At a glance.
- Malware uses packet headers to communicate through firewalls.
- LTE networks and users subject to impersonation attacks.
- Transparent Tribe is active.
- Mobile security is commonly sacrificed for expediency.
- VPN apps vulnerable to man-in-the-middle attacks.
Cloud Snooper attacks bypass firewalls.
Sophos describes malware infections that are using a novel technique for bypassing firewalls to communicate with their command-and-control servers. The researchers identified backdoors and kernel-level rootkits on several AWS servers that were successfully receiving and executing commands, even though the AWS Security Groups (firewall rules) were properly configured to only allow inbound web traffic through ports 80 and 443.
The rootkit installs a Netfilter hook that inspects every inbound IPv4 packet and reads the source port from its transport header. Inbound firewall rules are written in terms of the destination port, the service being reached, and generally ignore the source port, which is normally an arbitrary ephemeral value chosen by the client. Here the source port carries the command. For example, if a packet arriving on an allowed port has source port 6060, the malware decrypts a file, executes it as an application in memory, and then deletes the file from disk; the process left running in memory is a Trojan Sophos calls "snoopy." Packets with source ports 1010, 2020, 7070, 8080, or 9999 trigger other actions.
For exfiltration, the malware sends its data from local port 2080, and the same Netfilter hook rewrites the source port of those outbound packets to either 80 or 443 so that they pass through the firewall looking like ordinary web traffic.
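To make the point concrete, here is an added example (not code from Sophos or from the malware) that models a destination-port-only security group, the rootkit's two hooks, and two flow-level checks a defender can run over the traffic as it appears on the wire. The packets, the rule set, the labels for the command ports other than 6060, and the choice of 443 for the rewritten exfiltration are all constructed assumptions.

```python
"""Cloud Snooper-style source-port channel: a destination-port firewall rule
admits it, and two flow-level checks catch it.  Constructed packets, not
capture data from the Sophos report."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (toward the server) or "out" (from the server)
    peer_ip: str     # remote host
    peer_port: int   # remote host's port (the source port when inbound)
    local_port: int  # the server's port (the destination port when inbound)


# Hypothetical security group: inbound tcp/80 and tcp/443 from anywhere, nothing else.
ALLOWED_INBOUND = {80, 443}


def security_group_allows(pkt: Packet) -> bool:
    """Inbound rules match protocol, destination port and source address.
    The client's source port is not part of the decision, so any value passes."""
    return pkt.direction == "out" or pkt.local_port in ALLOWED_INBOUND


# Source-port command values named by Sophos.  Only 6060's effect is described
# on the page; the other labels are placeholders (assumption).
COMMAND_PORTS = {
    1010: "command 1010", 2020: "command 2020",
    6060: "decrypt file, run it in memory, delete it (the 'snoopy' Trojan)",
    7070: "command 7070", 8080: "command 8080", 9999: "command 9999",
}
EXFIL_LOCAL_PORT = 2080   # outbound exfiltration leaves from this local port


def rootkit_inbound_hook(pkt: Packet) -> Optional[str]:
    """What the Netfilter hook does with a packet the firewall already admitted:
    read the source port and dispatch on it."""
    if pkt.direction == "in":
        return COMMAND_PORTS.get(pkt.peer_port)
    return None


def rootkit_outbound_hook(pkt: Packet) -> Packet:
    """Rewrite exfiltration from port 2080 so it leaves looking like web traffic.
    The page says 80 or 443; using 443 here is an assumption."""
    if pkt.direction == "out" and pkt.local_port == EXFIL_LOCAL_PORT:
        return Packet("out", pkt.peer_ip, pkt.peer_port, 443)
    return pkt


EPHEMERAL = range(32768, 65536)   # Linux default 32768-60999, Windows 49152-65535


def flag_suspicious(packets: List[Packet]) -> List[Tuple[str, Packet]]:
    """Defender's view of the traffic as it appears on the wire.
    1. Inbound to 80/443 with a non-ephemeral source port: real clients use an
       OS-assigned ephemeral port, so a fixed value like 6060 stands out even
       before anyone knows the command list.
    2. Outbound from 80/443 toward a peer/port pair that never sent anything in:
       a web server only answers connections a client opened, and rewritten
       exfiltration has no such antecedent."""
    seen_inbound = set()
    findings = []
    for p in packets:
        key = (p.peer_ip, p.peer_port, p.local_port)
        if p.direction == "in":
            seen_inbound.add(key)
            if p.local_port in ALLOWED_INBOUND and p.peer_port not in EPHEMERAL:
                findings.append(("non-ephemeral source port", p))
        elif p.local_port in ALLOWED_INBOUND and key not in seen_inbound:
            findings.append(("reply without request", p))
    return findings


# Constructed traffic: one legitimate client, one command packet, one exfil packet.
SAMPLE = [
    Packet("in",  "198.51.100.7", 51234, 443),
    Packet("out", "198.51.100.7", 51234, 443),
    Packet("in",  "203.0.113.9",  6060,  443),
    Packet("out", "203.0.113.9",  4444,  EXFIL_LOCAL_PORT),
]


def demo(packets: List[Packet] = SAMPLE):
    """Run the constructed traffic through the rule, the hooks, and the checks."""
    admitted = [p for p in packets if security_group_allows(p)]
    commands = [c for c in map(rootkit_inbound_hook, admitted) if c]
    on_wire = [rootkit_outbound_hook(p) for p in admitted]
    return commands, [kind for kind, _ in flag_suspicious(on_wire)]


if __name__ == "__main__":
    print(demo())
```

Both checks need flow data (VPC flow logs or a host-side capture), not the security group itself, and the second one produces false positives on captures that begin mid-connection, so it is best run over a window that includes connection setup.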
These attacks were observed on both Linux and Windows systems and involved several different malware samples, but the researchers concluded the attacks were related because they all used the same technique. The researchers aren't sure how the attackers initially placed the malware on the servers. They emphasize that while this instance involved AWS, the same technique "could also be used to communicate with, and remotely control, malware on any server behind any boundary firewall – even an on-premises server." Based on the sophistication of these attacks, Sophos suspects "the malware and its operators were an advanced threat actor, possibly nation-state sponsored."
LTE networks vulnerable to impersonation attacks.
Researchers at Ruhr-Universität Bochum's Horst Görtz Institute for IT Security identified vulnerabilities in LTE (4G) and early 5G networks that could allow an attacker to modify or redirect encrypted IP packets. The researchers call the attack "IMP4GT" (pronounced "impact"), an acronym that was wrought out of "IMPersonation in 4G neTworks." The attack can be used to either impersonate a user towards the network or to impersonate a network towards a user.
The attack chains two flaws, one in the data link layer and one in the network layer. The data link layer flaw, which the same researchers disclosed last year, is the lack of integrity protection for LTE user data: encrypted packets can be altered in transit without the receiver noticing. The network layer flaw involves "a reflection mechanism of the IP stack mobile operating system." Together these let an attacker "create an encryption and decryption oracle that enables an adversary to perform a full impersonation of the phone or network on the user plane."
All devices that use LTE are affected by IMP4GT, but the researchers stress that the attack is difficult to carry out and requires the attacker to be in relatively close proximity to the victim, so it poses little practical risk to most users. An attacker would also need a fake base station such as an IMSI-catcher along with additional equipment in order to launch the attack. The researchers note, however, that well-resourced attackers could feasibly use this technique against high-value targets.
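The following is an added toy model (not the researchers' code) of why those two ingredients combine into an oracle. LTE user-plane ciphering is a stream cipher, so with no integrity check a flipped ciphertext bit flips the same plaintext bit; if the receiving phone then echoes what it decrypted, the attacker can make it reflect a plaintext of their choosing and read the uplink keystream out of the reply. Random bytes stand in for the per-direction keystreams, the phone is modelled as an endpoint that reflects every payload, and the keystream is fixed rather than derived per packet counter; these are simplifications for illustration, not the published attack.

```python
"""Toy model of the IMP4GT ingredients: a stream cipher with no integrity
protection plus an endpoint that reflects what it decrypts.  Random bytes stand
in for the per-direction keystreams; a real IP stack reflects only specific
packets and real LTE derives keystream per packet counter."""
import os


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Phone:
    """Decrypts downlink with one keystream and ciphers its uplink reply with
    another.  No MAC is checked, so any ciphertext of the right length is accepted."""

    def __init__(self, down_ks: bytes, up_ks: bytes):
        self._down, self._up = down_ks, up_ks

    def reflect(self, downlink_ct: bytes) -> bytes:
        plaintext = xor(downlink_ct, self._down)   # what the phone believes it received
        return xor(plaintext, self._up)            # echoed back, ciphered for uplink


def forge_downlink(captured_ct: bytes, known_pt: bytes, chosen_pt: bytes) -> bytes:
    """Malleability: C xor (P xor P') decrypts to P' under the same keystream."""
    return xor(captured_ct, xor(known_pt, chosen_pt))


def recover_uplink_keystream(phone: Phone, captured_ct: bytes, known_pt: bytes) -> bytes:
    """Encryption oracle: make the phone reflect a plaintext the attacker chose,
    then strip that plaintext from the reply to obtain the uplink keystream."""
    chosen = bytes(len(known_pt))                  # all zeros; any chosen value works
    reply = phone.reflect(forge_downlink(captured_ct, known_pt, chosen))
    return xor(reply, chosen)


def decrypt_unknown_downlink(phone: Phone, unknown_ct: bytes, up_ks: bytes) -> bytes:
    """Decryption oracle: reflect a downlink ciphertext the attacker cannot read and
    remove the (now known) uplink keystream from the echo."""
    return xor(phone.reflect(unknown_ct), up_ks)


def impersonate_phone(up_ks: bytes, message: bytes) -> bytes:
    """With the uplink keystream the attacker ciphers arbitrary uplink data that
    the network will decrypt as if the phone had sent it."""
    return xor(message.ljust(len(up_ks), b"\0"), up_ks)


def demo() -> bool:
    """End to end: predictable downlink plaintext -> uplink keystream -> forged uplink."""
    n = 16
    down_ks, up_ks = os.urandom(n), os.urandom(n)
    phone = Phone(down_ks, up_ks)
    # The network sends a packet whose plaintext the attacker can predict (e.g. a
    # header with known fields); the attacker observes only its ciphertext.
    known_pt = b"predictable-hdr."
    captured_ct = xor(known_pt, down_ks)
    recovered = recover_uplink_keystream(phone, captured_ct, known_pt)
    forged = impersonate_phone(recovered, b"from attacker")
    # The network decrypts the forged uplink with the phone's real keystream.
    return xor(forged, up_ks).rstrip(b"\0") == b"from attacker"


if __name__ == "__main__":
    print("impersonation succeeded:", demo())
```

The defence the model points at is the obvious one: authenticate user-plane data, so that a modified ciphertext is rejected before anything is decrypted or reflected.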
The vulnerability potentially poses more pressing problems for law enforcement and mobile operators. Since an attacker can impersonate someone else's IP address, investigators may find it more difficult to use Internet activity as reliable evidence. Additionally, mobile operators need to ensure that attackers can't use someone else's mobile identity to access service sites and buy data passes under the victim's name.
Transparent Tribe resurfaces.
Italian security firm Yoroi says the Pakistan-aligned threat group Transparent Tribe appears to be active against targets in India. On January 29th, the threat actor began sending malicious documents posing as pension fund bills for Indian defense personnel, which gives some indication of their intended targets. Transparent Tribe has kept a low profile over the past four years, but Yoroi notes that it may still have been active during that time. TechNadu explains that tensions between India and Pakistan have risen since August 2019.
Meanwhile, Cisco Talos is tracking an ongoing malware campaign involving a new remote access Trojan the researchers have named "ObliqueRAT." Talos believes the malware may have been developed by the same actor who authored CrimsonRAT, although the researchers don't attribute the new malware to any specific group. CrimsonRAT is generally believed by Amnesty International and others to be custom-built and exclusively used by Transparent Tribe, but it's not clear if this campaign is related to the one tracked by Yoroi. This operation also began in January and is targeting organizations in Southeast Asia.
A look at the mobile security landscape.
Verizon released its annual Mobile Security Index for 2020, which found that 83% of organizations say mobile devices are crucial to their business operations, while the number of companies that experienced compromises involving mobile devices is increasing each year. 39% of respondents said they had suffered a mobile-related breach in the past year, and two-thirds of these said the impacts of the breach were major. 29% of the organizations said they had "suffered a regulatory penalty as a result of a mobile-related security compromise." As for why security took a back seat, 62% of respondents said they sacrificed mobile security for expediency, 52% cited convenience, and 46% cited profitability targets. Verizon also determined that organizations that admitted to sacrificing security were twice as likely to be compromised.
Popular VPN apps contain serious vulnerabilities.
VPNpro reports that ten popular free VPN apps in the Google Play Store are vulnerable to man-in-the-middle attacks. Two of the apps use hardcoded encryption keys, while all ten of them failed to encrypt certain sensitive data. Nine of the ten apps failed to respond to VPNpro's disclosure and remain vulnerable. One of the apps, SuperVPN, has been downloaded more than one hundred million times. SuperVPN exchanges some of its VPN data with its servers over unencrypted HTTP; the data itself is encrypted, but the key needed to decrypt it travels in the same plaintext HTTP traffic, so anyone on the network path can recover it. This data contained "sensitive information about SuperVPN's server, its certificates, and the credentials that the VPN server needs for authentication," which allowed the researchers to impersonate SuperVPN's server.