MAN-IN-THE-MIDDLE ATTACKS TARGET iOS AND ANDROID


TLP: GREEN
GSI ID: 1084

MAN-IN-THE-MIDDLE ATTACKS TARGET iOS AND ANDROID
RISK FACTOR - HIGH

1.1 / OVERVIEW /

Information from intelligence sources suggests ongoing efforts by an organized and resourceful group of malicious actors to target mobile devices, such as smartphones. Open-source intelligence suggests man-in-the-middle attacks are targeting owners of specific phone and software vendors with attempts to steal credentials or hijack browsing sessions in an effort to serve malicious applications. This activity has been observed primarily in Asia, beginning in September 2014.

The attacks have targeted software vendors, Software-as-a-Service (SaaS) providers and Internet service providers in an attempt to acquire the sign-in credentials of their users. Attacks also attempt to serve malicious software, such as Remote Access Trojans (RATs), by the use of phishing techniques or by impersonating valid applications. Other attacks use phishing to solicit users to download applications hosted on third-party repositories. Attackers first compromise a client device or network in order to use webinjects; however, portions of these attacks might also be used in cross-site scripting (XSS), phishing and drive-by download attacks.

1.2 / OPEN-SOURCE INTELLIGENCE /

A variety of sources have publicized attacks involving mobile devices. Apple Daily, a site owned by Next Media, was said to have reported that distributed denial of service (DDoS) attacks caused downtime and disruption in content publishing, according to Computer World Hong Kong. FireEye published research data that suggested the use of customized and sophisticated malware, which indicates a high level of skill and resources typically only available to veteran criminals. Figure 1 shows captured traffic indicating the man-in-the-middle attack.

Attacks on a large scale appear to have targeted companies that supply SaaS and application services, such as Microsoft online email and Apple application services, by conducting man-in-the-middle attacks on the Internet infrastructure. GreatFire.org reported a man-in-the-middle attack against the Microsoft, Yahoo and Apple iCloud services. These attacks purportedly sought to obtain credentials of victims by intercepting traffic going to these sites. They were reported in October 2014 and coincided with the release of Apple's iPhone 6 in Asia. Apple acknowledged the attack by producing a web page warning against the forged certificates and releasing a series of recommendations for users to avoid becoming victims of this type of attack. A forged security certificate is shown in Figure 2.

Figure 1: GreatFire.org shared captured traffic indicating the man-in-the-middle attack

Figure 2: A forged security site certificate for icloud.com

1.3 / TARGETED DEVICES: MOBILE /

Open-source intelligence suggests the active targeting of mobile devices. This targeting has been seen in the form of phishing attacks, attempts to create man-in-the-middle application stores, and impersonation of applications so the attackers can compromise devices, redirect them or gather information about users' browsing actions. The attacks require access to specific parts of the Internet infrastructure as well as specific knowledge of mobile operating system architecture in order to develop the customized malicious payload. In addition, cell phone signal interception technology may have been used when targeting victims. By intercepting cellphone signals and data, attackers can pinpoint the user's approximate location, eavesdrop on communications, modify incoming transmissions, view the communication and application protocols being used by victims, and proceed to target them. Previous research by Kristin Paget showed that actual interception of GSM traffic was possible by targeting GSM protocol vulnerabilities. Research also shows that the CDMA protocol and CDMA mobiles can be targeted and compromised.

The use of this technology by attackers may have aided their efforts in targeting specific applications and generating customized malicious payloads. The Apple iOS and Android mobile operating systems have been the primary mobile architectures targeted. The open-source Android architecture is more accessible to would-be attackers than iOS, but both have been targeted.

1.3A / ANDROID /

The exploitation of the Android platform can range from footprinting a specific operating system version to the complete takeover and command of the mobile device. Device users can allow installation of applications from third-party application stores, some of which are unsigned or unverified by the Google Play Store. Figure 3 shows how extensive exploitation of an Android mobile can be using current payloads available on the Internet.

Figure 3: An example of Android operating system exploitation via Metasploit penetration testing software

1.3B / iOS /

The iOS platform is closed-source and has a very restricted process of application verification, approval, review and publishing. It has multiple OS-based security controls. Companies must follow a process involving a number of formal requests and financial investments in order to be part of the Apple development program or even to get access to development resources. This makes iOS more difficult to target than the Android platform and reinforces the thesis that higher-level skills and resources were needed to create the exploits. Due to this difficulty, malicious actors chose tactics such as impersonating or bypassing the Apple App Store in order to serve malicious payloads to targeted victims. This is often accomplished by targeting enterprise provisioning profiles and bypassing the Online Certificate Status Protocol (OCSP) check used to validate enterprise certificates. A detailed description of this type of attack was published by Virus Bulletin.

In other cases, attackers will create clones of third-party applications in which they embed a targeted application's bundle identifier. Once this cloned (and malicious) application is installed, it will replace the genuine application, bypassing security checks. This approach is feasible because iOS does not enforce matching certificates for applications with the same bundle identifier. A detailed account of an attack named iOS Masque was published on the FireEye blog.

1.3C / THE JAILBREAKING FACTOR /

Malicious actors have also targeted users who have jailbroken their iOS phones. Jailbreaking is the process of removing limitations and security checks in the iOS operating system in order to allow users to install applications from other application stores. In China, for example, 14 percent of the 60 million iOS devices have been jailbroken, often to support the use of third-party Chinese character keyboard apps. Cydia is the most popular third-party application store installed after jailbreaking an iPhone.

1.4 / MOBILE REMOTE ACCESS TROJAN: THE XSSER MRAT /

Lacoon Mobile Security discovered the Xsser mRAT, the first advanced Chinese iOS Trojan, which is related to Android spyware already distributed broadly in Hong Kong. Both Android and iOS payloads were found to be installed on the same command-and-control server. Xsser mRAT was originally an Android-exclusive mobile Remote Access Trojan (mRAT); however, a new variant aimed at infecting iOS devices emerged in the jailbroken market. The app is installed via a rogue Cydia repository, and once the bundle has been installed and executed, it gains persistence. It then makes server-side checks, proceeds to exfiltrate data from the user's device and executes remote commands from its command-and-control (C2) server.

Applications bundled in Cydia use the popular Debian packaging system, where a .deb file contains the archive of files for the application. The Xsser mRAT package consists of several installation scripts and a Mach-O (the name associated with Apple binaries) executable. Following the extraction process, the postinst (post-install) file shown in Figure 4 executes a series of bash commands to adjust the permissions of the files.

Figure 4: The post-installation script packed with the iOS XsserRAT Debian file

It then executes the shell script xsser.0day_t.sh, shown in Figure 5, which is used to install the LaunchDaemon plist, giving the Trojan persistence.

Figure 5: The startup script executed after the post-installation script

Once the launchctl load command is executed, the contents of the plist file will determine which application is launched. This will be the xsser.0day_t binary, which has now been renamed to xsser.0day.

1.5 / HOSTING THE MALICIOUS APPLICATION /

In order for XsserRAT to be distributed, it must either be pushed onto the user's device or uploaded into a Cydia repository. Cydia repositories are sources where packages are maintained and distributed. They work in much the same way as Debian sources. Users must add these sources manually, or be tricked into adding them. Many jailbreak users add sources freely, without any guarantee that a source is safe from publishing malicious applications. There are a number of free sources where a user can host their applications. For example, a website called myrepospace provides free hosting for Cydia sources. This allows a malicious actor to host the offending application and phish users into adding the source with packages that target specific interests, such as popular games sold in the App Store. In Figure 6, a package disguised as the popular Flappy Bird game has been uploaded to a free source hosting webpage.
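The persistence chain described in sections 1.4 and 1.5 (post-install script, launchctl load, LaunchDaemon plist naming the binary) can be triaged from the artifacts it leaves behind. The following is an added example written for this page, not PLXsert's or the advisory's own code; the install script, both plists, the trusted-path list and the finding codes are all constructed for illustration.

```python
"""Triage LaunchDaemon persistence of the kind described for the Xsser mRAT.

Added example, not part of the Akamai advisory. The advisory says the
package's post-install script runs a shell script that installs a
LaunchDaemon plist and calls `launchctl load`, after which the plist
decides which binary starts at boot. The install script, both plists,
the trusted-path list and the finding codes below are all constructed.
"""
import plistlib
import re

# Constructed stand-in for the startup script in Figure 5 (not the real one).
SAMPLE_INSTALL_SCRIPT = """#!/bin/bash
chmod 755 /usr/bin/xsser.0day_t
mv /usr/bin/xsser.0day_t /usr/bin/xsser.0day
cp /tmp/com.apple.xsser.plist /Library/LaunchDaemons/
launchctl load /Library/LaunchDaemons/com.apple.xsser.plist
"""

# Constructed plist with the shape that script would install; the Apple-style
# label is chosen to blend in with stock daemons.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.apple.xsser</string>
<key>ProgramArguments</key><array><string>/usr/bin/xsser.0day</string></array>
<key>RunAtLoad</key><true/>
<key>KeepAlive</key><true/>
</dict></plist>"""

# Constructed plist with the shape of a stock Apple daemon.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.apple.locationd</string>
<key>ProgramArguments</key><array><string>/usr/libexec/locationd</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>"""

# Assumption: on a stock device, Apple-labelled daemons run from these prefixes.
APPLE_PROGRAM_PREFIXES = ("/usr/libexec/", "/usr/sbin/", "/System/Library/")

LAUNCHCTL_LOAD = re.compile(r"^\s*launchctl\s+load\s+(?:-w\s+)?(\S+\.plist)", re.M)


def plists_loaded_by_script(script):
    """Paths of the plists an install script registers with `launchctl load`."""
    return LAUNCHCTL_LOAD.findall(script)


def triage_launchdaemon(plist_bytes):
    """Return (code, detail) findings for one LaunchDaemon plist; [] means nothing notable."""
    try:
        pl = plistlib.loads(plist_bytes)
    except Exception as exc:  # a plist launchd cannot read is itself worth a look
        return [("UNPARSEABLE", str(exc))]
    label = str(pl.get("Label", ""))
    args = pl.get("ProgramArguments") or [pl.get("Program", "")]
    program = str(args[0])
    findings = []
    if not program:
        findings.append(("NO_PROGRAM", label))
    elif label.startswith("com.apple.") and not program.startswith(APPLE_PROGRAM_PREFIXES):
        # An Apple-looking label pointing at a non-Apple path is the mismatch to chase.
        findings.append(("APPLE_LABEL_MISMATCH", f"{label} -> {program}"))
    if findings and pl.get("RunAtLoad") and pl.get("KeepAlive"):
        # Start at boot plus auto-restart is the persistence the advisory describes.
        findings.append(("PERSISTENT_AUTOSTART", program))
    return findings
```

Run plists_loaded_by_script over a package's postinst and wrapper scripts to find which plists were registered, then triage_launchdaemon over each of those files; a jailbroken device's /Library/LaunchDaemons directory can be swept the same way.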

Figure 6: A malicious package, disguised as the popular gaming app Flappy Bird, is listed on a free source hosting site

Once an unsuspecting user has added the malicious source to his or her Cydia source list, the application is available for the user to download, as shown in Figure 7. No details are provided about the application, so the victim is unaware of the malicious binary.

Figure 7: The malicious app shown in the Cydia sources page

When the binary is executed, it will connect back to its C2 server. It will check the remote C2 against the local library file and attempt to update the local library if an outdated file is present. The check is made by the HTTP request CheckLibrary.aspx, as shown in Figure 8.

The remote library that is downloaded contains the remaining portion of the Trojan code.

Figure 8: The GET request checks for the latest library component of the XsserRAT Trojan

Figure 9 illustrates the strings and functions indicating capabilities for logging and remote updating by the downloader.

Figure 9: XsserRAT downloader functionality

At the time this threat advisory was published, the C2 had been taken down and attempts by the Trojan to download its extra library (in the lab environment) failed. Instead, PLXsert statically analyzed the missing library component. The library includes the main functionality of the XsserRAT Trojan, shown in Figure 10, such as functions to exfiltrate phone information, SMS text messages, email and other sensitive data.
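The call-home behaviour above (a GET for CheckLibrary.aspx against the C2, which the advisory later ties to the xsser.com domain) is the kind of thing a web proxy log can surface. The following is an added example written for this page, not PLXsert's code; the squid-like log layout, every sample line and the client addresses are constructed placeholders, and only the xsser.com domain and the CheckLibrary.aspx path come from the advisory.

```python
"""Flag XsserRAT-style call-home traffic in a web proxy log.

Added example, not part of the Akamai advisory. It keys on the two things
the advisory attributes to the Trojan's call-home: a GET for
CheckLibrary.aspx (the library-update check) and any host under xsser.com.
The squid-like log format ("ts client method url status"), every sample
line and the client IPs are constructed placeholders.
"""
from urllib.parse import urlsplit

C2_DOMAINS = {"xsser.com"}                 # from the advisory; extend from your own intel
C2_PATH_MARKERS = {"/checklibrary.aspx"}   # compared case-insensitively

SAMPLE_LOG = """\
1414400000.101 10.0.0.21 GET http://www.example.org/index.html 200
1414400001.377 10.0.0.21 GET http://xsser.com/CheckLibrary.aspx?v=1 200
1414400002.502 10.0.0.33 GET http://a7f3k9.xsser.com/lib/update.bin 200
1414400003.844 10.0.0.33 GET https://cdn.example.net/CheckLibrary.aspx 404
1414400004.010 10.0.0.45 GET http://notxsser.com/ 200
1414400005.110 10.0.0.45 CONNECT xsser.com:443 200
"""


def host_in_c2_domains(host):
    """True for the listed domains and any subdomain, never for look-alikes."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


def classify(url):
    """Reasons a request URL resembles the Trojan's check-in ([] if none)."""
    # CONNECT lines carry a bare host:port; give urlsplit a netloc to parse.
    parts = urlsplit(url if "://" in url else "//" + url)
    reasons = []
    if host_in_c2_domains(parts.hostname or ""):
        reasons.append("c2-domain")
    if parts.path.lower() in C2_PATH_MARKERS:
        reasons.append("library-check")
    return reasons


def scan_proxy_log(text):
    """Return (client, url, reasons) for every log line that matches."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip blank or malformed lines
        client, url = fields[1], fields[3]
        reasons = classify(url)
        if reasons:
            hits.append((client, url, reasons))
    return hits


def clients_to_investigate(hits):
    """Clients that reached the C2 domain itself; a path-only hit elsewhere is weaker."""
    return {client for client, _, reasons in hits if "c2-domain" in reasons}
```

The cdn.example.net line is flagged on path alone, which is why clients_to_investigate requires a domain match: the CheckLibrary.aspx marker by itself only earns a closer look, since any site can host a page by that name.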

Figure 10: The data exfiltration functions within the library component of the XsserRAT Trojan

Once the user has been infected, the malicious actor will receive sensitive information about the user's device, providing an opportunity to perform follow-up attacks such as extortion or other social engineering-related attacks against a company or organization. Figure 11 shows a web archive of the maliciously hosted XsserRAT on a Cydia source. This source is where the Trojan was hosted and where subsequent callbacks were made. Figure 12 shows open-source data on the xsser.com domain history.

Figure 11: A query to a wayback machine shows the xsser.com domain was serving malware as early as January 7, 2014

Figure 12: Open-source data on the xsser.com domain history

PLXsert has been able to verify that the xsser.com domain has been used extensively and modified to serve malware since at least January 7, 2014. There are also multiple randomly generated subdomains with dates older than January 7, 2014.

1.6 / PREVENTING INFECTION /

End users will find it very difficult to detect whether their phones are under attack from malware such as the Xsser mRAT. The best approach is prevention. Several common-sense protection measures apply:

- Avoid the use of free Internet hot spots. They can be readily compromised or set up to entrap unknowing users. Even if a free Wi-Fi SSID is familiar or known, it may be indistinguishable from a malicious one.
- Disable automatic Wi-Fi connections and disable Wi-Fi in public places. Disabling will prevent victimization by tools that impersonate known SSIDs.
- When possible, use a virtual private network (VPN) service. VPNs provide protection against eavesdropping and man-in-the-middle attacks.
- Enable two-factor authentication when possible in any application that requires the input of user credentials. Two-factor authentication adds a layer of protection.
- Ignore sudden or unexpected communications that contain generic salutations, grammatical errors in URLs, unexpected attachments or attachments sent from unknown entities. Do not click anything in these communications. Do not respond with sensitive information without verifying the origin of such requests or communications.
- It is difficult to detect GSM and CDMA attacks; however, any sudden requests to install, upgrade or download applications should be distrusted. Certificate errors in websites or login errors in phone applications are an indicator of possible malicious activity. In addition, sudden signal intensity changes could indicate cell tower impersonation or tampering.
- Use peer-to-peer proximity networking technology to help avoid infrastructure eavesdropping or tampering, but be aware that attackers may join these networks and sniff traffic.
- Do not install any application from an untrusted or unsigned source. Caution will reduce the attack surface when mobile devices are being targeted.
- Do not jailbreak phones. Jailbreaking exposes iOS to a wide range of attacks.
- Consider the use of commercial phone applications that warn of, discover and interrupt malicious processes.

1.7 / CONCLUSION /

The use of sophisticated attack methods against unsuspecting mobile device users shows the extent to which veteran criminals with resources will go to target mobile phones. Only a well-funded and coordinated multi-member organization can execute such a campaign. Campaigns like this provide a warning about the types of methods that can be used against users for the purpose of surveillance or profit. Attack vectors involving mobile technology include DDoS, compromise of the Internet infrastructure, man-in-the-middle attacks, customized malicious mobile operating system payloads, possible cellphone tower eavesdropping technology and social engineering.

The Prolexic Security Engineering and Research Team (PLXsert) monitors malicious cyber threats globally and analyzes these attacks using proprietary techniques and equipment. Through research, digital forensics and post-event analysis, PLXsert is able to build a global view of security threats, vulnerabilities and trends, which is shared with customers and the security community. By identifying the sources and associated attributes of individual attacks, along with best practices to identify and mitigate security threats and vulnerabilities, PLXsert helps organizations make more informed, proactive decisions.

Akamai is a leading provider of cloud services for delivering, optimizing and securing online content and business applications. At the core of the company's solutions is the Akamai Intelligent Platform, providing extensive reach coupled with unmatched reliability, security, visibility and expertise. Akamai removes the complexities of connecting the increasingly mobile world, supporting 24/7 consumer demand, and enabling enterprises to securely leverage the cloud. To learn more about how Akamai is accelerating the pace of innovation in a hyperconnected world, please visit www.akamai.com or blogs.akamai.com, and follow @Akamai on Twitter.

Akamai is headquartered in Cambridge, Massachusetts in the United States with operations in more than 40 offices around the world. Our services and renowned customer care enable businesses to provide an unparalleled Internet experience for their customers worldwide. Addresses, phone numbers and contact information for all locations are listed on www.akamai.com/locations

© 2014 Akamai Technologies, Inc. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission is prohibited. Akamai and the Akamai wave logo are registered trademarks. Other trademarks contained herein are the property of their respective owners. Akamai believes that the information in this publication is accurate as of its publication date; such information is subject to change without notice. Published 10/14.