Mobile App Wall Of Shame: Quikr

Quikr Local Classifieds
Price : Free
Category : Lifestyle/Shopping
Platform : iOS and Android
Updated : February 12, 2015 (Android), January 22, 2015 (iOS)
Version : 7.42 (Android), 2.8.2 (iOS)
Size : 3.89 MB (Android), 10 MB (iOS)
Language : English
Vendor : Quikr India
 
Background:
 
Quikr is India’s largest online and mobile classifieds portal. Like Craigslist, Quikr provides users with a platform to buy, sell, rent and advertise across multiple categories such as real estate, jobs, entertainment, education, matrimonial, etc. Quikr also has a mobile app on both the Android and iOS platforms.
Application Chart (information retrieved from Appannie & xyo.net)

                            Android          iOS
Overall Ranking (India)     20               90
Category Ranking (India)    5 (Shopping)     8 (Lifestyle)
Total number of Downloads   12 Million       108 Thousand
Rating                      4/5              3.5/5
 
A user is required to provide an email address and password when creating an account. After creating an account, the user can post advertisements on Quikr. The application also provides functionality wherein different users can chat with each other.
 
Vulnerability – Clear text username/password
The current version of the Quikr mobile application has a serious data leakage vulnerability. It has been verified that both the current Android and iOS versions of the application send username and password information over HTTP in cleartext. This vulnerability allows an attacker on the same network to capture the credentials sent by a Quikr user to the application server and thus compromise the user’s account, which may lead to posting fake ads on the account owner’s behalf, selling and buying products and sending spam messages via chat to other users.
 
The flaw has been confirmed on version 7.42 (latest version available on Feb 12, 2015) on the Android platform and version 2.8 (latest version available on Jan 22, 2015) on the iOS platform.
 
Vulnerability in iOS version
When a user tries to register for an account in the Quikr application, an HTTP request is generated as shown below. In this request, the userid, password and mobile number of the user are sent in cleartext. 
 
Account Registration:
 
Method: POST
Url: http://services.quikr.com/api?method=registerUser&secCode=fd1f2276c71627c35e2a9c5f8838c09c&version=1.5
Host: services.quikr.com
User-Agent: Quikr/2.8.2 CFNetwork/711.1.16 Darwin/14.0.0
Request Body: cityId=23&userId=zscalerappscan%40zscaler.com&password=password123&mobile=9876543210&demail=969eac57dbfc4079a935fadf7ab261d6%40quikr.com
Server Response: AJBiY , N , .E]n3 , i^0%] , 1}qa , K;\OU4
 
 
Similarly, below is the traffic capture when an already existing user tries to log in to their account. The userid and password are passed in cleartext.
 
Login:
Method: POST
Url: http://services.quikr.com/api?method=login&secCode=fd1f2276c71627c35e2a9c5f8838c09c&version=1.5
Host: services.quikr.com
User-Agent: Quikr/2.8.2 CFNetwork/711.1.16 Darwin/14.0.0
Request Body: [email protected]&[email protected]&password=password123
Server Response: 1`QaL , B*RD , , ,

Vulnerability in Android version
 
We will first test the Quikr application installed on a Google Nexus tablet. The Quikr application version available in the Google Play store for the tablet was v6.9. Below is the sample traffic capture when a user tries to register a new Quikr account or log in to their existing Quikr account.
 
Account Registration:
 
Method: POST
Url: http://services.quikr.com/api?method=registerUser&version=1.5&secCode=zXcv80386Mdp1hs0q7o0p9uiLZV37TdF&consumerVersion=7.42&density=2.0&[email protected]
Host: services.quikr.com
User-Agent: QuikrConsumer
Request Body:
--s2retfgsGSRFsERFGHfgdfgw734yhFHW567TYHSrf4yarg
Content-Disposition: form-data; name="cityId"

23
--s2retfgsGSRFsERFGHfgdfgw734yhFHW567TYHSrf4yarg
Content-Disposition: form-data; name="demail"

[email protected]
--s2retfgsGSRFsERFGHfgdfgw734yhFHW567TYHSrf4yarg
Content-Disposition: form-data; name="mobile"

8234567890
--s2retfgsGSRFsERFGHfgdfgw734yhFHW567TYHSrf4yarg
Content-Disposition: form-data; name="userId"

[email protected]
--s2retfgsGSRFsERFGHfgdfgw734yhFHW567TYHSrf4yarg
Content-Disposition: form-data; name="opf"

json
--s2retfgsGSRFsERFGHfgdfgw734yhFHW567TYHSrf4yarg
Content-Disposition: form-data; name="password"

[email protected]
Server Response: {"login":{"auth":1,"code":"usercreated","message":[{"direct":"New user created"}],"email":"[email protected]","mobile":"8234567890","city":"23","name":"","UserSession":"PGR8fU59OHVzOWMhfFI+fll0Qj5mdnIjRXd0Rm57T0dZPXw\/Q0RDYCE4amJ5L3R5PHVdTGpORSY6KDhjbl40LlliaztN","emailCRC":null,"cityName":"Bangalore","cityId":"23","app_notif_status":1,"sound_preference":1,"notif_alarmtime":"08:00 PM","userClassification":null,"isSharedPB":0,"isSharedFB":0,"userType":1,"numAlerts":0,"numAds":"0"}}
 
Login:
Method: POST
Url: http://services.quikr.com/api?method=login&version=1.5&secCode=zXcv80386Mdp1hs0q7o0p9uiLZV37TdF&consumerVersion=7.42&density=2.0&[email protected]
Host: services.quikr.com
User-Agent: QuikrConsumer
Request Body:
--s2retfgsGSRFsERFGHfgdfgw734yhFHW567TYHSrf4yarg
Content-Disposition: form-data; name="demail"

[email protected]
--s2retfgsGSRFsERFGHfgdfgw734yhFHW567TYHSrf4yarg
Content-Disposition: form-data; name="userId"

[email protected]
--s2retfgsGSRFsERFGHfgdfgw734yhFHW567TYHSrf4yarg
Content-Disposition: form-data; name="opf"

json
--s2retfgsGSRFsERFGHfgdfgw734yhFHW567TYHSrf4yarg
Content-Disposition: form-data; name="password"

password123
Server Response: {"login":{"auth":1,"code":"success","message":[{"direct":"You are successfully logged in"}],"email":"[email protected]","mobile":"8234567890","city":"23","name":"","UserSession":"PGR8fU59OHVzOWMhfFI+fll0Qj5mdnIjRXd0Rm57T0dZPXw\/Q0RDYCE4amJ5L3R5PHVdTGpORSY6KDhjbl40LlliaztN","emailCRC":null,"cityName":"Bangalore","cityId":"23","app_notif_status":1,"sound_preference":1,"notif_alarmtime":"08:00 PM","userClassification":"0","isSharedPB":0,"isSharedFB":0,"userType":1,"numAlerts":0,"numAds":"0"}}
 
As you can see in the above requests, all communication between the mobile app and the server is sent in cleartext, including sensitive user information.
 
ZAP Analysis:
ZAP in action – Android
ZAP in action – iOS
This flaw was identified using the Zscaler Application Profiler (ZAP). ZAP is a free online tool that can be used to analyze mobile applications for vulnerabilities and privacy issues as seen in the above screenshots.
Conclusion:
We continue to find new popular applications in the Apple and Google app stores that are leaking device data and sending out sensitive user information in cleartext. This is a good argument for the use of one time passwords when establishing accounts on mobile apps. As a user, you can never know with certainly if your credentials are being transmitted/stored securely. By leveraging a password manager and ensuring that passwords are unique for all apps, at least you can be assured that if your credentials are compromised due to poor app security, only that specific account will be impacted.
Credit: Lakshmi Devi.

Link: https://www.zscaler.com/blogs/research/mobile-app-wall-shame-quikr

Mobile App Wall Of Shame: Shaadi.com

Shaadi.com
Price : Free
Category : Social
Platform : iOS and Android
Updated : Mar. 9, 2015 (Android), Mar. 10, 2015 (iOS)
Version : 4.2.2 (Android), 4.2.1 (iOS)
Size : 8.28 MB (Android), 17.7 MB (iOS)
Language : English
Vendor : People Interactive (I) Pvt. Ltd.
Background:
 
Shaadi.com is the world’s largest matrimonial website, active since 1995. This matrimonial site permits individuals to post their profiles and responses including horoscope, caste, language and religion. Shaadi.com provides applications designed for the two main mobile platforms – iOS and Android.
Application Chart (information retrieved from Appannie & xyo.net):

                            Android          iOS
Global Ranking              15               92
Category Ranking            12 (Social)      24 (Social networking)
Total number of Downloads   ~1 million       ~0.3 million
Rating                      3.9/5            2.7/5
A new user is required to register by providing an email address and a password, along with basic personal details. After registering the account, the user can surf profiles created by others. The application also provides a chat facility.
Vulnerability – Cleartext username/password
 
Login screen
The current version of the Shaadi.com application has a serious security flaw. It has been verified that both the iOS and Android versions of the application transmit the username and password via HTTP in cleartext. This flaw allows an attacker to capture the credentials sent by a user to the application server and thus compromise the user’s account, which may lead to compromise of the user’s personal data. The service also provides premium accounts to paid customers.
The application was tested on both the Android and iOS platforms. The vulnerability has been confirmed on Android (v4.2.2 – latest version, updated on Mar. 9, 2015) and iOS (v4.2.1 – latest version, updated on Mar. 10, 2015).  
Vulnerability in iOS version
When a user tries to register for an account on the Shaadi.com application, an HTTP request is generated. In the request, the userid, password and mobile number of the user are sent in cleartext as seen below:
Account Registration
 
Url: http://www.shaadi.com/registration/user/?regmode=app&OS=native-iphone
Method: POST
Host: www.shaadi.com 
User-Agent: native-iphone|4.1.0 
Request Body: form_referral_url=&form_url=http%3A%2F%2Fwww.shaadi.com%2Fregistration%2Fuser%3Fregmode%3Dapp%26appver%3D4.1.0%26os%3Dnative-iphone%26deviceid%3D—%257C—&form_name=MOB_DR_SEO_REG1&frompage=From+Reg+Page&go=&olmt_home_regpage=&hid_year=&oscode=2&email=fnzscalerlnzscaler%40gmail.com&password1=p%40ssword123&postedby=Self&first_name=fnzscaler&last_name=lnzscaler&gender=Male&day=01&month=01&year=1994&community=No+Religion&mother_tongue=Konkani&countryofresidence=USA&contact_tel_number=Landline+No.
 
Similarly, when an already existing user tries to log in to his account by providing his username and password, these credentials are also sent in cleartext. Below is the traffic capture when a user tries to log in to an existing account:
 
Login
 
Url: http://www.shaadi.com/native-apps2/user/[email protected]&[email protected]&appver=4.1.0&os=native-iphone&deviceid=—%7C—
Method: GET
Host: www.shaadi.com
User-Agent: Shaadi/462 CFNetwork/711.1.16 Darwin/14.0.0
Server Response: {"status":"200","data":{"sid":"7B16D793AFF0443EE1320F85EFD1B4C51425446439","abc":"0CE03847FB4B0C981EB552E34E1C96B61425446522|ZSH82845405|","premium":false,"gender":"Male","age":"21","memberstatus":"ToBeScreened","memberlogin":"ZSH82845405","photograph_status":"photo_request","update_available":false,"has_notification":"N","has_chat_notification":"N","content_settings":{"eoi":"Y","acc":"Y","msg":"Y","nf1":"N","dr":"Y"},"display_name":"SH82845405","username":"SH82845405","email":"[email protected]","use_connect":1,"upgrade_message":"UPGRADE TO PREMIUM","support_telephone":"1860-200-3456","payment_telephone":"1860-200-3456"},"expdt":"20150403002202","banner_images":{"banner_search_results":{"title":"Become a Premium Member & connect directly via","subtitle":"EMAIL, CHAT & PHONE","details":"","version":"","img":"http:\/\/img.shaadi.com\/community\/images\/app\/banner_search_results_male_free_high.png"},"banner_accepted":{"title":"Upgrade to Premium & start chatting with your Accepted Members!","subtitle":"","details":"","version":"","img":"http:\/\/img.shaadi.com\/community\/images\/app\/banner_accepted_free.png"},"banner_inbox_single":{"title":"1 Member like your profile!","subtitle":"Become a Premium member & write back to them today","details":"","version":"","img":"http:\/\/img.shaadi.com\/community\/images\/app\/banner_inbox_single_male_free_high.png"},"banner_inbox_multiple":{"title":"#count# Members like your profile!","subtitle":"Become a Premium member & write back to them today","details":"","version":"","img":"http:\/\/img.shaadi.com\/community\/images\/app\/banner_inbox_multiple_male_free_high.png"}}}
 
Vulnerability in Android version
 
Account Registration

Url: http://www.shaadi.com/registration/user/?regmode=app&OS=native-android
Method: POST
Host: www.shaadi.com
User-Agent: Mozilla/5.0 (Linux; Android 5.0.2; Nexus 7 Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Safari/537.36
Request Body: form_referral_url=&form_url=http%3A%2F%2Fwww.shaadi.com%2Fregistration%2Fuser%3Fregmode%3Dapp%26os%3Dnative-android%26deviceid%3D–%7C–%26appver%3D4.1.3&form_name=MOB_DR_SEO_REG1&frompage=From+Reg+Page&go=&olmt_home_regpage=&hid_year=&oscode=1&email=vulapps%40zscaler.com&password1=p%40ssword1234&postedby=Self&first_name=fnzscaler&last_name=lnzscaler&gender=Male&day=10&month=10&year=1985&community=Spiritual+-+not+religious&mother_tongue=Marathi&countryofresidence=USA&contact_tel_number=Landline+No.

Login

Url: http://www.shaadi.com/registration/user/login-submit
Method: POST
Host: www.shaadi.com
User-Agent: Mozilla/5.0 (Linux; Android 5.0.2; Nexus 7 Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Safari/537.36
Request Body: go=&email=vulapps%40zscaler.com&password=p%40ssword123&autologin=0&autologin=Y
 
ZAP analysis:
 
ZAP in action – Android
ZAP in action – iOS
Conclusion
The list of mobile applications in Google Play and the iTunes App Store that send out sensitive information in cleartext continues to grow. Therefore, it is extremely important to keep separate passwords for different applications and never use the password of your financial applications anywhere else.
Credit: Lakshmi Devi.
 

Link: https://www.zscaler.com/blogs/research/mobile-app-wall-shame-shaadicom

Mobile App Wall Of Shame: Wattpad

Wattpad
Price : Free
Category : Books & Reference
Platform : Android
Updated : Mar. 23, 2015
Version : 4.21
Size : 11.18 MB
Language : English
Vendor : Wattpad.com
Background:
Wattpad is the world’s largest community for readers and writers and was established in 2006. Users are able to post articles, stories, fan fiction and poems about anything they like. The content includes work by undiscovered writers, published writers, new writers, or people just looking for somewhere to write all their ideas down. Users are able to comment on and like stories or join different groups. Wattpad has released dedicated applications for Android, iPhone, Blackberry and iPad.
 
Application chart (Courtesy: Appannie, xyo.net)

                            Android
Global Ranking              170
Category Ranking            5 (Books & Reference)
Total number of Downloads   ~42 million
Rating                      4.5/5
Before using the app, a user is required to create an account in Wattpad by providing an email address and password. After creating an account they can post stories, read other users’ posts, follow users and like or comment on existing content. The application also provides a feature to sync Gmail, Facebook and Twitter accounts with a Wattpad account. There is also a provision to send private messages to other users from within Wattpad.
 
Vulnerability: cleartext username/password
 
Wattpad app
The current version of Wattpad for Android application has a major security issue. By analyzing the traffic during the user registration as well as the account login process, it has been observed that user credentials are being sent to the server via HTTP. Anyone who monitors the network traffic can easily get a hold of the username/password being sent to the application server and compromise the user’s account. As the application permits users to buy books, an attack could also result in financial loss.
When a user tries to register for an account using the Wattpad Android application, or subsequently logs in, the cleartext user credentials are sent via an HTTP request as shown below.
 
Account registration:
 
Url: http://www.wattpad.com/v4/users
Method: POST
Host: www.wattpad.com
User-Agent: Android App v4.19.17; Model: Nexus 7; Android SDK: 21; Connection: WiFi; Locale: en_US;
Request Body: type=wattpad&username=fnzscaler&password=p%40ssword123&email=vulapps%40zscaler.com&language=1&fields=token%2Cga%2Cuser%28username%2Cdescription%2Cavatar%2Cname%2Cemail%2Cverified%2Cfollower%2Cfollowing%2CbackgroundUrl%2CvotesReceived%2CnumFollowing%2CnumFollowers%2Clanguage%2Cinbox%28unread%29%2Chas_password%29
Server Response: {"token":"52708887:2129beadf9030d8725750694ec5ee4a1928dbed9891db7bfa0bc432713037a7b","user":{"username":"fnzscaler","name":"","description":"","avatar":"http:\/\/a.wattpad.com\/useravatar\/b.128.jpg","language":1,"verified":false,"votesReceived":0,"numFollowing":0,"numFollowers":0,"backgroundUrl":"","inbox":{"unread":0},"email":"[email protected]","has_password":true,"follower":false,"following":false},"ga":{"logged":"1","created":"20150316","group":0}}
 
Likewise, when an existing user tries to log in, the username/password will be sent in cleartext.
Below is the traffic capture for a login session.
 
Login:
 
Url: http://www.wattpad.com/v4/sessions
Method: POST
Host: www.wattpad.com
User-Agent: Android App v4.19.17; Model: Nexus 7; Android SDK: 21; Connection: WiFi; Locale: en_US;
Request Body: type=wattpad&username=fnzscaler&password=p%40ssword123&fields=token%2Cga%2Cuser%28username%2Cdescription%2Cavatar%2Cname%2Cemail%2Cverified%2Cfollower%2Cfollowing%2CbackgroundUrl%2CvotesReceived%2CnumFollowing%2CnumFollowers%2Clanguage%2Cinbox%28unread%29%2Chas_password%29
Server Response: {"token":"52708887:2129beadf9030d8725750694ec5ee4a1928dbed9891db7bfa0bc432713037a7b","user":{"username":"fnzscaler","name":"","description":"","avatar":"http:\/\/a.wattpad.com\/useravatar\/b.128.jpg","language":1,"verified":false,"votesReceived":0,"numFollowing":0,"numFollowers":0,"backgroundUrl":"","inbox":{"unread":0},"email":"[email protected]","has_password":true,"follower":false,"following":false},"ga":{"logged":"1","created":"20150316","group":0}}
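The same cleartext-credential pattern appears in all three app write-ups above: URL-encoded POST bodies (Wattpad, Quikr iOS), multipart bodies (Quikr Android) and the Shaadi.com iOS login that carries the password in a GET query string. The checker below is an added example written for this page, not the Zscaler Application Profiler the authors used; its sample requests are constructed with example.com hosts, and the list of secret-looking field names is an assumption to extend per app.

```python
"""Flag credentials that a captured HTTP request sends without TLS."""
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter names that normally carry a secret (assumption: extend per app).
SECRET_FIELD = re.compile(r"^(pass(word|wd)?\d*|pwd|pin|secret|token)$", re.I)


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def multipart_fields(body: str):
    """name/value pairs of a multipart/form-data body. The delimiter is read
    from the body's first line because the captures above show no
    Content-Type header to take the boundary from."""
    delimiter = body.split("\r\n", 1)[0]
    fields = []
    for part in body.split(delimiter)[1:]:
        part = part.strip("\r\n")
        if part in ("", "--"):          # closing "--delimiter--" marker
            continue
        part_head, _, value = part.partition("\r\n\r\n")
        name = re.search(r'name="([^"]*)"', part_head)
        if name:
            fields.append((name.group(1), value))
    return fields


def body_fields(headers, body: str):
    """Dispatch on multipart vs. application/x-www-form-urlencoded."""
    if "multipart/form-data" in headers.get("content-type", "") or body.startswith("--"):
        return multipart_fields(body)
    return parse_qsl(body, keep_blank_values=True)


def find_cleartext_credentials(raw: str):
    """Return [(where, field, value)] for secret-looking parameters sent over
    plain http. An origin-form target ("/path") is assumed to be http, since
    the Host header carries no scheme."""
    method, target, headers, body = parse_request(raw)
    if not target.startswith(("http://", "https://")):
        target = "http://" + headers.get("host", "") + target
    url = urlsplit(target)
    if url.scheme == "https":
        return []                       # TLS: nothing readable on the wire
    findings = []
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if SECRET_FIELD.match(name):
            findings.append(("query", name, value))
    if method in ("POST", "PUT", "PATCH"):
        for name, value in body_fields(headers, body):
            if SECRET_FIELD.match(name):
                findings.append(("body", name, value))
    return findings


# ---- constructed samples mirroring the captures on this page --------------
SAMPLE_URLENCODED = (
    "POST http://www.example.com/v4/sessions HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "type=app&username=fnuser&password=p%40ssword123&fields=token"
)
SAMPLE_GET = (
    "GET http://www.example.com/native-apps2/user/login"
    "?email=user%40example.com&password=p%40ssword123&appver=4.1.0 HTTP/1.1\r\n"
    "Host: www.example.com\r\n\r\n"
)
SAMPLE_MULTIPART = (
    "POST http://services.example.com/api?method=login&version=1.5 HTTP/1.1\r\n"
    "Host: services.example.com\r\n\r\n"
    "--XconstructedX\r\nContent-Disposition: form-data; name=\"userId\"\r\n\r\n"
    "user@example.com\r\n"
    "--XconstructedX\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\n"
    "password123\r\n"
    "--XconstructedX--\r\n"
)
SAMPLE_TLS = SAMPLE_URLENCODED.replace("http://", "https://", 1)

if __name__ == "__main__":
    for label, sample in [("urlencoded", SAMPLE_URLENCODED), ("get", SAMPLE_GET),
                          ("multipart", SAMPLE_MULTIPART), ("tls", SAMPLE_TLS)]:
        print(label, find_cleartext_credentials(sample))
```

Run against a proxy or packet-capture export of an app's traffic, a non-empty result for any request is the finding the three posts above describe.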
 
ZAP Analysis:
Zap in action.
Conclusion:
 
The rapidly growing list of applications that do not implement even the most basic security checks makes it necessary for users to take care when accessing their accounts on public networks. It is also important to avoid password reuse across multiple applications.
Credit – Lakshmi Devi.
 

Link: https://www.zscaler.com/blogs/research/mobile-app-wall-shame-wattpad

Signed CryptoWall 3.0 Variant Delivered Via MediaFire

Introduction

Ransomware has evolved immensely over the past few years, with CryptoLocker being the ground-breaking strain reaping huge profits for cybercriminals. According to a report in December 2013, the CryptoLocker malware authors collected 27 million USD worth of bitcoins from their victims over a period of 3 months. Looking at the success enjoyed by the CryptoLocker strain, it’s not surprising that many new copycat variants, including CryptoWall, emerged in the wild starting in late 2013.

CryptoLocker suffered a major setback and the number of infections was reduced to nearly zero post Operation Tovar. This gave way to a worthy successor in CryptoWall, which has since evolved into one of the nastiest and most successful strains of ransomware in the wild today.

The following are some of the notable features responsible for the success enjoyed by CryptoLocker and CryptoWall variants:
- Asymmetric (public-key) encryption to encrypt user documents, making recovery infeasible
- Holding user files hostage with a timer that increases the ransom amount over time
- Ransom collected in bitcoins or as pre-paid cash vouchers
- Usage of anonymizing networks like Tor & i2p

Recent ‘crypt4’ campaign – CryptoWall 3.0

CryptoWall has been known to arrive via spammed e-mail attachments, exploit kits and drive-by downloads. Recently, we started seeing a new campaign involving multiple signed CryptoWall 3.0 samples in our Cloud Sandboxes being downloaded from a popular file hosting service, MediaFire. A quick Open Source Intelligence (OSINT) search led us to this e-mail campaign, where the attachment contains a Microsoft Compiled HTML Help (CHM) file that leads to the download and execution of the latest CryptoWall 3.0 variant hosted on MediaFire.

The CHM file downloads and executes the CryptoWall executable from a hardcoded MediaFire location as seen in the screenshot below:
Malicious CHM file – Extracted HTML code

Some of the file names we have seen in this campaign:
IPv6_updater.exe
IPv4_updater.exe
flashplayer17_ga_install.exe

Analysis of the new variant

The CryptoWall 3.0 payloads that we saw getting downloaded as part of this campaign were all signed by a valid certificate belonging to MDG Advertising as seen in the screenshot below:
Valid MDG Advertising certificate used to sign CryptoWall 3.0

The malware performs the following file system changes to ensure persistence:

Dropped files
%USER%\APPDATA\7cc6cc79.exe [random alphanumeric name]
%USER%\Start Menu\Programs\Startup\7ddfa86e.exe [random alphanumeric name]

Registry entry
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run dd574bd = "%USER%\APPDATA\7cc6cc79.exe"

It also deletes the original copy of itself.

The malware then attempts to connect to the Command & Control (C&C) server to report the infection via a POST request as seen below:
C&C communication – Register infection

It uses RC4 encryption for the data being sent in the POST request. The original data is of the format
{1|crypt4|UniqueMD5Hash|2|1|2|PublicIP}
- "crypt4" string represents the Campaign ID
- "UniqueMD5Hash" is calculated from Computer Name, Volume Serial Number, Processor & OS information

The RC4 key is generated by doing a simple alphanumeric sort on a string stored inside the binary as seen in the screenshot below. The unsorted RC4 key is also sent as part of the POST request.
RC4 Key encrypted POST request to C&C server

The malware then performs another POST request and in response it gets the RC4-encrypted Tor domain & public key to use for encrypting the victim files. The Tor domain is leveraged for the decryption instructions. The screenshots below show the original communication & decrypted response:
C&C communication – Requesting Public Key
C&C communication – Decrypted response with public key

Upon successful encryption of the files on the victim machine using the public key, it reports back the number of files that were encrypted to the C&C server. The information collected by the C&C server is leveraged to present a more personalized decryption instruction page that includes the user’s operating system, public IP address, and the number of files encrypted as seen below.
Personalized ransom payment page

The ransom amount requested in our case was $500 USD and, to prove authenticity, the malware authors also offer the victim a "Decrypt 1 file for FREE" option, which is limited to a 512 kilobyte file.

Below is the geo distribution of the CryptoWall C&C servers we observed in the past week:
CryptoWall C&C servers
CryptoWall C&C country distribution

Compromised WordPress sites used for C&C communication

We are also seeing an increase in the number of compromised WordPress sites being used for CryptoWall C&C communication. Below are some of the locations where the malicious scripts are being hosted on these servers:
/wp-content/plugins/revslider/temp/update_extract/
/wp-content/uploads/wpallimport/uploads/
/wp-content/themes/pptitan/

You can get the full list of the compromised WordPress sites that we have observed in the past one week here.

Conclusion

CryptoWall remains a potent threat to enterprises and individual users alike. Traditional AntiVirus applications continue to struggle against this nasty strain of ransomware, as once the infection is successful, there is very little AV vendors can do, even by adding signatures reactively. A hybrid and multi-layered security approach is required to counter this threat. Taking regular backups remains the most effective countermeasure against ransomware.

Deepen Desai & Avinash Kumar
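The beacon format and key-sorting step described above, as an added example that is not part of the original post: it derives the RC4 key from the unsorted string carried in the request, decrypts a captured POST body and parses the {1|crypt4|UniqueMD5Hash|2|1|2|PublicIP} record, so an analyst can pull the campaign ID and victim fingerprint out of a proxy log. It assumes the body is hex-encoded and that "alphanumeric sort" means plain code-point order; the sample capture is constructed, not real C&C traffic.

```python
"""Decode a CryptoWall 3.0 style C&C registration beacon from a capture."""
import hashlib
import re

# Plaintext layout described in the post: {1|campaign|md5|2|1|2|public-ip}
BEACON_RE = re.compile(
    r"^\{1\|([A-Za-z0-9]+)\|([0-9a-f]{32})\|2\|1\|2\|(\d{1,3}(?:\.\d{1,3}){3})\}$"
)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same op."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def derive_key(unsorted_key: str) -> bytes:
    """The working RC4 key is the sorted form of the string sent unsorted in
    the POST (assumption: code-point order, digits < uppercase < lowercase)."""
    return "".join(sorted(unsorted_key)).encode("ascii")


def decode_beacon(unsorted_key: str, payload_hex: str):
    """Return the beacon fields, or None when the key does not yield the
    expected {1|campaign|md5|2|1|2|ip} layout (wrong key or other message)."""
    plaintext = rc4(derive_key(unsorted_key), bytes.fromhex(payload_hex))
    match = BEACON_RE.match(plaintext.decode("ascii", errors="replace"))
    if not match:
        return None
    return {
        "campaign_id": match.group(1),   # "crypt4" for this campaign
        "victim_id": match.group(2),     # MD5 of host/volume/CPU/OS data
        "public_ip": match.group(3),
    }


# ---- constructed sample capture (not real C&C data) ----------------------
SAMPLE_UNSORTED_KEY = "q7Wz3aKm1Xp"
SAMPLE_VICTIM_ID = hashlib.md5(b"CONSTRUCTED-HOST|1234ABCD|CPU|OS").hexdigest()
SAMPLE_PLAINTEXT = "{1|crypt4|%s|2|1|2|203.0.113.7}" % SAMPLE_VICTIM_ID
# What the wire would carry: hex of RC4(sorted key, plaintext).
SAMPLE_PAYLOAD_HEX = rc4(derive_key(SAMPLE_UNSORTED_KEY),
                         SAMPLE_PLAINTEXT.encode("ascii")).hex()

if __name__ == "__main__":
    print("sorted key :", derive_key(SAMPLE_UNSORTED_KEY).decode())
    print("decoded    :", decode_beacon(SAMPLE_UNSORTED_KEY, SAMPLE_PAYLOAD_HEX))
```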

Link: https://www.zscaler.com/blogs/research/signed-cryptowall-30-variant-delivered-mediafire

2016 Security Predictions

 
As the year comes to a close and winter sets in, we like to look back at the year that was and do our best to prepare for the year ahead. What would the holiday season be without yuletide cheer, excessive commercialization and of course…security predictions? Yes, it’s time to join my colleagues in the security industry, peer into my magical crystal ball and provide a glimpse of what is to come. Grab a nice hot beverage, curl up next to the fire and enjoy!
PII is the new hotness
2015 continued the trend of major retail data breaches resulting in bulk debit and credit card theft, but it also marked a shift that will accelerate in 2016. In the coming year, expect attackers to move away from targeting financial information and instead target personally identifiable information (PII). In 2015, we continued to see credit/debit card theft at the likes of America’s Thrift Stores, The Trump Hotel Collection, Hilton Hotel properties, Service Systems Associates, Hershey Park, Harbortouch and White Lodging, but in 2015 we also learned of major breaches in the healthcare (Anthem and CareFirst BlueCross BlueShield) and government (Office of Personnel Management) sectors that targeted PII. The quest for PII is being driven by two separate groups of attackers. While nation states desire PII for espionage, criminals are also shifting to PII as it is generally more valuable than credit and debit cards, which are getting more challenging to harvest in bulk due to greater awareness of the problem and new technology. Why would a social security number be of greater value than a credit card number, which can be used directly to procure goods and services? PII is highly sought after in the underground as it can be leveraged to commit financial fraud such as applying for credit, submitting false medical/insurance claims or filing fraudulent tax refunds. Whereas credit cards can be easily cancelled, changing one’s name, address and social security number generally isn’t an option, so the stolen data remains valuable for a longer period of time. The shift will be motivated in part by the push to move to Chip and PIN (aka EMV) debit and credit cards, which combat RAM scraping malware with tokenization. Don’t however expect credit and debit card fraud to disappear entirely as EMV technology has seen slow adoption in the US, despite an October 2015 deadline and the technology does nothing to combat card not present (online) theft. 
In 2016, attackers will increasingly target sectors known to store bulk PII including finance, healthcare and government entities to harvest valuable PII.
Trusted Partner Attacks 
Breaking in through the front door isn’t always the best option as it tends to be well defended. The same is true in cyber attacks. A head-on assault is expected, but companies rely on a plethora of technology partners and often communicate with them through trusted digital channels. History suggests that enterprises aren’t doing enough to ensure that trusted partners maintain their security to the same standards that would be demanded if those services were delivered internally. In the past we have seen this with the Target breach, which occurred when Fazio Mechanical, an HVAC vendor, was compromised. Likewise, the OPM breach began with a compromise at KeyPoint Government Solutions. Compromised partner networks aren’t always used to directly access another network but can also play an indirect role in a broader attack. For example, attackers that ultimately targeted JPMorgan Chase, Scottrade and E-Trade for money laundering also compromised G2 Web Services LLC, which specialized in monitoring and blocking fraudulent banking transactions. Once inside the G2 network, they could ensure that their money laundering schemes went undetected. Enterprises are increasingly outsourcing technology to streamline costs in areas that are not a core focus. For attackers targeting a supplier that often has lesser security controls than the larger entity that it serves, a successful compromise can be a gold mine. Not only does the breach provide a backdoor into the original target, but it also opens doors to other enterprises being serviced by the same vendor. Hackers have learned from successful attacks exploiting such relationships and will accelerate their focus in this area in 2016. Enterprises need to extend security policies and procedures beyond their own systems and personnel. Trusted partners should be expected to adhere to the same security controls and be subjected to audits and penetration tests to ensure that they are adhering to agreed-upon standards.
Ransomware 2.0 goes corporate
Ransomware has managed to hit a sweet spot. Users are all too willing to begrudgingly pay an expensive but not excessive ransom in exchange for the return of their precious data. Even the FBI are recommending that it’s easier to pay than fight. The wildly profitable CryptoLocker has attracted many clones since it was largely knocked offline following Operation Tovar. Many of these clones, including more popular variants such as CryptoWall and TorrentLocker largely followed the proven formula but we’re starting to see variations such as ransomware focused on Linux and mobile platforms. The former is especially important as it’s more likely to impact the websites and code repositories of enterprises, who in our experience are also very willing to pay up rather than risk losing critical intellectual property. Expect ransomware to become increasingly corporate focused in 2016 and as it does, enterprises won’t get away with paying consumer rates. The criminals behind the ransomware campaigns are savvy and once they realize that they’ve locked up source code and financial documents that haven’t been properly backed up, you can expect prices to skyrocket…and be paid.
The extortion data breach
The Sony Pictures, Ashley Madison and Hacking Team breaches all share a common theme – the goal of the attacks was to humiliate the respective companies and perhaps inflict financial damage. There did not however appear to be a profit motive in any of the attacks. Sony Pictures, after already having proven to be a vulnerable target after two successful attacks against the PlayStation Network, had its dirty laundry aired by hackers allegedly backed by the North Korean government as retaliation for producing a satirical movie about their leader. Ashley Madison and Hacking Team are believed to be the victims of hacktivists that disagreed with their corporate philosophies. Despite what has been stated by the media, there is little to suggest that these were sophisticated attacks. Rather, once the attackers were able to gain access to the internal network, they were able to roam freely and collect troves of sensitive data from email and file servers, which was then dumped online. Criminals have no doubt taken notice of the extreme damage that small teams have been able to achieve and know all too well that some would be willing to pay millions to stay out of the headlines. This is one prediction that is likely already taking place, but we’ve yet to hear about it as the attackers have held up their part of the bargain to remain quiet in exchange for the hush money.
No AV? No problem.
Foreshadowing the death of antivirus (AV) is hardly a bold prediction. Even AV executives are calling for it. While you won’t see a sudden wholesale move away from AV, as it remains the first line of defense for corporate PCs, we’re now hearing with some regularity of CTOs shifting away from paid AV solutions to ‘good enough’ free AV or solutions baked in at the O/S level, such as Microsoft’s Windows Defender or Apple’s File Quarantine (aka XProtect). As enterprises adapt to the Post-PC era, running an end user device without AV is no longer seen as a risky bet. OS X machines rarely run AV in a corporate environment and on iOS devices it’s not even an option. Enterprises realize that AV is focused on known vulnerabilities and they must free budget dollars to shift to more dynamic security controls capable of identifying and protecting against 0day and targeted attacks. With limited budgets, expect fewer enterprises to open the checkbook for host-based AV, instead reallocating the funds to solutions such as network/cloud-based sandboxing.
Android finally cleans up its act
Android is well on its way to becoming the Windows of the mobile malware world. With 99% of mobile infections, Android is the only game in town when it comes to infected tablets and smartphones. Love it or hate it, Apple’s walled garden and refusal to allow downloads from third-party app stores has paid security dividends. Sure, Google Play has Bouncer and he’s done a fine job of keeping the miscreants out, but that’s of limited value when users are willing to go to shady Chinese app stores to save a buck on Candy Crush. Google clearly knows that this will hurt them in the long run, especially in the enterprise space, and began making changes with Marshmallow, the latest Android flavor, when they switched to granular app permissions to make it clearer what control an app ultimately gains when installed. This however was a small step and Google will need to get much more aggressive going forward. Not wanting to lose ground in the enterprise, where Apple has now pivoted, they have little choice. While cutting off third-party app store access altogether would alienate too much of the user base, expect the next iteration of Android to start cracking down on third-party app stores. Since Jelly Bean 4.2, embedded cloud-based anti-virus scanning has been available through the Verify Apps feature. While yet another improvement, this is clearly not enough, as we regularly identify and blog about apps from alternate Android app stores that are malicious in nature. Google will need to take more drastic steps, and a likely change is restricting the permissions available to apps not vetted through the Google Play submission process. Expect side-loaded apps requesting Administrator permissions to become a thing of the past. Some developers will push back, but Google will have little choice if they want to get malware under control. Google will also begin to mandate acceptable timeframes for patches and firmware upgrades, which are now largely under the control of the OEM partners. It does little good when new security features are added but they’re unavailable to users with non-Nexus devices. These steps won’t eliminate Android malware, especially with Android’s slow O/S upgrade cycle, but they will raise the bar for third-party app stores, just as Bouncer did for Google Play.
Terrorists catch the hacking bug
This last prediction is one that saddens me to write, but I feel it is inevitable and one that can’t be ignored. Terror organizations are continually searching for new avenues to instill fear and they require significant funding to further their hateful agendas. Skilled hackers can aid on both fronts. Cyber attacks can clearly be used by terrorists to obtain intelligence for future attacks, and we’re already seeing early signs of cyber attacks being used to cause physical damage. Last year, hackers caused significant damage to a German steel mill when they disabled systems responsible for controlling a blast furnace. This wasn’t just kids playing around either, as the attacks reportedly required substantial knowledge of industrial control systems in order to succeed. With almost all industries reliant on computerized systems, the potential attack surface is enormous. Hacking is also extremely lucrative. The CryptoLocker ransomware authors, for example, were able to make millions in just a few short months. Such potential is surely in the sights of terror organizations, especially those such as ISIS, which have shown a new affinity for being tech savvy when it comes to recruiting and propaganda. Sadly, terrorists won’t necessarily need to acquire the necessary skills themselves, as there is no shortage of cyber criminals all too willing to rent their skills out to the highest bidder and look the other way.
Password reuse attacks decline
And now for some good news. Password reuse attacks will begin to decline. Attackers are quite happy to compromise virtually any site even if it’s not the endgame, as they can generally recover information and resources that will aid in other attacks. It’s always of great benefit for an attacker when they’re able to uncover a database of unencrypted usernames and passwords, because human nature suggests that those same credentials are used at many, many other sites. Most people use a handful of passwords at best, therefore attackers will write scripts to attempt automated logins at popular social networking, banking and other sites to see if the credentials can be reused. This presents a real challenge for end users, as they have no control over how their credentials are stored or secured once they’re turned over, and in the event of a compromise, changing passwords at every site where those same credentials were used is generally an impossibility. Think of your favorite password that you’ve used over the years. How many sites have you used it on? You lost count, didn’t you? Fortunately, this is starting to change thanks in large part to the smartphone. Smartphones can be many things, but they make for a handy, secure, always-with-you data repository. As such, people are starting to adopt password managers such as 1Password, LastPass, etc., as they have user-friendly smartphone apps that present a convenient option for always having sensitive data such as passwords within easy reach. Advancements in biometrics are also helping the cause, with consumer-grade fingerprint scanners now becoming a standard feature on modern smartphones. This not only makes accessing that password repository quicker and more user friendly, but also finally makes it an option to do away with passwords altogether. While not as user friendly, most major Internet players are also adding two-factor authentication as a standard option. Finally, the average user has realistic authentication options that don’t involve sticky notes.
Say goodbye to browser plugins
The love affair with browser plugins has been on the decline and we’re finally at a point where the average user can do away with them once and for all. Flash had a particularly tough year after Firefox disabled the plugin by default when the Hacking Team breach revealed the existence of new Flash 0days. Facebook’s Security Chief also piled on, asking “Adobe to announce an end-of-life date for Flash”. This after Steve Jobs famously refused to include Flash on iOS, claiming that it had been the “number one reason Macs crash” and had “one of the worst security records”. The bashing certainly isn’t unfounded, with browser plugins remaining the number one way that Exploit Kit authors target PCs, primarily targeting Java, Flash and PDF vulnerabilities. At least for websites, Flash is on life support, Java died a couple of years ago and PDF plugins are no longer required as browser vendors have baked in native support. Competitors like Silverlight never fully caught on, and web apps that would historically have used custom plugins for playing video or screen sharing have now migrated to HTML5. Not supporting plugins was one thing that mobile browsers got right from the get-go. In 2016, expect all major browsers to get serious about finally killing off plugin support by default.
The encryption showdown
Encrypted communications have long been the bane of law enforcement and those in the intelligence communities. As privacy concerns mount, thanks in part to the Snowden revelations, leveraging strong encryption for messaging and data storage is no longer the realm of geek speak. It is an expected feature and is quickly becoming a differentiating feature. iOS now encrypts data by default and Android, while lagging behind, is fighting to get there. Popular chat applications like WhatsApp tout encryption as a key feature, and Apple’s iMessage app, which features end-to-end encryption and no central key store, is often referenced by law enforcement when arguing for a ‘back door’. 2016 will be the year this battle comes to a head. While politicians used to dance gingerly around the topic given the privacy abuses exposed by the Snowden revelations, recent terrorist attacks have brought this issue front and center. Multiple pieces of legislation are sure to be introduced that will propose weakened encryption protocols or procedures to grant law enforcement access to decrypted communications as needed. As we’ve learned, however, you can’t be ‘mostly secure’ any more than you can be ‘kind of pregnant’. Weakening encryption to benefit law enforcement will also reduce security for everyone, and if the US government mandates a ‘backdoor’, you can rest assured that China, Russia, [pick a country] will be demanding the same for their citizens. This is one battle that will have serious repercussions for years to come. Here’s hoping that Apple, Google, Microsoft, Yahoo! and the like manage to prevail.
Should be another action-packed year on the cyber security front. See you next year!
Michael Sutton
CISO
Zscaler
 

Link: https://www.zscaler.com/blogs/research/2016-security-predictions

The Rise in SSL-based Threats

Overview
The majority of Internet traffic is now encrypted. With the advent of free SSL providers like Let’s Encrypt, the move to encryption has become easy and free. On any given day in the Zscaler cloud, more than half of the traffic that is inspected uses SSL. It is no surprise, then, that malicious actors have also been using the SSL protocol in their activities over the last several years. The increasing use of SSL creates problems for organizations that are unable to monitor SSL traffic, as they must rely on less-effective techniques like IP and domain blocking in an attempt to identify and block threats.
In this report, we will outline trends we have seen in the use of SSL in the malware lifecycle and in adware distribution, based on a review of traffic on the Zscaler cloud from August 2016 through January 2017. What follows is a graphic illustrating our findings, and an analysis of recent activities.
 
Malicious SSL Activity
During the six-month period, the ThreatLabZ research team observed that the Zscaler cloud blocked an average of 600,000 malicious activities each day that used SSL, including exploit kit traffic, malware and adware distribution, malware callbacks, and other malicious traffic.
Figure 1. Total SSL blocks, August 2016 – January 2017
In our cloud, we observed an overall increase in malicious SSL traffic in nearly all categories — a trend we expect to continue — with periodic spikes, such as those in early August and late November, when SSL malware blocks reached nearly two million a day.
Browser Exploits and Payload Delivery
Exploit kit (EK) authors are more frequently including SSL in the infection chain at some point. Previous malvertising campaigns have been observed in which EKs took advantage of SSL-enabled advertising networks to inject malicious scripts into legitimate webpages. EK authors may also abuse services that provide free SSL certificates to add HTTPS support to their maliciously controlled domains. This maneuver enables them to bypass the SSL integrity checks built into modern web browsers.
Figure 2. SSL web exploit monthly total hits, August 2016 – January 2017
Figure 3. SSL web exploit blocks, August 2016 – January 2017
During the observation period, we saw an average of 10,000 hits per month for web exploits that included SSL as part of the infection chain.
Phishing
Figure 4. Phishing blocks, August 2016 – January 2017
Phishing campaigns have been increasingly using SSL in their attacks. Many phishing attacks involve hosting the phishing page on a legitimate domain that has been compromised. Since the number of legitimate sites that support SSL is constantly increasing, so is the number of SSL-enabled phishing attacks. This rise presents a significant threat because organizations, in an attempt to thwart ransomware and other phishing schemes, have implemented security hardware solutions to detect and block phishing, but few of them support SSL inspection.
Malware Families That Use SSL
Several years ago, it was rare to see malware using SSL to encrypt command-and-control (C&C) mechanisms. As malware design has become more sophisticated, and with the near ubiquity of SSL on the Internet, it made sense for malware authors to begin using SSL to hide their activities. Some malware families have gone further, using anonymity services such as Tor to hide the location of their C&C servers, connecting to (otherwise legitimate) HTTP Tor gateways via SSL.
Botnets typically use self-signed SSL certificates, frequently using the names and information of real companies to try to appear legitimate. The SSL Blacklist (https://sslbl.abuse.ch/) is a project that tracks the SSL certificates used by malware authors.
Figure 5. Malware callbacks over SSL, September 2016 – January 2017
Corresponding with the increase in malicious payload deliveries in November 2016, we also observed an increase in blocked malicious SSL traffic during that time.
In our analysis, we came across many malware families that were using SSL for malicious purposes. Some of the recent and notorious malware families actively using SSL are:
Dridex/Dyre/TrickLoader
The Dridex, Dyre, and TrickLoader banking Trojans are capable of communicating with their C&C servers via SSL, each using its own SSL certificate. These families previously used the common browser-hooking technique for callbacks, but the latest versions can perform redirects via a local proxy or local DNS poisoning to fake websites controlled by the attacker.
Vawtrak
Vawtrak is a well-crafted piece of malware supporting the VNC and SOCKS proxies, screenshot and video capturing, and extensibility with regular updates from C&C servers. Vawtrak samples contain code for downloading and validating SSL certificates and are capable of initiating an HTTPS connection. The malware contains a list of HTTPS-secured hosts that contain updated lists of live C&C servers.
Gootkit
Gootkit is a stealthy banking Trojan with backdoor and spyware capabilities that uses fileless infection and communications over SSL. Gootkit intercepts user data via web injections into HTTPS traffic.
Adware
A common function of adware is to inject unwanted advertisements into web traffic. These advertisements can also lead to malicious infections, as exploit authors frequently take advantage of less-scrupulous advertising networks to distribute exploit redirect scripts. Securing web traffic with SSL/HTTPS prevents this distribution in most cases. Adware installed on a client machine would not be able to perform a man-in-the-middle attack with a self-signed certificate due to the HTTPS safeguards included in modern browsers.
However, in several notable cases, major adware distributions have circumvented these safeguards to inject advertisements into HTTPS traffic. The two most high-profile examples are the Superfish and PrivDog adware distributions, which were first found abusing SSL in 2015. Both of these adware programs install a self-signed root CA certificate onto the victim’s computer and intercept all web traffic in order to inject advertisements into web pages. PrivDog in particular was a serious concern because it did not validate SSL certificates on its end of the proxy, allowing users to inadvertently navigate to websites with invalid SSL certificates and exposing them to additional threats.
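Two defensive checks follow directly from the material above: matching a server certificate's SHA-1 fingerprint against a feed such as the SSL Blacklist and flagging self-signed certificates that borrow a real company's name (the botnet paragraph under Malware Families That Use SSL), and the upstream certificate validation that an interception proxy must perform and that PrivDog skipped. The Go program below is an added example written for this digest; it is not Zscaler's, abuse.ch's or any vendor's code. It assumes the SSL Blacklist CSV layout of listing date, SHA-1 and reason with '#' comment lines, generates its own constructed self-signed sample certificate in place of a captured one, and uses only the Go standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Finding is what a TLS-inspecting sensor would record for one server certificate.
type Finding struct {
	SHA1        string // lowercase hex SHA-1 of the DER certificate, the key SSL Blacklist lists
	SelfSigned  bool   // signature verifies under the certificate's own public key
	Blocklisted bool   // fingerprint matched a blocklist entry
	Reason      string // listing reason, if blocklisted
}

// Fingerprint returns the lowercase hex SHA-1 of the DER-encoded certificate.
func Fingerprint(cert *x509.Certificate) string {
	sum := sha1.Sum(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// IsSelfSigned checks the signature with the certificate's own public key.
// CheckSignature is used rather than CheckSignatureFrom because the latter
// also enforces CA basic constraints, which a self-signed botnet leaf lacks.
func IsSelfSigned(cert *x509.Certificate) bool {
	return cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
}

// ParseBlocklist reads SSL Blacklist-style CSV text. Assumed layout: one entry
// per line as "listingdate,sha1,reason"; '#' lines are comments. Malformed
// lines are skipped so one bad row does not disable the whole feed.
func ParseBlocklist(csvText string) map[string]string {
	bl := make(map[string]string)
	for _, line := range strings.Split(csvText, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.SplitN(line, ",", 3)
		if len(fields) < 3 {
			continue
		}
		bl[strings.ToLower(strings.TrimSpace(fields[1]))] = strings.TrimSpace(fields[2])
	}
	return bl
}

// Assess combines the fingerprint lookup and the self-signed check.
func Assess(cert *x509.Certificate, bl map[string]string) Finding {
	f := Finding{SHA1: Fingerprint(cert), SelfSigned: IsSelfSigned(cert)}
	if reason, ok := bl[f.SHA1]; ok {
		f.Blocklisted, f.Reason = true, reason
	}
	return f
}

// VerifyUpstream is the check an interception proxy must run on the server
// certificate it receives upstream before re-signing anything for the client:
// chain to a trusted root and match the requested host name. PrivDog skipped it.
func VerifyUpstream(cert *x509.Certificate, serverName string, roots *x509.CertPool) error {
	_, err := cert.Verify(x509.VerifyOptions{DNSName: serverName, Roots: roots})
	return err
}

// NewSelfSignedCert builds a constructed, self-signed certificate that borrows a
// plausible company name, the pattern the text describes for botnet C&C servers.
func NewSelfSignedCert(commonName, org string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: commonName, Organization: []string{org}},
		DNSNames:     []string{commonName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := NewSelfSignedCert("www.example-bank.test", "Example Bank Ltd")
	if err != nil {
		panic(err)
	}
	// Constructed feed whose only entry is this sample certificate's fingerprint.
	feed := "# Listingdate,SHA1,Listingreason\n" +
		"2016-11-01 00:00:00," + Fingerprint(cert) + ",Example C&C (constructed)\n"
	fmt.Printf("%+v\n", Assess(cert, ParseBlocklist(feed)))
	// An empty root pool models a proxy that has no trust anchor for this certificate.
	fmt.Println("upstream verification:", VerifyUpstream(cert, "www.example-bank.test", x509.NewCertPool()))
}
```

Run it with `go run`; the first line reports the certificate as both self-signed and blocklisted, the second prints the x509 "unknown authority" error. A sensor would apply Assess to every server certificate seen in a ClientHello/ServerHello exchange, and a proxy that ignores the error VerifyUpstream returns is handing clients a freshly signed certificate for a server it never authenticated, which is exactly the PrivDog failure.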
Adware variants have also started to host their files on HTTPS sites. We came across a family of adware called InstallCore, which was doing this kind of activity. InstallCore is a Potentially Unwanted Application (PUA) that installs a program to display and/or download unwanted advertisements and toolbars, and tracks a computer’s web usage to feed the victim undesired ad pop-ups; some versions can even hijack a browser’s start or search pages, redirecting the user to a different site or search engine.
InstallCore is often delivered by tricking the user into installing what appears to be the Flash plugin or a Java update. In some cases, InstallCore is delivered by misdirected download buttons. These fake Flash player pop-ups or download buttons appear on content distribution sites, like torrent sites, or free software sites that run over HTTPS.
Figure 6. Fake Flash download pop-up
Conclusion
Due to the rising use of SSL encryption to hide exploit kits, malware, and other threats, it is important to have a security infrastructure that can detect and block these threats. The problem is that SSL inspection is compute-intensive, so even organizations whose security appliances support SSL inspection often disable this feature, as its use would slow traffic throughput to unacceptable levels. Dedicated appliances for SSL inspection are available, but their price puts them out of reach for many organizations. SSL inspection is built into the Zscaler security platform, which, due to its scale, can inspect all SSL traffic without latency.
Research by: Derek Gooley, Jithin Nair, Manohar Ghule

Link: https://www.zscaler.com/blogs/research/rise-ssl-based-threats-1

Threatpost News Wrap, March 27, 2017

The latest Wikileaks dump of Apple hacking tools, the LastPass vulnerabilities, and a new Android security report are discussed.

Link: https://threatpost.com/threatpost-news-wrap-march-27-2017/124555/

US-CERT Warns HTTPS Inspection May Degrade TLS Security

Security tools that proxy and inspect HTTPS traffic create a blind spot for network administrators trying to determine whether communication between clients and servers is secure.

Link: https://threatpost.com/us-cert-warns-https-inspection-may-degrade-tls-security/124375/