Google exposes massive iPhone hacking operation

Google’s Project Zero security team has published its analysis of a set of iOS exploit chains that were served from compromised websites and installed a monitoring implant on the iPhones of large numbers of visitors.

The vulnerabilities involved are ‘zero-days’, a term whose definitions vary but which refers to a flaw that is being exploited before the vendor has a fix available, so users have had zero days of protection against it. Project Zero’s stated aim is to ‘make zero-day hard’, and it goes about this by finding such vulnerabilities itself. It publishes its findings after giving the owner of the software time to address them, and Apple was told about these at the start of February this year.

“Now, after several months of careful analysis of almost every byte of every one of the exploit chains, I’m ready to share these insights into the real-world workings of a campaign exploiting iPhones en masse,” wrote Ian Beer of Project Zero in the blog post detailing the findings. “Let’s also keep in mind that this was a failure case for the attacker: for this one campaign that we’ve seen, there are almost certainly others that are yet to be seen.”

This is at best very embarrassing for Apple, which prides itself on the relative lack of malware on its closed software platform. The implant was installed on an iOS device if the user merely visited one of the compromised websites, with no download, prompt or interaction required (a drive-by attack). Once installed it gave the operators access to essentially everything on the phone, including passwords stored in the keychain, chat histories and more.

Google is, of course, Apple’s sole rival in the mobile operating system space, so it does seem pretty convenient that it should be discovering iOS vulnerabilities and publicising them. Project Zero’s policy, it seems, is to publish all such findings after an appropriate delay to allow for patching, which it should be stressed Apple did immediately, but you have to wonder whether it’s quite as keen to bring Android’s failings into the public domain.

Matrix themed virus infects 25 million smartphones

A new variant of mobile malware, dubbed ‘Agent Smith’, which diverts advertising revenue to cybercriminals, has been identified, and it has already infected around 25 million smartphones.

Discovered by Check Point, this is a sneaky piece of malware to deal with. Like Agent Smith in the Matrix trilogy, it takes over other apps: it silently replaces legitimate apps already installed on the device with patched copies of themselves that carry its malicious code.

Right now the user is not being exploited directly. The malware’s presence does create the potential for eavesdropping or credit fraud, but for the moment the cybercriminals are using it to collect cash from advertisers through various trusted applications: the patched app is forced to display more ads than it was designed to, and the attackers collect the resulting revenue.

“In this case, “Agent Smith” is being used for financial gain through the use of malicious advertisements,” Check Point said on its blog.

“However, it could easily be used for far more intrusive and harmful purposes such as banking credential theft and eavesdropping. Indeed, due to its ability to hide its icon from the launcher and impersonate existing user-trusted popular apps, there are endless possibilities for this sort of malware to harm a user’s device.”

Check Point estimates that 25 million devices have been infected to date. The majority are in India and other Asian countries, although infections have also been identified in the US, UK and Australia. Although Check Point has not stated it directly, some have suggested the malware can be traced back to Guangzhou, China.

The malware itself works in three phases. First, the user is lured into downloading a simple free app (usually a minimal game or adult-themed app) from a third-party store, which contains an encrypted malicious payload. At this point the dropper scans the device for popular apps on a predetermined list that can be targeted later.

During the second phase the payload is decrypted into its original form and installed, abusing several known Android vulnerabilities (Check Point names the Janus APK-signing flaw among them) without giving the user any clue. Finally, the malware attacks the targeted applications: it extracts each innocent app’s APK file, patches it with extra malicious modules, and reinstalls the patched copy in place of the original, so the app keeps its name and icon but now serves the attacker’s ads.
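Two cheap checks that catch the shape of attack described above, as an added example that is not Check Point’s code or anything from the campaign itself. A patched APK has to be re-signed with a key the attacker holds, so pinning the publisher’s signing-certificate fingerprint detects the swap; and a Janus-style injection produces a file that is a DEX at offset 0 while still being a valid ZIP, which is easy to spot. The APK files and “certificates” below are constructed fixtures, not real apps or real signer certificates, and the `META-INF/CERT.RSA` entry simply holds the fixture bytes rather than a real PKCS#7 block; in practice the signer certificate comes from `apksigner verify --print-certs` or, on device, from `PackageManager`.

```python
"""Added example: two integrity checks for a repackaged Android APK.
Fixtures are constructed; nothing here is a real app or certificate."""
import hashlib
import io
import zipfile

DEX_MAGIC = b"dex\n"
V1_SIG_EXTENSIONS = ("RSA", "DSA", "EC")


def build_apk(cert_der: bytes, signed: bool = True) -> bytes:
    """Build a minimal APK-shaped ZIP in memory (constructed test fixture).
    A real v1 signature block is PKCS#7 SignedData; here CERT.RSA just
    carries the fixture's 'certificate' bytes so the file layout is right."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 32)
        if signed:
            z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
            z.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
            z.writestr("META-INF/CERT.RSA", cert_der)
    return buf.getvalue()


def signer_fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER signing certificate: the digest apksigner prints
    and that an app can compute from PackageManager's Signature bytes.
    A repackaged APK must be re-signed by the attacker, so this changes."""
    return hashlib.sha256(cert_der).hexdigest()


def is_janus_shaped(blob: bytes) -> bool:
    """True for a file that is a DEX at offset 0 and still a parseable ZIP.
    ZIP readers find the central directory from the end and tolerate leading
    bytes, the DEX loader reads from offset 0, and a v1 (JAR) signature only
    covers ZIP entries; that gap is what Janus-style injection abuses."""
    return blob.startswith(DEX_MAGIC) and zipfile.is_zipfile(io.BytesIO(blob))


def has_v1_signature(names) -> bool:
    return any(
        n.startswith("META-INF/") and n.rsplit(".", 1)[-1] in V1_SIG_EXTENSIONS
        for n in names
    )


def assess_apk(blob: bytes, cert_der: bytes, pinned_fingerprint: str) -> list:
    """Return a list of findings; an empty list means every check passed.
    cert_der is the signer certificate the caller extracted (apksigner or
    PackageManager); pinned_fingerprint is the known-good SHA-256 digest."""
    findings = []
    if is_janus_shaped(blob):
        findings.append("prepended-dex")
    if not zipfile.is_zipfile(io.BytesIO(blob)):
        findings.append("not-a-zip")
        return findings
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        if not has_v1_signature(z.namelist()):
            findings.append("no-v1-signature")
    if signer_fingerprint(cert_der) != pinned_fingerprint:
        findings.append("signer-mismatch")
    return findings


# Constructed fixtures (not real certificates or apps).
ORIGINAL_CERT = b"constructed DER certificate of the legitimate publisher"
ATTACKER_CERT = b"constructed DER certificate of a repackager"
PINNED = signer_fingerprint(ORIGINAL_CERT)

CLEAN_APK = build_apk(ORIGINAL_CERT)
REPACKAGED_APK = build_apk(ATTACKER_CERT)  # same content, different signer
JANUS_APK = DEX_MAGIC + b"035\x00" + b"\x00" * 40 + CLEAN_APK  # DEX glued on front


def demo() -> dict:
    """Run the checks over each fixture and return the findings per case."""
    return {
        "clean": assess_apk(CLEAN_APK, ORIGINAL_CERT, PINNED),
        "repackaged": assess_apk(REPACKAGED_APK, ATTACKER_CERT, PINNED),
        "janus": assess_apk(JANUS_APK, ORIGINAL_CERT, PINNED),
        "unsigned": assess_apk(build_apk(ORIGINAL_CERT, signed=False),
                               ORIGINAL_CERT, PINNED),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name:11s} {findings or 'ok'}")
```

The fingerprint check is the one that matters in the general case, because it does not depend on how the APK was altered, only on who signed the result. The DEX-prefix check only covers v1-only APKs on the Android versions that loaded such files; APKs signed with the v2 or v3 scheme have the whole file covered by the signature and are not exposed to that trick.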

‘Agent Smith’ was first detected in 2016, and the cybercriminals have seemingly been laying the groundwork for a larger attack for some time. It has certainly evolved over this period, and although Check Point has reported the malicious apps to Google’s security team, who is to say there are not more. The danger of ‘Agent Smith’ is that it is incredibly difficult to identify in the first place.

Perhaps this is an oversight in the security world which we will have to address before too long.

As it stands, numerous parties around the world are constantly on the look out for nefarious activity, however, in most cases the assumption is that it will be a state-sponsored attack. This does not seem to be the case here and perhaps why it is very difficult to detect the malware in the first place; everyone is looking for the wrong clues.

In this example, Check Point seems to have caught the suspect firm early, informing Google’s security team before any deeper damage was done. That said, 25 million devices is still a substantial number, but with the source identified the spread should be limited.

Smartphone spyware FinSpy is back and thriving

Cybersecurity vendor Kaspersky has reported that FinSpy, a piece of malware that allows private information to be stolen from smartphones, has made a reappearance.

FinSpy spyware is apparently made by German company Gamma Group and sold by its UK subsidiary Gamma International to governments and state agencies so that they can spy on their citizens. It has been around for a few years but seems to be experiencing a renaissance, with activity recorded in Myanmar last month.

The recent appearance of FinSpy has brought to light the iOS and Android mobile implants that install this spyware on mobile devices. The implants enable FinSpy to collect personal information such as contacts, SMS/MMS messages, emails, calendars, GPS location, photos, files stored on the device, phone call recordings and data from some of the most used messenger services, including Facebook, WhatsApp and Skype among others.

The greatest cause for concern is that FinSpy collects this information even when the user relies on end-to-end encrypted messaging: the implant runs on the handset itself, so it reads messages after they have been decrypted for display and never needs to break the encryption at all. Talking of encryption, FinSpy’s developers have been improving the encryption of their own traffic and stored data to reduce the risk of traceable activity being discovered, the Kaspersky report claims.

“The developers behind FinSpy constantly monitor security updates for mobile platforms and tend to quickly change their malicious programs to avoid their operation being blocked by fixes,” Alexey Firsh, a security researcher at Kaspersky Lab, told Cyberscoop. “We observe victims of the FinSpy implants on a daily basis.”

Kaspersky also says the implants were detected in almost 20 countries, and the real number is likely higher. These new implants are a real threat: the developers constantly update the spyware to reduce its footprint, and its position on the device lets it sidestep encryption rather than defeat it. FinSpy and Gamma Group are thriving, although Kaspersky says it is conducting further investigations to tackle the issue.

Nokia, Cisco, BT, Telefónica and Microsoft among new cybercrime-fighting cabal

34 tech and telecoms companies have signed a pledge to fight cyberattacks from criminal enterprises and nation-states.

The thing they signed is called the Cybersecurity Tech Accord, and its creation seems to have been prompted by the growing trend of cyber-horridness coming from places like Russia and the apparent need for greater global coordination to combat it. Microsoft seems to be taking the lead on this project, which is fair enough since its OS is the recipient of most of this aggro, but a fairly broad range of major tech companies have jumped on board.

“The devastating attacks from the past year demonstrate that cybersecurity is not just about what any single company can do but also about what we can all do together.” said Microsoft President Brad Smith. “This tech sector accord will help us take a principled path towards more effective steps to work together and defend customers around the world.”

Here are the four cornerstones to this group effort as detailed in the announcement:

Stronger defense

The companies will mount a stronger defense against cyberattacks. As part of this, recognizing that everyone deserves protection, the companies pledged to protect all customers globally regardless of the motivation for attacks online.

No offense

The companies will not help governments launch cyberattacks against innocent citizens and enterprises, and will protect against tampering or exploitation of their products and services through every stage of technology development, design and distribution.

Capacity building

The companies will do more to empower developers and the people and businesses that use their technology, helping them improve their capacity for protecting themselves. This may include joint work on new security practices and new features the companies can deploy in their individual products and services.

Collective action

The companies will build on existing relationships and together establish new formal and informal partnerships with industry, civil society and security researchers to improve technical collaboration, coordinate vulnerability disclosures, share threats and minimize the potential for malicious code to be introduced into cyberspace.

“The Tech Accord will help to protect the integrity of the one trillion connected devices we expect to see deployed within the next 20 years,” said Carolyn Herzog, General Counsel at Arm. “It aligns the resources, expertise and thinking of some of the world’s most important technology companies to help to build a trusted foundation for technology users who will benefit immensely from a more securely connected world.”

Here’s the full list of signatories and they must be serious about this because they’ve made a corporate video and everything: ABB | ARM | AVAST | BITDEFENDER | BT | CA TECHNOLOGIES | CISCO | CLOUDFLARE | DATASTAX | DELL | DOCUSIGN | FACEBOOK | FASTLY | FIREEYE | F-SECURE | GITHUB | GUARDTIME | HP INC | HPE | INTUIT | JUNIPER NETWORKS | LINKEDIN | MICROSOFT | NIELSEN | NOKIA | ORACLE | RSA | SAP | STRIPE | SYMANTEC | TELEFONICA | TENABLE | TRENDMICRO | VMWARE

Intel hit with class action suit over CPU defects

Law firm Doyle APC has filed a class action lawsuit against Intel over the design defect found in virtually all of Intel’s x86-64 CPUs.

2018 has not been a great year for Intel so far, as the last week or so has been a tsunami of bad news concerning security vulnerabilities in its x86-64 CPUs. Considering the extent of Intel’s woes, it was never going to be long before a class action appeared, and here it is: Garcia, et al. vs. Intel Corp, Case No. 18-cv-00046 (ND Cal).

The case aims to represent any US purchaser of Intel CPUs containing the defect, or of a device containing one of these processors. The defect stems from what Intel must have thought was a clever bit of engineering. Modern CPUs do not wait for a branch or a permission check to resolve before carrying on; they guess the outcome and run ahead, a technique known as ‘speculative execution’, and throw the work away if the guess turns out to be wrong. On affected Intel parts a user-mode program can speculatively read memory it is not permitted to access, including kernel memory, and although the result is discarded it leaves traces in the CPU cache that can be measured. This exposes kernel data, one of the most sensitive parts of a computer.

Since the vulnerability was disclosed, Intel and the operating system vendors have been rushing out patches that close the hole, though they are expected to degrade performance at the same time: the main fix keeps kernel memory unmapped while user code runs, which adds cost to every system call. Intel claims 90% of processor products introduced within the past five years will be fixed by the end of this week, and that for the average user the impact on performance will be minimal. This has been echoed by Intel’s customers:

Apple:

“Our testing with public benchmarks has shown that the changes in the December 2017 updates resulted in no measurable reduction in the performance of macOS and iOS as measured by the GeekBench 4 benchmark, or in common Web browsing benchmarks such as Speedometer, JetStream, and ARES-6.”

Microsoft:

“The majority of Azure customers should not see a noticeable performance impact with this update. We’ve worked to optimize the CPU and disk I/O path and are not seeing noticeable performance impact after the fix has been applied.”

Google:

“On most of our workloads, including our cloud infrastructure, we see negligible impact on performance.”

Amazon:

“We have not observed meaningful performance impact for the overwhelming majority of EC2 workloads.”

This has been disputed by some commentators, since speculative execution is one of the primary drivers of modern CPU performance and the cost of the fix depends heavily on how often a workload enters the kernel. Only time will tell.

Doyle APC’s ambulance-chaser impersonation should of course have been expected, though Intel has been the main recipient of attention so far. AMD and ARM have also admitted to vulnerabilities in their products, though neither has received anywhere near the same scrutiny. Either the flaws do not affect those products as severely as Intel’s, or the severity of the AMD and ARM defects has simply not been uncovered yet.

Android ransomware is biggest mobile malware threat – Nokia

Nokia has published its latest Threat Intelligence Report, which shows that ransomware attacks went through the roof this year, largely via Android devices.

The Nokia report looks at malware infections found in mobile and fixed networks by its NetGuard security product, which by no coincidence whatsoever announced a major new version today. It derives data from over 100 million devices.

The biggest security issue faced by mobile networks this year has been ransomware, as typified by WannaCry and NotPetya. Two thirds of mobile malware infections come via Android devices, mainly smartphones, which Nokia attributes to the prevalence of side-loading apps from third-party app stores. Third-party app stores account for 96% of the app market in China, apparently.

[Figures from the report: malware infections by device type; Android malware breakdown; China app store breakdown]

This is an issue because side-loading bypasses Google’s own efforts to clean up the Play Store, and makes it much easier to trick users into installing malware hidden as a Trojan inside apparently legitimate apps. This is in addition to the traditional ways of getting people to install dodgy software via links in emails and text messages.

Nokia, of course, reckons it has the answer to all this cyber-misery. The latest version of NetGuard Security Management Center is going big on automation and analytics to try to make security a more predictive process for CSPs. We’re told the volume of security incidents is just too great for mere human beings to stay on top of and we need some artificial intelligence to help us out.

“More sophisticated attacks, growing network complexity and the proliferation of IoT and other devices make it nearly impossible for security teams to monitor, react to and resolve today’s threats quickly and effectively,” said Ron Haberman, head of Emerging Products in Nokia’s Applications & Analytics business group.

“Nokia’s extensive heritage and expertise in network communications technologies and network-based security uniquely positions us to address these unprecedented security challenges. Our Security Management Center helps service providers streamline business processes, reduce costs and proactively address security threats before they impact end users or businesses.”

The clear vested interest in combining these two pieces of news doesn’t diminish the underlying point. It’s hard not to get the feeling that we’re losing ground in the battle against cyber-baddies and clearly need to raise our game. Technologies such as Nokia’s may be part of the solution, but companies need to prioritise security more than they currently do.