TikTok and the Threat Posed by Zero-click Attacks

TikTok users have been targeted by zero-click attacks over direct messages (DM). Kate O’Flaherty explores what was interesting about this new attack methodology and questions what other novel attack methods businesses should be aware of.

TikTok users started falling victim to a novel attack that compromised accounts via direct message at the start of June. The scary thing was that no interaction or action was needed: victims didn’t even have to click on the message to be breached.

Forbes, which first reported the incident, said multiple celebrities and big brands, including Paris Hilton, CNN, and Sony, were hit by the TikTok ‘zero-click’ attack.

Similar zero-click attacks have been seen before, but in the past, adversaries used flaws in WhatsApp or iMessage to deliver their messages containing spyware, such as the now infamous Pegasus, to smartphones.

The TikTok incident is the first time social media has been targeted with a zero-click over direct message (DM), making it the first novel attack for a while.

How the TikTok zero-click DM attacks work

The TikTok attackers targeted DMs, using a zero-day vulnerability in the messaging component to execute code when a message was opened. This differs from many of the zero-click attacks seen on iMessage, for example, as spyware can be delivered without a user having to even open the message.

Zero-click attacks are generally concerning because they are difficult to detect and respond to. “The technology makes the likelihood of people detecting an issue very small because they don’t have to actively click on a link,” says Raluca Saceanu, CEO of Smarttech247.

“The TikTok incident is the first time social media has been targeted with a zero-click over DM”

Nothing has been disclosed about how this particular TikTok exploit worked. Still, Matt Aldridge, principal solutions consultant at OpenText Cybersecurity, says these attacks generally involve exploiting a chain of vulnerabilities in decoding data, metadata, or media encoded in the message body.

Aldridge calls zero-click exploits the “holy grail of attacks” for targeting individual users. “They often go completely unnoticed by the target, and you don’t even have to interact with the message,” says Aldridge.

While it’s not the first zero-click attack in general, it’s the first high-profile case of one happening over a social media platform, says Owen Lloyd-Jones, security consultant at Prism Infosec. “It is concerning due to its reach and the fact that many users will not be prepared for DM-activated malware,” he says. “Users are now quite savvy about not clicking on links but are often under the impression that opening a DM is harmless.”

Other new attack methods

The TikTok attack fits with a general trend where adversaries are looking to target the user as the “weakest link in the chain”. This is because better security controls are making it harder to initiate exploits or gain access unaided, says Lloyd-Jones.

Increasingly, adversaries are also going for the “slow-burn” approach, he says. “This sees them slowly compromising accounts, using them to gather information about other users and trying to move from account to account until they can reach their goal. This method aligns with the speculation around the hijacked TikTok accounts.”

“Users are now quite savvy about not clicking on links but are often under the impression that opening a DM is harmless” Owen Lloyd-Jones

It also stands to reason that many novel attacks are starting to include artificial intelligence (AI). For example, new threat group Void Arachne is taking advantage of malicious Microsoft Software Installer (MSI) files that contain legitimate software but are bundled with malicious Winos payloads to launch attacks on Chinese targets, security outfit Trend Micro has found.

The campaign also promotes compromised MSI files embedded with nudifiers and deepfake pornography-generating software, as well as AI voice and facial technologies. It uses SEO poisoning tactics and social media and messaging platforms to distribute malware. This installs a Winos backdoor during the installation process, which could lead to a complete system compromise, researchers said.

In general, AI deepfake attacks are also on the rise, says Lloyd-Jones, citing the example of an attack at the start of 2024. “This saw an employee transfer $25 Million to scammers who joined a Zoom call using deepfake AI technology to pose as high-ranking employees. With AI video and voice generation developments, it can be hard to trust who you are speaking to.”

Techniques combining “fuzzing” – hitting a piece of software with vast amounts of unexpected data to try to break it – with AI can yield powerful results, says Aldridge. For this reason, he says it is crucial that anyone writing apps, web services or other software “go to great lengths to ensure their code is secure, including carefully monitoring for vulnerabilities in their software dependencies.”

Meanwhile, software vulnerabilities are a top method used by cyber criminals to infiltrate businesses. With new attacks, vulnerabilities, and exploits, the most important response “is a rapid one,” says Lloyd-Jones.

Kaspersky’s exploits and vulnerabilities report in Q1 2024 found that a business is most at risk in the initial weeks after the publication of a vulnerability. “Keeping your security team on the lookout for these emerging vulnerabilities and techniques and relaying information to the necessary technical staff could put your organisation in the best position of defence during the time of piqued interest,” he advises.

Stay ahead of new attack methodologies

The problem with new attacks is that they are mostly impossible to predict, at least on a granular level. This puts the onus on businesses to carry out basic measures to protect themselves, says Richard Werner, Trend Micro’s cybersecurity platform lead for Europe. “In general, systems and applications should be updated as soon as possible, and avoid using outdated software at all costs.”

“Software supply chain integrity must be maintained by analysing all dependencies” Matt Aldridge

Threat intelligence and information sharing between businesses are also important to mitigate new attack methodologies and uncover methods targeting specific sectors.

For businesses operating online services, regular penetration testing should be performed against services and their networks, Aldridge says. “Software supply chain integrity must be maintained by analysing all dependencies and regularly checking for new flaws and vulnerabilities.  Bug bounty programmes can also be a great option to incentivise white-hat hackers to turn their attacks against a particular product or service – reporting flaws before the bad guys can do the same.”

Lessons can also be learned from the TikTok attack. The attempt on Paris Hilton’s TikTok was unsuccessful, possibly because it was protected by multi-factor authentication (MFA). This shows MFA “really is a must-have for all online accounts now”, says Aldridge.

In the case of TikTok, there’s an onus on social media platform providers to put measures in place to prevent these types of compromises, says Lloyd-Jones. “In this instance, rapid disclosure was key to protect the TikTok brand, with the firm informing the user base of potentially compromised DMs and reassuring account holders.”