The train wreck that is Android security continues…
A new strain of malware by security firm Wandera found in China has the following charming characteristics, according to a recent blog post.
Zero-day threat previously unknown within the mobile security community
Group of at least 50 functioning apps containing the sophisticated RedDrop malware
Apps are distributed from a complex network of 4,000+ domains registered to the same underground group
Once the app is opened, at least seven further APKs are silently downloaded, unlocking new malicious functionality
When the user interacts with the app, each interaction secretly triggers the sending of an SMS to a premium service, which is then instantly deleted before it can be detected
These additional APKs include spyware-like components, harvesting sensitive data, including passively recording the device’s audio, photos, contacts, files and more
RedDrop then exfiltrates this data, uploading it straight into remote file storage systems for use in extortion and blackmailing purposes
This is frightening stuff as it turns the victim’s phone into a bug, compromising phone calls made on the device as well as conversations in the vicinity.
As usual, the key problem here is that the app follows the rules and asks the user to approve a (long) list of permissions which are then used to compromise the device. Many users don’t bother to read/think about these permission prompts, leading them to basically invite the malware authors to take over their device.
Security pros need to make their users aware of the need to read and think about security prompts EXTRA carefully on their Android devices.
It sometimes seems to me that a lack of data is not the issue when patrolling your networks for signs of evil badness… it is quite the opposite – operating systems, security logs and other sources are drowning us in data which we don’t leverage. This talk from DerbyCon 2015, “Intrusion Hunting for the Masses – A Practical Guide” really opened my eyes to a number of ways to leverage data that we already have to look for signs of sophisticated intrusions early in the kill chain. If you manage infosec for your organization or are in the bad guy hunting business, I highly recommend this information and idea packed 45 minute talk by Dave Sharpe (@sharpesecurity). I love stuff like this – you don’t have to make huge investments in new hardware or software to do this kind of analysis and the potential payoffs are pretty big. Best con-talk I have watched in a long time.
What security people need to understand is that the end users are not the problem. The end users are our customers (and one of the main reasons we have jobs). The problem arises from the increasing sophistication of attackers and their tools and ruses. In the olden days (a couple of years ago), we could arm our users with easy ways to recognize and avoid phishing (hover on the link and see if it matches the text) and social engineering (no, the Nigerian prince does not want to give you his money). Since then, the attackers have been getting better and better at their jobs. They send very professional looking email and social media bait which is very hard to distinguish from legitimate emails. They do their homework, mining social media for personal and business information to make their clickbait more convincing. End users receive hundreds of emails every day and they just don’t have the time or expertise to always avoid the bad stuff.
I am still a big proponent of end user education and awareness – it will help users avoid the “low hanging fruit” type of attacks and for some users, it will provide them with clues which can raise their suspicions about more sophisticated attacks. It has a great return on investment for just about every organization.
We have reached an inflection point in the “endpoint wars” – we need to provide users with solutions which are better at spotting and preventing the sophisticated attacks for them. Organizations need to beef up their email security, adding things like pre delivery attachment analysis, real time checking of clicked urls at both the time of message delivery and user action and sandboxing tools (EMET is free and pretty effective).
End users are not stupid. They simply have different priorities than security people and are trying to keep up with an ever expanding flow of information every day. We have to step up our efforts to protect them, not call them a problem. That’s what we get paid for.
There are a number of web based tools that allow you to safely analyze the behavior of potentially malicious files safely. My personal favorite is Malwr.com, which provides detailed analysis of just what a piece of malware tries to do when run in a sandboxed environment. Malwr presents its findings as a detailed report explaining what processes are spawned, what files and registry keys are written and what network activity happens when the malware runs. This is a great tool for those of us whose budgets don’t include funds for maintaining our own malware analysis labs. For those with some more resources, you can run the same software that malwr.com uses (the open source Cuckoo malware analysis suite) on your own site.
I recently saw a video from Security BSides DC 2014 in which Craig Fields, a malware/forensics analyst from DefensePoint, demonstrated a new tool to make reading reports generated by malwr.com easier. MalwareViz takes the URL of a malwr.com report and uses the data in the report to create a more visually oriented diagram of just what a particular piece of malware is doing, which can be really useful in explaining things to non security focused folks.
It is important to remember that malware authors are getting smarter and smarter – in some cases, malware will check to see if it is being run in a sandboxed virtual machine. If so, the malware stops executing and the analysis doesn’t see the bad behavior which will occur during a real infection. So, a negative result from the sandbox is just one (albeit generally a strong) indicator of whether a particular file is malicious.
Another day, another Android vulnerability which allows malicious actors to inject malicious code into Android applications without triggering cryptographic safeguards. And another reason to refrain from using app stores other than Google Play for the time being.
Some spear phishing wisdom from Security BSides SFO today…
Rohyt Belani of PhishMe told an interesting story highlighting just how much research attackers do when choosing their targets and crafting spear phishing payloads. In an attack on an energy company, employees received an email appearing to be from the company’s HR department offering information on discounted health care premiums for employees with more than 3 children. The only employees to receive the message? The two people at the company with 4 or more children.
This raises two issues for InfoSec professionals…
First, the attackers are doing their homework, people. They are taking the time to craft their social engineering payloads in ways that target very specific targets. This means (IMHO) that they are extremely motivated – most probably by money or ideology.
