How Hackers Used Slack to Break into EA Games

A representative for the hackers explained to Motherboard how the group stole a wealth of data from the game publishing giant.
June 11, 2021, 1:10pm
Image: Chesnot/Getty Images
Hacking. Disinformation. Surveillance. CYBER is Motherboard's podcast and reporting on the dark underbelly of the internet.

The group of hackers who stole a wealth of data from game publishing giant Electronic Arts broke into the company in part by tricking an employee over Slack to provide a login token, Motherboard has learned.

The group stole the source code for FIFA 21 and related matchmaking tools, as well as the source code for the Frostbite engine that powers games like Battlefield and other internal game development tools. In all, the hackers claim they have 780GB of data, and are advertising it for sale on various underground forums. EA previously confirmed the data impacted in the breach to Motherboard.


A representative for the hackers told Motherboard in an online chat that the process started by purchasing stolen cookies being sold online for $10 and using those to gain access to a Slack channel used by EA. Cookies can save the login details of particular users, and potentially let hackers log into services as that person. In this case, the hackers were able to get into EA's Slack using the stolen cookie. (Although not necessarily connected, in February 2020 Motherboard reported that a group of researchers discovered an ex-engineer had left a list of the names of EA Slack channels in a public facing code repository).

"Once inside the chat, we messaged an IT Support member and explained to them we lost our phone at a party last night," the representative said.

Do you work at EA? Do you know anything else about this breach? We’d love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.

The hackers then requested a multifactor authentication token from EA IT support to gain access to EA's corporate network. The representative said this was successful two times.

Once inside EA's network, the hackers found a service for EA developers for compiling games. They successfully logged in and created a virtual machine giving them more visibility into the network, and then accessed one more service and downloaded game source code.

The representative for the hackers provided screenshots to help corroborate the various steps of the hack, including the Slack chats themselves. EA then confirmed to Motherboard the contours of the description of the breach given by the hackers.

In its earlier statement, EA said, "We are investigating a recent incident of intrusion into our network where a limited amount of game source code and related tools were stolen. No player data was accessed, and we have no reason to believe there is any risk to player privacy. Following the incident, we’ve already made security improvements and do not expect an impact on our games or our business. We are actively working with law enforcement officials and other experts as part of this ongoing criminal investigation."

The representative of the hackers also provided Motherboard with a series of documents they say were stolen as part of the hack. They include an assortment of material on PlayStation VR, how EA creates digital crowds in the FIFA games, and documents about AI in games. Sony, which owns the PlayStation brand, did not respond to a request for comment.

Bot Lets Hackers Easily Look Up Facebook Users' Phone Numbers

The person selling access to the service claims it has data on 500 million Facebook users.
January 25, 2021, 3:58pm
Image: Igor Golovniov/SOPA Images/LightRocket via Getty Images

A user of a low-level cybercriminal forum is selling access to a database of phone numbers belonging to Facebook users, and conveniently letting customers look up those numbers by using an automated Telegram bot.

Although the data is several years old, it still presents a cybersecurity and privacy risk to those whose phone numbers may be exposed—one person advertising the service says it contains data on 500 million users. Facebook told Motherboard the data relates to a vulnerability the company fixed in August 2019.


"It is very worrying to see a database of that size being sold in cybercrime communities, it harms our privacy severely and will certainly be used for smishing and other fraudulent activities by bad actors," Alon Gal, co-founder and CTO of cybersecurity firm Hudson Rock, and who first alerted Motherboard about the bot, said.

Do you work at Facebook, or know about another data breach? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.

Upon launch, the Telegram bot says "The bot helps to find out the cellular phone numbers of Facebook users," according to Motherboard's tests. The bot lets users enter either a phone number to receive the corresponding user's Facebook ID, or vice versa. The initial results from the bot are redacted, but users can buy credits to reveal the full phone number. One credit is $20, with prices stretching up to $5,000 for 10,000 credits. The bot claims to contain information on Facebook users from the U.S., Canada, the U.K., Australia, and 15 other countries.

Motherboard tested the bot and confirmed it contained the real phone number of a Facebook user who tries to keep this number private.


In 2019, researchers found it was possible to scrape Facebook users' phone numbers en masse. Gal obtained a sample of the bot's data and provided it to Motherboard. When Motherboard then shared that sample with Facebook so the company could comment, Facebook said the data contained Facebook IDs that were created prior to Facebook's fix of the contact vulnerability. Facebook said it also tested the bot itself against newer data, and that the bot did not return any results.


But the bot can still present a significant issue for people who may have linked their number to their Facebook account before August 2019. This should be cold comfort to many—for years before 2019, Facebook encouraged and at times required users to give it their phone number. It was also caught using the phone numbers people gave the company for two-factor authentication to target users with ads, meaning it was gathering phone numbers from its most security-minded users. By 2019, Facebook already had more than 2 billion users worldwide. And the ease of access for this new bot means that even unsophisticated cybercriminals or hackers can obtain the information.

"It is important that Facebook notify its users of this breach so they are less likely to fall victim to different hacking and social engineering attempts," Gal added.



