Our thoughts on an eventful year in mobile security
2022 has been an eventful year in mobile security. Continued concerns about Pegasus and other sophisticated malware, the rise in sms phishing campaigns targeting organizations, and the regular discovery of new vulnerabilities in iOS and Android have dominated our conversations with customers, analysts, and partners throughout the year. And all against the drumbeat of war in Europe for the first time in generations. There’s quite a bit to cover in this year’s review.
Our word of the year …smishing
Smishing continues to be the most frequent cyberthreat facing users of iOS and Android phones and tablets. In the United States, the FBI, the Federal Communications Commission , and the Internal Revenue Service all had reason to issue warnings about the massive increase in phishing texts in 2022.
While the vast majority of such text scams target consumers, we have observed significant growth in spear-smishing: campaigns targeting employees of specific organizations. In August, we learned that such an attack led to a breach at Twilio, the large global messaging service provider. Twilio’s incident report gives a good account of what happened next:
“In mid-July 2022, malicious actors sent hundreds of smishing text messages to the mobile phones of current and former Twilio employees (the “Smishing Incident”). The malicious actors posed as Twilio IT or other administrators and urged users to click on what appeared to be password-reset and other links. The links led to fake Okta login pages for Twilio. These fake pages were hosted on domains created by malicious actors, such as twilio-sso.com, twilio.net, twilio.org, sendgrid-okta.org, twilio-okta.net, and twilio-okta.com. Some Twilio employees entered their credentials on these fake pages. The malicious actors then used the credentials of these Twilio employees to access internal Twilio administrative tools and applications to access certain customer information.”
While we don’t know why multifactor authentication was not enabled on Twilio’s accounts, we do know that MFA is not the panacea that some believe.
During the year, we saw attackers using the adversary-in-the-middle (AITM) attack technique to undermine MFA by stealing authentication cookies. Instead of directing a victim to a fake login page, these attacks direct the victim to a server controlled by the attacker. This server acts as a proxy for the legitimate login page. The user enters their credentials in the normal way, successfully completes the second-factor challenge and is granted access to their application. However, in the background, the attacker copies the authentication cookie generated as part of this process. This gives the attacker access to the victim’s account for up to 90 days.
And all of this done in a way which leaves the victim and their organization completely unaware of the compromise. You can learn more about this attack technique here.
What has made this type of attack more widespread is the emergence on the darkweb of phishing toolkits and infrastructure from groups including Modlishka, Necrobrowser, Evilginx2, and Evilproxy, which incorporate the “Adversary in the Middle” capability.
Zero-day, zero security
2022 was notable for the number of zero-day vulnerabilities discovered in iOS and Android.
As recently as November, a security researcher discovered a simple to execute hack for bypassing passcodes on Android phones. Apple released ten patches for high-severity zero-day vulnerabilities across a number of its key software products over the course of the year. While no details were provided about exactly where and how these vulnerabilities had been exploited, Apple did admit that they were aware that this had happened in a number of cases.
Pegasus and its clones
And what do we know about the kind of organization capable of uncovering and exploiting such security gaps ? Investigations by Meta and hearings by the European Parliament into the activities of the NSO Group (the organization responsible for the notorious Pegasus spyware used by a range of governments to target political opponents) shed light on the broader spyware for hire industry.
Hermit and Predator were two of the new brands of spyware that we learnt about. A range of companies compete with NSO including Cobwebs, Cytro and Belltrox. Political scandals related to the use of such surveillanceware erupted in a number of countries, including Spain and Greece.
The drumbeat of war
But the geopolitical event of the year was, of course, the Russian invasion of Ukraine. This heralded a new era of naked geopolitical rivalry. Added to this was a more confrontational tone to relations between the US and China, with tensions over Taiwan and stringent restrictions on Chinese access to advanced semiconductor technology. All of this matters to those of us who work in cybersecurity. Cyberattacks backed by the resources of large nation-states have now to be considered the norm rather than the exception. Such attacks are doubly dangerous. The level of effort that an attacker is prepared to expend is no longer related to the potential financial gain. The objective is no longer confined to financial gain but is often focused on trying to disrupt the smooth functioning of society by, for example, targeting energy and communications infrastructure, retail supply chains or public services such as healthcare and education.
Innovation and expansion
Against this backdrop, it’s good to report Corrata’s progress in improving the security of mobile devices.
Our sales and marketing team and those of our partners, such as AT&T Firstnet and Three UK and Ireland, continue to drive the adoption of our technology by organizations across a range of industries, including healthcare, government, finance, manufacturing and professional services. Our security researchers and product team have delivered a range of new protections, each of which represents firsts for our industry. Organizations using Corrata can benefit from the ability to block traffic from specific ports, IP addresses or IP address ranges (including specific geo’s). These features are critical to protecting against the kind of sophisticated spyware and nation-state threats which have been so central to the story of mobile security in 2022.
We continue to lead the way in protecting against smishing with a detection rate of 3x our competitors. And our commitment to making sure that sensitive traffic cannot be tampered with has been significantly strengthened with a range of new features which defend against network interception.
The team at Corrata will continue to work hard to extend the state-of-the-art and drive adoption of mobile threat defense in 2023. In the meantime, we look forward to some well-earned rest over the holiday season!