Frost & Sullivan recently named Palo Alto Networks the recipient for Asia Pacific Technology Innovation Leadership Award for Security.
Held annually in Singapore, the Awards program recognizes best-in-class companies in Asia Pacific. This program has identified many outstanding companies from the automotive, energy, building & environment industries to the healthcare, information communication technologies and logistics sectors in the region.
Palo Alto Networks achievement was evaluated based on market performance indicators and research conducted by Frost & Sullivan’s analysts.
KP Unnikrishan, Marketing Director, Asia Pacific & Japan for Palo Alto Networks was present at the Award ceremony. Do check out some of the photos from the event below!
(Left) Vivek Vaidya, Vice President, Frost & Sullivan presenting the award to KP Unnikrishnan, Marketing Director, Asia Pacific & Japan for Palo Alto Networks (right).
Mobile app creators are often looking for ways to monetize their software. One of the most common ways to do this is by displaying advertisements to users or by offering in-app purchases (IAPs). Mobile monetization platforms create software libraries that authors can embed into their apps to start earning money quickly. We previously highlighted the dangers of installing apps that enable IAPs using SMS messages, as these apps typically have access to all SMS messages sent to the phone.
While not all SMS-based IAP applications steal user data, we recently identified that the Chinese Taomike SDK has begun capturing copies of all messages received by the phone and sending them to a Taomike controlled server. Since August 1, Palo Alto Networks WildFire has captured over 18,000 Android apps that contain this library. These apps are not hosted inside the Google Play store, but are distributed via third party distribution mechanisms in China.
Background
WildFire captures many samples of mobile malware that intercept and upload SMS messages. Most of these are created by malware authors who set up command and control (C2) servers with third party hosting providers and frequently update their locations to avoid detection.
Among these malware we have found many that are created by “mobile monetization” companies who distribute apps that provide little value but have a high cost to the user. These apps are often installed by tricking users into clicking a pop-up, only to find later that a charge has appeared on their phone bill. Antivirus programs typically identify these apps as malware, the topic of this blog is something different and harder to detect.
Taomike is a Chinese company that aims to become the biggest mobile advertisement solution platform in China. They provide an SDK and services to help developers display rich advertisements with a high pay rate. Taomike has not previously been associated with malicious activity, but a recent update to their software added SMS theft functionality. The apps this library is embedded in may be legitimate and have significant functionality, but their developer’s choice to use this library has put them at risk.
Technical Details: SMS Theft
Not all apps that use the Taomike library steal SMS messages. Our analysis indicates that only samples that contain the embedded URL, hxxp://112.126.69.51/2c.php have this functionality. This is the URL to which the software uploads SMS messages, and the IP address belongs to the Taomike API server used by other Taomike services. We have captured around 63,000 Android apps in WildFire that include the Taomike library but only around 18,000 include the SMS theft functionality.
We believe there are different versions of the Taomike SDK and only some of them include SMS uploading behavior. Based on our data, the version that contains the SMS stealing functions is newer and was released around August 2015. Apps that use earlier versions of the library appear to be safe.
The Taomike library is called “zdtpay” and is a component of Taomike’s IAP system.
Because Android apps are required to list the permissions they need in their manifest file, we can see that this library requires both SMS and network related permissions. The library also registers a receiver named com.zdtpay.Rf2b for both the SMS_RECEIVED and BOOT_COMPLETED actions with highest priority of 2147483647.
Figure 1. Registered receiver for SMS_RECEIVED
The registered receiver Rf2b reads SMS messages whenever they arrive. The message body and sender phone number are collected as shown in Figure 2.
Figure 2. SMS body and sender number read
If the device has just booted, it will start the service MySd2e, which then registers a receiver for Rf2b as shown in Figure 3.
Figure 3. MySd2e Service registers receiver for Rf2b
SMS information collected by the receiver is saved in a hashmap with “other” as the key and sent to a method that uploads the message to 112.126.69.51 as shown in Figure 4.
Figure 4. Information uploaded to IP Address used by api.taomike.com
All SMS messages sent to the phone are uploaded, not just those that are relevant to Taomike’s platform. Figure 5 shows a packet capture of a test message upload. The message content is “hey test msg” as circled with dashed red box.
Figure 5. SMS uploaded via HTTP in pcap
The Taomike library makes contact with the following URLs, but only the “2c.php” path is used to capture SMS messages. The rest appear to be used for other parts of the IAP functionality in the library.
