Weekly Threat Report 10th October 2016

Created:  10 Oct 2016
Updated:  10 Oct 2016
This report is drawn from open source reporting between the dates of 3rd-6th October.

Threat assessment and trend analysis


Dresscode Masquerading as Legitimate Android App

Risk of Trojanised Android apps

A family of mobile malware known as 'Dresscode' has been masquerading as legitimate Android apps since April, according to cybersecurity researchers. Over 3000 apps with embedded Trojans, including games, skins and phone optimisation tools, have been identified on sale from Android app stores, including 400 in the Google Play store alone.

How Dresscode works

Once installed by an unwitting user, the malware will communicate with a command and control server, enabling attackers to issue commands in order to retrieve sensitive data. A device infected with Dresscode could also be recruited as part of a botnet, to enable subsequent DDoS or spam campaigns.

Compromised devices can also act as proxies, relaying traffic between the attacker and networks the device is connected to. This poses risks to a user's home network and other connected devices, particularly if the home router has an easily crackable password. Researchers point out that the rise in 'Bring Your Own Device' to work policies means that corporate networks could also be at risk from Dresscode.

Reducing risks

Google Play claims to have taken the necessary actions to remove Dresscode-infected apps from its store. However, there are likely to be other outlets from which users may unwittingly download this malware. Nevertheless, there are measures you can take to reduce risks, including performing regular OS updates and only downloading apps from legitimate stores and trusted publishers.



Mirai malware source code published online this week

The publication of this source code means less-technically capable actors are now able to quickly start building their own Internet of Things (IoT) botnets.

The Mirai malware was an integral component in the development of the IoT botnet which played a part in the historically large DDoS attack against Brian Krebs' website KrebsOnSecurity.


Mirai malware is particularly useful for building botnets. It works by continuously scanning the internet for vulnerable IoT devices: in practice, any device still using default or hard-coded usernames and passwords.

The malware seeks to brute force its way onto these devices, establish communication, and turn them into bots. The malware is also self-propagating: once it has compromised one IoT device, it goes on to infect additional vulnerable devices to form a botnet.

Weak passwords exploited

Interestingly, the Mirai source code reveals the username and password combinations used to brute force IoT devices, as well as the manufacturers targeted. In total, there are just 68 username and password combinations written into the code. This is a small figure considering the huge number of IoT devices involved in the botnet which attacked the Krebs site.

Manufacturers have learned one important lesson from the Krebs DDoS incident: the use of factory-set default passwords limits the security of their devices, making them increasingly vulnerable to attack.
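The brute-force behaviour described above (a scanner working through a fixed list of factory-default credentials) leaves a recognisable trace in a device's authentication log: one source address trying several different usernames within seconds, sometimes followed by a successful login. The following is an added detection example, not code from the report or from the Mirai source. The log format, field names, thresholds and sample lines are all assumptions constructed for this illustration; the usernames shown are generic placeholders, not the report's credential list.

```python
"""Flag Mirai-style credential brute-forcing in device authentication logs.

Added example (not from the NCSC report). It parses a constructed set of
syslog-style login records, groups them by source address, and reports any
source that produces a burst of failures across several distinct usernames
inside a short window. A success following such a burst is flagged as a
likely default-credential compromise. Format and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Assumed record format: "<ISO timestamp> <host> login: <FAILED|OK> user=<u> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) login: (?P<status>FAILED|OK) "
    r"user=(?P<user>\S+) src=(?P<src>\d+\.\d+\.\d+\.\d+)$"
)

# Constructed sample log lines (illustrative only; addresses are documentation ranges).
SAMPLE_LOG = """\
2016-10-03T02:14:01 cam01 login: FAILED user=root src=198.51.100.7
2016-10-03T02:14:02 cam01 login: FAILED user=admin src=198.51.100.7
2016-10-03T02:14:02 cam01 login: FAILED user=support src=198.51.100.7
2016-10-03T02:14:03 cam01 login: FAILED user=service src=198.51.100.7
2016-10-03T02:14:03 cam01 login: FAILED user=guest src=198.51.100.7
2016-10-03T02:14:04 cam01 login: OK user=admin src=198.51.100.7
2016-10-03T02:20:10 cam01 login: FAILED user=admin src=192.0.2.20
2016-10-03T03:05:00 cam01 login: OK user=admin src=192.0.2.20
"""


def parse(log_text):
    """Turn raw log text into a list of event dicts; lines not matching the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def find_bruteforce(events, window=timedelta(seconds=60), min_failures=4, min_users=3):
    """Return {src: finding} for sources showing a credential-list spray.

    A finding requires at least `min_failures` failed logins spanning at least
    `min_users` distinct usernames within `window`; these thresholds are
    assumptions chosen to separate a scripted credential list from a user
    mistyping one password a few times.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            burst = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            failures = [e for e in burst if e["status"] == "FAILED"]
            users = {e["user"] for e in failures}
            if len(failures) >= min_failures and len(users) >= min_users:
                # A successful login at or after the last failure means one of the
                # tried credentials worked: treat the device as likely compromised.
                success_after = any(
                    e["status"] == "OK" and e["ts"] >= failures[-1]["ts"] for e in burst
                )
                findings[src] = {
                    "failures": len(failures),
                    "users": sorted(users),
                    "compromised": success_after,
                }
                break  # one finding per source is enough
    return findings


if __name__ == "__main__":
    for src, info in find_bruteforce(parse(SAMPLE_LOG)).items():
        state = "COMPROMISED" if info["compromised"] else "attempted"
        print(f"{src}: {info['failures']} failures over {len(info['users'])} usernames, {state}")
```

On the sample above the script reports 198.51.100.7 (five failures over five usernames followed by a successful `admin` login) and ignores 192.0.2.20, whose single failure and later success look like an ordinary user. The same logic applies unchanged to a real telnet or SSH log once the regular expression is adapted to that device's format.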

The NCSC has published an industry advisory on CiSP. Register now:


ICS Escalation

US cyber emergency team reports ICS vulnerabilities on the rise

According to the US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), the most common vulnerabilities included ineffective management of permissions, privileges and access control, as well as improper input validation.

The majority of reported vulnerabilities for 2015 came from the Energy, Critical Manufacturing, Water and Wastewater sectors.

ICS-CERT published 197 advisories and 16 alerts covering 427 vulnerabilities in the fiscal year 2015. This compares to 160 advisories and 38 alerts covering 245 vulnerabilities in 2014. 

Threat Increase October 2016

UK Picture

Although it’s difficult to compare US and UK trends, the annual CERT-UK report for 2015/2016 claims the number of publicly disclosed vulnerabilities and off-the-shelf exploits targeting ICS has similarly increased. 

We anticipate an escalation in the number of attacks against the UK’s CNI in the future, but also an increase in risk awareness.



A large proportion of platform agnostic/cross platform updates were made last week, with a particular focus on Linux and Unix based systems.

Updates for F5 BIG-IP and further updates for OpenSSH were noteworthy.

Patches from Cisco, HPE, EMC and Xen were released to address known vulnerabilities.
