These programs are readily available on the black market, and in 2017 the volume of malicious spam is unlikely to fall.
In addition, it welcomed more than 400 new customers across Europe and 2 UK partners.
In order to keep up with business growth and surging customer demand, the company also hired 21 new employees and opened a branch in Vienna, Austria, in line with its expansion plans."We... Source: RealWire
Tony Evans from Wick Hill (part of the Nuvias Group) highlights the risks of Wi-Fi and provides some advice for delivering a secure hotspot
The fact that Wi-Fi stands for Wireless Fidelity hints at how long Wi-Fi has been around, but it was only in 1999 that the Wi-Fi Alliance formed as a trade association to hold the Wi-Fi trademark, under which most products are sold.
Today, Wi-Fi is on the top of the list of must-haves for businesses of all types and sizes. People will simply vote with their feet if good and, usually free, Wi-Fi is not available.
But this demand for anytime, anyplace connectivity can mean that some of us are prepared to jump onto Wi-Fi hotspots at cafes, hotel, airports or company guest networks, with only a fleeting consideration of security – a fact that has not gone unnoticed by cyber criminals.
There are over 300,000 videos on YouTube alone explaining how to hack Wi-Fi users with tools easily found online.
Risks from unprotected Wi-Fi:
Wi-Fi Password Cracking
Wireless access points that still use older security protocols such as WEP, make for easy targets because these passwords are notoriously easy to crack. Hotspots that invite us to log in by simply using social network credentials are increasingly popular, as they allow businesses to use demographic information such as age, gender and occupation to target personalised content and advertisements.
Without encryption, Wi-Fi users run the risk of having their private communications intercepted, or packet sniffed, by cyber snoops while on an unprotected network.
Cyber criminals can set up a spoof access point near your hotspot with a matching SSID that invites unsuspecting customers to log in leaving them susceptible to unnoticed malicious code injection.
In fact, it is possible to mimic a hotspot using cheap, portable hardware that fits into a backpack or could even be attached to a drone.
There are common hacking toolkits to scan a Wi-Fi network for vulnerabilities, and customers who join an insecure wireless network may unwittingly walk away with unwanted malware.
A common tactic used by hackers is to plant a backdoor on the network, which allows them to return at a later date to steal sensitive information.
Joining an insecure wireless network puts users at risk of losing documents that may contain sensitive information.
In retail environments, for example, attackers focus their efforts on extracting payment details such as credit card numbers, customer identities and mailing addresses.
Inappropriate and Illegal Usage
Businesses offering guest Wi-Fi risk playing host to a wide variety of illegal and potentially harmful communications.
Adult or extremist content can be offensive to neighbouring users, and illegal downloads of protected media leave the businesses susceptible to copyright infringement lawsuits.
As the number of wireless users on the network grows, so does the risk of a pre-infected client entering the network. Mobile attacks, such as Android’s Stagefright, can spread from guest to guest, even if the initial victim is oblivious to the threat.
There are established best practices to help secure your Wi-Fi network, alongside a drive, from companies such as WatchGuard, to extend well-proven physical network safeguards to the area of wireless, providing better network visibility to avoid blind spots.
Implementing the latest WPA2 Enterprise (802.1x) security protocol and encryption is a must, while all traffic should, at a minimum, be inspected for viruses and malware, including zero day threats and advanced persistent threats.
Application ID and control will monitor and optionally block certain risky traffic, while web content filtering will prevent unsuspecting users from accidentally clicking a hyperlink that invites exploitation, malware and backdoors to be loaded into your network.
The use of strong passwords, which are changed frequently, should be encouraged, along with regular scanning for rogue Access Points (APs) and whitelisting MAC addresses, when possible.
WatchGuard’s latest cloud-managed wireless access points also have built-in WIPS (Wireless Intrusion Prevention System) technology to defend against unauthorised devices, rogue APs and malicious attacks, with close to zero false positives.
While WIDs (Wireless Intrusion Detection Systems) are common in many Wi-Fi solutions, WIDs require manual intervention to respond to potential threats.
This may be OK for large organisations with IT teams that can manage this, however WIPs is a fully-automated system, which makes it far more attractive to SMEs and organisations such as schools and colleges.
