How Attackers are Targeting Your Mobile Devices
Wade Williamson

Today's Agenda
- Brief overview of mobile computing today
- Understanding the risks
- Analysis of recently discovered malware
- Protections and best practices
2012, Palo Alto Networks. Confidential and Proprietary.
Mobile Buzz, Hype, and Risk

Mobility is being adopted faster than any other technology
Smart phone and tablet adoption is outpacing virtually every technology that came before it.

Time to maturity
(Chart: time to maturity of smart phones and tablets compared with earlier technologies.) Smart phone and tablet adoption is outpacing virtually every technology that came before it.
Android has begun to dominate
(Charts, parts 1 to 3; source: Magic Software, State of BYOD 2013.)
- 79% of mobile malware targets Android (US Department of Homeland Security)
Add it all up: Huge growth in the enterprise attack surface
- Massive new adoption of mobile computers
+ High level of functionality, comparable to PCs
+ Largely undefended compared to PCs
= A very large and unguarded attack surface for the bad guys
Anatomy of a Network Compromise
(Diagram of the stages of a network compromise.)
- Initial entry: phishing email via corporate email (SMTP, link to malicious site) or web-based email (SSL, malicious attachment) to the initially targeted client; brute-force, exploitation and command injection against the corporate email server
- Initially targeted client: exploit delivery, remote access tool download, command-and-control
- Lateral movement: legitimate credentials used; exploitation, tool drops, credential and data theft against the domain controller, application servers, hypervisor and virtual server host (HTTP)
- Mobile devices: compromise of mobile devices, command-and-control, data exfiltration
- End state: network ownership complete; workstations harvested for IP and used as mules
Palo Alto Networks Platform for Advanced Threats
- Full Network Visibility: fully inspect all traffic; equal full-stack inspection of all traffic across all ports; decrypt SSL; all hosts, mobile and virtualized
- Control the attack surface: block whenever possible; take action on the unknowns; empower the security team
- Shared Context: application, user, file type, URL
- Signature Technologies: exploit, malware, C2, DNS, hacking and reconnaissance
- Test and Manage Unknowns: unknown malware, unknown traffic, unknown URLs (automated feedback)
- Investigation and Response: share IOCs, PCAPs, end-point integration, SIEM integration, correlated anomalies

Palo Alto Networks Platform for Mobile Threats
- GlobalProtect (iOS and Android)
- Full Network Visibility: equal full-stack inspection of all traffic across all ports; decrypt SSL; all hosts, mobile and virtualized
- App-IDs for mobile apps; APK malware AV signatures; WildFire analysis of APKs
- Shared Context: application, user, file type, URL
- Signature Technologies: exploit, malware, C2, DNS, hacking and reconnaissance
- Test and Manage Unknowns: unknown malware, unknown traffic, unknown URLs (automated feedback)
- Investigation and Response: share IOCs, PCAPs, end-point integration, SIEM integration, correlated anomalies
Zero-day discovery with WildFire
- 10Gbps advanced threat visibility and prevention on all traffic, all ports (web, email, SMB, etc.)
- Stream-based malware engine performs true inline enforcement
- Malware run in the cloud with open internet access to discover C2 protocols, domains, URLs and staged malware downloads (command-and-control, staged malware downloads, host ID and data exfil)
- Malware, DNS, URL, and C2 signatures automatically created based on WildFire intelligence and delivered to customers globally: anti-malware signatures, DNS intelligence, malware URL database, anti-C2 signatures
- Global intelligence and protection delivered to all WildFire users; additional input from soak sites, sinkholes and 3rd-party sources
- WildFire Appliance (optional): on-premises WildFire appliance available for additional data privacy
New Delivery Vectors for Malware
- WildFire detected previously unknown malware being delivered by mobile ad networks.
- These mobile ad networks present a novel security challenge. App developers need to use them in order to make money, and the ad networks often require the developer to embed software from the ad network within the application.
- Mobile ad networks are uniquely engrained in mobile apps: if the ad network is malicious, an unsuspecting benign application can pull malicious content.
How a valid app from a valid store can deliver malware
(Diagram: (1) the app is installed from the app store; (2) the ad network SDK embedded in the app pulls malware from the malicious ad network.)
Analysis of Parasites Malware
- Malicious code repackaged within a benign host application
- Able to be called dynamically and independent of the host app
- Triggered to execute based on local events on the device: a user unlocks the device, the device connects to a WiFi network, a new app is installed
- Able to add new malware into any app on the host ("so many choices")

Analysis of Parasites Malware: building a botnet out of many different infected applications
- The malware can infect any app on the host, providing many places to hide
- Uses SMS to build a command and control channel: sends SMS to attacker-controlled numbers and intercepts incoming SMS messages
- Uses both the device ID and the infected app to identify hosts and build a botnet
(Diagram: Device #1 / App B, Device #2 / App C, Device #3 / App D, each reporting to the botnet.)
Leveraging SMS for Instant Profit
Takes advantage of the compromised device to sign up for premium services.
1. Device is infected (via the malicious ad network).
2. SMS is used to sign up for a pay web service that likely does nothing at all ("Sign me up!").
3. Service is verified by capturing incoming SMS confirmation messages ("Are you sure?" / "Yes!").
4. The victim is completely unaware until his monthly bill arrives.
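The two behaviours described above (event-triggered execution and SMS used for C2 and premium-service sign-up) leave a recognisable footprint in an app's AndroidManifest.xml: a receiver for the listed device events plus SMS_RECEIVED, combined with SEND_SMS/RECEIVE_SMS permissions. The triage heuristic below is an added example written for this deck, not code from Palo Alto Networks or WildFire; the sample manifest is constructed and the verdict logic is a hypothetical rule, not a detection signature.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"

# Device events the deck lists as parasite triggers -> Android broadcast actions.
TRIGGER_ACTIONS = {
    "android.intent.action.USER_PRESENT": "user unlocks the device",
    "android.net.conn.CONNECTIVITY_CHANGE": "device connects to a network",
    "android.intent.action.PACKAGE_ADDED": "new app is installed",
}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"
SMS_PERMISSIONS = {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"}

def assess_manifest(manifest_xml: str) -> dict:
    """Collect SMS permissions, event triggers and SMS interception from a manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(NAME) for p in root.iter("uses-permission")}
    triggers, intercepts_sms = set(), False
    for receiver in root.iter("receiver"):
        for action in receiver.iter("action"):
            name = action.get(NAME)
            if name in TRIGGER_ACTIONS:
                triggers.add(TRIGGER_ACTIONS[name])
            elif name == SMS_ACTION:
                intercepts_sms = True
    sms_perms = perms & SMS_PERMISSIONS
    # Hypothetical triage rule: SMS capability plus either interception or event triggers.
    suspicious = bool(sms_perms) and (intercepts_sms or bool(triggers))
    return {"sms_permissions": sorted(sms_perms), "triggers": sorted(triggers),
            "intercepts_sms": intercepts_sms, "suspicious": suspicious}

# Constructed sample manifest (not from any real app) showing the pattern.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.hostapp">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <receiver android:name=".Trigger">
      <intent-filter>
        <action android:name="android.intent.action.USER_PRESENT"/>
        <action android:name="android.intent.action.PACKAGE_ADDED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsCatcher">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
```

Run `assess_manifest(SAMPLE_MANIFEST)` on a decoded manifest (e.g. from apktool output) to get the triggers and SMS capabilities for review; a legitimate SMS app will also match, so the verdict is a triage prompt rather than a conviction.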
Questions