolves around those with an interest in Iran and defense issues, but their activity is absolutely global,” says John Hultquist, who manages the cyber espionage intelligence team at the security firm FireEye, of Rocket Kitten. In the case of the Telegram attacks, the researchers also suggested that SMS messages may have been compromised by Iranian cell phone companies themselves, an industry that also has potential ties to the government.

So the first part is quite serious, as it means the bad actors can totally hijack the accounts of certain users by receiving the new device activation code via SMS. There are links to the Iranian hacking group Rocket Kitten and also possibilities that the government gave access to these SMS messages.

The other option is the recently disclosed SS7 flaw that renders SMS as a 2FA method, pretty insecure.

That SMS is involved is no surprise. It has increasingly fallen out of favor as a “factor” in multi-factor authentication, because it can be compromised in a number of different ways. The National Institute of Standards and Technology even denounced SMS for two-factor in draft recommendations last week.

Telegram said in a statement to WIRED that it is “much like any SMS-based app. If someone has access to your SMS messages, they will get access to your account. If you have two-factor authentication enabled on Telegram, and they have access to your recovery email and SMS, they will get access to your account.”

In addition to concerns about SMS, the researchers also noted that the hackers were able to access 15 million phone number/account combos using Telegram’s public-facing application program interface.

The hackers brute-forced the API by entering millions of Iranian mobile phone numbers and collecting those that returned a user ID. “Since Telegram is based on phone contacts, any party can potentially check whether a phone number is registered in the system.

The second part, is much less exciting and basically involved the hackers brute forcing the Telegram API with Iranian format phone numbers to return all users with a user ID (15 Million phone numbers). Which they could then choose who to hijack using the SMS authentication message (only 12 users).

Which means the gravity of this hack in the media is often overstated.

Source: Wired

Posted in: Exploits/Vulnerabilities, Privacy

Latest Posts:

GetAltName - Discover Sub-Domains From SSL Certificates GetAltName – Discover Sub-Domains From SSL Certificates
GetAltName it's a little script to discover sub-domains that can extract Subject Alt Names for SSL Certificates directly from HTTPS websites which can provide you with DNS names or virtual servers.
Memcrashed - Memcached DDoS Exploit Tool Memcrashed – Memcached DDoS Exploit Tool
Memcrashed is a Memcached DDoS exploit tool written in Python that allows you to send forged UDP packets to a list of Memcached servers obtained from Shodan.
QualysGuard - Vulnerability Management Tool QualysGuard – Vulnerability Management Tool
QualysGuard is a web-based vulnerability management tool provided by Qualys, Inc, which was the first company to deliver vulnerability management services as a SaaS-based web-service.
Memcached DDoS Attacks Will Be BIG In 2018 Memcached DDoS Attacks Will Be BIG In 2018
So after the massive DDoS attack trend in 2016 it seems like 2018 is going to the year of the Memcached DDoS amplification attack with so many insecure Memcached servers available on the public Internet.
libsodium - Easy-to-use Software Library For Encryption libsodium – Easy-to-use Software Library For Encryption
Sodium is a new, easy-to-use software library for encryption, decryption, signatures, password hashing and more. It is a portable, cross-compilable, installable, packageable fork of NaCl, with a compatible API.
XSStrike - Advanced XSS Fuzzer & Exploitation Suite XSStrike – Advanced XSS Fuzzer & Exploitation Suite
XSStrike is an advanced XSS detection suite, which contains a powerful XSS fuzzer and provides zero false positive results using fuzzy matching. XSStrike is the first XSS scanner to generate its own payloads.

Comments are closed.