Black Hat USA 2014 - A Practical Attack Against Virtual Desktop Infrastructure (VDI)

Uploaded by lacoon-mobile-security, posted on 08-Jun-2015

DESCRIPTION

CEO Michael Shaulov and Sr. Security Researcher Daniel Brodie will be presenting “A Practical Attack Against VDI Solutions” at this year’s conference in Las Vegas.

TRANSCRIPT

Page 1: Black Hat USA 2014 - A Practical Attack Against Virtual Desktop Infrastructure (VDI)

Practical Attacks against Virtual Desktop Infrastructure (VDI) Solutions

Michael Shaulov, CEO
Daniel Brodie, Sr. Security Researcher
Lacoon Mobile Security

Page 2: About Daniel

• 10 years of security research
• From PC to Mobile
• Researcher and developer at Lacoon Mobile Security
• Developing a virtual execution-based app behavioral analysis framework for mRATs and mobile malware
• Analysis of iOS and Android vulnerabilities and exploits
• BH 2013: “A Practical Attack against Mobile Device Management (MDM) Solutions”

Page 3: About Michael

• Decade of experience researching and working in the mobile security space
• From feature-phones to smartphones
• Mobile Security Research Team Leader for Defense Contractors
• CEO and co-founder of Lacoon Mobile Security
• BH EU, BH USA, RSA Conf, GovWare …

Page 4: Quick Disclaimer

This talk is NOT about:
• Dismissing the value of VDI as an enterprise mobile solution
• A specific vendor's implementation

This talk is about:
• Quantifying the risks that can compromise VDI sessions
• Providing a framework to assess and mitigate those risks

Page 5: Agenda

• Mobile VDI 101
• Practical Mobile Threats against VDI
  - Threat 1: In-the-wild mRAT key-loggers / Android
  - Threat 2: Grabbing credentials locally / Android
  - Threat 3: Screen-scraping / Android
  - Threat 4: MitM session hijacking / iOS
• Augmenting VDI with Defense-in-Depth Mobile Security
• Conclusions

Page 6: Mobile VDI 101

Page 7: Mobile VDI Motivation: Key Requirements for BYOD / CYOD

• Enablement
• DLP / Lost Device
• Intrusion

Page 8: Enablement: Simplify IT support of BYO devices

It can meet the increasing demand for BYO initiatives by delivering apps and desktops as an on-demand service.

Page 9: DLP / Lost Device

• No content is saved on the device
• On-demand session

Page 10: Intrusion

“Virtual desktop security to protect sensitive information. Centrally secured virtual desktops and apps in the datacenter reduce the risk of data loss or intrusion when delivered to any device. Corporate access remains secure while intellectual property and sensitive private information stays safe.”

Good Marketing

Page 11: VDI Architecture - Example

(architecture diagram; not captured in the transcript)

Page 12: VDI Players

2 major mobile VDI enterprise players:
• Citrix
• VMware

Page 13: Threats to Mobile VDI Solutions

Page 14: Threat 1: Using an mRAT for its Keylogging Capabilities

Page 15: What is a Mobile Remote Access Trojan (mRAT)?

Capabilities (diagram):
• Emails
• App Data
• Contact Lists, Call & Text Logs
• Key Logger
• Screen Scraper
• Memory Scraping
• Files and Photos
• Microphone and Camera
• Track Location

Page 16: Recent High-Profile Examples

Page 17: mRAT Spectrum

• Gov / Mil mRATs: $300K-$12M; Government -> Terrorists / Activists
• Darknet mRATs: Free - $300; Cybercriminal -> ?
• Surveillance / Monitoring Tools: Free - $100; Everyone -> Everyone

Page 18: mRAT Spectrum

• Gov / Mil mRATs: $300K-$12M; Government -> Terrorists / Activists
• Surveillance / Monitoring Tools: Free - $100; Everyone -> Everyone

“Hacking Team is really a very basic software with a public payload based on CVE bugs PUBLIC. Not different than any commercial spyware on internet. Even with lower features.” -- Mobile Malware Google Group

Page 19: Commercial Surveillance Software

Page 20: Survey: mRATs in the Enterprise (A Lacoon-Checkpoint Research)

Data sample
• Mobile devices communicating through corporate WiFi access points, connected to the Checkpoint firewall
• Traffic from 95 gateways (~90 enterprises)

Page 21: Survey: mRATs in the Enterprise (A Lacoon-Checkpoint Research)

Method (diagram): mRAT network signatures, CP Threat Cloud

Page 22: How common are mobile threats in the Enterprise?

% by country (chart): US 41.8, MX 6.6, NO 5.3, TM 4.9, EC 4.9, FR 3.9, BR 3.3

Key Findings:
• Number of infected devices: 290; median 2 infected devices / enterprise
• mRATs found: 16 used; most common: Spy2Mobile, Mspy, Mobile Spy, Bosspy
• Types of OS: 90% Android, 10% iOS
• Country infection rates: spread across 30 countries

Page 23: Survey: mRATs in the Enterprise (A Lacoon-Checkpoint Research)

The full report coming soon…

Stay tuned @LacoonSecurity.

Page 24: Recap

• Looked at the two solutions
• Test servers (citrixcloud, pivot3’s testdrive)
• VMware is more of a slim VDI while Citrix has additional capabilities
• Very configurable
• Both provide a myriad of clients and logging-in capabilities

Page 25: Threat 1: Using a Widely Popular mRAT on an Android-based Device

• Keylogging for data or authentication info
• mSpy
  - Lacoon-Checkpoint “mRATs in the Enterprise” survey
  - Mostly used in the enterprise
  - Detected in 19 countries, such as USA, Britain, and France
  - Cost: >$50

Page 26: mSpy

Page 27: Different Keylogging Options

• Repackage keyboard – done on SwiftKey in 2013
  - Used by mRATs as a custom keyboard
• MitM on the active input method – grant yourself the BIND_INPUT_METHOD permission
  - Pretty complicated and requires elevated privileges
• Input Manager Service is a native process; hooking it at InputDispatcher->dispatchOnce will give you access to all input events
  - Practically all Android ROMs use default symbol visibility

Page 28: Threat 2: Grabbing Credentials Locally on Android

Page 29: Threat 2: Grabbing Credentials Locally on Android

• Keylogging has its own problems
• Target the client itself to grab whatever credentials you need

Page 30: Threat 2: Grabbing Credentials Locally on Android

1. Run a Privilege Elevation vulnerability
   - TowelRoot (CVE-2014-315), VROOT (CVE-2013-6282), …
   - Exploit does not leave identifiable root marks
2. Enable jdwp debugging on all the apps installed on the device
3. Connect as a debugger to the VDI client
4. Set a breakpoint on a function that handles the credentials

Page 31: Debugging the Session against the VDI Client

Page 32: Enabling jdwp debugging on apps

• By ptrace-ing the init process to dynamically change the ro.debuggable property
  - Similar to what setpropx does
• By starting the jdwp thread yourself in the relevant process
  - Easily done by calling dvmJdwpStartup with ptrace

Page 33: Possibilities to hook apps

• JDWP: an easy way to simply sit on a specific Java function after enabling debugging
• XPosed / Cydia Substrate: also a great way to dynamically hook a function without needing to resort to debugging
  - Uses a small jar injected into every process by zygote to initiate hooking; dalvik changes not necessary
• Native code hooking: through ptrace debugging or so-injection
  - Either by having a relevant native function somewhere in the stack
  - Also very useful for hooking ART
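The Threat 2 steps (Page 30) and the jdwp/hooking slides (Pages 32-33) depend on three conditions on the device: the app or the whole device has been made debuggable, a debugger is attached to the client process, and a privilege-escalation step has run. As an added example, not from the talk and not any VDI vendor's client code, the Java class below shows the kind of pre-login integrity check a VDI client can run to surface exactly those conditions and report them before a credential screen is shown. The package and class names are assumptions.

```java
// Added example (not from the talk or any VDI vendor's client): a pre-login
// integrity check for an Android VDI client. Package/class names are assumed.
package com.example.vdiguard;

import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.os.Build;
import android.os.Debug;

import java.io.File;
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.List;

public final class SessionGuard {

    private SessionGuard() {}

    /** Returns the list of findings; an empty list means nothing was flagged. */
    public static List<String> check(Context ctx) {
        List<String> findings = new ArrayList<>();

        // 1. A JDWP debugger is attached right now, which is what "connect as a
        //    debugger to the VDI client" (Page 30, step 3) produces.
        if (Debug.isDebuggerConnected() || Debug.waitingForDebugger()) {
            findings.add("debugger attached to process");
        }

        // 2. The app itself carries the debuggable flag. A release build never
        //    should, so this also catches a repackaged client.
        ApplicationInfo ai = ctx.getApplicationInfo();
        if ((ai.flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0) {
            findings.add("FLAG_DEBUGGABLE set on this build");
        }

        // 3. The device-wide ro.debuggable property reads "1". On a production
        //    build it is "0"; flipping it inside init (Page 32) makes every app
        //    accept a JDWP connection, and the changed value is visible here.
        if ("1".equals(systemProperty("ro.debuggable"))) {
            findings.add("ro.debuggable=1 on a production device");
        }

        // 4. Coarse "root marks": test-keys build tags and su binaries. The
        //    slides note the exploits used leave none of these, so treat them
        //    as cheap extra signals, not as the primary control.
        if (Build.TAGS != null && Build.TAGS.contains("test-keys")) {
            findings.add("build signed with test-keys");
        }
        for (String p : new String[] {"/system/bin/su", "/system/xbin/su", "/sbin/su"}) {
            if (new File(p).exists()) {
                findings.add("su binary present: " + p);
            }
        }
        return findings;
    }

    /** Reads a system property through the hidden SystemProperties class via reflection. */
    static String systemProperty(String key) {
        try {
            Class<?> sp = Class.forName("android.os.SystemProperties");
            Method get = sp.getMethod("get", String.class, String.class);
            return (String) get.invoke(null, key, "");
        } catch (Exception e) {
            return ""; // treat an unreadable property as "unknown", not as "clean"
        }
    }
}
```

Checks 1 and 3 address the specific path the slides describe; check 4 is the "identifiable root marks" the slides say the exploits avoid leaving, so it is cheap but weak. All four run inside a process the attacker already controls, and the hooking options on Page 33 can make check() return an empty list, so the value is in raising cost and in sending the result to the server, where a policy engine can refuse the session; that is the dynamic access-control layer described on Page 47 rather than a client-only decision.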

Page 34: Threat 3: Screen Scraping against Android

Page 35: Threat 3: Screen Scraping against Android

Two possible methods
• Leverage the clipboard access support
• Record the screen automatically when the mRAT detects that the VDI client is connected

Page 36: Screen Scraping using Clipboard Access Support

1. Run a Privilege Escalation vulnerability
   - TowelRoot (CVE-2014-315), VROOT (CVE-2013-6282), …
   - Exploit does not leave identifiable root marks
2. Monitor the current foreground activity using standard Android APIs (getRunningTasks/getForgroundApp)
3. Inject keyboard events to cause content to be copied from the file to the clipboard
   - Using InputManager’s injectInputEvent (as root/system) we can inject input events
   - Specifically Ctrl+A, Ctrl+C will work for most interesting applications

Page 37: Screen Scraping using Clipboard Access Support

(screenshots: inside the VDI client; data extracted from the VDI client)

Page 38: Screen Scraping using Screen Recording

1. Run a Privilege Escalation vulnerability
   - TowelRoot (CVE-2014-315), VROOT (CVE-2013-6282), …
   - Exploit does not leave identifiable root marks
2. Monitor the current foreground activity using standard Android APIs
   - getRunningTasks/getForgroundApp
3. Start recording the screen using one of the recording APIs (go into depth)
   - 4.4 has a nice new screenrecorder – but possible even earlier by accessing the framebuffer
   - SurfaceView.setSecure would need to be patched on 4.2 and up

Page 39: Threat 4: Man-in-the-middle (MITM)

Page 40: VDI Protocol Flow

(diagram) Mobile Device running the VDI Client <-> VDI Server, over SSL connections:
1. User inserts VDI credentials (VDI Client -> Server)
2. Authorized: list of services & organizational policy (Server -> VDI Client)
3. Request for Service A (VDI Client -> Server)

Page 41: Malicious Configuration Profiles

• Proxy/VPN
• Certificate Authority

Page 42: Threat #4: MitM against iOS

(screenshot: an email with a phishing link to a configuration profile; diagram label: VDI Server)

Page 43: More possibilities with MitM attacks

• Duplicating the actual screen/input stream to a separate machine
  - VMware Horizon View uses either a proprietary protocol or RDP
  - Citrix Receiver uses a proprietary protocol called ICA – not widely analyzed yet
• Simulate commands to the client and/or server
  - Can be used to do implementation-specific actions, including gaining VPN credentials, etc.
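The MitM path on Pages 41-43 works because a malicious configuration profile installs both a proxy/VPN and a Certificate Authority, so the client's SSL connections to the VDI server (Page 40) validate against the attacker's CA. As an added example, not from the talk and not any VDI vendor's client code, the Java trust manager below shows the client-side control that closes this gap: after the normal chain validation it pins the server's public key, so a certificate minted by a profile-installed CA fails even though the system trust store accepts it. The class name, the hex pin format and the assumption that the client talks to its gateway over HTTPS are mine.

```java
// Added example (not from the talk or any VDI vendor's client): public-key
// pinning for the client's TLS connections to the VDI gateway. Assumes the
// gateway is reached over HTTPS; class name and pin format are assumed.
package com.example.vdiguard;

import java.io.IOException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class PinnedTrustManager implements X509TrustManager {

    private final X509TrustManager system; // the platform's default validator
    private final Set<String> pins;        // hex SHA-256 of the leaf's SubjectPublicKeyInfo

    public PinnedTrustManager(Set<String> pins) throws GeneralSecurityException {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = the system (and user-added) trust store
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { found = (X509TrustManager) tm; break; }
        }
        if (found == null) throw new IllegalStateException("no X509TrustManager available");
        this.system = found;
        this.pins = pins;
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        // Step 1: ordinary validation. On a device with a malicious profile this
        // passes, because the attacker's CA is now in the trusted store.
        system.checkServerTrusted(chain, authType);
        // Step 2: the pin. The rogue CA can issue a certificate for our hostname,
        // but not one carrying the real gateway's public key.
        String spki = sha256Hex(chain[0].getPublicKey().getEncoded());
        if (!pins.contains(spki)) {
            throw new CertificateException("gateway key does not match pin: " + spki);
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        system.checkClientTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return system.getAcceptedIssuers();
    }

    static String sha256Hex(byte[] data) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(data);
            StringBuilder sb = new StringBuilder();
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Opens an HTTPS connection to the gateway that enforces the pin set. */
    public static HttpsURLConnection open(URL gateway, Set<String> pins)
            throws GeneralSecurityException, IOException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new PinnedTrustManager(pins) }, null);
        HttpsURLConnection conn = (HttpsURLConnection) gateway.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        return conn;
    }
}
```

The pin belongs to the gateway's key, not to the device, so a profile pushed by phishing changes nothing about whether the connection succeeds; the session-duplication and command-simulation possibilities on Page 43 all need the TLS break first. Two caveats a practitioner would want: the desktop protocol itself (RDP, ICA or the proprietary transport) has to get the same treatment in its own connection code, and later Android releases offer this declaratively through the Network Security Configuration pin-set, with user-added CAs distrusted by default, which is the platform equivalent of the check above.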

Page 44: Building the necessary mobile security strategy

Page 45: Conclusions

VDI depends on the integrity of the host system
• Protects the data as long as the device is uncompromised
• If the underlying device is compromised, so is the VDI solution

Page 46: A Layered Mobile Security Approach

A multi-layer approach to mobile security. Detect. Assess. Respond to Mobile Threats.

Page 47: A Layered Mobile Security Approach

Mobile Vulnerability Assessment
• Assess Device, Configurations, Apps
• Reduce attack surface

Advanced Mobile Threat Detection
• Device, Application, Network anomaly detection
• Mobile AV, advanced app reputation analysis
• Detect and classify advanced threats (Zero-day, APT, malicious applications, etc)

Mobile Risk Mitigation
Accurate mitigation and dynamic access control of compromised devices, using a rich toolbox:
• Integration to MDM, NAC and SIEM
• On-device remediation and on-demand network mitigation

Page 48: Thanks to those that helped on the Lacoon-Checkpoint mRATs in the Enterprise Survey!

Lacoon
• Pavel Berengoltz
• Shai Yanovski
• Shalom Bublil
• Shayna Tichler
• Amir Kessler
• Noam Modai

Checkpoint
• Inna Myslyuk
• Gali Carmel
• Ron Davidson
• Inbar Raz
• Alon Kantor

Page 49: Thank You!

Email: [email protected]
Twitter: @LacoonSecurity