Using patented, Marker Packet wireless detection technology, WatchGuard WIPS differentiates between nearby external access points and rogue access points.
If a rogue access point is detected, all incoming connections to that access point are instantly blocked. WIPS also keeps a record of all clients connecting to the authorised access points, so if a known device attempts to connect to a malicious access point, the connection is instantly blocked. WIPS will also shut down denial-of-service attacks by continuously looking for abnormally high amounts of de-authentication packets.
Wi-Fi as a marketing tool
While Wi-Fi networks have traditionally been viewed as part of the IT infrastructure and the responsibility of the IT department, the latest Wi-Fi systems deliver more than just connectivity, which makes them an attractive proposition for customer services and marketing departments.
For example, the WatchGuard Wi-Fi Cloud provides visibility into marketing data, including insights into footfall and customer demographics and also makes it possible to have direct communication with individual customers in the form of SMS, MMS or social networks.
And with customised splash pages, businesses can personalise the customer Wi-Fi experiences by offering promotional opportunities or surveys and promoting all-important branding.
It is clear that Wi-Fi is here to stay and is becoming much more than simply a way to get online. While the rapid speed of Wi-Fi adoption has led to a disconnect between physical and wireless security, this is now changing and there is no longer any excuse for providing insecure Wi-Fi.
About Wick Hill
Established in 1976, value added distributor Wick Hill specialises in secure IP infrastructure solutions.
The company sources and delivers best-of-breed, easy-to-use solutions through its channel partners, with a portfolio that covers security, performance, access, networking, convergence, storage and hosted solutions.
Wick Hill is particularly focused on providing a wide range of value-added support for its channel partners.
This includes strong lead generation and conversion, technical and consultancy support, and comprehensive training. Wick Hill has its headquarters in the UK and offices in Germany and Austria. Wick Hill also offers services to channel partners in fourteen EMEA countries and worldwide, through its association with Zycko, as part of Nuvias Group, the pan-EMEA, high value distribution business, which is redefining international, specialist distribution in IT.
According to KSN data, in Q3 2016 the number of email antivirus detections totaled 73,066,751. Most malicious attachments contained Trojan downloaders that one way or another loaded ransomware onto the victim’s computer. Number of email antivirus detections, Q1-Q3 2016 The amount of malicious spam reached its peak in September 2016.
According to our estimates, the number of mass mailings containing the Necurs botnet alone amounted to 6.5% of all spam in September.
To recap, this kind of malicious spam downloads the Locky malware to computers. Most emails were neutral in nature. Users were prompted to open malicious attachments imitating bills supposedly sent by a variety of organizations, receipts, tickets, scans of documents, voice messages, notifications from stores, etc.
Some messages contained no text at all.
All this is consistent with recent trends in spam: fraudsters are now less likely to try and impress or intimidate users to make them click a malicious link or open an attachment.
Instead, spammers try to make the email contents look normal, indistinguishable from other personal correspondence.
Cybercriminals appear to believe that a significant proportion of users have mastered the basics of Internet security and can spot a fake threat, so malicious attachments are made to look like everyday mail. Of particular note is the fact that spam coming from the Necurs botnet had a set pattern of technical email headers, while the schemes used by the Locky cryptolocker varied a lot.
This well-known method of writing IP addresses in hexadecimal and octal systems was updated by scammers who began to add ‘noise’.
As a result, an IP address in a link may end up looking like this: HTTP://@[::ffff:d598:a862]:80/ Spammers also began to insert non-alphanumeric symbols and slashes in domain/IP addresses, for example: http://0122.0142.0xBABD/ <a href=/@/0x40474B17 URL shortening services Spammers also continued experimenting with URL shortening services, inserting text between slashes.
For example: Sometimes other links were used to add text noise: The use of search queries Some spammers have returned to the old method of hiding the addresses of their sites as search queries.
This allows them to solve two problems: it bypasses black lists and makes the links unique for each email.
In the third quarter, however, spammers went even further and used the Google option “I’m Feeling Lucky”.
This option immediately redirects users to the website that’s displayed first in the list of search results, and it can be activated simply by adding “&btnI=ec” to the end of the link.