We have captured over 18,000 samples that contain the SMS stealing library since August 2015, meaning the number of affected users is considerable. We expect the number of affected apps and users to increase as more developers incorporate the newer version of Taomike library.
The infected apps are not limited to a single developer or third party store as many developers appear use the Taomike library. Some of the infected apps purport to contain or display adult content.
We do not know how Taomike is using the stolen SMS messages, but no library should capture all messages and send them to a system outside the phone. In version 4.4 of Android (KitKat) Google began preventing apps from capturing SMS messages unless they were defined as the “default” SMS app.
Users outside of China and those that only download apps from the official Google Play store are not at risk from this threat.
To protect Palo Alto Networks customers from the Taomike SMS stealer, we’ve made the following protections available:
Palo Alto Networks WildFire will automatically identify and block malicious APK samples containing the SMS stealing Library
Threat Prevention signature 14798 will detect and block the malicious C2 communication, including the SMS upload traffic from Taomike library
Palo Alto Networks AutoFocus users can identify and investigate this threat using theTaomike tag
Conclusion
Even popular third party monetization platforms are not always trustworthy. When developers incorporate the libraries into their apps they need to carefully test them and monitor for any abnormal activities. Identifying monetization and advertising platforms that behave poorly and abuse their users is something that our industry must to do ensure the safety of all mobile devices and their users.
Acknowledgement:
We greatly appreciate the help from Rongbo Shao from Palo Alto Networks in working on the Threat Prevention signature. We would also like to thank Ryan Olson, Benjamin Small, Richar Wartell, and Chris Clark from Palo Alto networks in publishing the discovery.
Today is Back to the Future day, and the date above, as all fans of the iconic movie know, is what was programmed into the DeLorean time machine. The concept of time travel has long fascinated me, and thinking about this special day got me also thinking about how we deal with cyber threats.The approach to endpoint security still relied upon by most organizations has been largely unchanged for decades. That’s right, signature based malware detection is very old technology. It relies on prior knowledge of a threat in order to detect and eradicate it. Even newer approaches require prior knowledge in the form of indicators of compromise (IOCs) or behavioral patterns to look for. This approach poses significant challenges when it comes to preventing security breaches. If your approach is based on detecting the fact that something bad has occurred, then how can you prevent that bad thing from happening? Do you need a time machine for that?
It turns out our researchers here at Palo Alto Networks have solved that problem. We launched Traps about 12 months ago with the goal to redefine endpoint security by providing the much-needed ability to prevent advanced threats on the endpoint. Traps has been performing amazingly well when it comes to preventing previously unknown threats, without the need for any product updates. The reason for this is because it focuses on preventing the core techniques that are used by all exploits. And we didn’t need a time machine to get there.
Let’s examine the evidence
Exhibit A:
A Traps customer in the banking industry recently reported to us that Traps successfully prevented an Adobe Flash exploit from April 2015. This, in and of itself, is not unusual because we know that Traps prevents exploitation of unpatched vulnerabilities all the time. The interesting part of this story is the version of Traps the customer was running. An early Traps customer, they still had a system running Traps v2.3.6, which was released about a year before this vulnerability and the associated exploits became known. So a version of Traps from March 2014, never updated, prevented a zero day exploit in April 2015.
Exhibit B:
In July 2015 a series of Adobe Flash zero day vulnerabilities were disclosed as the result of an unfortunate data breach. The public was left waiting for patches while attackers began exploiting those vulnerabilities. Even organizations that deployed every security patch immediately upon release were left vulnerable for weeks. However, those organizations running Traps were never vulnerable, regardless of whether patches were deployed. Traps simply prevented the exploit techniques leveraged by all of these exploits.
Figure 1. Adobe Flash zero day timeline, July 2015
I’ll leave it to you to examine the evidence and make your own conclusions. Is the technology that underlies Traps fundamentally powerful and innovative? Or does someone on our R&D team have a DeLorean in the garage? Either way, Traps is redefining the endpoint protection market by enabling organizations to truly prevent unknown exploits and malware.
Meet Donnie Grimes, (ISC)² Global Academic Program (GAP) instructor and vice president of information systems and creator of the master’s program in cybersecurity for the University of the Cumberlands. Oh, and budding sound man. When he’s not teaching, Donnie works on sound engineering and mixing at live events. He’s also starting to learn about staging and lighting.
