The Ivanti Threat Thursday Update for July 13, 2017: Android Under Attack

Greetings. Android devices face threats from two different types of malware, one of which traces its roots back to 2015. Meanwhile, old technologies lead to new threats to Internet of Things (IoT) devices. Read more below, and please let me know what you think about current cybersecurity events and/or this Ivanti Threat Thursday Update. Thanks in advance.

Android Under Attack: CopyCat Infects 14 Million Devices

In a July 6 blog post, researchers at Check Point Software Technologies Ltd. announced they had identified “a mobile malware” they dubbed “CopyCat.” The malware “infected 14 million Android devices, rooting [gaining root access to or privileged control over] approximately 8 million of them.” “CopyCat is a fully developed malware with vast capabilities, including rooting devices, establishing persistency, and injecting code…that allows the malware to control any activity on the device.”

CopyCat takes control of an infected device, then generates fraudulent advertisements, advertising referrals, and apps. “These activities generate large amounts of profits for the creators of CopyCat, given the large number of devices infected by the malware.” The hackers behind CopyCat generated “approximately $1.5 million in fake ad revenues in two months” during 2016. “While CopyCat infected users mainly in Southeast Asia, it spread to more than 280,000 Android users in the United States.”

Android Under Attack: SpyDealer Steals from More Than 40 Android Apps

In a separate July 6 blog post, researchers at Palo Alto Networks announced their discovery of “an advanced Android malware” they dubbed “SpyDealer.” That malware “exfiltrates private data from more than 40 apps and steals sensitive messages from communication apps by abusing the Android accessibility service feature.” SpyDealer first “uses exploits from a commercial rooting app to gain root privilege, which enables the subsequent data theft.” The malware has also been around in various forms since at least October 2015.

Apps affected include Facebook, Line, Skype, Tango, Telegram, WeChat, WhatsApp, Viber, and the Android Native and Firefox Browsers. “SpyDealer is only completely effective against Android devices running versions between 2.2 and 4.4, as the rooting tool it uses only supports those versions. This represents approximately 25% of active Android devices worldwide. On devices running later versions of Android, it can still steal significant amounts of information, but it cannot take actions that require higher privileges.”

What We Say: The majority of infected devices were apparently “jailbroken,” or unlocked by users who want to run apps or make modifications not authorized by device manufacturers. Check Point said that there is “no evidence” CopyCat made its way into the Google Play app store. For maximum safety, make sure that mobile users only download and install apps from vendors’ official app stores.

Old Technology Presents New Security Threats for the IoT

Message Queuing Telemetry Transport, or MQTT, was created in 1999 as a machine-to-machine messaging protocol optimized for low-bandwidth communications. Today, as Dark Reading reported on July 10, MQTT is “becoming prevalent in the Internet of Things realm,” and putting connected IoT devices and enterprises at risk.

“Security researcher Lucas Lundgren via an Internet scan last year found around 65,000 IoT servers using [MQTT] worldwide on the public Internet wide open to attack with no authentication nor encrypted communication.” Those servers manage a wide variety of resources, “including airplane coordinates, prison door controls, connected cars, electricity meters, medical devices, mobile phones, and home automation systems.”

Lundgren “was able to read in plain text the data sent back and forth between those IoT devices and their servers,” and said that he “could see prison doors open and close.” At the upcoming Black Hat USA cybersecurity conference in Las Vegas, “Lundgren plans to demonstrate how an attacker could compromise exposed MQTT-based servers and issue phony commands in order to alter their operation or outcomes of their IoT-attached equipment.”
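The two weaknesses in the scan above, anonymous access and plaintext traffic, are both broker configuration choices. The following added example (not from the article, Dark Reading, or the Mosquitto project) audits a Mosquitto-style broker configuration for them; the sample config is constructed, and the checks assume Mosquitto 1.x directive names (listener, allow_anonymous, password_file, certfile, keyfile) and its pre-2.0 default of allowing anonymous clients.

```python
# Constructed sample: a plaintext listener on 1883 open to all interfaces with
# anonymous access allowed, plus one TLS listener on 8883.
SAMPLE_CONF = """\
allow_anonymous true
listener 1883 0.0.0.0
listener 8883
cafile /etc/mosquitto/ca.crt
certfile /etc/mosquitto/broker.crt
keyfile /etc/mosquitto/broker.key
"""

# TLS directives apply to the most recently declared listener (assumed Mosquitto 1.x behaviour).
TLS_KEYS = {"cafile", "certfile", "keyfile", "require_certificate"}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def parse_conf(text):
    """Return (global_settings, listeners); listeners carry their own TLS keys."""
    global_settings, listeners = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "listener":
            port, _, bind = value.partition(" ")
            listeners.append({"port": int(port), "bind": bind.strip() or "0.0.0.0"})
        elif key in TLS_KEYS and listeners:
            listeners[-1][key] = value
        else:
            global_settings[key] = value
    return global_settings, listeners

def audit(text):
    """Return a list of findings describing exposure; an empty list means none found."""
    settings, listeners = parse_conf(text)
    findings = []
    # Absence of the directive counts as 'true' because that was the pre-2.0 default.
    if settings.get("allow_anonymous", "true") == "true":
        findings.append("anonymous clients allowed (set allow_anonymous false)")
    if "password_file" not in settings:
        findings.append("no password_file: no client credentials are configured")
    for lst in listeners:
        # A plaintext listener is only a finding when it is reachable beyond loopback.
        if ("certfile" not in lst or "keyfile" not in lst) and lst["bind"] not in LOOPBACK:
            findings.append(f"listener {lst['port']} on {lst['bind']} has no TLS (plaintext)")
    return findings
```

Running audit(SAMPLE_CONF) reports three findings (anonymous access, no credentials, plaintext listener 1883) and passes the 8883 listener.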

What We Say: The IoT is rife with cybersecurity risks, especially to enterprise supply chains. As GovTechWorks reported on July 12, a 2015 SANS Institute study found that “as much as 80 percent of cyber breaches originate in the supply chain.” Underwriters Laboratories (UL), the American National Standards Institute (ANSI), and the Standards Council of Canada (SCC) are developing a standard, “Software Cybersecurity for Network-Connectable Products.” This and other efforts will likely help—but not anytime soon. Meanwhile, IT and cybersecurity decision makers at enterprises using IoT devices should ensure that those devices are segregated from critical IT resources and made as secure as possible.

Survey: Cybersecurity Spending Grows, but Doesn’t Get Ahead of Threats

For new research announced July 12, Enterprise Strategy Group (ESG) surveyed more than 400 IT and cybersecurity professionals. Among those respondents, “72 percent feel cybersecurity analytics and operations is more difficult today than it was two years ago.” The same percentage feels “that the rapidly evolving threat landscape and growing volumes of security alarms are the most common challenges facing enterprises today.”

Respondents may be spending more on cybersecurity, but think that hackers and attackers are still winning the cybersecurity arms race. According to ESG, “89 percent of organizations use external threat intelligence, but IT professionals are still feeling that cyber adversaries are moving faster than network defenders can keep up. These challenges are amplified due to almost half of the organizations reporting a problematic shortage of cybersecurity skills, and admitting they still rely on manual processes and individuals to aggregate and analyze threat intelligence.” ESG also found that “31 percent of organizations are looking to use threat intelligence to help automate remediation tasks.”

“While analysts work to combine more and more external threat data with internal data and events, organizations will continue to feel as though they are falling behind their adversaries. This need to combine and leverage data is driving automation.” As ESG Senior Principal Analyst Jon Oltsik put it, “One of the reasons today’s approach to cybersecurity operations is not working is because it is based on too many tools and manual processes.”

What We Say: The ability to automate remediation is critical to the success of any defense-in-depth strategy, especially given the dearth of skilled, experienced cybersecurity staff available for hire. And the best available cybersecurity decisions are based on the best available threat intelligence, internal and external. The effectiveness of your cybersecurity strategy is ultimately determined by how well your team can see the complete environment, know its current threat posture, and act to protect users and resources and remediate successful attacks. Proven frameworks and guidelines, such as the Center for Internet Security (CIS) Critical Security Controls and the “Top 4 Mitigation Strategies” from the Australian Signals Directorate, can help you to deliver defense in depth without incurring excessive levels of “expense in depth.”

Ivanti: Here to Help

Ivanti solutions help protect your enterprise from all manner of cybersecurity threats, old, new, and yet to come. We can help you to deliver true defense in depth across all your enterprise’s most critical IT endpoints and resources, fixed and mobile. And Ivanti enables automation of multiple cybersecurity tasks and functions, to make your team more effective and productive. (Our recent acquisition of RES Software underscores our commitment to improving automation for cybersecurity and all of IT.)

Right now, select combinations of Ivanti cybersecurity solutions are available to new and current Ivanti customers at discounts of up to 30 percent. Check out the offer details, as well as the free trials of Ivanti patch management solutions we offer. Learn more about our solutions for mobile device management and protection against ransomware and malware. See how we can help modernize your supply chain. And keep reading our Patch Tuesday and Threat Thursday updates, so we can help keep you up to date—even about threats you might have thought to be out of date.