Clicking on the link redirects users to the spammer’s site rather than to the page displayed in the Google search results.
The advertising site itself is obviously optimized to appear first in the search results.
There could be lots of similar queries within a single mass mailing. The example above involves yet another trick.
The search query is written in Cyrillic.
The Cyrillic letters are first converted to a decimal format (e.g., “авто” becomes “Авто”), and then the whole query in decimal format, including special symbols, are converted to a hexadecimal URL format. Imitations of popular sites The third quarter saw phishers trying to cheat users by making a link look similar to that of a legitimate site.
This trick is as old as the hills.
In the past, real domain names were distorted very slightly; now, cybercriminals make use of either subdomains imitating real domain names or long domains with hyphens.
So, in phishing attacks on PayPal users we came across the following domain names: Phishing attacks targeting Apple users included the following names: Spammers have also found help from new “descriptive” domain zones, where a fake link can seem more topical and trusted, for example: Testers required Q3 email traffic contained mass mailings asking users to participate in free testing of a product that they could then keep.
The authors of the emails we analyzed were offering popular goods such as expensive brand-name home appliances (coffee machines, robot vacuum cleaners), cleaning products, cosmetics and even food. We also came across a lot of emails offering the chance to test the latest models of electronic devices including the new iPhone that was released at the end of the third quarter.
The headers used in these mass mailings include: “Register to test & keep a new iPhone 7S! Wanted:! IPhone 7S Testers”.
The release of the latest iPhone was met with the usual surge of spam activity dedicated exclusively to Apple products. The largest percentage of spam in the third quarter – 61.25% – was registered in September #KLReport Tweet The people sending out these messages are in no way related to the companies whose products they use as bait. Moreover, they send out their mass mailings from fake email addresses or from empty, newly created domains. The senders promise to deliver the goods for testing by post, and using this pretext they ask for the recipient’s postal and email addresses as well as other personal information.
A small postal charge in is imposed on the user, but even if the goods are delivered, there is no guarantee they will be good quality.
There are lots of posts on the Internet by users saying they never received any goods, even after paying the postage costs.
This has an element of old-fashioned non-virtual fraud: the cybercriminals receive money transfers under the pretext of a postal charges and then disappear. Gift certificates to suit all tastes Spam traffic in Q3 included some interesting mailings using the common theme of fake gift certificates. Recipients were offered the chance to participate in an online survey in return for a certificate worth anything from ten to hundreds of euros or dollars.
They were led to believe that the certificates were valid for large international retail chains, online hypermarkets, grocery stores, popular fast-food chains as well as gas stations. In some cases, the senders of these fraudulent messages said they were carrying out a survey to improve the customer support services of the organizations that were allegedly behind these generous offers, as well as to improve the quality of their products.
In other cases, the message was described as a stroke of luck and that the recipient’s email address was randomly selected for a generous gift as a mark of appreciation for using the brand’s goods or services.
The messages were indeed randomly sent out to email addresses that had been collected by spammers, and did not necessarily belong to customers of the companies named in emails. To confirm receipt of the gift certificate, the user is asked to follow a link in the email which in fact leads to an empty domain with a descriptive name (e.g. “winner of the day”).
Then, via the redirect, the user ends up at a newly created site with a banner designed in the style of the brand that supposedly sent out the mailing.
The user is notified that the number of certificates is limited and that they have only 90 seconds to click on a link, thereby agreeing to receive the gift.
After completing a short survey asking things such as “How often do you use our services?” and “How are you planning to use the certificate?” the user is asked to enter their personal data in a form.
And finally the “lucky winner” is redirected to a secure payment page where they have to enter their bank card details and pay a minor fee (in the case we analyzed the sum was 1 krone). In Q3 2016 Germany (13.21%) remained the country targeted most by malicious mailshots #KLReport Tweet According to online reviews, some potential victims of this type of certificate fraud were asked to call a number to participate in a telephone survey rather than an online survey.
This type of fraudulent scheme is also quite common: the idea is to keep someone on the paid line for as long as possible until they give up on the promised reward. Like the offers to participate in the testing of goods, these themed messages were sent out from fake addresses with empty or newly created domains that had nothing to do with the organizations in whose name the cybercriminals were offering the certificates. Statistics Proportion of spam in email traffic Percentage of spam in global email traffic, Q2 and Q3 2016 The largest percentage of spam in the third quarter – 61.25% – was registered in September.
