Arming up for future threats

Within the last few weeks, a massive number of vulnerabilities have been publicly disclosed. More or less every attack vector has been affected - operating systems, hardware and apps. As the pace at which vulnerabilities are discovered keeps increasing, the race between attackers and organizations' SecOps teams is on. By relying solely on static, hash-based solutions, there is only one outcome for any organization - to lose.

SecOps teams need as much information as possible to increase security across all endpoints in an organization. For example, every operating system can provide device forensics through unified endpoint management (UEM), a solid foundation for assessing device security. Publicly available vulnerability databases can be matched against the hardware information, the currently installed operating system, and its patch level. SecOps teams, together with Mobility teams, can identify devices running outdated OS versions, enforce updates, and apply tiered compliance actions. Decision-makers can also replace devices that no longer receive OS updates and therefore pose an operational risk to the organization.
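The matching described above, as an added example that is not MobileIron code: a constructed device inventory is checked against a constructed CVE feed (placeholder CVE ids, illustrative CVSS scores), each device gets a tiered compliance action, and a per-OS-version overview like the one in the figure is produced.

```python
"""Tiered compliance by OS version against a CVE feed (constructed data)."""
import re

# Constructed CVE feed: each entry names the affected OS, the first version
# that fixes the issue and a CVSS score. Ids are placeholders, not real CVEs.
CVE_FEED = [
    {"id": "CVE-0000-0001", "os": "ios", "fixed_in": "13.5", "cvss": 9.8},
    {"id": "CVE-0000-0002", "os": "ios", "fixed_in": "13.4", "cvss": 7.5},
    {"id": "CVE-0000-0003", "os": "android", "fixed_in": "10.0", "cvss": 8.1},
]

# Constructed device inventory, as a UEM export might provide it.
DEVICES = [
    {"udid": "dev-1", "os": "ios", "version": "13.5"},
    {"udid": "dev-2", "os": "ios", "version": "13.3.1"},
    {"udid": "dev-3", "os": "android", "version": "9"},
]

def parse_version(v):
    """Numeric tuple for comparison; trailing text like ' beta' is ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def open_cves(device, feed):
    """CVEs whose fix version is newer than the version the device runs."""
    running = parse_version(device["version"])
    return [c for c in feed
            if c["os"] == device["os"] and parse_version(c["fixed_in"]) > running]

def tier(cves):
    """Tiered action by worst open CVSS: block >= 9.0, quarantine >= 7.0, else notify."""
    if not cves:
        return "compliant"
    worst = max(c["cvss"] for c in cves)
    if worst >= 9.0:
        return "block"
    return "quarantine" if worst >= 7.0 else "notify"

def assess(devices, feed):
    """Per-device list of open CVE ids and the resulting compliance action."""
    result = {}
    for d in devices:
        cves = open_cves(d, feed)
        result[d["udid"]] = {"cves": [c["id"] for c in cves], "action": tier(cves)}
    return result

def risk_overview(devices, feed):
    """Device count and open CVE count per (os, version), as in the overview chart."""
    overview = {}
    for d in devices:
        key = (d["os"], d["version"])
        entry = overview.setdefault(key, {"devices": 0, "cves": len(open_cves(d, feed))})
        entry["devices"] += 1
    return overview
```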

Overview of OS risk, based on device count and CVEs applied to each single release:


Utilizing MobileIron Threat Defense (MTD) local actions policy for vulnerable OS versions:


During the COVID-19 pandemic, many researchers, hackers, script kiddies and others have spent time looking for vulnerabilities in operating systems, apps and protocols. Those findings have either been reported directly to the vendors, published on the dark net or sold to brokering platforms. One of the most well-known platforms is no longer accepting new vulnerabilities, due to the influx of submissions.


https://twitter.com/Zerodium/status/1260541578747064326


But what does this mean? The prices for such vulnerabilities will drop, and the number of zero-day attacks will increase significantly soon. One Forbes contributor even predicts that the largest cyberattack in history could happen within six months.

As evidence for those assumptions, Apple released iOS 13.5 and unc0ver released its latest update for jailbreaking the device. Compared to checkra1n, this jailbreak is untethered and adds persistence after device reboots. An additional threat vector is added to every single device without MTD. A video of MTD in action can be found here.

https://unc0ver.dev
https://checkra.in

Frameworks originally created for device forensics or device acquisition by federal agencies or their subsidiaries will be modified and turned into attack frameworks. Although those new frameworks will be developed for educational purposes, from an attacker's point of view they have only one intention:


Remote control of an end-user

An unfriendly external device acquisition leading to a full device compromise is not that easy to accomplish on today's hardened operating systems. So the attacker needs to do proper research and subsequently equip themselves with the appropriate tools, as outlined by the Cyber Kill Chain (source: https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/Gaining_the_Advantage_Cyber_Kill_Chain.pdf). Although this model no longer reflects the disappearing perimeter of mobile devices, the approach is similar. Attackers tend to manipulate the end-user into carrying out specific actions on the attacker's behalf. They use websites with the look and feel of an organization to convince users to install an "update" of an app or a "driver" to ensure future compliance. This requires the end-user to follow perfectly designed and outlined steps to download and install configuration profiles or trust developer certificates, which are the universal keys for a multi-layered attack. MobileIron UEM can retrieve those configuration profiles, and MobileIron Threat Defense can determine whether a configuration profile is managed by UEM or was installed by the end-user. The same applies to detecting manually trusted developer certificates and self-signed, hence publicly untrusted, SSL certificates on the devices.
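The detection described above, as an added example that is not MobileIron's code: a constructed device forensics record (profile identifiers, certificate names and field names are assumptions) is compared against the set of profiles the UEM pushed, and user-installed profiles, manually trusted developer certificates and self-signed certificates that did not come from UEM are reported as findings.

```python
"""Flag user-installed profiles and untrusted certificates in a device record."""

# Identifiers of the configuration profiles the UEM pushed to this device (constructed).
UEM_MANAGED_PROFILES = {"com.example.corp.wifi", "com.example.corp.vpn"}

# Constructed forensics record, modelled loosely on what a UEM/MTD export could contain.
DEVICE_RECORD = {
    "udid": "dev-2",
    "profiles": [
        {"identifier": "com.example.corp.wifi", "signed": True},
        {"identifier": "net.unknown.update-helper", "signed": False},  # user-installed
    ],
    "trusted_dev_certs": ["Unknown Developer Ltd"],  # trusted manually by the end-user
    "certs": [
        {"subject": "CN=Corp Root CA", "issuer": "CN=Corp Root CA", "uem_pushed": True},
        {"subject": "CN=self-signed.test", "issuer": "CN=self-signed.test", "uem_pushed": False},
    ],
}

def unmanaged_profiles(record, managed):
    """Profiles present on the device that the UEM never pushed."""
    return [p["identifier"] for p in record["profiles"] if p["identifier"] not in managed]

def self_signed_user_certs(record):
    """Self-signed certificates (issuer == subject) not delivered by the UEM."""
    return [c["subject"] for c in record["certs"]
            if c["issuer"] == c["subject"] and not c["uem_pushed"]]

def findings(record, managed):
    """(severity, message) pairs a SecOps team would want to act on."""
    out = []
    for ident in unmanaged_profiles(record, managed):
        out.append(("high", f"user-installed configuration profile: {ident}"))
    for dev in record["trusted_dev_certs"]:
        out.append(("high", f"manually trusted developer certificate: {dev}"))
    for subj in self_signed_user_certs(record):
        out.append(("medium", f"self-signed certificate not pushed by UEM: {subj}"))
    return out
```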


It’s all about visibility

Importing available threat data into an existing SIEM solution gives organizations the opportunity to compose aggregated views and analytics and to identify new attack vectors. More importantly, it solves the lack of visibility into mobile devices. With that visibility, organizations can adapt the security measures and processes already in place for other endpoints. Using the additional capabilities of SOAR platforms increases the speed of identification and response significantly. Together, these technologies equip SecOps teams with the required information, extracted from different data sources, to improve their security operations automation.

In conclusion, organizations need to gear up to fight back against cyberattacks. Establish an additional layer of endpoint security on mobile devices. Don't rely on hash-based solutions, as detection and protection need to keep pace with the speed at which attackers are finding and abusing new vulnerabilities. The same applies to mitigation actions - actively fight back against any attack with mobile threat defense, preferably integrated into your UEM app, which should be installed on every single device.

Any organization can enroll an unlimited number of new users and devices on MobileIron’s UEM platform at no additional cost through June 15, 2020. Click here to learn more or register for a series of upcoming webinars.

Stefan Feicke

Senior Sales Engineer at MobileIron