Lookout: Securing Mobility

Tim LeMaster | John Cuddehe, August 2018

"The views expressed in this presentation are those of the author(s) and do not necessarily reflect the official policy or position of the Air Force, the Department of Defense, or the U.S. Government."

Your users are going mobile. Starbucks is your fall-back Wi-Fi.

Your mobile device is a gold mine for hackers
- Enterprise email
- Enterprise apps: SaaS, custom apps
- Credentials: stored, soft tokens
- Photo album: whiteboard screenshots, IDs
- Enterprise network: VPN, Wi-Fi
- Sensors: GPS, microphone, camera

How are you protecting your corporate data?

PC
- Apps: selected, purchased, and managed by the organization
- Device: selected, purchased, and managed by the organization
- Network: LAN / corporate Wi-Fi; VPN when traveling
- Web & content: filtered at the organizational perimeter
- Controls in place: on-device firewalls, anti-virus, administered by IT, perimeter firewall, secure web gateways, DLP, managed by SCCM, TIC, vulnerability scanning, OS version control, OS integrity monitoring, behavioral monitoring

Mobile
- Apps: selected, purchased, and managed by the user*
- Device: organization-issued, some BYOD; partially managed using MDM
- Network: always-on cellular; user-selected Wi-Fi
- Web & content: often unfiltered

Lookout 2017 | Confidential and Proprietary

Mobile Vectors Risk Matrix (components of risk, by vector)

Threats
- Apps: spyware & surveillanceware; trojans; other malicious apps
- Device: privilege escalation; remote jailbreak/root
- Network: man-in-the-middle; fake cell towers; spoofed Wi-Fi APs; root CA installation
- Web & content: phishing; drive-by download; malicious websites & files

Software vulnerabilities
- Apps: out-of-date apps; vulnerable SDKs; poor coding practices
- Device: out-of-date OS; dead-end hardware; vulnerable pre-installed apps
- Network: network hardware vulnerabilities; protocol stack vulnerabilities
- Web & content: malformed content that triggers OS or app vulnerabilities

Behavior & configurations
- Apps: apps that leak data; apps that breach org security policy; apps that breach regulatory compliance
- Device: user-initiated jailbreak/root; no PIN code/password*; USB debugging
- Network: proxies, VPNs, root CAs; auto-joining unencrypted networks
- Web & content: opening attachments and visiting links to potentially unsafe content

Select Android Threats Discovered Over The Last 12 Months
- April 2017, Igexin: Malware that spies on victims through otherwise benign apps by downloading malicious plugins. Over 500 apps available on Google Play used the Igexin ad SDK.
- May 2017, AppInsite: Mobile malware that opens tunnels through enterprise firewalls. Sleeps while the app is in use to evade detection. Up to 1 million downloads.
- December 2017, PickBitPocket: Apps in Play that pretended to be Bitcoin wallet apps. Tricks users into sending the attacker's wallet address, not their own, to the payer.
- January 2018, skyGoFree: Sophisticated Android spyware created by an Italian company for targeted surveillance.
- January 2018, Pallas: Android-based mAPT used in the Dark Caracal global espionage campaign against military personnel, enterprises, journalists, universities, and activists.
- February 2018, Monero Cryptomining: Drive-by cryptomining campaign targeting millions of Android users, leveraging forced redirects and trojanized apps.
- June 2018, Sonvpay: Android apps were "re-packaged" to secretly sign up for premium paid services in the background. Some apps are in Play.

- 746 Lookout-discovered threats in the Google Play Store (2017)
- 50 out of 1000 devices encounter app-based threats
- 100 in 1000 devices encounter a phishing URL every year
- 5 in 1000 enterprise devices have been rooted

(Legend icon) = Discovered by Lookout in Play Store and subsequently removed by Google.

iOS Security Highlights (2016 - 2018)
- August 2016, Trident vulnerabilities*: Lookout discovered three zero-day vulnerabilities, one in Safari and two in the iOS kernel. Exploited by attackers to silently implant Pegasus surveillanceware. Pegasus surveillanceware*: the most sophisticated attack we've seen on any endpoint. A full take of data off the iOS device and the device's surroundings.
- September 2016, Dribble, an app that jailbreaks iPhones: Lookout discovered the Dribble client, which can jailbreak your iPhone, on the Apple App Store. It appears that the app had been in the App Store since July 30th.
- November 2016, Fake retail apps in the App Store: Fraudsters were able to get fake retail apps into the App Store. Victims were subject to ID and sensitive data theft, including credit card and home address details. In media reports, including Good Morning America, Lookout researchers provided advice to users.
- March 2017, Scareware demanding ransom: Lookout discovered a scareware campaign on iOS where attackers blocked use of Safari until the victim paid the attacker money in the form of an iTunes Gift Card.
- January 2018, Repackaged or modified "++" apps: Sideloaded repackaged or modified apps, such as Facebook++, Instagram++, YouTube++, and Line++. These modified apps can often include unknown or unvetted code, which has not passed Apple's review and could potentially be malicious.
- June 2018, iOS 11.3.1 jailbreak: iOS jailbreaks are always being sought and are worth a lot of money. Apple closes them quickly when public.

- 8 in 1000 devices encountered a man-in-the-middle threat
- 110 in 1000 devices encountered a sideloaded app
- 29 vulnerabilities, on average, disclosed with each iOS update*

* Looking at all updates between iOS 9 and iOS 11
(Legend icon) = Discovered by Lookout.
Kill Chain over Phishing Link

Many Major Threats Start With Phishing
- Pegasus (August 25th 2016)
- Chrysaor (April 23rd 2017)
- ViperRAT (February 16th 2017)
- Frozen Cell (October 5th 2017)
- SpyWallerV2 (January 10th 2018)
- TropicTrooper (November 16th 2017)
- JadeRAT (October 20th 2017)
- SonicSpy (August 10th 2017)
- Dark Caracal/Pallas (January 18th 2018)
- Desert Storm (April 16th 2018)
- Stealth Mango/Tangelo (May 15th 2018)

Stealth Mango & Tangelo: Threat Overview
- Country of origin: Pakistan
- Threat actor: members of the Pakistani military (Op C Major / Transparent Tribe)
- Platforms targeted: iOS, Android, Windows
- Attack vector: social engineering, physical access
- Targets (primary): Pakistan officials & citizens; Afghanistan officials & citizens; other regional people from Balochistan and nearby cities
- Targets (inadvertent): U.S. officials and civilians; Australian and British diplomats; NATO members; Iranian officials and civilians

(Figure: phishing message sent through Facebook Messenger.)

Stealth Mango Capabilities
- Records phone calls & environment audio
- Takes screenshots, captures keystrokes
- Retrieves contact lists, SMS messages, calendar events, browsing history, installed apps, device information
- Retrieves videos, images, and audio files on external storage
- Tracks the device via GPS
- Very configurable: record more or less data
- Tries to upload databases of popular apps: Facebook, Skype, Instagram, Tinder, WhatsApp, etc.

Stealth Mango Data Exfiltration

Analysis of the EXIF metadata contained in stolen images found that many contained information identifying the make and model of the phone on which they were taken. While this doesn't definitively mean victims were using these makes and models, it is interesting to note that the majority are from iPhones.

(Figure: breakdown of the media types of exfiltrated content.)

Stealth Mango Data Exfiltration - Samples

Exfiltrated content was found to contain military photos, including a series of images from an event with military attendees from numerous countries, including U.S. Army personnel. (Figure captions: "A redacted snippet of the original photo taken"; "Exfiltrated image from the U.S. Central Command"; "Afghan Assistant Minister of Defense".)

The full detailed report is available from https://blog.lookout.com/stealth-mango

How Do We Address the Threat?

Gartner Market Guide for Mobile Threat Defense Solutions: mobile malware is on the rise.
"The signs are clear that mobile threats can no longer be ignored."
"By 2019, mobile malware will amount to one-third of total malware reported in standard tests, up from 7.5% today."

The Gartner document is available upon request from Lookout. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Source: Gartner Market Guide for Mobile Threat Defense Solutions, Dionisio Zumerle and John Girard, August 2017

Lookout Mobile Endpoint Security - How It Works
(Architecture diagram: the Lookout Security Cloud and Lookout Console connect incident response, security policy, organizational data, and conditional access.)

Lookout MES Solution Capability Features
1. Malware and vulnerability detection
   - Automated analysis using machine learning
   - Data exfiltration
   - Sideload detection
2. Risky/non-compliant application visibility
   - Insecure data handling
   - Policy enforcement / blacklisting
   - Enterprise application upload
3. MITM detection
   - SSL strip/downgrade
   - Certificate validation
4. OS analysis
   - Root/jailbreak detection (fingerprint analysis)
   - iOS version, ASPL visibility and policy
5. Device configuration risk
   - USB debug mode
   - Device encryption enabled
6. Phishing protection
   - Inspect all outbound URLs
   - Regardless of source
7. API support
   - SIEM connectors, MDM integration

Our massive global device network allows us to apply big data
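The Stealth Mango exfiltration slide notes that EXIF metadata inside stolen images identified the make and model of the phone that took them. The example below is added here and is not code from the Lookout deck or its products: it builds a constructed, image-less JPEG whose APP1/Exif segment carries Make and Model, reads those two tags back the way an analyst would when triaging recovered files, and strips the segment, which is the mitigation a defender applies before images leave a managed device. The make/model strings and the JPEG bytes are constructed sample data.

```python
import struct

# TIFF/EXIF tag numbers for the two fields the slide mentions
MAKE_TAG, MODEL_TAG = 0x010F, 0x0110
TAG_NAMES = {MAKE_TAG: "Make", MODEL_TAG: "Model"}
ASCII = 2            # TIFF field type for NUL-terminated ASCII strings
SOI, EOI, SOS, APP1 = b"\xFF\xD8", b"\xFF\xD9", b"\xFF\xDA", b"\xFF\xE1"
EXIF_ID = b"Exif\x00\x00"


def build_exif_jpeg(make: str, model: str) -> bytes:
    """Construct a minimal JPEG (SOI, APP1/Exif, EOI) carrying Make and Model.
    Constructed sample for the demo; it contains no image data."""
    entries = [(MAKE_TAG, make.encode() + b"\x00"), (MODEL_TAG, model.encode() + b"\x00")]
    # Little-endian TIFF: 8-byte header, 2-byte entry count, 12 bytes per entry, 4-byte next-IFD offset
    data_start = 8 + 2 + 12 * len(entries) + 4
    ifd, blob = struct.pack("<H", len(entries)), b""
    for tag, val in entries:
        if len(val) <= 4:                       # short values live inline in the entry
            ifd += struct.pack("<HHI", tag, ASCII, len(val)) + val.ljust(4, b"\x00")
        else:                                   # longer values are stored after the IFD
            ifd += struct.pack("<HHII", tag, ASCII, len(val), data_start + len(blob))
            blob += val
    ifd += struct.pack("<I", 0)                 # no further IFDs
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd + blob
    payload = EXIF_ID + tiff
    return SOI + APP1 + struct.pack(">H", len(payload) + 2) + payload + EOI


def _segments(jpeg: bytes):
    """Yield (marker, segment_bytes, start_offset) for each marker segment before SOS/EOI."""
    if jpeg[:2] != SOI:
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(jpeg):
        marker = jpeg[pos:pos + 2]
        if marker in (EOI, SOS) or marker[0] != 0xFF:
            return
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, jpeg[pos:pos + 2 + length], pos
        pos += 2 + length


def _parse_ifd0(tiff: bytes) -> dict:
    """Read Make/Model ASCII entries from IFD0, honouring the TIFF byte-order mark."""
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None:
        raise ValueError("bad TIFF byte order")
    magic, ifd0 = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
    found = {}
    for i in range(count):
        off = ifd0 + 2 + 12 * i
        tag, typ, n, value = struct.unpack(endian + "HHII", tiff[off:off + 12])
        if tag in TAG_NAMES and typ == ASCII:
            # values of 4 bytes or fewer are inline; longer ones sit at the given offset
            raw = tiff[off + 8:off + 8 + n] if n <= 4 else tiff[value:value + n]
            found[TAG_NAMES[tag]] = raw.rstrip(b"\x00").decode("ascii", "replace")
    return found


def exif_device_info(jpeg: bytes) -> dict:
    """Return {'Make': ..., 'Model': ...} if the JPEG's Exif segment carries them, else {}."""
    for marker, seg, _ in _segments(jpeg):
        if marker == APP1 and seg[4:10] == EXIF_ID:
            return _parse_ifd0(seg[10:])
    return {}


def strip_exif(jpeg: bytes) -> bytes:
    """Return a copy of the JPEG with every APP1/Exif segment removed; image data is untouched."""
    out, end = bytearray(SOI), 2
    for marker, seg, start in _segments(jpeg):
        if not (marker == APP1 and seg[4:10] == EXIF_ID):
            out += seg
        end = start + len(seg)
    return bytes(out + jpeg[end:])              # SOS, entropy-coded data and EOI pass through


if __name__ == "__main__":
    sample = build_exif_jpeg("Apple", "iPhone 7")   # constructed make/model values
    print(exif_device_info(sample))                 # {'Make': 'Apple', 'Model': 'iPhone 7'}
    print(exif_device_info(strip_exif(sample)))     # {}
```

The stripper only removes the Exif APP1 segment; a production metadata scrubber should also drop XMP (another APP1 payload), IPTC (APP13) and any maker-note or thumbnail IFDs, since those can carry the same device and location details the slide describes.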
