Attacks/Breaches
2/28/2012
08:34 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%
Repost This

Startup Targets The Attackers Behind The APT

Former McAfee execs in new stealth venture will demonstrate an APT-type targeted attack against a smartphone at RSA Conference

Click here for more articles.

RSA CONFERENCE 2012 -- San Francisco, Calif. -- A former McAfee executive who spearheaded much of the security firm's advanced persistent threat (APT) research will demonstrate here tomorrow a targeted attack against a smartphone that uses an exploit created by his new startup.

Dmitri Alperovitch, who is CTO of CrowdStrike, a company still in stealth mode that he co-founded with former McAfee CTO and EVP George Kurtz, will show an exploit his team built using malware from an infamous Chinese remote access tool (RAT) used by APT-type attackers. The attack basically spies on and stalks an Android smartphone user's calls, physical location, apps, and data.

"We are trying to highlight that adversaries are going to do the same thing they do on a PC -- and repeating it on a mobile device," says George Kurtz, who is president and CEO of CrowdStrike. "A smartphone is always on, it's always with me, and it has voice, video, phone, a connection to my network, and my sensitive documents. It's always connected, and always has power. It's the ultimate spying tool if you can commandeer it."

Alperovitch and CrowdStrike's Adam Meyers, the former director of cybersecurity intelligence for SRA International, took a piece of Android malware generated by the RAT and reverse-engineered it to create their own RAT for the attack. "In one fell swoop we commandeered a RAT," Alperovitch says. "And we built our own command-and-control infrastructure for it."

The attack works like this: The attacker sends a phishing SMS message to the victim's smartphone, purporting to be from his mobile provider and saying it's time to renew his data plan by clicking an included URL. Once the victim clicks on the URL to "renew" his service, the phone is infected and the attacker gains root access to the smartphone, allowing it to bypass the app permissions step in the Android. It drops the RAT tool and starts the process of snooping on the user via his smartphone.

The attack uses a weaponized vulnerability in Webkit as well, and the RAT to gather GPS data and potentially record phone conversations. "It's an end-to-end mobile attack," Alperovitch says.

Alperovitch concedes that the attack was no small feat. The researchers also wrote their own shellcode on the phone; overall, it took about three weeks of reverse-engineering and exploit-writing to execute the attack just for the Android. Such an attack model could be used against any Webkit-based phones, including iOS, according to CrowdStrike.

"This is the way attacks have been operating in the PC world for a decade. It's probably already happening in mobile, but we don't have visibility in it because the apps can't see that deeply. We don't know the full scope of the situation," Alperovitch says.

CrowdStrike is focused on the attackers behind targeted attacks and, according to Kurtz, will use "big data" technologies to help businesses and governments protect their intellectual property from APTs. The company will drill down on the attributes and tactics of the attackers. CrowdStrike recently secured $26 million in Series A funding.

"You have an adversary problem, not a malware problem" in these attacks, Alperovitch says. "We were getting frustrated about the industry's way of solving the problem. It is looking at a gun or bullet as opposed to the shooter."

The key is to make it more costly for that human being sitting behind the exfiltration stage of the hack, Kurtz says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-3946
Published: 2014-04-24
Cisco IOS before 15.3(2)S allows remote attackers to bypass interface ACL restrictions in opportunistic circumstances by sending IPv6 packets in an unspecified scenario in which expected packet drops do not occur for "a small percentage" of the packets, aka Bug ID CSCty73682.

CVE-2012-5723
Published: 2014-04-24
Cisco ASR 1000 devices with software before 3.8S, when BDI routing is enabled, allow remote attackers to cause a denial of service (device reload) via crafted (1) broadcast or (2) multicast ICMP packets with fragmentation, aka Bug ID CSCub55948.

CVE-2013-6738
Published: 2014-04-24
Cross-site scripting (XSS) vulnerability in IBM SmartCloud Analytics Log Analysis 1.1 and 1.2 before 1.2.0.0-CSI-SCALA-IF0003 allows remote attackers to inject arbitrary web script or HTML via an invalid query parameter in a response from an OAuth authorization endpoint.

CVE-2014-0188
Published: 2014-04-24
The openshift-origin-broker in Red Hat OpenShift Enterprise 2.0.5, 1.2.7, and earlier does not properly handle authentication requests from the remote-user auth plugin, which allows remote attackers to bypass authentication and impersonate arbitrary users via the X-Remote-User header in a request to...

CVE-2014-2391
Published: 2014-04-24
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potent...

Best of the Web