The average share of spam in global email traffic for Q3 amounted to 59.19%, which was 2 p.p. more than in the previous quarter. Sources of spam by country Sources of spam by country, Q3 2016 In Q3 2016, the contribution from India increased considerably – by 4 p.p. – and became the biggest source of spam with a share of 14.02%.
Vietnam (11.01%, +1 p.p.) remained in second place.
The US fell to third after its share (8.88%) dropped by 1.9 p.p. As in the previous quarter, fourth and fifth were occupied by China (5.02%) and Mexico (4.22%) respectively, followed by Brazil (4.01%), Germany (3.80%) and Russia (3.55%).
Turkey (2.95%) rounded off the TOP 10. Spam email size Breakdown of spam emails by size, Q2 and Q3 2016 Traditionally, the most commonly distributed emails are very small – up to 2 KB (55.78%), although the proportion of these emails has been declining throughout the year, and in Q3 dropped by 16 p.p. compared to the previous quarter. Meanwhile, the proportion of emails sized 10-20 KB increased considerably from 10.66% to 21.19%.
The other categories saw minimal changes. Malicious email attachments Currently, the majority of malicious programs are detected proactively by automatic means, which makes it very difficult to gather statistics on specific malware modifications.
So we have decided to turn to the more informative statistics of the TOP 10 malware families to trigger mail antivirus. TOP 10 malware families Trojan-Downloader.JS.Agent (9.62%) once again topped the rating of the most popular malware families.
Trojan-Downloader.JS.Cryptoload (2.58%) came second.
Its share increased by 1.34 p.p.
As in the previous quarter, Trojan-Downloader.MSWord.Agent (2.34%) completed the top three. The popular Trojan-Downloader.VBS.Agent family (1.68%) fell to fourth with a 0.48 p.p. decline.
It was followed by Trojan.Win32.Bayrob (0.94%). TOP 10 malware families in Q3 2016 A number of newcomers made it into the bottom half of this TOP 10. Worm.Win32.WBVB (0.60%) in seventh place includes executable files written in Visual Basic 6 (in both P-code and Native modes) that are not recognized as trusted by KSN.
The malware samples of this family are only detected by Mail Anti-Virus.
For this type of verdict File Antivirus only detects objects with names that are likely to mislead users, for example, AdobeFlashPlayer, InstallAdobe, etc. In Q3 2016 India (14.02%) became the biggest source of spam #KLReport Tweet Trojan.JS.Agent (0.54%) came eighth.
A typical representative of this family is a file with .wsf, .html, .js and other extensions.
The malware is used to collect information about the browser, operating system and software whose vulnerabilities can be used.
If the desired vulnerable software is found, the script tries to run a malicious script or an application via a specified link. Yet another newcomer – Trojan-Downloader.MSWord.Cryptoload (0.52%) – occupied ninth place.
It is usually a document with a .doc or .docx extension containing a script that can be executed in MS Word (Visual Basic for Applications).
The script includes procedures for establishing a connection, downloading, saving and running a file – usually a Trojan cryptor. Trojan.Win32.Agent (0,51%), which was seventh in the previous quarter, rounded off the TOP 10 in the third quarter. Countries targeted by malicious mailshots Distribution of email antivirus verdicts by country, Q3 2016 Germany (13.21%) remained the country targeted most by malicious mailshots, although its share continued to decline – by 1.48 p.p. in Q3. Japan (8.76%), whose share increased by 2.36 p.p., moved up to second.
China (8.37%) in third saw its share drop by 5.23 p.p. In Q3 2016, fourth place was occupied by Russia (5.54%); its contribution increased by 1.14 p.p. from the previous quarter.
Italy came fifth with a share of 5.01%.
The US remained in seventh (4.15%).
Austria (2.54%) rounded off this TOP 10. Phishing In Q3 2016, the Anti-Phishing system was triggered 37,515,531 times on the computers of Kaspersky Lab users, which is 5.2 million more than the previous quarter. Overall, 7.75% of unique users of Kaspersky Lab products worldwide were attacked by phishers in Q3 2016. Geography of attacks China (20.21%) remained the country where the largest percentage of users is affected by phishing attacks.
