PayThink 'Self-protection' can shield banks from new Android BankBot card malware

Recently, the Dutch company Securify came across a new sample of the BankBot Android mobile banking malware.

While older samples of BankBot mainly targeted Russian financial institutions, the latest sample shows that BankBot now targets European and American institutions as well. More specifically BankBot now targets over 420 leading institutions in countries such as Germany, France, Austria, the Netherlands, Turkey and the United States.

BankBot is a banking Trojan horse that poses as an apparently benign consumer banking application. When the application is installed and run, it asks for administrative privileges. Once these privileges are granted, the icon disappears from the home screen. From that moment, the device is compromised and BankBot attempts to steal the customer’s credentials (e.g., username and PIN) and debit or credit card information.

Bloomberg News

BankBot tries to steal banking credentials by using a well-known technique called overlay. The malware creates a window that mimics the look and feel of the targeted mobile banking app, and it aims to trick users into entering their credentials. This overlay window is positioned on top of the target app when the user launches it. Because the fraudulent overlay window is created to look exactly like the target app, the user usually believes they are interacting with their institution’s genuine mobile banking app.

The BankBot malware comes with a list of names of mobile banking apps that it targets, and it compares names in this target list against the names of apps running on the Android device of the user. When BankBot detects that a running app is present in its target list, it generates the overlay window and positions it on top of the target app to deceive the device’s owner.

Technologists reviewing the following code snippet of BankBot can see exactly how the malware checks whether any of the processes running on the Android device are present in the target list, and how the malware launches the overlay injection routine. The comments in the code have been added by threat analyst Ernesto Corral to simplify reading.

The overlay itself consists of a customized WebView, which is an Android component that can be used to show a web page within an app. The content of the WebView is downloaded on the fly from the C2 server.

Can runtime application self-protection (RASP) offer protection? An analysis of a test shows RASP successfully defends mobile banking apps targeted by BankBot against overlay attacks. As a result, we can safely say that all of the more than 420 apps targeted by BankBot are protected, if so equipped. This is crucial because virtually all currently known malware families use the same deceptive overlay technique as BankBot. A good example of another malware family using this technique is Marcher, one of the most active banking malware families of 2016 according to Kaspersky’s report Financial Cyberthreats in 2016.

Moreover, RASP’s generic overlay protection mechanism ensures “future-proofing”: Any new mobile banking apps that are targeted by BankBot in the future using the same overlay technique, will also be protected.

Even if a banking Trojan should manage to steal a user’s banking credentials (his or her PIN, for instance), the user’s credentials would be of little value to a fraudster, if the app is protected with two-factor authentication, as were apps and devices in this test.

Apps protected in this way use two authentication elements: something the user knows (for example, the PIN) and something the user has (e.g., a cryptographic key stored on the mobile device), which is used to generate one-time passwords. While overlay attacks can be used to target the knowledge factor, they cannot attack the possession factor to steal the cryptographic key.

Analysts at the threat research labs used in this study analyzed the internals of malware such as Bankbot and Marcher. Findings show that at this point, many or most Android mobile banking malware families use the same approach to create fraudulent overlay windows that deceive users.

Based on lab testing, I and the threat research lab team are confident that RASP technology can, if properly developed and with sufficient security features to detect and prevent application-level intrusions, offer protection against all malware families that use this approach. Furthermore, two-factor authentication functionality can ensure that even successful overlay attacks can be thwarted.

via PaymentSource

Read more »

Update your Android now – many holes fixed including ‘BroadPwn’ Wi-Fi bug

Google’s July 2017 security fixes for Android are out.

As far as we can see, there are 138 bugs listed, each with its own CVE number, of which 18 are listed with the tag “RCE”.

RCE stands for Remote Code Execution, and denotes the sort of vulnerability that could be abused by a crook to run some sort of program sent in from outside – without any user interaction.

Generally speaking, RCE bugs give outsiders a sneaky chance to trigger the sort of insecure behaviour that would usually either pop up an obvious “Are you sure?” warning, or be blocked outright by the operating system.

In other words, RCEs can typically be used for so-called “drive-by” attacks, where just visiting a web page or looking at an email might leave you silently infected with malware.

The majority of the July 2017 RCE bugs in Android appear under the heading “Media framework”, which means they are Android flaws that are exposed when files such as images or videos are processed for display.

Like the infamous Stagefright bug in Android back in 2015, bugs of this sort can potentially be triggered by actions that don’t arouse suspicion, because images and videos can unexceptionably be embedded in innocent-looking content such as MMS messages and web pages.

There’s also an RCE bug in Android’s built-in FTP client – this one affects all Android versions still getting patches, from 4.4.4 all the way to 7.1.2.

