This morning, a number of Australian iPad and iPhone users woke up to a strange sight.
A message, saying something like this:
Device hacked by Oleg Pliss. For unlock device...
...was visible on the screen.
Some reports say that Mr Pliss is asking for $50/€50, as in our screenshot below, while others report that he wants $100 or €100 via Paypal “for unlock device.”
It’s ransomware, but not as we know it.
As far as we can tell, the affected devices aren’t infected with malware; instead, it looks as though the attackers have somehow got hold of the victims’ iCloud login credentials and locked their devices remotely.
The demands seem to be localised to Australia, or at least to Australian users, with some reports from New Zealand.
So far, so bad.
What happened?
The problem with cloud-based attacks, as this seems to be, is that it can be hard to work out who has done what, or how to stop them (and, better, how to identify and prosecute them).
Postings on one Australian discussion forum are alive with speculation, but that’s all we have so far.
• Could it be a side-effect of the recent eBay hack?
After Adobe’s 2013 hack, many passwords were recovered from the stolen database, even though it was encrypted.
This was in part due to Adobe’s incompetence in how it secured the data, and in part due to poor password choice by users.
Other online services, such as Facebook, took the precaution of testing out passwords revealed by the Adobe breach against their own users.
The results were as expected: many people had used the same, easily guessed, password on multiple sites.
But the password data stolen from eBay doesn’t seem to have surfaced anywhere yet (the stolen Adobe data was made publicly available as part of the hack).
Also, there are reports of users who don’t have eBay accounts getting the “Oleg Pliss” message.
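The cross-check described above (a service testing breach-revealed passwords against its own users) as an added example, not code from the article or from Sophos: a site that stores salted PBKDF2 hashes can verify each leaked (email, password) pair against its own records and flag matches for a forced reset. The breach dump and user store below are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample "breach dump": (email, plaintext) pairs as they might be
# recovered from a third-party breach. Hypothetical data, not real accounts.
BREACH_DUMP = [
    ("alice@example.com", "Password123"),
    ("bob@example.com", "letmein"),
    ("carol@example.com", "correct horse battery staple"),
]

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, the form in which our own service stores passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user_store(accounts):
    """Build a constructed local user store: email -> (salt, hash). No plaintext kept."""
    store = {}
    for email, password in accounts:
        salt = os.urandom(16)
        store[email.lower()] = (salt, hash_password(password, salt))
    return store


USER_STORE = make_user_store([
    ("alice@example.com", "Password123"),    # reused: same password as in the breach
    ("bob@example.com", "a-different-one"),  # same email, different password
    ("dave@example.com", "unrelated"),       # not present in the breach at all
])


def find_reused_credentials(breach_dump, user_store):
    """Return emails whose breached password verifies against our own store."""
    reused = []
    for email, leaked_pw in breach_dump:
        entry = user_store.get(email.lower())
        if entry is None:
            continue  # not our customer, nothing to check
        salt, stored_hash = entry
        # Constant-time comparison of the recomputed hash against the stored one.
        if hmac.compare_digest(hash_password(leaked_pw, salt), stored_hash):
            reused.append(email)
    return reused


if __name__ == "__main__":
    for email in find_reused_credentials(BREACH_DUMP, USER_STORE):
        print(f"force password reset and notify: {email}")
```

Accounts returned by the check are the ones a service would lock and force through a password reset, exactly the precaution the article credits Facebook with after the Adobe breach.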
• Could it be a Man in the Middle (MitM) attack caused by an Apple software bug?
Some commenters on the Whirlpool forum suggest a security weakness in iTunes or iCloud, allowing hackers to trick vulnerable devices into visiting a fake login site, where Apple usernames and passwords could have been harvested.
But the iTunes security holes referenced as part of this explanation were fixed over a year ago, meaning that all affected devices would be running a long-superseded version of iOS.
No such attack pattern has been reported.
• Could it be MitM caused by a hack against an Australian ISP?
Perhaps the apparent localisation of the ransom pop-up is because it’s a Man in the Middle attack that relies on re-routing traffic inside a vulnerable ISP in Australia?
That might explain how iCloud logins could be hijacked in only one part of the world, and why even well-informed users might not realise they were visiting the wrong servers.
But there doesn’t seem to be any ISP-specific pattern amongst the victims, and at least one reported victim was an Australian user currently in London, England, connecting via an ISP in the UK.
• Could it be down to jailbreaking?
Australia was famously the site of the world’s first true in-the-wild virus (self-replicating malware) for iPhones.
The virus, known as Ikee and written by a youngster from Wollongong, New South Wales, was limited to jailbroken devices, which kept its prevalence down.
Perhaps something like that happened again?
But not all victims have jailbroken devices.
• Could a breach against an Australian online service have coughed up passwords that victims re-used elsewhere?
That’s plausible.
If the service were one that people outside Australia would be unlikely to use (e.g. because it was tied to a product only available in Australia), this is a possible explanation.
We’re inclined to consider this the most likely reason we’ve seen so far, but it relies on all victims being the sort of people who re-used passwords.
→ If you are, or know, a victim who has always used a password manager (this sort of software automatically creates a different weird-and-wonderful password for each account), we’d love to know. That would seem to rule out this explanation, too.
• Could it be a hoax?
What if the messages are just spams simply asking for $50, or $100, but nothing is locked or ransomed at all?
But victims are reporting having been locked out, and to have received emails from Apple’s lost iDevice service to say that someone has reported their iDevice as lost.
• Could it be a hole in the “report my iDevice locked” service?
Some commenters are referring to a recent story about Dutch-Moroccan hackers calling themselves Doulci (an anagram of iCloud) who claim to be able to unlock frozen iDevices using some sort of MitM attack.
That’s plausible, if Doulci’s claims are true, but the “Oleg Pliss” attack involves locking your device against your will, rather than unlocking a frozen device against Apple’s will.
Also, the Doulci hack doesn’t explain why all the victims seem to have an Australian connection.
• Could it be a Joe Job against someone called Oleg Pliss?
A “Joe Job” is the online equivalent of putting up a message in a telephone booth with an irresistible offer, giving the number of someone you don’t like. (The episode that gave this sort of attack its name was carried out using spam with the sender spoofed in the name of a victim called Joe Doll.)
But if so, it’s an astonishingly subtle Joe Job, because it doesn’t identify the actual “Joe” against whom the victims are supposed to take retribution.
Also, whether it is a Joe Job or not doesn’t explain how the attack was carried out, or why only Australians were targeted.
What to do?
The bottom line is that:
1. We don’t yet know how this happened.
2. It smells like stolen or guessed passwords shared with some other account.
3. If guess (2) is correct, choosing a different, non-trivial password for each account would almost certainly have protected you.
4. If guess (2) is correct, using Apple’s two step verification would almost certainly have protected you.
Apple introduced its version of 2FA (two factor authentication) after the infamous case of a journalist called Mat Honan, whose iDevices were hijacked via the cloud in 2012.
Honan didn’t get the chance to pay $50 to get his data back: the crook or crooks decided to trigger a remote wipe of his devices instead.
If you have an Apple account, we suggest you look into two step verification right away.
If you’d like to know more about 2FA, and what it can do for you, take a listen to our Techknow podcast:
Have you been hit?
If you’ve seen the “Oleg Pliss” message, you can recover without paying the ransom.
→ We urge you not to pay, or even to negotiate to pay. Indeed, it seems that paying probably won’t work anyway, with Aussie journalist Ben Grubb reporting on Twitter that, for at least one of the email addresses used in the scam, there is no associated PayPal account.
At worst, you will need to do a “recovery mode” reset of your device, which will remove all your apps and data.
If you have a recent backup, you can then recover it using iTunes.
Apple tells you how in support article HT5570.
By the way, if you were hit, we’re interested in hearing from you. (If you have screenshots, we’d love to see them!)
You can leave a comment below, or email tips@sophos.com – we won’t use your name unless you [a] tell us what it is and [b] give us permission.
Just a thought, but this might be a result of an mdm provider of some sort being interfered with.
I haven’t seen any information on if these devices (how many?) were under MDM or not, but if some mobile carriers’ “helping you keep your mobile safe” type service got owned or interfered with it might explain a geographic link.
Lock screens are the same since MDM triggers the same function as Find My iPhone.
I like that explanation. (MDM, by the way, means “mobile device management,” the official interface provided by Apple to let the otherwise heavily controlled iOS environment be managed by third party products, like our own Sophos Mobile Control.)
Problem is that it sounds as though victims are reporting that their iCloud credentials have been changed – presumably to a new password that Mr Oleg is offering to sell back to you. Forgive my ignorance, but could a third-party MDM product do that, or does that tell us the crooks must have known their victim’s Apple passwords?
Quite mysterious.
Please do keep us updated if you find out anything new about this case.
My guess however, is that it’s stolen re-used passwords.
Other possible explanations might be
* Aussie ISP hacked allowing users’ email to be redirected, thus allowing the crooks to do password resets.
But with so many users these days on web-based services like Gmail and Outlook.com (where your email is no longer stored-and-forwarded by your ISP), this seems unlikely.
* Apple’s own customer database hacked or misused.
It’s conceivable that a rogue insider (or malware on an Apple/Apple Store computer in Oz) might have managed a raft of password resets, limited to Aussie accounts by some sort of internal regional security restriction.
But if you had the smarts to go to those lengths, would you ask for $100 to be sent to a non-existent account for a “recovery service” many users simply don’t need (if they follow Apple’s existing recovery advice)?
As you say, “Quite mysterious!”
And adding another one:
* Windows malware that takes over via iTunes on Windows (or via your browser) and manages to do a remote lock.
I’m guessing ever more wildly now.
We can as good as disprove this one if there are any victims who only ever use Macs. And we can disprove the other side of this, that this was Mac malware, if there are any victims who don’t have a Mac.
Anyway, it’s highly unlikely considering the apparent Aussie-centric nature of the attack.
(I’m ruling out cross-platform malware carefully limited to Aussie users. If you’re smart enough to mount an attack that sophisticated, I reckon you aren’t going to make a basic grammatical mistake in your extortion message!)
I would say the hack might be linked to the iTunes store country setting. My iTunes store account is different from my iCloud profile and I wonder if any of the victims have a different store account and iCloud account – I am guessing not. So then a compromised in-app purchase could possibly acquire credentials to the store and, by default, to iCloud, to permit this to happen. It shouldn’t but that would be my best guess, given the geographical nature of the hack.
Add it to the list of possibilities. Dodgy in-app purchase code…interesting idea. But I still don’t see why that would cause the geographical focus on Oz. Of course, it could have been a dodgy app that just happened to be Oz-specific, e.g. for a service only offered in or relevant to Oz.
Well the iTunes store account is linked to a geography so if the app were in that store and no/few others you would see this kind of geographical trend. Now the iTunes store account doesn’t have to be the same as the iCloud account but it usually is, unless your iTunes account is older typically – mine predates iCloud and the requirement for the login to be an email address, for example.
I don’t think the iCloud account is linked to a geography as closely as the iTunes store account is, which is why I thought that might be a vector. Of course, one would hope that the payment dialogues in iOS were proofed against snooping, but one would hope a lot of things about computer security that turn out to be wrong…
An example of a geography-specific app might be a tie-in to an Australian TV show where licensing prevents it from being distributed elsewhere. This is pretty common with apps in the iTunes Japan store for example – they exist nowhere else.
You can also imagine a geographical angle for various free apps that relate to regionally-specific services (payment of local rates, electricity, public transport, taxation, etc.) Or, as you say, a “catchup” video player for a TV channel that is limited to a particular country.
Apple’s reaction so far seems to be that “it’s password re-use, not anything Apple ID related.”
Of course…we may never find out. (Like we never found out who wrote the Conficker virus, or what it was for.)
Phishing? I have been seeing an uptick of Apple account phishing in the last couple of months.
Add it to the list of possibilities. But why the apparent Aussie-only distribution of victims? Unless it was one crook doing a test validation of a bunch of Apple account creds he just bought…
I do IR in higher-ed. Phishing schemes here come in targeted little waves. They even take the time to research the institution to get terminology and branding down. Doesn’t make as much sense for an Apple account phish, but the point is that I’ve found phishing and a few other scams like this to be targeted enough to be regional (US). I don’t know why AUS would be any different. It seems the simplest explanation to me.
Are the affected users on Windows and OS X, or Windows alone?
Not sure. They’re all on iOS, though 🙂
Will stick with my dumbphone. Let them try hacking that old Nokia.
I don’t think setting a password makes everything go off beautifully. Some hackers easily gain access to a Wi-Fi connected iPhone when it’s jailbroken if they try the default root password; 80% of jailbreakers know nothing about the root password configuration after their jailbreak!!! Some users even install spy apps like ikeymonitor to steal the unlock passcode when the device is jailbroken. We are not living in a safe world protected by a password.
But it is at least safer than no password. In normal cases, a password is a protective and useful shield, even if it is weak to some extent.
Might it be as simple as login+passwords of people using an open WiFi (such as in an Australian domestic airport) being harvested before the “gotofail” bug was patched in late Feb?
Regarding Apple’s 2FA, it only works in a handful of countries. Granted, these countries cover big percentage of Apple’s market but we from the rest of the world are left out in the cold.
I read the message as ‘Device hacked by Oleg, Pliss for unlock device’…. Given this happened in the UK looks like whoever did it thought it would be funny to play on the compare the market adverts and the recent addition of troublemaker baby Oleg.
I keep getting a dialogue box popping up at random times on my iPhone saying that iCloud backup needs to verify my iCloud password. I ignore it but now wonder if it is not iCloud but malware. We have iPhones and iPads and back up to the Mac, not iCloud. Probably it is unrelated, but I have followed the discussion expecting that the mystery of how it was done would have been solved by now.
We reside in Australia and were alarmed when the story broke.