In Q3 2016, the proportion of those attacked increased by 0.01 p.p. Geography of phishing attacks*, Q3 2016 *Number of users on whose computers the Anti-Phishing system was triggered as a percentage of the total number of Kaspersky Lab users in the country The percentage of attacked users in Brazil decreased by 0.4 p.p. and accounted for 18.23%, placing the country second in this rating. UAE added 0.88 p.p. to the previous quarter’s figure and came third with 11.07%.
It is followed by Australia (10.48%, -2.29 p.p.) and Saudi Arabia (10.13%, +1.5 p.p.). TOP 10 countries by percentage of users attacked: China 20.21% Brazil 18.23% United Arab Emirates 11.07% Australia 10.48% Saudi Arabia 10.13% Algeria 10.07% New Zealand 9.7% Macau 9.67% Palestinian Territory 9.59% South Africa 9.28% The share of attacked users in Russia amounted to 7.74% in the third quarter.
It is followed by Canada (7.16%), the US (6.56%) and the UK (6.42%). Organizations under attack Rating the categories of organizations attacked by phishers The rating of attacks by phishers on different categories of organizations is based on detections of Kaspersky Lab’s heuristic anti-phishing component.
It is activated every time a user attempts to open a phishing page while information about it has not yet been included in Kaspersky Lab’s databases.
It does not matter how the user attempts to open the page – by clicking a link in a phishing email or in a message on a social network or, for example, as a result of malware activity.
After the security system is activated, a banner is displayed in the browser warning the user about a potential threat. In Q3 of 2016, the share of the ‘Financial organizations’ category (banks, payment systems, online stores) accounted for more than half of all registered attacks.
The percentage of the ‘Banks’ category increased by 1.7 p.p. and accounted for 27.13%.
The proportion of ‘Online stores’ (12.21%) and ‘Payment systems’ (11.55%) increased by 2.82 p.p. and 0.31 p.p. respectively. Distribution of organizations affected by phishing attacks by category, Q3 2016 In addition to financial organizations, phishers most often attacked ‘Global Internet portals’ (21.73%), ‘Social networking sites’ (11.54%) and ‘Telephone and Internet service providers’ (4.57%). However, their figures remained almost unchanged from the previous quarter – the change for each category was no more than a single percentage point. Hot topics this quarter Attacks on users of online banking The third quarter saw the proportion of attacked users in the ‘Banks’ category increase significantly – by 1.7 p.p.
The four banks whose clients were attacked most often are all located in Brazil.
For several years in a row this country has ranked among the countries with the highest proportion of users attacked by phishers, and occasionally occupies first place. Naturally, online banking users are priority targets for cybercriminals, since the financial benefits of a successful attack are self-evident. Links to fake banking pages are mostly spread via email. Example of a phishing email sent on behalf of a Brazilian bank.
The link in the email leads to a fake page that imitates the login page to the user’s banking account ‘Porn virus’ for Facebook users At the beginning of the previous quarter, Facebook users were subjected to phishing attacks.
Almost half a year later, the same scheme was used by fraudsters to attack users in Europe.
During the attack, a provocative adult video was used as bait.
To view it, the user was directed to a fake page (a page on the xic.graphics domain was especially popular) imitating the popular YouTube video portal. Example of a user being tagged in a post with the video This extension requested rights to read all the data in the browser, potentially giving the cybercriminals access to passwords, logins, credit card details and other confidential user information.
The extension also distributed more links on Facebook that directed to itself, but which were sent using the victim’s name. Phisher tricks Carrying on from the second quarter, we continue to talk about the popular tricks of Internet fraudsters.
The objectives are simple – to convince their victims that they are using legitimate resources and to bypass security software filters.
It is often the case that the more convincing the page is for the victim, the easier it is to detect with a variety of technologies for combating fraudsters. Nice domains We have already described a trick whereby spammers use genuine-looking links in emails to spread phishing content.
Fraudsters often resort to this technique regardless of how the phishing page is distributed.