As a teacher, his favorite classroom moments are those times when he’s able to witness students’ reactions as they realize they start to grasp a difficult concept. He reflects, “Seeing their faces light up and being a small part of contributing to a student’s development makes teaching the best job in the world.” He especially enjoys teaching information security courses, where the field is constantly evolving as the threat landscape changes.
His university launched its graduate cybersecurity program in 2012, thanks in large part to Grimes, who spearheaded curriculum development. Donnie shares (ISC)2’s belief that aligning curriculum with industry certifications is a key to closing the skills gap and will ultimately result in a stronger, more employable workforce.
Seeing the value in aligning courses with industry certifications, he based the school’s curriculum upon the CISSP, with one course centered upon each of the CISSP CBK domains. He did so because he believes that helping students graduate with certifications will help them get their feet in the door when applying for jobs. When he heard about the (ISC)2 Global Academic Program, Grimes said, “I instantly knew that I wanted to associate my university’s graduate program with the GAP.”
A key philosophy that drives his teaching is that lifelong learning is essential not only to securing a job, but also to being effective once you’ve got one. He believes the education and certification approach provides students with the best chance of both employability and professional success. “Certifications do not replace education,” he asserts, “but they do help to validate a candidate’s knowledge in a given domain and puts him/her on a path for continual learning.”
He advises, “Never forget that you’re in a field that will require you to update your education continually. Graduate programs, like the one we offer, will provide you the skills that you will need throughout your career. Certifications, which GAP schools provide opportunities for, will hold you accountable and force you to keep your skills fresh.”
Read our recent blog about GAP school the University of the Cumberlands here. And if you’re ever in Williamsburg, Kentucky, be sure to attend a show Donnie is working. You just might like what you hear.
Today at the CSX North America conference in Washington DC, ISACA released its annual Advanced Persistent Threat Survey of 660 cybersecurity professionals across the globe. Advanced persistent threats (APTs) continue to capture the spotlight in the wake of their successful use to launch several high-profile data breaches. The third in a series of studies from ISACA’s Cybersecurity Nexus (CSX ) that are designed to uncover information security professionals’ understanding and opinions of APTs, technical controls, internal incidents, policy adherence and management support, this report reveals positive trends since the 2014 survey.
The good news is that improvements can be seen in the level of awareness of the unique aspects of APTs and the benefits of addressing them through a variety of countermeasures. A strong correlation clearly exists between the perceived likelihood of an APT attack on the enterprise and the enterprise’s adoption of improved cybersecurity practices. Yet, not all avenues for APT intrusion are fully locked down. Mobile device security is lagging, despite acknowledgment that the “bring your own device” (BYOD) trend increases APT risk, and a preference is seen for technical controls over education and training, even though many successful APT attacks gain entry by manipulating individuals’ innate trust and/or lack of understanding.
Every year, the damage and costs related to cyberattacks multiply at a shocking rate. Major cyberattacks targeting financial, retail, healthcare, government and the entertainment industries have resulted in tens of millions of exposed records, billions spent on remediation and significant damage to many brands. Cybercriminals continue to exploit individuals and enterprises while increasing profits from more than US $300 billion in 2012 to an estimated US $1 trillion in 2014. Juniper Research has predicted that their profits will top US $2 trillion in 2019.
Social engineering remains at the center of APT activity to gain footholds into information systems. Early efforts began with phishing, then evolved to spear phishing, and proceeded on to whaling, which often included an attachment or a link that contained malware or an exploit. However, over the past three years APTs have moved on to the Internet as the main attack vector (e.g., web sites, social media and mobile applications).
As the threat vector continues to evolve, concern remains due to the fact that many organizations are dependent on interconnected relationships to perform key business functions, yet 75 percent of respondents have not updated agreements with third parties for protection against APTs. Gaps in third-party relationships have resulted in many significant breaches because attack visibility is limited. This may be a contributing factor to survey data indicating that 28 percent of respondents have been subject to an APT attack.
However, overall positive change is occurring as a result of the recent high-profile breaches. There has been a significant increase in leadership involvement. Nearly two-thirds of the survey participants (62 percent) indicate that their organizational leadership is becoming more involved in cybersecurity-related activities, and 80 percent see a visible increase in support by senior management. This is a significant positive first-step in the combating the APT.
One thing is clear: to ensure organization cyber resiliency, action is needed from the boardroom to the break room. Everyone plays an important part.
Montana Williams Senior Manager of Cybersecurity Practices, ISACA