Illegal Legal Hacks

Looks like Apple and meta will be undergoing some social engineering awareness training!

Hackers posing as various legal entities succeeded in acquiring private customer data (PII) from Apple and Meta in mid-2021, it was reported this week. Under the guise of law enforcement officials, hackers forged “emergency data requests” and were provided with details such as customer addresses, phone numbers and IP addresses. 

Law enforcement globally liaises with social media platforms to procure important information to solve criminal investigations but these are always with a court order, subpoena or search warrant signed by a judge. ‘Emergency requests” do not require these forms of verification as by nature they are intended for use in dangerous situations of imminent consequence. It isn’t clear whether companies provided the information on a number of occasions or just one time. 

Amazingly, investigators believe that this was carried out by the same minors believed to be behind Lapsus$. In this case, the perpetrators used the information to harass individuals, although it is suspected that it will be used for future financial fraud. 

It’s important to note that the requests came from legitimate email accounts of law enforcement agencies that had been breached by a malicious actor. So when the companies tried to verify the email, it my have appeared legitimate indeed. According to Bloomberg.com, Allison Nixon, Chief research officer at the cyber firm Unit 221B, stated that this legal flexibility for employees of social media platforms to respond with private data has saved lives in numerous tragic situations. This would suggest that the flaw doesn’t lie in what was the response to a legitimate request.

What stands out as being flawed is the security surrounding the official law enforcement email system that was hacked. It will be interesting to see the results of an investigation of how the perpetrators took over the email to send out these requests. 

Ensure your networks and systems are water-tight by assessing their security through a comprehensive risk assessment and taking immediate action to remediate flaws and patch vulnerabilities

Start Getting Value With
Centraleyes for Free

See for yourself how the Centraleyes platform exceeds anything an old GRC
system does and eliminates the need for manual processes and spreadsheets
to give you immediate value and run a full risk assessment in less than 30 days