They are trying to mislead users, who do actually pay attention to the address in the address bar, but who are not technically savvy enough to see the catch. The main domain of the organization that is being attacked might be represented, for example, by a 13th-level domain: Or might simply be used in combination with another relevant word, e.g., secure: These tricks help deceive potential victims, though they make it much easier to detect phishing attacks using security solutions. Different languages for different victims By using information about the IP address of a potential victim, phishers determine the country in which they are located.
In the example below, they do so by using the service http://www.geoplugin.net/json.gp?ip=. Depending on the country that has been identified, the cybercriminals will display pages with vocabulary in the corresponding language. Examples of files that are used to display a phishing page in a specified language The example below shows 11 different versions of pages for 32 different locations: Example of a script used by phishers to display the relevant page depending on the location of the victim TOP 3 attacked organizations Fraudsters continue to focus most of their attention on the most popular brands, enhancing their chances of a successful phishing attack. More than half of all detections of Kaspersky Lab’s heuristic anti-phishing component are for phishing pages hiding behind the names of fewer than 15 companies. The TOP 3 organizations attacked most frequently by phishers accounted for 21.96% of all phishing links detected in Q3 2016. Organization % of detected phishing links Facebook 8.040955 Yahoo! 7.446908 Amazon.com 6.469801 In Q3 2016, Facebook (8.1%, +0.07 p.p.) topped the ranking of organizations used by fraudsters to hide their attacks. Microsoft, the leader in the previous quarter, dropped out of the TOP 3.
Second place was occupied by Yahoo! (7.45%), whose contribution increased by 0.38 p.p.
Third place went to Amazon, a newcomer to the TOP 3 with 6.47%. Conclusion In the third quarter of 2016, the proportion of spam in email traffic increased by 2 p.p. compared to the previous quarter and accounted for 59.19%.
The largest percentage of spam – 61.25% – was registered in September.
India (14.02%), which was only fourth in the previous quarter, became the biggest source of spam.
The top three sources also included Vietnam (11.01%) and the US (8.88%). The top three countries targeted by malicious mailshots remained unchanged from the previous quarter.
Germany (13.21%) came first again, followed by Japan (8.76%) and China (8.37%). In Q3 2016, Kaspersky Lab products prevented over 37.5 million attempts to enter phishing sites, which is 5.2 million more than the previous quarter.
Financial organizations were the main target, with banks the worst affected, accounting for 27.13% of all registered attacks.
The most attractive phishing targets in Q3 2016 were clients of four banks located in Brazil.
The security patch level is a date string displayed in Android’s settings under “About phone” and indicates that the firmware contains all Android security patches up to that date. The new 2016-11-01 patch level contains fixes for flaws in Android’s own components.
It addresses two critical vulnerabilities, 16 high-risk flaws and 10 medium-risk ones. One of the critical flaws is located in the Mediaserver component, which has been a major source of serious Android vulnerabilities over the past year.
The flaw can be exploited by tricking users into downloading or opening a specially crafted media file. The second critical flaw is located in the libzipfile library and could enable malicious applications to execute code within the context of a privileged process.
This can lead to a full device compromise that requires reflashing the operating system to fix. The second patch level is 2016-11-05 and primarily includes fixes for vulnerabilities in kernel drivers for various hardware components.
This level covers 21 critical vulnerabilities, 23 high-risk ones and 10 with a moderate impact. The critical flaws are located in the kernel file system, SCSI driver, media driver, USB driver, ION subsystem, networking subsystem and sound subsystem, as well as in the Nvidia GPU driver and Qualcomm’s crypto driver, bootloader and other components. One of the patches for the ION memory allocator is intended to mitigate a physical attack against DRAM (dynamic random-access memory) chips that could be exploited by applications to gain root access on a device.
The attack is known as Drammer and was devised by researchers from the Vrije Universiteit Amsterdam in the Netherlands, the Graz University of Technology in Austria, and the University of California in Santa Barbara. The third patch level is 2016-11-06 and covers a privilege escalation vulnerability in the memory subsystem of the Linux kernel that was disclosed a few weeks ago.
