MobileSafe

Post of the Week: Explaining the KRACK Vulnerability
In this "Post of the Week" video, we discuss the KRACK vulnerability, which targets mobile devices and wireless routers. The vulnerability targets WPA2, the security protocol that provides encryption between a mobile device and a wireless router. While the mobile device negotiates encrypted communication with the router, an attacker can force the device to use very weak encryption (essentially no encryption at all) and thus see all the traffic between the device and the router. We also talk about ways you can help avoid this problem. Enjoy!

Related Resources
- New Threat May Slip Through the KRACK in BYOD Policies (F5 Labs)
- Scary Candy Week: KRACK and ROCA

Mazar Bot Overview
Discovered in early 2016, Mazar Bot is spread by sending SMS text messages via a URL shortener service. According to attacks encountered in early July 2017, Mazar Bot targeted multiple banks, specifically in the German-Austrian region. This malware, seen on Android devices, grants itself access to the following device permissions (the permission list is not reproduced in this text):

From Spam to Infection

Mazar Bot is used in spam campaigns to gain access to users within a specific region, much like spear phishing. In many cases the attack is spread via SMS, fake web pages, or e-mail spam. First the malware tricks the user into clicking the link; immediately afterwards the user faces a login page designed specifically for mobile devices. Once the malware has received the needed login information, it displays installation information and explains how to install and use the upcoming application. At this stage users can still question why they should be downloading another app. To deflect this suspicion, a PHP file named "apk-playstore.php" provides some assistance. Mazar Bot explains to the user how to download and use the app. It:

- Prompts the user to press the specific link button
- Gives screenshots that walk through the installation, which allows the device to install the application from unknown sources
- Runs the application immediately after installation

Infection Chain

After the malicious application is installed on the end-user device, it asks to be activated as device administrator. In most cases the malicious application icon is then deleted and Command and Control communication commences immediately afterwards. The ongoing communication between device and server pulls device information and looks for specific targeted applications. The second stage of communication assigns the infected device a unique ID for database maintenance and support of campaign activity.
The moment the user interacts with a legitimate bank application, Mazar Bot creates an overlay and displays another fake page to harvest more credentials.

Interesting observation: in each of its phishing campaigns, Mazar Bot has created tailor-made applications designed specifically to attack a designated bank or organization. For each targeted application it also creates a specific subdomain, probably to mask the fake login site and trick the users who were connected to it.

Strings, the C&C connection

The interesting part of the APK contains some specific C&C-related strings. These strings give an overview of the malware's behavior and abilities. The combination of strings strongly supports the claim that the fraudsters behind the malware plan each campaign for one specific bank application. The features represented in the strings cover device control and communication interception: access to the device's cached memory, grabbing personal data, sending SMS, locking the device, putting the device into sleep mode, and reporting and logging all input/output actions. Maintenance of this configuration is tied to the unique ID given by the server.

Accepting Credit Cards

Additionally, in the strings section, the fraudsters are trying their luck by targeting Google Play. The overlay that pops up while the user is interacting with Google Play or WhatsApp asks for:

- Card number
- CVC
- Expiration month and year
- Card holder name
- Credit card type
- Phone number
- First and last name

Phishing Sites Statistics

Researched by Kyle Paris

According to attacks we encountered in early July, there was no distinctive regional target for the hacked servers. The interesting patterns we did identify were compiled from groups of 8-10 phishing links with every attack. Each link's main domain was slightly different, either by a number or a letter, while the subdomain and subfolder remained the same.
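The pattern just described, a fixed subdomain and subfolder with a registrable domain that changes by a single character from link to link, is a usable clustering heuristic when triaging reported phishing URLs. The following Python is an added example written for this page, not F5 code and not part of the original post: it groups URLs that share subdomain and path and whose registrable domains form a chain of one-character variants. The sample URLs are constructed from the domain groups the post lists; the "secure" subdomain and "/login/" path are assumptions, not taken from the post.

```python
"""Cluster phishing URLs whose registrable domain differs by one character
while the subdomain and path stay constant (constructed example)."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample links modelled on the two domain groups in this post.
# The "secure" subdomain and "/login/" path are assumptions, not from the post.
SAMPLE_LINKS = [
    "http://secure.update9091.pw/login/",
    "http://secure.update9092.pw/login/",
    "http://secure.update9093.pw/login/",
    "http://secure.id78087.pw/login/",
    "http://secure.id78086.pw/login/",
    "http://secure.id78080.pw/login/",
    "http://www.example.org/about/",   # unrelated URL, should stay alone
]


def split_link(url):
    """Return (subdomain, registrable domain, path) for a URL.
    The registrable domain is approximated as the last two host labels."""
    parts = urlsplit(url)
    labels = parts.hostname.split(".")
    registrable = ".".join(labels[-2:])
    subdomain = ".".join(labels[:-2])
    return subdomain, registrable, parts.path


def differ_by_one(a, b):
    """True when two equal-length strings differ in exactly one position."""
    if len(a) != len(b):
        return False
    return sum(x != y for x, y in zip(a, b)) == 1


def cluster_lookalikes(urls):
    """Group URLs that share subdomain and path and whose registrable domains
    are connected by single-character edits. Returns sorted lists of domains."""
    by_context = defaultdict(list)
    for url in urls:
        sub, dom, path = split_link(url)
        by_context[(sub, path)].append(dom)

    clusters = []
    for domains in by_context.values():
        unassigned = set(domains)
        # Connected components under the "differs by one character" relation.
        while unassigned:
            seed = unassigned.pop()
            cluster = {seed}
            frontier = [seed]
            while frontier:
                current = frontier.pop()
                for other in list(unassigned):
                    if differ_by_one(current, other):
                        unassigned.remove(other)
                        cluster.add(other)
                        frontier.append(other)
            clusters.append(sorted(cluster))
    return sorted(clusters)


def flag_campaign_clusters(urls, min_size=2):
    """Keep only clusters large enough to look like one campaign's link set."""
    return [c for c in cluster_lookalikes(urls) if len(c) >= min_size]


if __name__ == "__main__":
    for cluster in flag_campaign_clusters(SAMPLE_LINKS):
        print("campaign-like domain set:", ", ".join(cluster))
```

With the constructed input, the "update909x.pw" and "id7808x.pw" links each form one cluster and the unrelated www.example.org link stays alone, which is the behaviour an analyst wants before opening a takedown request for a whole set of lookalike domains rather than one at a time.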
Here is a table comparing the phishing link groups by domain name:

Group 1          Group 2
update9091.pw    id78087.pw
update9092.pw    id78086.pw
update9093.pw    id78080.pw
update9094.pw    id78084.pw
update9095.pw    id78083.pw
update9096.pw    id78088.pw
update9097.pw    id78085.pw
update9098.pw    id78089.pw

Lightboard Lessons: WebSafe and MobileSafe
The Web, while convenient and necessary for business, can be a dangerous and scary place. The good news is that F5 offers a security solution called WebSafe. WebSafe protects against sophisticated fraud threats, leverages advanced encryption, detects client-less malware, and analyzes session behavior in a single solution. MobileSafe is very much like WebSafe except that it is uniquely designed and tuned for the mobile environment. The frosting on the cake for all this goodness is that WebSafe and MobileSafe alerts come to our F5 Security Operations Center (SOC), where our team of security experts is hard at work 24x7 to analyze all your threat data and help mitigate the threats to your business. How does WebSafe actually work? What about MobileSafe? Check out this edition of Lightboard Lessons to learn more!

Related Resources:
- WebSafe Data Sheet
- MobileSafe Data Sheet

How French institutions can protect themselves against cybercrime
Financial institutions are the primary target of cybercriminals and expose the most sensitive data on the Internet. A user account at a financial institution holds both financial data (the customer's bank account) and the customer's personal and private data. These two kinds of data are equally sensitive. One lets attackers obtain money easily; the other lets them sell personal data (a social security number, for example) on the black market. That is why, as KPMG notes in a recent study, so many financial institutions have suffered a cyber-attack in the past two years, compromising many personal bank accounts.

The threat comes mainly from malware, or malicious software. It is installed without the user's knowledge, on their workstation at the company or on their personal computer. To achieve this, attackers do not lack imagination. The most widely used method is social engineering, that is, exploiting users' human and social weaknesses. This ranges from a USB stick handed out at a trade show to an e-mail with an attachment. Another very simple method that does just as much damage is phishing.

Once the malware is installed, it connects regularly to a server called "Command & Control". This is the attackers' control point, from which they launch their attack campaigns. A campaign consists of targeting an institution (financial, governmental, commercial) and collecting the user's personal information. For example, the attackers will instruct the malware to target the company www.mabanque.fr and, more specifically, its login page. The malware only wakes up when the user connects to www.mabanque.fr.

Once the credentials (username, password, OTP, ...) are entered, the malware sends them to the Command & Control server. However, malware can be far smarter and can perform actions in place of the user without the user noticing. Take as an example a transfer we want to make through our bank's website, www.mabanque.fr. During a transfer, the customer specifies a destination account and an amount. The malware modifies the request as it is sent, substituting another destination account (the attacker's) and another amount. Depending on the security measures the financial institution has in place, the user may not notice.

It is therefore important to protect the customers of financial institutions, as they are increasingly aware of the risks: 48% cite cyber-attacks as a reason to switch banks (according to KPMG).

The malware installs itself on the customer's machine. Protection solutions must therefore integrate with that workstation even though the financial institution does not "control" it. These solutions must be transparent, requiring no action from the user. F5 Networks, through its WebSafe Anti-Fraud offering, addresses all of the following problems and threats:

Protect credentials: a credential can be protected by encrypting it at the source, that is, in the browser or the mobile application. F5 Networks' WebSafe solution encrypts credentials as they are typed so that the malware cannot retrieve them in the clear. It only obtains encrypted credentials, which are useless to it.

Protect transactions: a transaction consists of a sequence of on-screen actions (browser or mobile application). The first step is to select a source account, then a recipient, then to enter an amount. All of this takes "human" time (typing, mouse movement, ...). F5 Networks' WebSafe solution monitors this input and checks that it resembles "human" input.

Detect phishing: it is impossible to stop an attacker from downloading the www.mabanque.fr site and hosting it on a rogue web server. Likewise, it is impossible to stop that attacker from sending an e-mail campaign to the institution's customers asking them to log in on the rogue site www.mabamque.fr (the N replaced by an M). However, F5 Networks' WebSafe solution can identify the presence of a copy of the site and get that site taken down (where possible). In addition, F5 Networks' WebSafe can identify the users who entered their credentials on the rogue site, so that they can be notified or have their accounts temporarily blocked.

Online fraud is the main threat to financial institutions, and they must protect themselves against it. F5 Networks offers innovative solutions combined with service offerings (SOC) that guarantee real-time analysis of threats and adapt the security in place (phishing campaigns, malware campaigns, ...). To do so, F5 Networks relies on its SOCs and on its LAB (www.f5.com/labs).

F5 Anti-Fraud Solutions: Frictionless Protection for the Masses
Anti-Fraud Solutions: Why F5?

In 2013, F5 Networks grew its security portfolio to include advanced Anti-Fraud services with the acquisition of the Israeli-based security company Versafe. At the RSA Conference in San Francisco this week, we have a section of our F5 booth dedicated to the Anti-Fraud solution, where we are talking about the technology, answering questions and demonstrating the capabilities all week. If you cannot make it to the conference, or even if you attended but missed us at our booth, that's not a problem. I'll fill you in on some of the details.

First, just walking around the RSA Conference, it's clear that there is no shortage of anti-fraud solutions on the market. The number is mind-blowing and continuously growing. As new threats emerge, new technologies are introduced to combat them. But if you look at the approaches each company takes, they are often quite different. So that begs the question: why F5?

Well, from a feature and function standpoint, we cover a wide range of web-based fraud detection and protection capabilities. The WebSafe solution, which protects web-based applications, safeguards against various forms of malicious activity including phishing attacks, Man-in-the-Middle, Man-in-the-Browser and Trojan activity such as web injections, form hijacking, page modifications and transaction modification. But what makes the solution unique is that it enables 100% coverage of the user base in a completely clientless manner, without impacting the user experience. We inject our obfuscated code, via an iRule, into the web application code as part of the response data. In other words, the solution is completely frictionless, which is key differentiator number one. And because the solution leverages common browser-based technologies, we protect users who are navigating from all types of devices: laptops, PCs, tablets, smart TVs, mobile devices, etc. As long as the user is navigating with a standard web browser, they will be protected. This is key differentiator number two.

From a deployment standpoint, today the WebSafe solution is implemented via an iRule on an F5 device (either physical or virtual), so there is no need to introduce changes to the web applications our customers are looking to protect from online fraud. This saves time when deploying the solution because there is no need to engage web development resources, which are often outsourced or already engaged in critical projects. Our ability to deploy without these web application changes equates to savings and is key value proposition number three. As a matter of fact, many F5 customers can leverage their current F5 investment and deploy the Anti-Fraud services on their existing infrastructure, requiring no additional hardware investment: differentiator number four. Lastly, WebSafe provides protection against online fraud without a client install and with no change in the online users' experience. Introducing CAPTCHAs, popups, etc. is often too intrusive to the end user, so we are looking to protect the users without introducing friction in the process.

Summary

If you are at the RSA Conference, stop by booth 1801. We would be happy to demonstrate our Anti-Fraud solution and help to enhance your fraud protection capabilities. If you are not at RSA, look for further details here. We will be posting more details about F5's Anti-Fraud solutions throughout the coming weeks.

You Never Know When...
An old article gets new life. #TBT

Back in 2012 I wrote an article titled Bait Phone. It was about cops dropping mobile phones with a tracking device and following the stealing culprit for an arrest. Like Bait Car but with a smartphone. Over the weekend, I noticed that the article was blowing up but couldn't figure out why. I even tweeted out on Monday:

At the time, I didn't realize something else was at play. Then I decided to do a Twitter search:

And found that a video with the same name as my blog post was trending: Bait Phone 2 - basically a stun gun with a remote. Over 2.2 million YouTube views in less than a week. It's a prank video where they have a remote zapper to sting the culprits when they grab & walk away with the phone. One guy - who had it in his pocket - denied taking it until he was personally shocked.

When I did a Google search over the weekend, my article was still at the top, but now the article is like #13 listed (maybe even lower) and the video has taken the top spot. You never know when an old article might pop due to some other circumstances. At least folks are reading it and not totally bailing! Fun stuff.

ps

Is Slempo/GM-Bot the new standard for mobile malware?
Introduction

Slempo/GM-Bot requires little introduction, as it has been the focal point of many recent publications and is a well-known threat in the world of mobile malware. In most cases Slempo/GM-Bot presents itself as an "Adobe Flash Player Update". This disguise is very popular in the mobile malware sphere and is used to trick the user into granting the malicious application administrator privileges. Upon the user's acceptance, the malware is installed on the device and is capable of controlling it. Among the malware's many functionalities are:

- Intercept, redirect and block SMS messages and calls
- Lock and unlock the device
- Wipe the device
- Display its own content over legitimate applications
- Send stolen user credentials (obtained by displaying fake content) back to the Command & Control server

After completing initial installation, the malware contacts its Command & Control server, sends it a list of all applications installed on the device and various other device information, and downloads a configuration file, which it saves locally on the device at the following path:

/data/data/%App_Name%/shared_prefs/AppPrefs.xml

This configuration file contains the applications that the malware targets for credential harvesting, and the fraudulent content that performs that harvesting.

Fig. 1 – Device data and installed applications sent to C&C server.

Encoded Configuration & Fraudulent Activity

The encoded configuration file downloaded from the Command & Control server contains the targeted application names and the content to be displayed to the victim upon activation of a targeted application, as can be seen below:

Fig. 2 – A snippet of the encoded configuration file.

Fig. 3 – Decoded configuration snippet showing fraudulent HTML content to be displayed on top of the targeted application to harvest the user's credentials.

When the malware detects activation of a targeted application, the fraudulent content contained in the configuration file is displayed to the victim on top of the targeted application:

Fig. 4 – Fraudulent content displayed on top of legitimate application.

After the victim enters credentials into what they perceive to be the legitimate application, the malware sends the credentials to its C&C server, as seen below:

Fig. 5 – Victim's credentials are sent to the C&C server.

Targets

Slempo targets many financial and non-financial applications worldwide, as can be seen in the chart below:

Fig. 5 – Slempo Target Distribution. NOTE: Applications which are not region or country specific are categorized as "Other".

Known Slempo/GM-Bot Sample MD5s:

288ad03cc9788c0855d446e34c7284ea
e740233e0a72be4db2dcd5d5b7975fa0
3ef8e4ea08e9eff6db3c9ebf247a97b5
45e66a89db86309673d33b1aa4047fd1
a5387f3487c0749394def743a7345c47
f90cded5ec2a6c29b636945af85e3069

Mitigation

To learn more about F5 fraud protection and how F5 can mitigate threats such as Slempo, please read the MobileSafe datasheet as well as the WebSafe datasheet.

Wearing Emotions on Your Sleeve...Literally
Imagine if your emotions and feelings could be measured, tracked and included in a data graph.

I'm sure you've heard the saying 'wearing your heart on your sleeve' to indicate that someone expresses their emotions freely or exposes their true emotions without caution. This can be good in that you become open and vulnerable when showing your true feelings, but it can jade areas like composure in situations where you might be frustrated or irritated. I tend to be fairly open with my emotions.

There are a few stories about the origin of the saying going back to the Middle Ages. Emperor Claudius II felt unattached men make better warriors, so he outlawed marriage. To alleviate some of the grievances, every year during the Roman festival honoring Juno, he'd allow temporary coupling where men drew names to determine who would be their lady friend for the year. The man would wear her name on his sleeve for the festival. Around the same time, when knights performed jousting matches, they'd dedicate their match to a lovely lady of the court. By wearing her hanky around his arm, he was signaling that he was defending her honor. And in Shakespeare's Othello, Iago confesses:

    For when my outward action doth demonstrate
    The native act and figure of my heart
    In complement extern, 'tis not long after
    But I will wear my heart upon my sleeve
    For daws to peck at. I am not what I am.
    – Othello, Act 1, Scene 1, 61–65

Whatever the origin, humans are emotional creatures. We typically make choices based on emotion, even though we'd like to think it was a rational decision. We may try to hide our emotions so as not to upset or reveal something to another person. Often called a Poker Face. But imagine if your emotions and feelings could be measured, tracked and included in a data graph. Other than a polygraph. Daydream no more. There are now wearables that track your emotions.

This is not your father's old-skool mood ring but devices that read your current emotional state and attempt to soothe and lower stress levels by encouraging deep breaths and relaxation techniques to get you through the haze. Sensors that gather skin temperature, sweat gland activity and blood pulse along with movement gauge your activity level. From that, it generates a graph on your mobile phone so you can see when your stress levels peaked and the mood at the time. You can see real time or over the course of the day. Emotional analysis in your pocket...or sleeve if you got one of those runner's arm band things. I'm sure someone will create a shirt that has color changing sleeve threads depending on a person's emotional state. The Iagonaut.

This is not the future but today. A Fitbit captured the moment of a broken heart during a relationship ending phone call. This man was wearing his Fitbit when the unexpected call came and his daily graph tells the whole story:

Koby (@iamkoby) shared his heart wrenching moment (and graph) on Twitter and it saturated the internet. The red arrow indicates the moment that the news hit him. Instantly, his heart rate jumped from 72 to 88 beats per minute and stayed high for the rest of the day. Clearly this healthy, athletic person was under duress and if you couldn't tell by the yellow peak marks, he had trouble sleeping that night. Talk about exposing your emotions with technology.

Would you share your sleeve with the world?

ps

Related:
- Fitbit captures exact moment man's heart breaks
- The Origins of Wearing Your Heart on Your Sleeve
- Forget fitness, this wearable tracks your emotions
- Connecting the Threads
- The Digital Dress Code
- Wearables Head to Tail
- Gartner Says Worldwide Wearable Devices Sales to Grow 18.4 Percent in 2016

Tinbapore: Millions of Dollars at Risk
Detected by F5 WebSafe security solutions during November 2015, the Tinbapore attack has put millions of US dollars at risk. Investigation by F5 security experts revealed that Tinbapore is actually a new variant of the good old Tinba malware, which so far had been targeting financial institutions in the Europe, Middle East, and Africa (EMEA) region and the Americas.

The original Tinba malware was written in assembly language and was noted for its very small size (around 20 KB including all webinjects and configuration). The malware mostly uses four system libraries during runtime: ntdll.dll, advapi32.dll, ws2_32.dll, and user32.dll. Its main functionality is hooking all the browsers on the infected machine so it can intercept HTTP requests and perform web injections. Newer and improved versions of the malware employ a domain generation algorithm (DGA), which makes the malware much more persistent and gives it the ability to come back to life even after a command and control (C&C) server is taken down.

This new variant of Tinba, Tinbapore, now creates its own instance of explorer.exe that runs in the background. It differs from most previous versions in that it actively targets financial entities in the Asia Pacific (APAC) region, which was previously uncharted territory for Tinba.

To download your copy of the Tinbapore variant analysis report, click here.

Yasuo-Bot–the flexible mobile banker targeting Russia and East-Europe
Mobile financial malware needs little introduction; since 2010, mobile malware has been on the rise. The first mobile Trojan launched was 'Zitmo' (Zeus-In-The-Mobile, a mobile version of the most common PC Trojan, ZeuS), which was then followed by many different variants of mobile Trojans with a financial focus, such as mToken, Perkele, iBanking, and more. Nowadays, the majority of mobile Trojans target Android devices, using different techniques to gain administration permissions on the victim's device, steal users' TANs (Transaction Authorization Numbers), intercept SMS messages containing OTPs, grab credentials, present fraudulent content, perform automatic money transfers and more.

The main technique employed by mobile banking Trojans, which infect mobile phones and steal passwords and other data when the victim logs onto their online bank account, is to place their own fraudulent content over the legitimate application being presented to the user. This is known as an "overlay", and it is usually hard-coded into the malicious package. Yasuo-Bot takes this technique one step further and dynamically displays fraudulent content "on the fly", receiving it directly from its Command and Control server based on its configuration. This departure from earlier mobile malware design adds a dimension of flexibility for the malware and its operator, allowing far greater tailoring and customization of the fraudulent content, and a far greater number of targets that the malware can potentially attack without greatly increasing package size.

The malware presents itself as one of several legitimate applications, such as "Google Play", in an attempt to fool the user into granting it administrator privileges:

Upon the victim's agreement, the malware gains a vast array of all-encompassing system permissions, including, but not limited to:

- Full internet access
- Read, write and send SMS messages
- Change device settings (including the device password)
- Lock and unlock the device
- Make phone calls
- Display its own content over other applications
- Access to the contacts list, call history, browser history and bookmarks, and device location

Once the malware has gained system administrator permissions, it sends the Command and Control server a request for a configuration file, along with some general information about the victim, including:

- Android OS version
- Device IMEI
- Phone number
- Country information
- Bot version

The returned configuration file contains the list of applications targeted for overlay and is saved locally on the victim's device. When the malware detects that a targeted application has been activated, it requests application-specific fraudulent content from the Command and Control server and displays it to the user instead of the legitimate application the user opened:

Fraudulent content is displayed to the user "on top" of the legitimate application:

Once typed in by the victim, the entered credentials are sent back to the Command and Control server, along with the "application" they were harvested from:

But Yasuo's bag of tricks doesn't end there! One variant encountered goes so far as to target several default Android applications, which are present on virtually all Android devices, alongside its set of targeted banking applications, in an attempt to get at the user's credentials:

- Chrome browser
- Facebook application
- Android default settings application
- Android default phone application
- Android default SMS application

When this variant detects that a targeted (non-banking) application has been activated, it displays a prompt to the user; once the user clicks through, it displays a second prompt asking the user to "choose his bank". Once the user chooses, he is redirected to a phishing page identical in content and layout to the overlay pages the malware displays upon activation of a targeted banking application.

To summarize, this new and actively evolving malware brings much greater flexibility and customization ability to its authors and operators, with the ability to target a virtually endless number of legitimate applications and to dish out tailor-made fraudulent content for each application without greatly increasing the size of the malware package. F5 SOC will continue to investigate and monitor this new and emerging threat, and report on any new variants or new functionality encountered.

To download the full Mobile Malware Analysis Report please click here.

Known Yasuo-Bot samples (MD5):

ab9032ed5625667068a96119ddca8288
8be9f7867e9e32e996629b5a6c11b16c
39526ecbe6c6186a3d0b290afa2f3764
e68826f3e2d5f5b1e3e31ab5b04331cb