Threat assessment and trend analysis
Dresscode Masquerading as Legitimate Android App
Risk of Trojanised Android apps
A family of mobile malware known as 'Dresscode' has been masquerading as legitimate Android apps since April, according to cybersecurity researchers. Over 3000 apps with embedded Trojans, including games, skins and phone optimisation tools, have been identified for sale on Android app stores, including 400 in the Google Play store alone.
How Dresscode works
Once installed by an unwitting user, the malware will communicate with a command and control server, enabling attackers to issue commands in order to retrieve sensitive data. A device infected with Dresscode could also be recruited as part of a botnet, to enable subsequent DDoS or spam campaigns.
Compromised devices can also act as proxies, relaying traffic between the attacker and networks the device is connected to. This poses risks to a user's home network and other connected devices, particularly if the home router has an easily crackable password. Researchers point out that the rise in 'Bring Your Own Device' to work policies means that corporate networks could also be at risk from Dresscode.
Google Play claims to have taken the necessary actions to remove Dresscode-infected apps from its store. However, there are likely to be other outlets from which users may unwittingly download this malware. Nevertheless, there are measures you can take to reduce risks, including performing regular OS updates and only downloading apps from legitimate stores and trusted publishers.
Mirai malware source code published online this week
The publication of this source code means less-technically capable actors are now able to quickly start building their own Internet of Things (IoT) botnets.
The Mirai malware was an integral component in the development of the IoT botnet, which played a part in the historically large DDoS attack against Brian Krebs's website KrebsOnSecurity.
Mirai malware is particularly useful for building botnets. It works by continuously scanning the internet for vulnerable IoT devices, that is, devices that still use default or hard-coded usernames and passwords.
The malware seeks to brute force its way onto these devices, establish communication, and turn them into bots. The malware is also self-propagating: once it has compromised one IoT device, it goes on to infect additional vulnerable devices to form a botnet.
Weak passwords exploited
Interestingly, the Mirai source code reveals the username and password combinations used to brute force IoT devices, as well as the manufacturers targeted. In total, there are just 68 username and password combinations written into the code. This is a small figure considering the huge number of IoT devices involved in the botnet which attacked the Krebs site.
Manufacturers have learned one important lesson from the Krebs DDoS incident: the use of factory-set default passwords limits the security of their devices, making them increasingly vulnerable to attack.
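The scanning and credential-guessing behaviour described in the two sections above is something a network owner can look for in device logs. The following is an added illustration, not code from the report or from any vendor: it parses a constructed, hypothetical telnet login log (the log format, the process name `telnetd`, the addresses and the usernames are all made up for the example) and flags sources that try several usernames in quick succession, noting whether a successful login followed the burst.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines; the format and values are hypothetical.
SAMPLE_LOG = """\
2016-10-03T10:00:01 telnetd[412]: login failed for user 'admin' from 203.0.113.7
2016-10-03T10:00:02 telnetd[412]: login failed for user 'root' from 203.0.113.7
2016-10-03T10:00:03 telnetd[412]: login failed for user 'support' from 203.0.113.7
2016-10-03T10:00:04 telnetd[412]: login failed for user 'admin' from 203.0.113.7
2016-10-03T10:00:05 telnetd[412]: login succeeded for user 'root' from 203.0.113.7
2016-10-03T10:05:00 telnetd[412]: login failed for user 'alice' from 198.51.100.2
2016-10-03T10:30:00 telnetd[412]: login failed for user 'alice' from 198.51.100.2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnetd\[\d+\]: login (?P<result>failed|succeeded) "
    r"for user '(?P<user>[^']*)' from (?P<src>[\d.]+)$"
)

def parse(log_text):
    """Turn matching log lines into (timestamp, result, user, source) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events

def find_bruteforce_sources(events, window_seconds=60, min_failures=3, min_users=2):
    """Return {source: details} for sources whose failed logins look like credential guessing:
    at least min_failures failures spanning at least min_users usernames within window_seconds."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        evs.sort()
        failures = [e for e in evs if e[1] == "failed"]
        for i in range(len(failures)):  # slide a window over the failures
            window = [f for f in failures[i:] if (f[0] - failures[i][0]).total_seconds() <= window_seconds]
            users = {f[2] for f in window}
            if len(window) >= min_failures and len(users) >= min_users:
                # a success after the burst suggests a default credential was found
                success_after = any(e[1] == "succeeded" and e[0] >= window[-1][0] for e in evs)
                findings[src] = {"failures": len(window), "users": sorted(users), "success_after": success_after}
                break
    return findings
```

A single slow, single-user failure pattern (the second source in the sample) is deliberately not flagged, so a forgotten password does not trigger the same alert as a scanner.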
The NCSC has published an industry advisory on CiSP. Register now: www.ncsc.gov.uk/cisp
US cyber emergency team reports ICS vulnerabilities on the rise
According to US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), the most common vulnerabilities included ineffective management of permissions, privileges and access control, as well as improper input validation.
The majority of reported vulnerabilities for 2015 came from the Energy, Critical Manufacturing, Water and Wastewater sectors.
ICS-CERT published 197 advisories and 16 alerts covering 427 vulnerabilities in the fiscal year 2015. This compares to 160 advisories and 38 alerts covering 245 vulnerabilities in 2014.
Although it’s difficult to compare US and UK trends, the annual CERT-UK report for 2015/2016 claims the number of publicly disclosed vulnerabilities and off-the-shelf exploits targeting ICS has similarly increased.
We anticipate an escalation in the number of attacks against the UK’s CNI in the future, but also an increase in risk awareness.
A large proportion of platform-agnostic/cross-platform updates were made last week, with a particular focus on Linux- and Unix-based systems.
Updates for F5 BIG-IP and further updates for OpenSSH were noteworthy.
Patches from Cisco, HPE, EMC and Xen were released to address known vulnerabilities.