The flaw, which the security community dubbed Dirty COW (copy-on-write) has existed in the Linux kernel for the past nine years and is already being exploited in the wild. Google has not patched this vulnerability in its Nexus and Pixel devices yet and will probably do it next month. However, device manufacturers can address the flaw by importing the upstream fix that was included in the Linux kernels versions 3.10 and 3.18.
The flaw was disclosed after this month’s patch levels had already been defined, which is why Google refers to the 2016-11-06 patch level as “supplemental.”
The attack builds upon previous Rowhammer techniques devised and demonstrated in the past. The VUSec researchers have created a malicious Android application that doesn't require any permissions and gains root privileges when it is executed by using undetectable memory bit flipping. The researchers tested 27 Android devices from different manufacturers, 21 using ARMv7 (32-bit) and six using ARMv8 (64-bit) architectures.
They managed to flip bits on 17 of the ARMv7 devices and one of the ARMv8 devices, indicating they are vulnerable to the attack. Furthermore, Drammer can be combined with other Android vulnerabilities such as Stagefright or BAndroid to build remote attacks that don't require users to manually download the malicious app. Google is aware of this type of attack. "After researchers reported this issue to our Vulnerability Rewards Program, we worked closely with them to deeply understand it in order to better secure our users," a Google representative said in an emailed statement. "We’ve developed a mitigation which we will include in our upcoming November security bulletin.” Google's mitigation complicates the attack, but it doesn't fix the underlying problem, according to the VUSec researchers. In fact, fixing what is essentially a hardware issue in software is impossible. Hardware vendors are investigating the problem and may be able to fix it in future memory chips, but chips present in existing devices will likely remain vulnerable. Even worse, it's hard to say which devices are affected because there are many factors that come into play and haven't yet been fully investigated, the researchers said. For example, a memory controller might behave differently when the device battery level is under a certain threshold, so a device that doesn't appear to be vulnerable under a full charge might be vulnerable when its battery is low, the researchers explained. Also, there's an adage in cybersecurity: Attacks always get better, they never get worse. Rowhammer attacks have grown from theoretical to practical but probabilistic and now to practical and deterministic.
This means that a device that does not appear to be affected today could be proven vulnerable to an improved Rowhammer technique tomorrow. Drammer was demonstrated on Android because the researchers wanted to investigate the impact on ARM-based devices, but the underlying technique likely applies to all architectures and operating systems.
The new attack is also a vast improvement over past techniques that required either luck or special features that are present only on certain platforms and easily disabled. Drammer relies on DMA (direct memory access) buffers used by many hardware subsystems, including graphics, network, and sound. While Drammer is implemented using Android's ION memory allocator, APIs and methods to allocate DMA buffers are present in all operating systems, and this warning is one of the paper's major contributions. "For the very first time, we show that we can do targeted, fully reliable and deterministic Rowhammer without any special feature," said Cristiano Giuffrida, one of the VUSec researchers. "The memory massaging part is not even Android specific.
It will work on any Linux platform -- and we suspect also on other operating systems -- because it exploits the inherent properties of the memory management inside the OS kernel." "I expect that we're going to see many other flavors of this attack on different platforms," added Herbert Bos, a professor at Vrije Universiteit Amsterdam and leader of the VUSec Systems Security research group. Along with their paper, the researchers have released an Android app that can test if an Android device is vulnerable to Rowhammer -- at least to the currently known techniques.
The app is not yet available on Google Play but can be downloaded from the VUSec Drammer website to be installed manually.
An open-source Rowhammer simulator that can help other researchers investigate this issue further is also available.
Essentially, malicious code can change the content of memory it should never be able to access. This means rogue mobile applications can abuse this hardware flaw to commandeer peoples' handhelds. The effect is pure physics and yet exploitable through software: RAM is assembled in rows of cells, and it is possible to flip bits in a row by repeatedly accessing the cells in an adjacent row.
By continuously accessing cells, software can trigger voltage fluctuations in the RAM chips' control electronics.