Cellebrite Pushes Update After Signal Owner Hacks Device

The law enforcement forensics provider updated some of its products a few days after a security researcher claimed to have found critical vulnerabilities in Cellebrite’s devices.
April 27, 2021, 2:29pm
Image: JACK GUEZ/AFP via Getty Images

Cellebrite, a well-known provider of phone-unlocking and hacking technology for law enforcement agencies, pushed an update to its products less than a week after the CEO of Signal claimed to have hacked one of the company's products.

Moxie Marlinspike, the founder of the popular encrypted messaging app Signal, explained in a blog post last week that he had obtained a Cellebrite device and found that "industry-standard exploit mitigation defenses are missing, and many opportunities for exploitation are present." According to him, that allowed an attacker to embed malicious files in their app or phone—once connected to a Cellebrite unlocking device—that would then exploit the Cellebrite devices and manipulate what kind of data the device could access, potentially compromising police investigations.


On Monday, Cellebrite pushed an update to its customers.

A source who works in the forensics industry provided Motherboard with a copy of the Cellebrite announcement. Motherboard granted the source anonymity to protect them from retaliation from Cellebrite. Motherboard obtained multiple copies of the announcement. 

Two new version updates "have been released to address a recently identified security vulnerability. The security patch strengthens the protections of the solutions," the announcement read.

Cellebrite has limited which products can perform a logical iOS extraction. Mobile forensics products typically perform both logical and physical extractions, with the former being the simpler of the two.

"As part of the update, the Advanced Logical iOS extraction flow is now available in Cellebrite UFED only," the announcement added.

Do you work for Cellebrite? Are you a Cellebrite customer? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, Wire/Wickr @lorenzofb, or email lorenzofb@vice.com. You can contact Joseph Cox on Signal on +44 20 8133 5190, Wickr on josephcox, or email joseph.cox@vice.com

The announcement did not specifically say whether the addressed vulnerability is one and the same as the one disclosed by Marlinspike. It does add that "Based on our reviews, we have not found any instance of this vulnerability being exploited in the real-life usage of our solutions."

"This update is precautionary, as per our security response procedures. As always, we recommend customers regularly apply the latest software version updates," the message reads.


A Cellebrite customer, who asked to remain anonymous as they were not allowed to speak to the press, said that they believed these updates were to address the vulnerabilities found by Marlinspike. 

"It appears to be an attempt to minimize the attack surface not a 'fix,'" the source said. 

Andrew Garrett, CEO of forensics firm Garrett Discovery, told Motherboard in an email that "Most law enforcement have IT administrators that monitor and work on computers within the forensic lab and based on these types of attacks they should reconsider their network architecture to avoid someone taking total control of their network. The entire ecosystem of digital forensic tools is built on egg shells."

On Sunday, an Israeli human rights lawyer sent a letter to the country's attorney general demanding that Israeli police stop using the forensic technology until it can be fully audited, Haaretz reported.

Marlinspike's blog post was the latest in escalating tensions between Signal and Cellebrite. Signal is one of the largest encrypted messaging services in the world; Cellebrite is designed to extract information off of devices including message content. Last year, Cellebrite published a blog post titled "Cellebrite's new solution for decrypting the Signal app." Marlinspike then published a blog titled "No, Cellebrite cannot 'break Signal encryption,'" and last week published the blog post describing Cellebrite vulnerabilities. 

Cellebrite did not respond to a request for comment.



Hacking Startup 'Azimuth Security' Unlocked the San Bernardino iPhone

Motherboard can confirm a Washington Post report that said Azimuth Security developed the tool used on the San Bernardino iPhone.
April 14, 2021, 12:53pm
Image: John Smith/VIEWpress

The group of hackers that provided the U.S. government with the capability to unlock an iPhone at the center of the San Bernardino terrorist attack investigation was Azimuth Security, a small firm in Australia that develops high-end hacking tools for governments, The Washington Post reported on Wednesday. Motherboard confirmed Azimuth's involvement with a source with knowledge of the company's operations. Motherboard granted the source anonymity as they weren't authorized to speak publicly about the case.


The news provides clarity to one of the most closely watched episodes in the so-called Going Dark debate, where the U.S. government has tried to find legal and technical mechanisms to circumvent the encryption offered on popular consumer devices, including those made by Apple. In 2017 a dramatic legal tussle between the Department of Justice and Apple came to a sudden and mysterious end. As the Department of Justice tried to force Apple to unlock the encrypted iPhone of one of the dead San Bernardino terrorists, a group approached the FBI and provided a technical solution. 

The Washington Post reported that David Wang, a researcher who developed the exploit, dubbed it Condor. Motherboard's source, who provided the information several years ago, also said the "one-off" tool developed by Azimuth was called Condor.

Do you work for Azimuth or did you used to? Do you work for another exploit and capability firm? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.

The FBI, Azimuth Security, Linchpin Labs, and L3Harris did not respond to a previous request for comment in March from Motherboard when asked about Azimuth's involvement. Apple declined to comment. Thom Mrozek, the director of media relations at the United States Attorney's Office for the Central District of California told Motherboard in an email "We have no comment."

