Anatomy of a Targeted Attack against MDM Solutions (and What Can You Do About It) Michael Shaulov, CEO michael@lacoon.com Twitter: @LacoonSecurity

Collapse The collapse of the corporate perimeter

Targeted devices Why mobile devices are targeted

Demo How mobile malware bypasses current security solutions

Mitigation Detection, remediation & building a secure BYOD/HYOD architecture

Agenda

•  Protecting organizations from mobile threats

•  Industry leading behavioral protection and mitigation solution

•  Protecting tier-1 financial, manufacturing, legal and defense organizations

•  Cutting edge mobile security research team

About Lacoon Mobile Security

The Collapse Of The Corporate Perimeter

> 2011

The Collapse Of The Corporate Perimeter

“More than

60% of organizations enable BYOD” Gartner, Inc. October 2012

TARGETED MOBILE THREATS

Mobile Devices: Attractive Attack Target

Eavesdropping

Extracting contact lists, call &text logs

Tracking location

Infiltrating internal LANs

Snooping on corporate emails and application data

The Mobile Threatscape B

usin

ess

Impa

ct

Complexity

Consumer-oriented. Mass. Financially motivated, e.g.: Premium SMS Fraudulent charges Botnets

Targeted: Personal Organization Cyber espionage

Mobile Malware Apps

mRATs / Spyphones

The Mobile Threatscape

mRATs / Spyphones

High End: Government / Military grade Mid Range: Cybercrime toolkits Low End: Commercial surveillance toolkits

Recent High-Profiled Examples

Commercial mobile surveillance tools

Data sample •  1 GB traffic sample of spyphone targeted traffic,

collected over a 2-day period

•  Collected from a channel serving ~650K subscribers

•  Traffic constrained to communications to selected malicious IP address

Survey: Cellular Network 2M Subscribers Sampling: 650K

Infection rates:

June 2013:

1 / 1000 devices

Survey: Cellular Network 2M Subscribers Sampling: 650K

Survey: Cellular Network 2M Subscribers Sampling: 650K

Mobile Device Management

(MDM) & Secure

Containers

MDMs and Secure Containers

3 features:

l  Encrypt business data l  Encrypt communications to the

business l  Detect Jailbreak/ Rooting of

devices

HOW ATTACKERS BYPASS

MDM SOLUTIONS

DEMO

Let’s Test…

Overview

Infect the Device

Install Backdoor

Bypass Containerization

Exfiltrate Information

Step 1: Infect the device

Step 2: Install a Backdoor / aka Rooting

Administrative Every process can run as an administrative (root) user if it is able to triggr a vulnerability in the OS

Vulnerability Each Android device had/ has a public vulnerability

Exploit Detection mechanisms don’t look at apps that exploit the vulnerability

Step 3: Bypass Containerization

Jo, yjod od sm r,so;

Storage

Jo, yjod od sm r,so;

Storage

Step 3: Bypass Containerization

Jo, yjod od sm r,so;

Hi, This is an email

Storage Memory

Step 3: Bypass Containerization

Jo, yjod od sm r,so;

Hi, This is an email

Storage Memory

Exfiltrate information

Step 3: Bypass Containerization

MITIGATION TECHNIQUES

Current Solutions: FAIL to Protect

Mitigation: Current Controls

Mobile Device Management (MDM)

Multi-Persona

Wrapper

Active Sync

NAC

Mitigation: Current Controls

Mobile Device Management (MDM)

Multi-Persona

Wrapper

Active Sync

NAC

Detection: Adding Behavior-based Risk

Malware Analysis

Threat Intelligence

Vulnerability Research

Detection: Adding Behavior-based Risk

Malware Analysis

Threat Intelligence

Vulnerability Research

Application Behavioral

Analysis

Device Behavioral

Analysis

Vulnerability Assessment

Detection: Adding Behavior-based Risk

Malware Analysis

Threat Intelligence

Vulnerability Research

Application Behavioral

Analysis

Device Behavioral

Analysis

Vulnerability Assessment

Lacoon Mobile Security

Thank You.

Stop by: Booth 940 Email me: michael@lacoon.com Twitter: @LacoonSecurity