We’re not sure how easy it is to trigger this bug, but we’re assuming it’s tricky to exploit because Google gives it only a moderate rating.

(Mild risk ratings are unusual for RCEs – they usually attract a high or critical rating because there’s a lot at stake if an RCE vulnerability does get exploited.)

“Proximate attacker” warning

The most intriguing bug this month, however, is an RCE flaw in the Broadcom Wi-Fi code that’s used by Android devices equipped with certain Broadcom wireless chips.

According to Google, “a proximate attacker [could] execute arbitrary code within the context of the kernel”.

In plain English, that means a crook who’s within Wi-Fi range could fire off booby-trapped network packets at your Wi-Fi hardware, trigger a bug in the wireless device…

…and end up with the same programmatic powers as the Android operating system on your device.

Given that the Android kernel is responsible for keeping your apps apart, for example by preventing the new fitness app you just installed from sneaking a look at your browsing history, a security compromise inside the kernel itself is about as serious as it gets.

Unfortunately, we can’t yet give you any real detail about the Broadcom RCE patch.

The researcher who found the bug will be presenting his findings at the end of July 2017 at the Black Hat 2017 conference in Las Vegas.

Until then, all we really have are teasers for his forthcoming talk, and a the funky-sounding name BroadPwn for the vulnerability.

(Understandably, no one who’s about to unveil a cool exploit at Black Hat wants to risk giving away a TL;DR version before the talk takes place – that would be like leaking the names of the Oscar winners a week before the awards ceremony.)

Interestingly, back in April 2017, a number of security issues in Broadcom wireless firmware were found to affect both iOS and Android devices – so if you’re an iPhone user, don’t be surprised if this month’s Google patches are quickly followed by a security patch from Apple, too.

What to do?

As usual, we’re going to repeat our usual mantra: “Patch early, patch often.”

What we can’t tell you is when the vendors of devices other than Google’s own Nexus and Pixel phones will be ready with their patches – if you’re worried, ask your vendor or the carrier who supplied your device.

Also, we can’t give you a handy list of the thousands of different Android devices out there that not only include Broadcom wireless cards but also have firmware that’s affected by the BroadPwn bug.

Once again, if you are worried, ask your supplier or mobile carrier.

Having said that, we can offer you Sophos Mobile Security for Android, 100% free of charge: although it won’t patch the abovementioned security holes for you, it will stop you from browsing to risky websites and from downloading booby-trapped adware and malware apps.

A good Android anti-virus not only makes it harder for crooks to push risky content onto your device but also stops them pulling you towards phishing pages, survey scams and other criminally oriented websites.

via nakedsecurity

Read more »

Sophos continues to work at protecting customers from the WannaCry ransomware attack – here’s what you need to know.

Sophos continues working to protect customers from the WannaCry ransomware attack. That effort has been successful, but we continue to receive many questions about how this attack happened, what we must do to defend our organizations, and, of course, what’s next?

This article is designed to answer those questions.

What happened?

A fast-spreading piece of ransomware called Wanna (also known as WannaCry, WCry, WanaCrypt, WanaCrypt0r and Wana DeCrypt0r) held computer systems hostage around the globe Friday. National Health Service hospitals (NHS) in the UK was hit hard, with its phone lines and IT systems being held hostage. From there, the attack spilled across the globe.

It encrypted victim’s files and changed the extensions to: .wnry, .wcry, .wncry and .wncrypt. It then presented a window to the user with a ransom demand:

Analysis seems to confirm that the attack was launched using suspected NSA code leaked by a group of hackers known as the Shadow Brokers. It uses a variant of the ShadowBrokers’ APT EternalBlue Exploit (CC-1353). It also uses strong encryption on files such as documents, images, and videos.

This was different from past ransomware attacks. Why?

There were some unique aspects to the WannaCry attack. Typical ransomware infections happen after the victim clicks on a malicious email attachment or link. In this attack the malware was able to exploit a remote code execution (RCE) vulnerability that allowed it to infect unpatched machines without users having to do anything.

Because of that, this was able to spread in the same rapid fashion as the worm outbreaks common a decade ago, such as Slammer and Conficker.

Specifically, WannaCry exploited a Windows vulnerability Microsoft released a patch for in March. That flaw was in the Windows Server Message Block (SMB) service, which Windows computers use to share files and printers across local networks. Microsoft addressed the issue in its MS17-010 bulletin.

Organizations running older, no-longer-supporter versions of Windows were particularly hard hit. In fact, Microsoft took the highly unusual step of making a security update for platforms in custom support (such as Windows XP) available to everyone. The software giant said in a statement:

We know some of our customers are running versions of Windows that no longer receive mainstream support. That means those customers will not have received the Security Update released in March. Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download here.

