Understanding jQuery Security
Submitted September 30, 2016 at 06:22PM by grizzly_wintergreen
via reddit http://ift.tt/2dBBPrE
DressCode and its Potential Impact for Enterprises
Threats to mobile users have grown quickly in the span of only a few months. Trend Micro’s Mobile App Reputation Service (MARS) has counted 16.6 million malware detections as of August 2016, a 40% leap from the detections listed in January. The Android platform continues to be particularly susceptible, with one specific malware family called “DressCode” steadily and stealthily spreading since April before reports about it surfaced in August. This malware gives attackers an avenue into the internal networks to which compromised devices are connected—a notable risk if the device is used to connect to company networks.
Trend Micro detects this as ANDROIDOS_SOCKSBOT.A and has found at least 3,000 Trojanized apps. The Trojanized apps were hosted by several well-known Android mobile markets, including more than 400 detected on Google Play. They range from recreational apps like games, skins, and themes to phone optimization boosters. The malicious code makes up only a small part of each app, making it difficult to detect.
Figure 1. According to its Google Play page, this app has been installed 100,000 – 500,000 times.
Figure 2. The structure of the malicious code
Multiple threats possible with DressCode
Once the Trojanized app is installed, DressCode connects with its command and control (C&C) server—in earlier versions the malware authors used a hardcoded IP address for its C&C server, but it has since been replaced by a domain. A background service creates a Transmission Control Protocol (TCP) socket that connects the compromised device with the C&C server and sends a “HELLO” string to finish registering. Once the C&C server replies, a “CREATE, <Attacker IP>, <Port>” command prompts the device to establish a TCP connection between it and the attacker. This allows the device to receive commands from the attacker via the SOCKS protocol.
The compromised device can act as a proxy that relays traffic between the attacker and the internal servers the device is connected to—think of it as a tunnel. Since the device is behind the router, it can initiate an outbound TCP connection to the C&C server. After the SOCKS proxy is set up, it can forward commands from the C&C server to other machines connected to the same LAN. The process lets the attacker reach internal servers even though those servers are also located behind the router.
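As an added detection example (not code from the Trend Micro write-up), the following classifies TCP payloads from a suspected C&C session against the handshake described above: a “HELLO” registration followed by a “CREATE, &lt;IP&gt;, &lt;Port&gt;” instruction. The exact byte layout, whitespace tolerance and the sample payloads are assumptions constructed for this example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Pattern for the "CREATE, <IP>, <Port>" command named in the article.
# Whitespace tolerance around the commas is an assumption; the real
# sample's byte-exact format is not given in the text.
CREATE_RE = re.compile(rb"^\s*CREATE\s*,\s*([^,\s]+)\s*,\s*(\d{1,5})\s*$")

@dataclass
class Finding:
    kind: str                      # "register", "create" or "unknown"
    relay_ip: Optional[str] = None
    relay_port: Optional[int] = None

def classify_payload(payload: bytes) -> Finding:
    """Classify one TCP payload against the DressCode C&C handshake."""
    if payload.strip() == b"HELLO":
        return Finding("register")
    m = CREATE_RE.match(payload)
    if not m:
        return Finding("unknown")
    ip_text = m.group(1).decode("ascii", "replace")
    port = int(m.group(2))
    try:
        ipaddress.ip_address(ip_text)       # reject malformed addresses
    except ValueError:
        return Finding("unknown")
    if not 1 <= port <= 65535:              # reject impossible ports
        return Finding("unknown")
    return Finding("create", ip_text, port)

def alerts_for_session(payloads: List[bytes]) -> List[str]:
    """Flag a CREATE command that follows a HELLO registration in one
    session: that is the point where the device is told to open a relay."""
    registered, alerts = False, []
    for p in payloads:
        f = classify_payload(p)
        if f.kind == "register":
            registered = True
        elif f.kind == "create" and registered:
            alerts.append(f"device instructed to open SOCKS relay to "
                          f"{f.relay_ip}:{f.relay_port}")
    return alerts

# Constructed sample session; 203.0.113.10 is a documentation-range address.
SAMPLE_SESSION = [b"HELLO", b"CREATE, 203.0.113.10, 1080"]
```

Feeding reassembled TCP payloads from a proxy or IDS into `alerts_for_session` surfaces the moment a device is instructed to become a relay, which is the behaviour worth alerting on rather than the registration string alone.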
Figure 3. Received commands from the C&C server
Figure 4. Set up a SOCKS proxy to relay traffic between the attacker and internal server
This general-purpose tunnel can be used for different purposes, and the device owner—as well as any network he is connected to—is exposed to a variety of security risks.
Figure 5. Infected mobile devices allow clients to bypass a NAT device and attack internal servers
Figure 6. Large botnets can launch powerful DDoS attacks against enterprises and organizations.
Figure 7. Privacy becomes a concern as devices like IP cameras can be hacked
While DressCode’s infection methods and behavior aren’t unique, the number of Trojanized apps that found their way into a legitimate app store is certainly significant. In response to the growing threat, here are some general safety tips to prevent malware from compromising your device:
Users can also benefit from layered mobile security solutions such as Trend Micro™ Mobile Security. The solution has a malware blocker feature that bars threats from app stores before they can be installed and cause damage to your device or data. Enterprises should invest in solid mobile device management solutions. Trend Micro™ Safe Mobile Workforce™ offers a virtualized mobile infrastructure where company data is securely stored on corporate servers and separated from personal apps and data.
Trend Micro has already detected samples that infected enterprise users in the United States, France, Israel, and Ukraine—with still more being detected in other countries. These users can successfully avoid the threat with Trend Micro™ Mobile Security for Enterprise. This solution includes device management, data protection, application management, compliance management, configuration provisioning, and other features so employers can balance privacy and security with the flexibility and added productivity of BYOD programs.
Related SHA1s detected as ANDROIDOS_SOCKSBOT.A:
VESK coughs up £18k in ransomware attack
Exclusive: Hosted desktop and cloud provider VESK is staggering back to its feet after paying 29 Bitcoins (£18,600) in a ransomware attack earlier this week.
VESK became aware that one of its environments had been impacted by a ransomware virus on Monday (26 September) at 3am.
This virus was a new strain of the Samas DR ransomware, which affected one of VESK’s multi-tenanted environments. Around 15 per cent of VESK’s clients were on that platform.
Because this was a new strain, VESK’s antivirus provider Sophos had not yet been updated to detect it – something other antivirus providers were also yet to do.
Nigel Redwood, chief exec of VESK’s parent company, Nasstar, said: “On Monday the first thing we did was search the environment and kill the process. We then spent time to determine the quickest route to restore services.
“We decided to do that by running restores from backups and also paying for the decryption keys, to attack the problem from both angles.”
He said the company restored the email, but purposefully didn’t get Citrix up until it could identify where and how it originated from.
“Once we did, we began the process of getting Citrix back online for users.”
The majority of services are now back up for customers, as the decryption process nears completion.
The company will undergo a control and compliance audit with its ethical hacker, and in addition has engaged Falanx to assist in the audit.
It has notified the Cyber Security Information Sharing Partnership (CISP), which has reported the attack as a criminal activity.
“We are doing everything we can to mitigate against this happening again.”
“We’ve been deeply apologetic to our clients; we have a shift of people working 24/7 to resolve this. Myself and team have also been meeting with customers.”
Ransomware attacks are becoming increasingly prevalent, with security consultant Trend Micro naming it the biggest threat to companies this year.
Joseph Bonavolonta, an assistant special agent with the FBI, has previously said firms that fall victim to infection from file-encrypting ransomware should simply pay the ransom.