Lookout: Securing Mobility · 2018-09-06
TRANSCRIPT
Lookout: Securing Mobility
Tim LeMaster | John Cuddehe
August 2018
"The views expressed in this presentation are those of the author(s) and do not necessarily reflect the official policy or position of the Air Force, the Department of Defense, or the U.S. Government."
Your users are going mobile.
Starbucks is your fall-back Wi-Fi.
Your mobile device is a gold mine for hackers
ENTERPRISE EMAIL
ENTERPRISE NETWORK: VPN, WiFi
ENTERPRISE APPS: SaaS, Custom Apps
CREDENTIALS: Stored, Soft Tokens
PHOTO ALBUM: Whiteboard Screenshots, IDs
SENSORS: GPS, Microphone, Camera
Lookout 2017 | Confidential and Proprietary
How are you protecting your corporate data?
(Comparison across DEVICE, NETWORK, WEB & CONTENT and APPS for PC versus MOBILE)

PC
- Device: Selected, purchased, and managed by organization - Administered by IT - Managed by SCCM - OS version control - OS integrity monitoring - Behavioral monitoring
- Network: LAN / corporate Wi-Fi, VPN when traveling - On-device firewalls - Perimeter firewall - TIC
- Web & Content: Filtered at organizational perimeter - Secure Web Gateways
- Apps: Selected, purchased, and managed by organization - Anti-Virus - DLP - Vulnerability scanning

MOBILE
- Device: Selected, purchased, and managed by user*
- Network: Always-on cellular; user-selected Wi-Fi
- Web & Content: Often unfiltered
- Apps: Organization-issued, some BYOD - Partially managed using MDM
RISK MATRIX: COMPONENTS OF RISK
(Rows: Threats, Software Vulnerabilities, Behavior & Configurations; columns (vectors): Apps, Device, Network, Web & Content)

APPS
- Threats: Spyware & surveillanceware; Trojans; Other malicious apps
- Software vulnerabilities: Out-of-date apps; Vulnerable SDKs; Poor coding practices
- Behavior & configurations: Apps that leak data; Apps that breach org security policy; Apps that breach regulatory compliance

DEVICE
- Threats: Privilege escalation; Remote jailbreak/root
- Software vulnerabilities: Out-of-date OS; Dead-end hardware; Vulnerable pre-installed apps
- Behavior & configurations: User-initiated jailbreak/root; No pin code/password*; USB debugging

NETWORK
- Threats: Man-in-the-middle; Fake cell towers; Spoofed WiFi APs; Root CA installation
- Software vulnerabilities: Network hardware vulnerabilities; Protocol stack vulnerabilities
- Behavior & configurations: Proxies, VPNs, root-CAs; Auto-joining unencrypted networks

WEB & CONTENT
- Threats: Phishing; Drive-by-download; Malicious websites & files
- Software vulnerabilities: Malformed content that triggers OS or app vulnerabilities
- Behavior & configurations: Opening attachments and visiting links to potentially unsafe content
Select Android Threats Discovered Over The Last 12 Months
746 Lookout-discovered threats in the Google Play Store (2017)
(Legend: = Discovered by Lookout in Play Store and subsequently removed by Google.)
Timeline dates shown on slide: April 2017, May 2017, December 2017, January 2018, February 2018

AppInsite
Mobile malware that opens tunnels through enterprise firewalls. Sleeps while the app is in use to evade detection. Up to 1 million downloads.

Igexin
Malware that spies on victims through otherwise benign apps by downloading malicious plugins. Over 500 apps available on Google Play used the Igexin ad SDK.

PickBitPocket
Apps in Play that pretended to be Bitcoin wallet apps. Tricks users into sending the attacker’s wallet address, not their own, to the payer.

skyGoFree
Sophisticated Android spyware created by an Italian company for targeted surveillance.

January 2018
Pallas
Android-based mAPT used in the Dark Caracal global espionage campaign against military personnel, enterprises, journalists, universities, and activists.

Monero Cryptomining
Drive-by cryptomining campaign targeting millions of Android users leveraging forced redirects and trojanized apps.

June 2018
Sonvpay
Android apps were “re-packaged” to secretly sign up for premium paid services in the background. Some apps are in Play.

50 out of 1000 devices encounter app-based threats
100 in 1000 devices encounter a phishing URL every year
5 in 1000 enterprise devices have been rooted
iOS Security Highlights (2016 - 2018)
Timeline dates shown on slide: August 2016, September 2016, November 2016, March 2017, January 2018, June 2018
* Looking at all updates between iOS 9 and iOS 11

Dribble – app that jailbreaks iPhone
Lookout discovered the Dribble client, which can jailbreak your iPhone, in the App Store. It appears that the app had been in the App Store since July 30th.

Fake retail apps in App Store
Fraudsters were able to get fake retail apps into the App Store. Victims were subject to ID and sensitive data theft, including credit card and home address details. In media reports, including Good Morning America, Lookout researchers provided advice to users.

Scareware demanding ransom
Lookout discovered a scareware campaign on iOS where attackers blocked use of Safari until the victim paid the attacker money in the form of an iTunes Gift Card.

Repackaged or modified “++” apps
Sideloaded repackaged or modified apps, such as Facebook++, Instagram+, YouTube++, and Line++. These modified apps can often include unknown or unvetted code, which has not passed Apple’s review and could potentially be malicious.

(Legend: = Discovered by Lookout.)

8 in 1000 devices encountered a man-in-the-middle threat
110 in 1000 devices encountered a sideloaded app
29, on average, vulnerabilities disclosed each iOS update*

Trident Vulnerabilities*
Lookout discovered three zero-day vulnerabilities, one in Safari and two in the iOS kernel. Exploited by attackers to silently implant Pegasus surveillanceware.

Pegasus Surveillanceware*
The most sophisticated attack we’ve seen on any endpoint. A full take of data off the iOS device and the device’s surroundings.

iOS 11.3.1 Jailbreak
iOS jailbreaks are always being sought and are worth a lot of money. Apple closes them quickly when public.
Kill Chain over Phishing Link
Pegasus (August 25th 2016)
ViperRat (February 16th 2017)
Chrysaor (April 23rd 2017)
SonicSpy (August 10th 2017)
Frozen Cell (October 5th 2017)
JadeRAT (October 20th 2017)
TropicTrooper (November 16th 2017)
SpyWallerV2 (January 10th 2018)
Dark Caracal/Pallas (January 18th 2018)
Desert Storm (April 16th 2018)
Stealth Mango/Tangelo (May 15th 2018)
Many Major Threats Start With Phishing
• Stealth Mango & Tangelo
• Threat Overview
• Country of origin: Pakistan
• Threat actor: Members of the Pakistani military (Op C Major / Transparent Tribe)
• Platforms targeted: iOS, Android, Windows
• Attack vector: social engineering, physical access
• Targets (Primary)
  • Pakistan officials & citizens
  • Afghanistan officials & citizens
  • Other regional people from Balochistan and nearby cities
• Targets (inadvertent)
  • U.S. officials and civilians
  • Australian and British Diplomats
  • NATO members
  • Iranian officials and civilians
Phishing message sent through Facebook Messenger.
Stealth Mango Capabilities
• Records phone calls & environment audio
• Takes screenshots, captures keystrokes
• Retrieves contacts lists, SMS messages, calendar events, browsing history, installed apps, device information; videos, images, and audio files on external storage
• Tracks device via GPS
• Very configurable: record more or less data
• Tries to upload databases of popular apps: Facebook, Skype, Instagram, Tinder, WhatsApp, etc.
Stealth Mango Data Exfiltration
Analysis of the EXIF metadata contained in stolen images found that many contained information identifying the make and model of the phone on which they were taken. While this doesn’t definitively mean victims were using these makes and models, it is interesting to note that the majority are from iPhones.
Breakdown of the media types of exfiltrated content.
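Attributing exfiltrated images to a phone make from their EXIF Make and Model tags, as the analysis above describes, needs only a small bounds-checked IFD walker. The example below is added here and is not Lookout's tooling; it assumes the input is the TIFF-structured EXIF segment (the bytes after the Exif\0\0 marker of a JPEG APP1 block), and the sample images are constructed.

```python
import struct
from collections import Counter

TAG_MAKE, TAG_MODEL, TYPE_ASCII = 0x010F, 0x0110, 2
def build_tiff_exif(make, model):
    """Build a minimal little-endian TIFF-structured EXIF blob holding only the
    Make and Model tags in IFD0 (constructed sample input, not real exfiltrated data)."""
    strings = [make.encode() + b"\0", model.encode() + b"\0"]
    data_off = 8 + 2 + 12 * 2 + 4     # header, entry count, two entries, next-IFD pointer
    entries, off = b"", data_off
    for tag, s in zip((TAG_MAKE, TAG_MODEL), strings):
        entries += struct.pack("<HHII", tag, TYPE_ASCII, len(s), off)
        off += len(s)
    return (b"II" + struct.pack("<HI", 42, 8) + struct.pack("<H", 2)
            + entries + struct.pack("<I", 0) + b"".join(strings))

def parse_make_model(blob):
    """Walk IFD0 of a TIFF-structured EXIF segment and return {'Make': .., 'Model': ..}.
    Offsets and lengths are bounds-checked: stolen files are untrusted input, so malformed data yields {}."""
    if len(blob) < 8 or blob[:2] not in (b"II", b"MM"):
        return {}
    e = "<" if blob[:2] == b"II" else ">"
    magic, ifd = struct.unpack(e + "HI", blob[2:8])
    if magic != 42 or ifd + 2 > len(blob):
        return {}
    (count,) = struct.unpack(e + "H", blob[ifd:ifd + 2])
    found = {}
    for i in range(count):
        ent = ifd + 2 + 12 * i
        if ent + 12 > len(blob):
            break
        tag, typ, n, val = struct.unpack(e + "HHII", blob[ent:ent + 12])
        if tag not in (TAG_MAKE, TAG_MODEL) or typ != TYPE_ASCII:
            continue
        # ASCII values of 4 bytes or fewer sit inline in the value field; longer ones at an offset
        raw = blob[ent + 8:ent + 8 + n] if n <= 4 else blob[val:val + n]
        if len(raw) == n:
            found["Make" if tag == TAG_MAKE else "Model"] = raw.split(b"\0", 1)[0].decode("ascii", "replace")
    return found

def make_breakdown(blobs):
    """Tally camera makes across exfiltrated images; files without usable EXIF count as 'unknown'."""
    return Counter(parse_make_model(b).get("Make", "unknown") for b in blobs)

SAMPLE_IMAGES = [                                # constructed inputs, not real exfiltrated files
    build_tiff_exif("Apple", "iPhone 6"),
    build_tiff_exif("Apple", "iPhone 7"),
    build_tiff_exif("samsung", "SM-G930F"),
    b"\xff\xd8\xff\xe0 JPEG prefix with no EXIF",  # no Exif segment at all
]
```

make_breakdown(SAMPLE_IMAGES) gives the per-make tally the slide charts; the parser also accepts big-endian ("MM") segments and inline short values.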
Stealth Mango Data Exfiltration - Samples
A redacted snippet of an exfiltrated image: the original photo taken of the U.S. Central Command Afghan Assistant Minister of Defense.
Exfiltrated content was found to contain military photos including a series of images from an event with military attendees from numerous countries including U.S. Army personnel.
The full detailed report is available from https://blog.lookout.com/stealth-mango
How Do We Address the Threat?
Gartner Market Guide for Mobile Threat Defense Solutions
Source: Gartner Market Guide for Mobile Threat Defense Solutions, Dionisio Zumerle and John Girard, August 2017
The Gartner document is available upon request from Lookout. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Mobile malware is on the rise
“The signs are clear that mobile threats can no longer be ignored.”
“By 2019, mobile malware will amount to one-third of total malware reported in standard tests, up from 7.5% today."
Lookout Mobile Endpoint Security - How It Works
(Architecture diagram: Organizational Data, Lookout Security Cloud, Lookout Console, Security Policy, Conditional Access, Incident Response)
Lookout MES Solution
Capability / Features
1. Malware and vulnerability detection: Automated analysis using machine learning
2. Risky/non-compliant application visibility: Data exfiltration; Sideload detection; Insecure data handling; Policy enforcement / blacklisting; Enterprise application upload
3. MITM detection: SSL strip/downgrade; Certificate validation
4. OS analysis: Root/jailbreak detection - fingerprint analysis; iOS version, ASPL visibility and policy
5. Device configuration risk: USB debug mode; Device encryption enabled
6. Phishing protection: Inspect all outbound URLs, regardless of source
7. API support: SIEM connectors, MDM integration
(Chart: growth of the Lookout device network, 2008 to 2017: 1M devices, 12M devices, 37M devices, 70M devices, 150M+ devices)
Our massive global device network allows us to apply big data analytics to the mobile security problem
Every month tens of millions of devices contribute new security telemetry:
• Application inventories
• Application binaries
• Firmware fingerprints
• Network connection activity
• Threat detection events
Approach mobile security as a big data problem
(Pipeline diagram: ACQUIRE / ANALYZE / PROTECT)
Acquire: Web Crawlers, App store APIs, Mobile Sensors (150M+ sensors; 50K+ new apps per day)
Analyze: Static Analysis, Dynamic Analysis, Reputation Analysis, Binary Similarity, Malware Assessment, Capability Assessment, Exploit Assessment (50M+ apps analyzed)
Protect: ~5K apps convicted per day
• Founded in 2007
• Focused exclusively on securing mobility
• Security for organizations and consumers
• FedRAMP in-process – DHS sponsor
• 114 Mobile Security focused patents
OUR PARTNERS
Thank You
Questions?