Is this over?

Unlikely. With the code behind Friday’s attack in the wild, we should expect copycats to cook up their own campaigns in the coming days to capitalize on the money-making opportunity in front of them. We also expect aftershocks Monday as employees at affected company’s who weren’t there Friday return to work and fire up their computers.

What is Sophos doing to protect customers?

Sophos continues to update protections against the threat. Sophos Customers using Intercept X and Sophos EXP products will also see this ransomware blocked by CryptoGuard. Please note that while Intercept X and EXP will block the underlying behavior and restore deleted or encrypted files in all cases we have seen, the offending ransomware splash screen and note may still appear.

Is there anything I need to do?

You’ll want to ensure all of your Windows environments have been updated as described in Microsoft Security Bulletin MS17-010 – Critical. Microsoft is providing Customer Guidance for WannaCrypt attacks. As noted above, Microsoft has made the decision to make the Security Update for platforms in custom support only — Windows XP, Windows 8, and Windows Server 2003 — broadly available for download:

Windows Server 2003 SP2 x64	Windows Server 2003 SP2 x86
Windows 8 x64	Windows 8 x86
Windows XP SP2 x64	Windows XP SP3 x86	Windows XP Embedded SP3 x86

As we always say, patching is critical. For Sophos customers, keep checking the Wana Decrypt0r 2.0 Ransomware Knowledge Base where we’ll be issuing updates.

via sophos

Read more »

Update your iPhone to avoid being hacked over Wi-Fi

It’s only been five days since Apple’s last security update for iOS, when dozens of serious security vulnerabilities were patched.

As we mentioned last week, the recent iOS 10.3 and macOS 10.12.4 updates included numerous fixes dealing with “arbitrary code execution with kernel privileges”.

Any exploit that lets an external attacker tell the operating system kernel itself what to is a serious concern that ought to be patched as soon as possible – hesitation is not an option.

After all, it’s the kernel that’s responsible for managing security in the rest of the system.

Sophos Home

Free home computer security software for all the family

Learn More

Take this analogy with pinch of salt, but an exploit that gives a remote attacker regular user access is like planting a spy in the Naval corps with a Lieutenant’s rank.

If you can grab local administrator access, that’s like boosting yourself straight to Captain or Commodore; but if you can own the kernel (this is not a pun), you’ve landed among the senior Admiral staff, right at the top of the command structure.

So make sure you don’t miss the latest we-didn’t-quite-get-this-one-out-last-time update to iOS 10.3.1:

iOS 10.3.1

Released April 3, 2017

Wi-Fi

Available for: iPhone 5 and later, 
               iPad 4th generation and later, 
               iPod touch 6th generation and later

Impact:        An attacker within range may be able to 
               execute arbitrary code on the Wi-Fi chip

Description:   A stack buffer overflow was addressed 
               through improved input validation.

CVE-2017-6975: Gal Beniamini of Google Project Zero

This is rather different from the usual sort of attack – the main CPU, operating system and installed apps are left well alone.

Most network attacks rely on security holes at a much higher level, in software components such as databases, web servers, email clients, browsers and browser plugins.

So, attacking the Wi-Fi network card itself might seem like small beer.

After all, the attacks that won hundreds of thousands of dollars at the recent Pwn2Own competition went after the heart of the operating system itself, to give the intruders what you might call an “access all areas” pass.

Nevertheless, the CPU of an externally-facing device like a Wi-Fi card is a cunning place to mount an attack.

It’s a bit like being just outside the castle walls, on what most security-minded insiders would consider the wrong side of the moat and drawbridge.

But with a bit of cunning you may be able to position yourself where you can eavesdrop on every message coming in and out of the castle…

…all the while being ignored along with the many unimportant-looking peasants and hangers-on who’ll never have the privilege of entering the castle itself.

Better yet, once you’ve eavesdropped on what you wanted to hear, you’re already on the outside, so you don’t have to run the gauntlet of the guards to get back out to a place where you can pass your message on.

What to do?

As far as we know, this isn’t a zero-day because it was responsibly disclosed and patched before anyone else found out about it.

Cybercrooks have a vague idea of where to start looking now the bug that has been described, but there’s a huge gap between knowing that an exploitable bug exists and rediscovering it independently.

We applied the update as soon as Apple’s notification email arrived (the download was under 30MB), and we’re happy to assume that we’ve therefore beaten even the most enthusiatic crooks to the punch this time.

You can accelerate your own patch by manually visiting Settings | General | Software Update to force an upgrade, rather than waiting for your turn in Apple’s autoupdate queue.

via nakedsecurity

Read more »