FIREEYE AND LOOKOUT MOBILE THREAT LANDSCAPE

THE CYBER THREAT INTELLIGENCE EXPERTS
Wes Medley, Federal Architect – FireEye
[email protected]
Tim LeMaster, Security Architect – Lookout
[email protected]
COPYRIGHT © 2016, FIREEYE, INC. ALL RIGHTS RESERVED.
Agenda
• Threat Actor Attack Trends
• Mobile Threat Landscape Trends for 2016
  • Mobile Credential Theft Malware
  • Android Ransomware
  • SMS Phishing
  • Mobile Malware Distribution Methods
• Intelligence Led Security
FireEye iSIGHT Intelligence Sources
Attack Trends
• Financial Crime - prior to 2013: “Unsophisticated”
  • Loud and straight-forward
  • Opportunistic
  • Rudimentary toolkits
  • (usually) Basic skills
• Since 2013, sophistication has been steadily increasing
  • 2014 M-Trends: “the lines are blurring between run-of-the-mill cyber criminals and advanced state-sponsored attackers”
  • Larger infrastructure, better toolsets, increased focus on persistence
Attack Trends
• 2016: “The line between the level of sophistication of certain financial attackers and advanced state-sponsored attackers no longer exists”
  • Custom backdoors with unique, tailored configurations per target
  • Increased infrastructure resiliency
  • Counter-forensic techniques
  • Increased interest in inter-banking networks & infrastructure
  • ATMs
Attack Trends (cont.)
• Email has always been a major target
• 2016 showed an increase in interesting ways to access email
• Financial attackers tailor phishing email to a specific client, location or employee
  • They then call the victims to “help” them (social engineering by phone)
Mobile Threat Landscape Trends for 2016
• Mobile Credential Theft Malware
• Android Ransomware
• SMS Phishing
• Mobile Malware Distribution Methods
Mobile Credential Theft Malware
• Observed considerable growth of mobile device focused malware
• Increase in overall sophistication of mobile device malware
• Credential theft mobile malware common feature set:
  • Collect call logs and cell tower information
  • File system access
  • Browser and search history
  • SMS listening and interception (captures SMS-delivered one-time codes)
  • Camera and microphone access
  • Ability to install and remove apps
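The feature set above maps directly onto permissions and components an Android app has to declare in its manifest, so it can be triaged statically. The Python below is an added example (not FireEye or Lookout tooling): it parses a decoded AndroidManifest.xml, maps the declared permissions onto the capabilities listed above and checks for a receiver registered on SMS_RECEIVED, the concrete mechanism behind “SMS listening and interception”. The capability-to-permission mapping, the flag threshold and both sample manifests (a fake “flashlight” app and a benign one) are this example’s own assumptions.

```python
"""Triage a decoded AndroidManifest.xml for the credential-theft capability
set listed above. Added example, not FireEye/Lookout tooling: the
capability-to-permission mapping and the flag threshold are assumptions."""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"  # the android: namespace
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Slide capability -> Android permissions that grant it (heuristic mapping).
CAPABILITIES = {
    "call logs / cell tower info": {"android.permission.READ_CALL_LOG",
                                    "android.permission.READ_PHONE_STATE",
                                    "android.permission.ACCESS_COARSE_LOCATION"},
    "file system access": {"android.permission.READ_EXTERNAL_STORAGE",
                           "android.permission.WRITE_EXTERNAL_STORAGE"},
    "browser / search history": {"com.android.browser.permission.READ_HISTORY_BOOKMARKS"},
    "SMS listening / interception": {"android.permission.RECEIVE_SMS",
                                     "android.permission.READ_SMS"},
    "camera / microphone": {"android.permission.CAMERA",
                            "android.permission.RECORD_AUDIO"},
    "install / remove apps": {"android.permission.REQUEST_INSTALL_PACKAGES",
                              "android.permission.REQUEST_DELETE_PACKAGES"},
}


def declared_permissions(manifest_xml: str) -> set:
    """All <uses-permission android:name="..."/> values in the manifest."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}


def sms_receiver_present(manifest_xml: str) -> bool:
    """True if any intent-filter registers for SMS_RECEIVED, i.e. the app is
    wired to see every incoming text (including one-time codes)."""
    root = ET.fromstring(manifest_xml)
    return any(a.get(ANDROID + "name") == SMS_RECEIVED for a in root.iter("action"))


def triage(manifest_xml: str) -> dict:
    """Score the manifest by how many slide capabilities it can exercise."""
    perms = declared_permissions(manifest_xml)
    hits = {cap: sorted(perms & wanted) for cap, wanted in CAPABILITIES.items()}
    hits = {cap: found for cap, found in hits.items() if found}
    if sms_receiver_present(manifest_xml):
        hits.setdefault("SMS listening / interception", []).append("receiver:" + SMS_RECEIVED)
    # Three or more capabilities is this example's (assumed) flag threshold.
    return {"capabilities": hits, "score": len(hits), "flag": len(hits) >= 3}


# Constructed sample: a "flashlight" app that wants far more than a torch.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Flashlight">
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed benign sample: network access only.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_MANIFEST), indent=2))
    print(json.dumps(triage(BENIGN_MANIFEST), indent=2))
```

A manifest-only check is a first pass: runtime permission grants, dynamically registered receivers and code loaded after install (as with PluginPhantom later in this deck) are not visible here, so treat a high score as a reason to look closer, not as a verdict.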
Trends in Mobile Credential Theft Malware
• Proliferation of mobile Automated Transfer System (ATS) scripts
  • ATS scripts allow threat actors to transfer money from compromised accounts
• Threat actors’ increased interest in malware that allows two-factor authentication circumvention
Mobile Ransomware
• Mobile ransomware attacks increased significantly in 2016
• Mobile ransomware attacks occur via malicious apps disguised as legitimate applications
• Android ransomware popularity increases
• Mobile ransomware incorporates more sophisticated features
• Mobile ransomware does not typically encrypt data on the mobile device; it primarily just blocks access to the device (screen locking)
• Simplocker (May 2014) was the first mobile malware observed to incorporate encryption
Mobile Ransomware (cont.)
• Mobile ransomware is widely available on underground forums, mostly Russian language based
Mobile Malware Distribution Methods
• Mobile malware is distributed through malicious applications available from third-party and legitimate application stores
  • In January 2017, Check Point detected 20 applications on Google Play carrying an Android malware known as HummingWhale
  • In February 2016, researchers reported a threat actor advertising two private keys of an Apple Enterprise code signing certificate for sale on the dark web
• SMS phishing campaigns continue to be a popular distribution method
• Malware developers often use adult-themed applications as infection vectors, and then leverage that theme in law enforcement-themed extortion lures
Intelligence Led Security
• Threat Intelligence drives operations and decisions
• Mature from reactive defense to proactive threat hunting
• Continuously assessing, training, and integrating enables the Intelligence program to stay aligned and remain ahead of the next threat
[Diagram: Threat Modeling, Threat Profile, Defensive Planning, Automated Workflows, Tactical Prioritization Schemes, Response Efficiency, Hunt Planning]
Intelligence Led Security
Cyber Threat Intelligence-led security programs have quickly moved from a “bleeding edge” practice embraced by a few to a capability sought by organizations of all sizes
Tips for creating an intelligence led security program
• Design a strategy with threat landscape awareness
• Consider the capability level of your program and the individuals charged with executing it
• Expose your resources to the realities they are likely to face in their daily jobs
• Update strategic plans to align with overall realities
By creating such an innovative environment, you can stay ahead of the threat
THANK YOU
Lookout
Mobile Threat Landscape…
Tim LeMaster
April 2017
[email protected]
Your mobile device is a gold mine for hackers
• ENTERPRISE EMAIL
• CREDENTIALS: Stored, Soft Tokens
• ENTERPRISE NETWORK: VPN, WiFi
• ENTERPRISE APPS: SaaS, Custom Apps
• PHOTO ALBUM: Whiteboard Screenshots, IDs
• SENSORS: GPS, Microphone, Camera
Agenda
https://pages.nist.gov/mobile-threat-catalogue/application.html#page
Multiple attack vectors utilized
• OS
  • End user jailbreak/root
  • Malicious jailbreak/root
  • OS vulnerabilities exploitation
  • Data on stolen devices
• Apps
  • Malicious apps
  • Non-compliant apps
  • App vulnerability exploits
  • Data leakage
• Network
  • Malicious MitM attacks
  • Anomalous Root CA
Mobile OS Summaries
Android
Android Patches
• 102 patched CVEs in Apr
  • 79 high or critical
• 104 patched CVEs in Mar
  • 78 high or critical
• Android Security Advisory 2016-03-18
  • Rooting app – Kernel vuln
• Deployment challenges
  • Older devices not getting updates
https://source.android.com/security/bulletin/2017-03-01.html
iOS
iOS Patches / iOS Status
• iOS version 10.3.1 released 3 Apr
  • WiFi chip vulnerability patch
• iOS version 10.3 released 27 Mar
  • 91 CVEs patched
  • Scareware for Ransom
    • Safari browser pop-ups loop
• iOS version 10.2.1 released 23 Jan
  • 22 CVEs patched
• Need employees to update…
https://support.apple.com/en-us/HT207617
Configuration Profile Change
iOS 10.3 Behavior Change
1. Click on a link to a configuration profile (.mobileconfig)
2. Install the profile (which contains a VPN configuration and a root CA)
3. Ignore the scary warnings
4. Navigate to Settings -> General -> About -> Certificate Trust Settings, find the newly installed root CA and turn it “on” (new in iOS 10.3: a root CA installed from a manually downloaded profile is no longer trusted for TLS until the user enables it here)
5. Traffic is now routed through the attacker’s VPN and decrypted/analyzed by the attacker
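Because the profile is the artifact the user is tricked into installing, it can be inspected before step 2, or before an MDM pushes it. The Python below is an added example, not Lookout’s tooling: it parses a .mobileconfig plist and flags the root-CA-plus-VPN (or global proxy) combination that enables the interception in step 5. The payload type strings are Apple’s; the two sample profiles, their identifiers and the placeholder certificate bytes are constructed. Signed profiles are CMS-wrapped and must be unwrapped first (e.g. `openssl smime -inform der -verify -noverify -in profile.mobileconfig`).

```python
"""Triage an iOS configuration profile (.mobileconfig, an XML plist) for the
root CA + VPN/proxy combination used for on-device TLS interception.
Added example; payload type strings are Apple's, everything else is assumed."""
import hashlib
import plistlib

ROOT_CA_PAYLOAD = "com.apple.security.root"           # installs a trusted root CA
VPN_PAYLOAD = "com.apple.vpn.managed"                 # routes traffic through a VPN
GLOBAL_PROXY_PAYLOAD = "com.apple.proxy.http.global"  # routes HTTP(S) via a proxy


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 over the certificate bytes, for matching against an allow list."""
    return hashlib.sha256(der).hexdigest()


def parse_profile(data: bytes) -> list:
    """Return the payload dicts carried in an (unsigned) profile plist."""
    top = plistlib.loads(data)
    return list(top.get("PayloadContent") or [])


def triage_profile(data: bytes) -> dict:
    roots, vpns, proxies = [], [], []
    for p in parse_profile(data):
        ptype = p.get("PayloadType", "")
        if ptype == ROOT_CA_PAYLOAD:
            roots.append({"name": p.get("PayloadDisplayName", ""),
                          "sha256": cert_fingerprint(p.get("PayloadContent", b""))})
        elif ptype == VPN_PAYLOAD:
            vpn = p.get("VPN") or {}
            vpns.append({"type": p.get("VPNType", ""),
                         "remote": vpn.get("RemoteAddress", ""),
                         "on_demand": bool(vpn.get("OnDemandEnabled", 0))})
        elif ptype == GLOBAL_PROXY_PAYLOAD:
            proxies.append(p.get("ProxyServer", ""))
    findings = []
    if roots:
        findings.append("installs %d root CA(s)" % len(roots))
    if vpns:
        findings.append("installs %d VPN configuration(s)" % len(vpns))
    if proxies:
        findings.append("sets a global HTTP proxy")
    # The interception pattern: a new trust anchor plus a path that steers
    # traffic to whoever holds that CA's private key.
    return {"roots": roots, "vpns": vpns, "proxies": proxies,
            "findings": findings, "mitm_risk": bool(roots) and bool(vpns or proxies)}


def _profile(payloads: list, name: str) -> bytes:
    """Wrap payloads in a constructed top-level profile and serialise to XML plist."""
    return plistlib.dumps({
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadDisplayName": name,
        "PayloadIdentifier": "com.example." + name.replace(" ", "-").lower(),
        "PayloadUUID": "00000000-0000-4000-8000-000000000001",
        "PayloadContent": payloads,
    })


# Constructed samples (not real profiles; the "certificate" is placeholder bytes).
MALICIOUS_PROFILE = _profile([
    {"PayloadType": ROOT_CA_PAYLOAD, "PayloadVersion": 1,
     "PayloadIdentifier": "com.example.free-wifi.ca",
     "PayloadUUID": "00000000-0000-4000-8000-000000000002",
     "PayloadDisplayName": "Free Wi-Fi Root CA",
     "PayloadContent": b"PLACEHOLDER-DER-CERT"},
    {"PayloadType": VPN_PAYLOAD, "PayloadVersion": 1,
     "PayloadIdentifier": "com.example.free-wifi.vpn",
     "PayloadUUID": "00000000-0000-4000-8000-000000000003",
     "UserDefinedName": "Free Wi-Fi VPN", "VPNType": "IKEv2",
     "VPN": {"RemoteAddress": "vpn.example.invalid", "OnDemandEnabled": 1}},
], "Free Wi-Fi Booster")

BENIGN_PROFILE = _profile([
    {"PayloadType": "com.apple.wifi.managed", "PayloadVersion": 1,
     "PayloadIdentifier": "com.example.corp-wifi.wifi",
     "PayloadUUID": "00000000-0000-4000-8000-000000000004",
     "SSID_STR": "CorpWiFi", "EncryptionType": "WPA2"},
], "Corp Wi-Fi")

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_PROFILE), ("benign", BENIGN_PROFILE)):
        print(label, triage_profile(blob))
```

The root CA fingerprint is what to compare against the organisation’s list of approved private CAs; a root that is not on that list, arriving together with a VPN or proxy payload, is the “Anomalous Root CA” case from the attack-vector slide.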
Mobile Risk Highlights…
• Alternative App stores
• Fraudulent/Fake Apps
• Pegasus for Android AKA Chrysaor
• PluginPhantom
• ViperRAT – surveillanceware
• App take downs
Lots of alternative app stores…
Pegasus/Chrysaor Spyware
Pegasus for Android
• Worked jointly with Google
• Lookout app corpus analysis
• Unique IOCs
• APK based malware
• Doesn’t require root
  • Does try privilege escalation
• May use WAP for infection
PluginPhantom
DroidPlugin Dynamic Loader
• Used for targeted surveillanceware
• Repackaged Android Apps
• None on Google Play
• Dynamically Load Malicious APK
• Extract files, access mic/camera, track location, receive files… (Sounds familiar)
• DES encrypted C2
ViperRAT
Surveillanceware
• Social media for targeting
  • Fake profiles posing as young women
  • Build trust
  • Install app for easier communication
• Multi-stage malware
  • Dropper for profiling
  • 2nd stage is more capable
    • Extract files and photos
210 Lookout-discovered threats in the Google Play Store (2016)
[Timeline, reconstructed from the slide; every family listed was discovered by Lookout in the Play Store and subsequently removed by Google]
Date (2016)      | Family               | Apps | Description
July 15          | BouncerBounce        | 1    | Malware that works around Google’s review process to plant malicious apps in Play Store.
August 4         | OverSeer             | 4    | Spyware targeting foreign travelers searching for Embassy locations. Steals contact and location data.
September 7      | DressCode            | 13   | Can make the device a proxy for network traffic on corporate networks.
September 30     | DressCode            | 3    | We discovered more apps on Play injected with this trojan.
October 19       | TcemuiPhoto Uploader | 1    | Lookout discovered this malware family in fake versions of popular apps on Play.
October-November | WakefulApp Download  | 2    | Malware hidden in a "File Explorer" app that had gotten into Play; downloads and launches additional apps.
November 25      | XRanger              | 167  | 167 apps in Play infected with this app dropper.
Apps that exhibit sensitive behaviors
• ACCESS TO SENSITIVE DATA: Apps that access sensitive corporate or employee data, including PII
• DATA EXFILTRATION: Apps that upload sensitive data to external servers
• DATA SOVEREIGNTY VIOLATIONS: Apps that violate data sovereignty regulations or send data to risky geographies
• USE OF CLOUD SERVICES: Apps that access cloud storage providers, social networking services, or peer-to-peer networks
• INSECURE DATA HANDLING: Apps that don’t use proper encryption when storing or sending data
• VULNERABILITIES: Applications with known vulnerabilities
What can we do about all of this?
Gartner Market Guide for Mobile Threat Defense Solutions
“It is becoming increasingly important that security leaders look at the anti-malware, mobile threat defense solutions market, the products available and how they should be used.”*
This Gartner report is available upon request from Lookout
Lookout Mobile Endpoint Security meets all four functional capabilities, including:
Behavioral Anomaly Detection
Vulnerability Assessment
Network Security
App Scan
Source: Gartner Market Guide for Mobile Threat Defense Solutions, John Girard and Dionisio Zumerle, July 2016
*Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of
Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
What about Data Protection?
Data privacy controls limit what Lookout can see
[Diagram: the MDM holds the full device record (MDM Device ID: ID101519905000; username: John Smith; email (redacted); phone number: +1 (555) 455-0000; IMEI: 0150880990440000). The Lookout console sees only the MDM Device ID and the THREAT DETECTED event.]
FedRAMP
How is it applicable to Mobile
• Data analysis and correlation
• Data Protection
• Privacy
• Cloud Provider protection
• SaaS provider
  • SSP, 2FA, Logging, patching, encryption…
Six platform principles for securing mobility
• Global endpoint presence: Over 100M mobile sensors worldwide have sent security telemetry to Lookout.
• Powered by the cloud, not the device: Lookout customers carry a powerful security cloud in their pocket that won’t affect device battery or performance.
• Machine-intelligence driven: Machine intelligence drives predictive detection of threats that evade signatures and behavioral analysis.
• Low TCO with no heavy lifting: We’re non-disruptive to install, no additional headcount is needed, and we’ve trained people within an hour.
• Privacy by design: Personal data stays personal by analyzing the underlying software, not the user. FedRAMP compliant.
• Delightful end-user experience: We know how to build products that people love – we have millions of happy customers.
Questions