While MDM has been a boon for managing mobile devices in the enterprise, threat actors have figured out how to use it too.
Talos discovered that malicious actors have figured out how to use MDM for malicious purposes.
Mobile Device Management (MDM) functionality has been a boon for the enterprise. It allows an organization much more control over the devices on their network. However, as we discovered in 2018, it has also opened the door to well-funded malicious actors.
When it comes to mobile malware, mobile operating systems can be a hard nut to crack. The walled garden that has been created around the mobile operating system has, for the most part, protected it against malicious apps.
That is not to say that malicious actors haven’t tried to attack mobile phones. There have been malicious apps discovered in the official app stores, but in most cases attackers have been confined to compromising devices that have been unlocked or “jailbroken,” or that, where the platform permits it, have been set to allow third-party apps.
So while the walled garden can be secure, it can also be a prison. The downside to this level of restriction, and the security it provides, is that you can only install apps from an official app store or, where the platform permits it, leave your device open to all third-party apps. This becomes a problem for businesses that create proprietary applications that they only want their employees to access, but also want to keep their devices secure.
To address this need, MDM systems were introduced. This allows a business to take company mobile phones, install profiles registered to their company, and ultimately install apps of their choosing. MDM often provides other enterprise-friendly features as well, such as the ability to control device settings, prevent access to unwanted web sites, or find lost devices.
There’s no doubt that MDM is a powerful tool. Powerful enough that Cisco Talos has discovered malicious actors have figured out how to use it for malicious purposes.
A snapshot of security incidents
What are the most common security incidents organizations are facing?
Our colleagues in the Cisco Cognitive Intelligence group ran the numbers for us. Here’s a snapshot of the top five categories, taken from July 2018.
By and large, botnets and RATs dominate the security incidents. Included in this category are threats such as Andromeda and Xtrat.
The second largest threat category is cryptomining, which contains incidents that unveiled unauthorized Monero and Coinhive miners, among others.
What’s most noticeable about this snapshot is how small a proportion banking trojans make up. This will no doubt change as Emotet activity picks up.
We will revisit this metric in future reports to see how it changes.
Our researchers at Talos discovered devices in India that had been compromised using an open source MDM system. The attackers had managed to get malicious profiles onto the devices and push out apps with the purpose of intercepting data, stealing SMS messages, downloading photos and contacts, and tracking the location of the devices, among other things.
The apps included modified versions of popular apps such as WhatsApp and Telegram that had extra features added — or “sideloaded” — onto them, allowing the attackers to monitor conversations on each compromised device.
How these devices fell prey to this attack remains a mystery. It’s possible that the attackers had physical access to the devices, allowing them to install a profile that gave them control. However, it’s also possible that the attackers used social engineering to trick the users into installing the profile.
Such a lure may have arrived by email or text message, attempting to fool the user into thinking that they were required to install the malicious profile. Even so, the user would be required to follow a series of instructions and click through a number of prompts before the device was fully compromised.
There’s no doubt that this is a potent and concerning attack method. Luckily it’s also rare. The attack campaign uncovered by Talos is the only publicly known campaign of this particular type. It is also difficult to carry out, considering the number of steps a user is required to go through in order to configure a device for malicious activity. But given the potential rewards, Talos is already seeing more mobile device attacks, carried out by well-funded threat actors.
Ironically, the best protection against a malicious MDM is...MDM.
Organizations should ensure that company devices have profiles rolled out to them that can monitor and prevent the installation of malicious profiles or apps from third-party app stores.
It’s also important that users are made aware of the MDM installation process, and that they are educated about these attacks to avoid them installing a malicious MDM.
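As an added illustration of the mitigation above (example code, not from the report or from Talos), the following Python audits an Apple configuration profile before it is trusted: it flags an MDM payload whose ServerURL is not one of the organization's own servers, and checks that the restrictions payload forbids interactive profile installation and trusting enterprise-signed apps. The sample profile, the host `mdm.example.com` and the `.invalid` server name are constructed placeholders.

```python
import plistlib
from urllib.parse import urlparse

# Host the organization's own MDM answers on (constructed placeholder).
TRUSTED_MDM_HOSTS = {"mdm.example.com"}

# Keys of Apple's com.apple.applicationaccess (restrictions) payload that close the two
# footholds described above: user-driven profile installs and sideloaded enterprise apps.
EXPECTED_RESTRICTIONS = {
    "allowUIConfigurationProfileInstallation": False,
    "allowEnterpriseAppTrust": False,
}


def audit_profile(profile_bytes):
    """Return human-readable findings for a .mobileconfig plist (empty list = clean)."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    restrictions = None
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        if ptype == "com.apple.mdm":
            # An MDM payload hands the server remote control of the device; it must be ours.
            host = urlparse(payload.get("ServerURL", "")).hostname or ""
            if host not in TRUSTED_MDM_HOSTS:
                findings.append(f"MDM payload enrolls with untrusted server {host!r}")
        elif ptype == "com.apple.applicationaccess":
            restrictions = payload
    if restrictions is None:
        findings.append("no restrictions payload; profile and app installs stay open")
    else:
        for key, expected in EXPECTED_RESTRICTIONS.items():
            if restrictions.get(key) != expected:
                findings.append(f"restriction {key} should be {expected}")
    return findings


# Constructed sample (bookkeeping Payload* keys omitted): an enrollment with a server the
# organization does not run, which also leaves interactive profile installation allowed.
SUSPICIOUS_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration", "PayloadIdentifier": "com.example.constructed",
    "PayloadContent": [
        {"PayloadType": "com.apple.mdm",
         "ServerURL": "https://mdm.unknown-placeholder.invalid/mdm",
         "CheckInURL": "https://mdm.unknown-placeholder.invalid/checkin"},
        {"PayloadType": "com.apple.applicationaccess",
         "allowUIConfigurationProfileInstallation": True,
         "allowEnterpriseAppTrust": False},
    ],
})

if __name__ == "__main__":
    for finding in audit_profile(SUSPICIOUS_PROFILE):
        print("FINDING:", finding)
```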
What happened to ransomware?
Back in 2017, it seemed like ransomware would dominate the threat landscape for a long time to come. Threats like SamSam and Bad Rabbit grabbed the headlines, demanding cryptocurrency payments from victims who would otherwise lose all their data. Flash forward a little more than a year, and things have certainly changed.
Ransomware has been usurped from its throne, largely by malicious cryptomining.
Why the sudden change? With ransomware, only a small percentage of victims pay the ransom. And even if they did, it was just a one-time payment, not a source of recurring revenue.
Adding to the risk, law enforcement agencies throughout the world began to crack down on ransomware attackers. As arrests tied to ransomware went up, adversaries were drawn to less risky attack types.
That’s not to say ransomware is gone; we saw a few such threats crop up in 2018. GandCrab continued to make its presence known, and Ryuk was spread via Emotet and Trickbot infections. So while ransomware is no longer king of the hill, it still remains, requiring vigilance to avoid outbreaks.
https://blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html
https://blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html