This causes cells in rows adjacent to the one being accessed to discharge faster than normal, meaning they lose the information they were holding. This can be exploited to alter bits in RAM one by one, and manipulate crucial operating system data to gain root privileges. With admin access, the software can completely hijack the device, install malware and spyware, and so on. Most – but not all – Android smartphones are potentially vulnerable to this attack, we're told. A team from Vrije Universiteit, Amsterdam and other academics have documented how this Rowhammer effect, previously demonstrated on Microsoft Edge and public clouds, also affects Android smartphones as well as PCs and servers. The group have developed and released Drammer, which exploits Rowhammer to take control of a mobile device by tampering with its physical memory, proving the attack technique is practical rather than a lab-only exercise.
Drammer has no special permissions – it is a normal unprivileged app – and yet is able to gain root-level access to the device. The researchers explain: The Rowhammer vulnerability allows attackers to change data in memory without accessing it directly, by reading from another memory region exhaustively (hence hammering).
To date, it was assumed that mobile, ARM-based devices would be too slow to trigger these so-called bit flips, limiting Rowhammer attacks to stationary PCs and servers.
This work squashes that common belief and shows how attackers can exploit the hardware bug in a fully deterministic and reliable manner. Drammer – developed in collaboration with the University of California at Santa Barbara and Graz University of Technology in Austria – uses Flip Feng Shui to achieve reliable Rowhammer exploitation. Not every phone is vulnerable to the Rowhammer bug.
The researchers performed bit flips in 18 out of 27 tested phones, including some (former) flagship models like Google's Nexus 5 or the LG G4. Google told El Reg that it had worked out a software fix designed to mitigate against attacks, which will become available in November.
A spokesperson told us: After researchers reported this issue to our Vulnerability Rewards Program, we worked closely with them to deeply understand it in order to better secure our users. We’ve developed a mitigation which we will include in our upcoming November security bulletin. The team that developed the attack warned that Google can only go so far toward resolving what boils down to a hardware problem. “Google scrambled to try and fix the problem, but they cannot really do it as the problem is in hardware,” Herbert Bos, professor of systems security at Vrije Universiteit Amsterdam and supervisor of the research, told El Reg. “Also, since the Android market is so fragmented, this patch will probably never reach most of the phones.” More details of the research are due to be unveiled on Wednesday, October 26, at the Conference on Computer and Communications Security (CCS), a security conference in Vienna, Austria, by Victor van der Veen, lead author of the paper. ®
The mobe uses a Qualcomm WCD9320 audio codec and Asahi Kasei 3D Magnetometer Sensor AK8963, which can be adapted by software to collect audio and electromagnetic signals from the printer.
By correlating the data, the team was able to reproduce a printed design with 94 per cent accuracy. "The tests show that smartphones are quite capable of retrieving enough data to put sensitive information at risk," said Dr Kui Ren, a professor in the university's Department of Computer Science and Engineering, and coauthor of a paper describing the surveillance work. The bulk of the useful data, some 80 per cent, came from electromagnetic signals from the target printer.
The printing nozzle's position is controlled by stepper motors and the team found the position of the nozzle could be determined based on the emissions made by these motors. This was cross-referenced against acoustic data from the lateral movements of the nozzle – although this was tricky, as the head makes a very similar sound when it moves along an axis, such as side-to-side or up-and-down. Nevertheless, when a suitably apped-up smartphone was placed within 20 centimeters of the target printer, the team was able to get an astonishing level of accuracy, losing only 6 per cent of the design.
That dropped off sharply as the phone was moved further away – down to 87 per cent at 30 centimeters and 66 per cent at 40 centimeters. Looks innocuous, but the smartphone contains a lot of useful sniffers There are other limitations – the smartphone has to be trained for specific models of printers, for example – and you could argue that it's easier to simply hack the computer controlling the printer.
But if someone just happened to leave a suitably equipped smartphone next to a printer, it could be used for some useful espionage. "Smartphones are so common that industries may let their guard down, thus creating a situation where intellectual property is ripe for theft," said Dr Chi Zhou, assistant professor in the uni's Department of Industrial and Systems Engineering, and another coauthor. There is one final problem. Presumably, if industrial espionage is the goal, then 94 per cent accuracy isn't going to be enough for a complex design – that six per cent is going to be the difference between a design that works and something that fails. But as a side-channel attack, the team's approach is inventive and hackers are going to be seeing if they can adapt some of the techniques in other hacking attacks.
The full research will be presented at next month's ACM Conference on Computer and Communications Security in Austria. ®