Azimuth sits in the high-end tier of the exploit industry. Whereas other companies which develop hacking tools may sell them to as many governments as possible, Azimuth and other small shops typically provide them to democratic governments. In February 2018, Motherboard revealed that Azimuth has previously provided exploits—through a partner firm run by ex-spies called Linchpin Labs—to the FBI, Australia’s intelligence services, as well as the UK and Canada. As Motherboard reported, the FBI obtained an exploit for the Tor Browser from Azimuth. 

Contracting giant L3Harris later acquired Azimuth and Linchpin Labs in April 2018.

Multiple news outlets sued the FBI for information on who provided the iPhone hack. In 2017 the Department of Justice turned over nearly 100 pages of heavily redacted documents, which contained nothing on the possible identity of the hackers.

Shortly after the FBI successfully accessed the phone, rumours circulated, originating with a single Israeli press report, that established phone-cracking company Cellebrite was behind the hack. Those reports were unsubstantiated, though. 

After unlocking the device, the FBI found no previously unknown message data or contacts.


Ransomware Gangs Are Starting to Hack Vulnerable Microsoft Exchange Servers

After Chinese government hackers took the lead, cybercriminals are stepping in to try to monetize unpatched Exchange email servers: “This is poised to be pretty bad,” a Microsoft researcher said.
March 12, 2021, 3:25pm
IMAGE: CATHRYN VIRGINIA/VICE

The already disastrous hacks of Microsoft Exchange servers, used by thousands of companies all over the world to manage their emails, just got worse.

On Thursday night, Microsoft reported that it had detected a new type of ransomware targeting Exchange servers. According to Philip Misner, Microsoft's security program manager, the ransomware is called DoejoCrypt or DearCry. The ransomware gang is abusing the vulnerabilities that Chinese government hackers and other state-sponsored groups have been abusing for weeks, as Microsoft revealed at the beginning of March. According to news reports, the Chinese government hackers, who were the first to exploit the vulnerabilities, have broken into more than 30,000 companies in the US, and hundreds of thousands all over the world. 


Now, cybercriminals are piling on and trying to take advantage of the same vulnerabilities to make some cash. 

"In my opinion, this is poised to be pretty bad," said a Microsoft security researcher, who asked to remain anonymous because they were not authorized to speak to the press. The researcher said they think the hackers are still in a preliminary phase, sorting through which organizations they have broken into before deciding which ones to try to monetize.


Joe Slowik, a security researcher at DomainTools, told Motherboard in an online chat that while the government-backed hackers were targeting Exchange servers as a first step to hack into even more sensitive parts of an organization, the cybercrime gangs "will seek to execute disruptive effects such as ransomware." 

Do you have information about the breach of Microsoft Exchange servers or other data breaches? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, OTR chat at lorenzofb@jabber.ccc.de, or email lorenzofb@vice.com

The good news is that, for now, cybercriminals have to manually target and exploit Exchange servers, and there's no evidence that they can make the ransomware spread in an automated way. 

"Based on all available information it is deployed post compromise via interactive operations and not automatically," Slowik said. "This makes it significantly different from a self-propagating ransomware variant like WannaCry."

According to Costin Raiu, the Director of the Global Research and Analysis Team (GReAT) at Kaspersky Lab, even cybercriminals who operate cryptocurrency miners on hacked computers are targeting vulnerable Exchange servers. This shows that even relatively unsophisticated hackers, like those who run cryptocurrency miners, are jumping onto the Exchange servers hacking frenzy.  


For Brett Callow, a security researcher at Emsisoft, companies will now face new challenges.

“Patching is easy whereas remediating isn’t. Small businesses may not even know how to work out whether they’ve been compromised, let alone fix any compromise which has already occurred,” Callow said in an online chat.

According to cybersecurity firm Palo Alto Networks, there are still around 80,000 Exchange servers that are vulnerable.

All these cybercriminals are taking advantage of the same vulnerabilities. Many organizations have yet to patch them, despite the fact that Microsoft published fixes for the vulnerabilities on March 2. 

Microsoft is doing all it can to limit the damage. On Wednesday, an independent security researcher published a proof-of-concept tool to hack Exchange servers on the popular Microsoft-owned open source repository GitHub. The company removed the tool, claiming it violated its Acceptable Use Policies, a move that caused controversy. 

"I am completely speechless here," Dave Kennedy, the founder of cybersecurity consultancy TrustedSec, said on Twitter. "This is huge, removing a security researchers' code from GitHub against their own product and which has already been patched. This is not good." 

For others, however, it was the right thing to do. 

"There's more than 50,000 unpatched exchange servers out there," Marcus Hutchins, a security researcher at Kryptos Logic, responded to Kennedy. "Releasing a full ready to go RCE chain is not security research, it's recklessness and stupid."

Ransomware gangs and run-of-the-mill cybercriminals getting in on the game shows that, perhaps, the genie is now out of the bottle.  

This story was updated to include a quote from Brett Callow and information from Palo Alto Networks.