Second, our coworkers are helping the attackers with their targeting by sharing all sorts of personal information via social networking platforms. We need to educate them about:
+ The fact that their social media profiles are visible not only to friends and family, but also bad guys who will use that information to craft their attacks. The “familiarity cues” which we tend to use to determine whether a message or request is from a friend or a foe just don’t work anymore.
+ Their ability to control who sees their social networking information by using the privacy features offered by Facebook, LinkedIn, and to a lesser extent, Twitter. They need to think about what they are posting and who will see it – not only to protect the company, but to protect the privacy of themselves and their families.
While we put all sorts of technical solutions in place to protect our systems and information from malware, our users are the front line defense against the most serious threats we face. Educating them to be aware of how their actions both inside and outside the office affect the organization’s security is one of the most important tasks we face as InfoSec professionals.
According to a recent study by security firm Symantec, you are far more likely to encounter malware when visiting religious web sites than when visiting, ahem, adult sites. In an article describing the finding, Network World had this to say:
Symantec found that the average number of security threats on religious sites was around 115, while adult sites only carried around 25 threats per site–a particularly notable discrepancy considering that there are vastly more pornographic sites than religious ones. Also, only 2.4 percent of adult sites were found to be infected with malware, compared to 20 percent of blogs.
Apple has been getting some grief over the past week or so for their handling of the “FlashBack” trojan which infected over 500,000 Mac users worldwide. Well, yesterday, they released a new Java patch to address Flashback, and it has some interesting properties:
It looks for and removes FlashBack
It requires users to specifically enable Java on their systems
It automatically disables Java if no Java applets are run for “an extended period” – some bloggers are stating that this period is 35 days.
I’m glad Apple is taking these steps – if users are not using Java, disabling it will protect them from the rising tide of Java based malware that is out there. I just hope that the process for re-enabling Java when needed is made easy for the non technical user. It would be nice if Apple added a feature to “Software Update” which would be a little more proactive in nagging users to install security related updates as well.
So, remember a few weeks back, when the tech press got really silly, warning us that hackers could set our HP printers on fire remotely? Well, it turns out that there was a security story about HP printers, but the press really missed the boat on what was actually important. At the 28th Chaos Communications Congress (held in Berlin last week), the Columbia University researchers whose work was totally misconstrued by the press presented their work. No, hackers cannot set your printer on fire – but they can install malware on hundreds of millions HP printers shipped since 2005, either by connecting to the printer and replacing its normal firmware with evil firmware or by getting one of your users to print out a specially crafted document which also carries their nefarious code. Once this hack is done, your printer will become a silent (but deadly) bridgehead into your network.
UPDATE: Here’s a list of all of the printers affected by this vulnerability.
The researchers had two demos. In the first, they caused the infected printer to silently send a copy of every document it printed to an attacker’s printer out on the Internet. Demo two had the infected printer acting looking for internal systems vulnerable to a Windows XP exploit and then acting as a relay for the attacker to control them from outside the firewall. This was pretty scary stuff… let’s say I send a crafted document purporting to contain a 50% off coupon for a local restaurant to your users… how many times (and on how many printers) would this get printed?
This hack is made possible by the fact that some HP printers allow their firmware to be updated without any authentication or digital signature and that all of the code within the printer runs as a super user. It also points out the need for anti malware protections for embedded devices like printers, routers and the like. The guys at Columbia are working on a project to do this.
As an aside, these same researchers scanned the Internet for accessible HP printers – they found over 75,000 of them, located at private companies, governments, educational institutions and in other places. Infecting just a small percentage of these systems would provide someone with a very stealthy botnet that would be extremely difficult to remove. The researchers feel that it may be possible for the attackers to install their code permanently, so that the only ways to get rid of the infection would be by replacing (soldered on surface mount) hardware components or trashing the printer altogether,
So… what to do?
First, update your HP printers’ firmware to the latest (December 2011 or later) firmware version, which can be found over on the HP support website. The new drivers require printer firmware updates to be digitally signed by HP.
Next, make sure that your printers cannot be accessed from the Internet. For most of my readers, I don’t think this will be an issue, but you never know… scan your Internet facing IPs for port 9100, which is used to submit print jobs and firmware updates to HP printers.
Third, limit where your printers can send traffic to… is there any good reason to allow a printer outbound access to the Internet? Not that I can think of. Putting printers on an isolated VLAN which can ONLY talk to the print server limits the damage that can be done using this attack. Of course you really need to make sure that your print servers are patched and properly isolated as well – and when eas the last time you took a look at your print servers?
We’ve all got some work to do, people but more importantly, we need to look at embedded systems like printers, routers, access points, and the like in a new way – as potential malware targets with the computing power to take down our networks and no antivirus protection. I can just about guarantee that the bad guys will be researching this in 2012 – it is just too juicy a target to ignore.
If you are a security pro or are responsible for printers in your organization, I’d recommend spending an hour watching the video of this presentation to get the full story.
So, you just found a USB thumb drive that someone left behind on a bus/train/taxi/spaceship… read this article BEFORE you plug it in to your computer… and, come to think of it, before you use a thumb drive to store anything remotely important or private.