John Pescatore - SANS Director of Emerging Security Trends
This week’s Drilldown focuses on three items (included below) from NewsBites Issue 36 and Issue 37. The first item is another example of attackers compromising security software itself and then using it as a launch point against the enterprise. The other two are examples of vendors adding new capabilities to software products to raise the bar against attacks.
The Cerberus malware was observed spreading across an organization by using the company’s Mobile Device Management (MDM) server to propagate itself. Any security or administration tool that is used to distribute software must be the strongest link in the chain--obviously not the case here. Enterprises should (a) require all security product vendors to show evidence of security testing of their product as part of evaluation criteria; and (b) make sure all security and admin servers that distribute software or updates are configured in high-security configurations and that any change in operational software or configuration of those servers is flagged as a high priority alert.
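The second recommendation above, flagging any change to the operational software or configuration of a software-distribution server as a high-priority alert, is the kind of control that is simple to automate. The script below is an added example written for this page, not code from SANS, Check Point or any MDM vendor. It baselines SHA-256 hashes of everything under a monitored tree, re-snapshots, and classifies each difference: changes under the directories assumed to hold installer packages, configuration and binaries (`bin`, `conf`, `packages`, names chosen for the demo) are rated HIGH, while ordinary log growth is rated INFO. The directory layout and file contents are constructed for the demonstration; a real deployment would point `CRITICAL_DIRS` at the product's own install and configuration paths and forward the HIGH alerts to the SOC.

```python
"""Added example: flag any change to the software or configuration of a
server that distributes software (an MDM server, a patch server, an EDR
console) as a HIGH-priority alert.

Approach: take a SHA-256 baseline of every file under the monitored root,
re-snapshot later, and classify each difference. Paths and file contents
below are constructed for the demo, not taken from any real product.
"""
import hashlib
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List

# Directories that matter on a software-distribution server (assumed names).
# Anything under these is operational software or configuration, so any
# change there is a HIGH-priority event rather than a routine notice.
CRITICAL_DIRS = ("bin", "conf", "packages")


@dataclass(frozen=True)
class Alert:
    severity: str   # "HIGH" or "INFO"
    kind: str       # "added", "removed" or "modified"
    path: str       # path relative to the monitored root


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large packages need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> Dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    result: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            result[p.relative_to(root).as_posix()] = sha256_file(p)
    return result


def severity_for(rel_path: str) -> str:
    """Changes inside CRITICAL_DIRS are HIGH; everything else (logs, cache) is INFO."""
    top = rel_path.split("/", 1)[0]
    return "HIGH" if top in CRITICAL_DIRS else "INFO"


def diff_snapshots(baseline: Dict[str, str], current: Dict[str, str]) -> List[Alert]:
    """Compare two snapshots and return one Alert per added/removed/modified file."""
    alerts: List[Alert] = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            alerts.append(Alert(severity_for(path), "added", path))
        elif path not in current:
            alerts.append(Alert(severity_for(path), "removed", path))
        elif baseline[path] != current[path]:
            alerts.append(Alert(severity_for(path), "modified", path))
    return alerts


def demo() -> List[Alert]:
    """Build a constructed MDM-like tree, baseline it, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {  # constructed sample content
            "bin/mdm-agent-installer.apk": b"original agent package",
            "conf/enrollment.yml": b"allow_unsigned_packages: false\n",
            "packages/manifest.json": b'{"apps": ["mail", "vpn"]}',
            "logs/mdm.log": b"2020-05-01 startup ok\n",
        }
        for rel, data in files.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)

        baseline = snapshot(root)

        # Constructed changes: a swapped agent package, a weakened setting and
        # a new package dropped in (all HIGH). Log growth is normal operation.
        (root / "bin/mdm-agent-installer.apk").write_bytes(b"replaced agent package")
        (root / "conf/enrollment.yml").write_bytes(b"allow_unsigned_packages: true\n")
        (root / "packages/extra.apk").write_bytes(b"unexpected package")
        with (root / "logs/mdm.log").open("ab") as fh:
            fh.write(b"2020-05-02 heartbeat\n")

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for alert in demo():
        print(f"[{alert.severity}] {alert.kind:<8} {alert.path}")
```

Running the demo yields three HIGH alerts (the modified installer, the modified enrollment configuration and the added package) and one INFO alert for the log file. The point of the severity split is operational: the server's own change-control process should be the only source of HIGH events, so any HIGH alert that does not line up with an approved change ticket is worth an immediate look.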
Mozilla Firefox has a small market share in the browser space, but it continues to introduce new security features. The latest is an email alias service. If you trust Mozilla as an intermediary, it can provide one-time email addresses for website registration and act as a buffer between the user and the website or application. Apple has done this in the Apple App Store between app developers and app users, and many are familiar with other intermediaries, such as eBay and Amazon, acting as similar buffers. This is not really an enterprise-scale service yet, but pointing home users toward it makes sense to reduce phishing risk.
Hackers Infected Company’s Android Devices Through Its MDM Server
(April 29, May 1 and 4, 2020)
A banking Trojan has infected more than 75 percent of a multinational conglomerate’s Android devices. A new variant of the Cerberus malware was placed on the mobile devices by compromising the unnamed company’s Mobile Device Manager (MDM) server.
[Pescatore] Every end-point security agent has a server somewhere behind it, whether it is on premises or in the cloud. If that server is compromised, the security agent turns from a beneficial rootkit to a malicious rootkit. Basic security hygiene for all servers and vigilance on all admin accounts for those servers or cloud services has to be high priority.
[Ullrich] Conventional wisdom says that any system used to configure your infrastructure should live on a dedicated management network. But MDM has to interact with devices on the internet and can be difficult to segregate. Many of these systems are also cloud based, which typically leaves only strong authentication and the often-misplaced trust in vendors as users’ last remaining security controls.
Read more in:
SC Magazine: Banking trojan attack exposes dangers of not securing MDM solutions
Threatpost: Upgraded Cerberus Spyware Spreads Rapidly via MDM
Bleeping Computer: Hackers breach company’s MDM server to spread Android malware
Portswigger: Multinational’s mobile endpoints engulfed by Cerberus banking trojan
Check Point: First seen in the wild - Malware uses Corporate MDM as attack vector
Mozilla Is Developing a Firefox Email Alias Service
(May 1, 2020)
Mozilla is developing an email alias service for its Firefox browser. Firefox Private Relay will be an add-on. It will enable users to easily generate email aliases that they can use to register new accounts, subscribe to newsletters or conduct other business where they do not want to expose their email addresses. Private Relay is currently in closed beta testing; a public beta is expected later this year.
[Northcutt] After reading about this, I applied for the beta. I spend about 15 minutes every Saturday unsubscribing from the useless emails that found my account--some are even cheeky enough to say things like “Wanting to make sure you got my last email.” Now click, and it will take whoever sold my email out at the same time. What is not to like?
[Pescatore] Apple has a similar service for users who don’t want to use their real email address when registering with apps downloaded from the Apple App Store. This is one of those “put all of your eggs in one basket and really, really trust that basket--or watch it very, very closely” kind of scenarios. The Firefox browser has an 8% market share, so it is not going to have a large impact. A simple, more universal approach is just to use a burner freemail address with all apps and websites that require an email address.
Read more in:
ZDNet: New Firefox service will generate unique email aliases to enter in online forms
Zoom made its first acquisition--buying a key management software company, Keybase. Encryption and key management are an important area where Zoom needs to make progress, and seeing Zoom make a buy-rather-than-build decision is a good thing. But while key management is very important, it is only part of the security management functionality needed to keep an enterprise collaboration platform safe and secure. As operational environments begin to stabilize, you should evaluate all video conferencing and online collaboration product renewals for scalability not just in usage levels, but also in user, privilege and security management capabilities.
Zoom Acquires Keybase in Effort to Improve Security Issues
(May 7, 2020)
Video conferencing platform company Zoom has acquired security company Keybase, which will help Zoom implement stronger encryption. The improved encryption service will be available with paid versions of Zoom.
[Pescatore] Zoom is following the path many other fast-growth tech startups (like Microsoft, Salesforce and Google) followed when they were forced by customers to realize security is critical. Zoom is continuing to live up to its CEO’s promise to focus on security and encryption (and especially key management)--something that is easy to do badly and complex to do correctly--especially at scale. Keybase has been around for six years, was early to sign up for bug bounty programs to make sure vulnerabilities in their code were exposed and fixed, and paid for a professional audit of its product and made the results public--all good signs.
[Neely] Keybase focuses on key management, which is essential for getting end-to-end encryption right, and will help address concerns over Zoom’s current security implementation. There are no plans to eliminate the existing functions of Keybase; there are new products planned and updates to Zoom to leverage Keybase’s services. The current ZoomBot client allows users to start a Zoom meeting from their Keybase client.
Read more in:
ZDNet: Zoom acquires encryption startup Keybase
CNBC: Zoom buys Keybase -- its first acquisition -- as part of 90-day plan to fix security flaws
Cyberscoop: Zoom acquires Keybase to beef up encryption, ease security questions
CNET: Zoom security issues: Zoom buys security company, aims for end-to-end encryption
Threatpost: Zoom Beefs Up End-to-End Encryption to Thwart “Zoombombers”
Zoom: Zoom Acquires Keybase and Announces Goal of Developing the Most Broadly Used Enterprise End-to-End Encryption Offering