Robins Newsletter #98

3 May 2020. Volume 3, Issue 18
Mobile device management as a vector, turning antivirus against itself and ransomware's long game

This week

Mobile Device Management software used to deploy Android malware

Check Point is reporting a security incident where attackers managed to infect over 75% of a ‘multinational conglomerate’s’ Android smartphones and tablets with the Cerberus malware. It’s interesting because it’s the first time I’ve heard of attackers using an organisation’s Mobile Device Management (MDM) platform to deploy malware.

MDM solutions are intended to manage the installation of apps and the configuration of company-owned and staff Bring Your Own Device (BYOD) smartphones and tablets. They can often remote-wipe devices and access geo-location data too.

MDM as a target for this type of activity makes sense: ransomware groups have been simplifying their malware and removing auto-propagation features in favour of using enterprise IT administration tools.

If, as an attacker, you’ve got access to an organisation’s mobile devices, you’ll likely be able to access ‘soft’ authenticator app or SMS tokens. You’ll then be able to try re-used credentials from other breaches to gain access to corporate systems.

And guess what… The Cerberus malware was updated earlier in the year adding capabilities to capture those very MFA codes.

I think it is likely that more groups will adopt this tactic to help compromise company targets. So I’d strongly recommend all organisations review their MDM solutions, and how administrator access to the platform is secured, in the coming weeks. Make sure administrator accounts use unique passwords and are also secured with MFA.

Interesting stats

  • 119 vulnerabilities to manage for a typical Windows endpoint in any given month, with 71% of Windows devices having at least one high-risk vulnerability, and a 36-day average ‘half-life’ for a Windows vulnerability, compared to 253 days for a Linux vulnerability and 369 days for a vulnerability in a network appliance. Overall… 45% of all vulnerabilities are patched within one month, according to research from Kenna Security
  • $111,605 median ransomware payment in Q1 2020, up from $12,762 (an 8.7x increase) in Q1 2019, according to Coveware
  • 3 Securities and Exchange Commission filings mentioned ransomware in 2014, rising to 1,139 five years later in 2019
  • 200,000 daily brute-force attacks against Remote Desktop (RDP) servers in March 2020, rising to 1,200,000 (a 6x increase) in April 2020, according to Kaspersky
  • $6 average price for a compromised RDP server in 2017, according to IC3

Other newsy bits

Turning antivirus against itself

Antivirus software has been around for a long time and remains an important part of many security defences. Despite the maturity of the AV industry, many of the software offerings have repeatedly been shown to have pretty serious security vulnerabilities in them. In part this is because they need to operate at an elevated privilege level, and perhaps in part because they are quite long in the tooth, with codebases that pre-date modern software engineering practices.

This piece of research from Rack911 Labs is beautifully simple and turns the AV software against itself. They use directory junctions and symbolic links to exploit a gap, or race condition, between the time a file is determined to be bad by the scanning component and the time it is removed by the clean-up component. Essentially the AV ends up using its elevated ‘admin’ permissions to remove files belonging to the operating system or to the AV software itself, disabling it in the process.

Disabling security controls, such as AV, to avoid detection is usually high on the list of threat actors’ priorities after they break into a new computer system. The majority of AV vendors have now patched the issue in their products.
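The detection-to-cleanup window described above, as an added example that is not from the Rack911 Labs research or any vendor’s product: a path-based delete next to a handle-based one, both run against a constructed temp tree on POSIX (the marker string, file names and the `race` hook are assumptions; Windows junctions are the equivalent of the directory symlink used here).

```python
import os
import tempfile
MARKER = b"CONSTRUCTED-BAD-FILE"  # stand-in for a scanner verdict, not real malware

def looks_bad(fd):
    """Verdict taken from an open handle, so the bytes checked are the bytes acted on."""
    return os.pread(fd, len(MARKER), 0) == MARKER

def naive_cleanup(path, race):
    """Vulnerable pattern: verdict by path, later os.remove() by the same path. A directory
    swapped for a symlink (a junction on Windows) in between redirects the privileged delete."""
    with open(path, "rb") as f:
        bad = looks_bad(f.fileno())
    race()  # the detection-to-cleanup window
    if bad:
        os.remove(path)

def handle_cleanup(path, race):
    """Hardened pattern: pin the parent directory by handle, scan through it, and unlink
    relative to it only if the file's (st_dev, st_ino) identity is unchanged."""
    parent, name = os.path.split(path)
    dirfd = os.open(parent, os.O_RDONLY | os.O_DIRECTORY)
    try:
        with os.fdopen(os.open(name, os.O_RDONLY | os.O_NOFOLLOW, dir_fd=dirfd), "rb") as f:
            seen, bad = os.fstat(f.fileno()), looks_bad(f.fileno())
        race()
        if not bad:
            return
        now = os.stat(name, dir_fd=dirfd, follow_symlinks=False)
        if (now.st_dev, now.st_ino) != (seen.st_dev, seen.st_ino):
            raise RuntimeError("file changed between scan and removal; refusing to delete")
        os.unlink(name, dir_fd=dirfd)  # resolves inside the pinned directory only
    finally:
        os.close(dirfd)

def demo(cleanup):
    """Constructed race in a temp tree: the scan directory becomes a symlink to a directory
    holding a benign file of the same name. Reports which files survive."""
    root = tempfile.mkdtemp()
    scan, victim = os.path.join(root, "scan"), os.path.join(root, "victim")
    for d, data in ((scan, MARKER), (victim, b"benign")):
        os.mkdir(d)
        with open(os.path.join(d, "f.bin"), "wb") as f:
            f.write(data)
    def swap():  # the directory swap that happens inside the window
        os.rename(scan, scan + ".moved")
        os.symlink(victim, scan)
    cleanup(os.path.join(scan, "f.bin"), swap)
    return {"victim_intact": os.path.exists(os.path.join(victim, "f.bin")),
            "bad_removed": not os.path.exists(os.path.join(scan + ".moved", "f.bin"))}
```

`demo(naive_cleanup)` deletes the benign file and leaves the flagged one in place; `demo(handle_cleanup)` removes only the file that was actually scanned.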

A hat tip to Georgios from Jagex for this story. He’s currently hiring, if you’re looking for a SecOps engineering role, based in Cambridge (UK):

The ransomware long game

An interesting read from Lily Hay Newman at Wired looking at the groundwork for ransomware attacks currently being inflicted on organisations, and hospitals, around the world. Tactics are changing all the time and there has been a trend towards greater manual orchestration of attacks to inflict damage at a time when an organisation will be most likely to pay up. Robbinhood, Maze and REvil groups have all been seen lurking on systems for weeks and months before pulling the trigger on their malware to encrypt files.

That means two things:

  1. The current attacks were likely instigated before, or during the early stages of the Coronavirus (COVID-19) pandemic, and
  2. Any spike due to poorly configured remote working solutions following lockdown and isolation measures will occur in the future

Chainalysis, who track cryptocurrency payments, say they have seen a decrease in ransomware payments during the pandemic.

Stop using whitelist and blacklist

A worthwhile blog post from NCSC this week: stop using whitelist and blacklist, and start calling them allow list and block list. It’s more inclusive. And explicitly saying something is allowed or denied is much clearer than applying a colour code.

In brief

Attacks, incidents & breaches

  • Sheffield City Council left 8.6M automatic number-plate recognition (ANPR) records exposed in a password-less camera management dashboard
  • 15M records leaked from Indonesia’s largest e-commerce site, Tokopedia
  • Maze ransomware group claim to have stolen details of 4M credit cards from state-owned Bank of Costa Rica, Banco BCR
  • FT reporter accused of eavesdropping on Zoom meetings of rival newspapers

Threat intel

  • Consumer investors being targeted to sell shares and withdraw money from their investments in phishing and smishing campaigns
  • New banking trojan EventBot being tested ahead of potential attacks on European banks and cryptocurrency exchanges
  • Nation-states are still sneaking Android spyware apps onto the Google Play store to give authenticity to their campaigns
  • Fake emails from US Small Business Administration (SBA) install remote access trojan on companies seeking coronavirus aid


  • Critical vulnerability in Oracle WebLogic being actively exploited
  • Bug in Microsoft Teams patched that allows data theft via malicious GIF files

Security engineering

  • Both the NSA and Mozilla have published reviews of video conferencing services this week: (PDF)
  • US Cybersecurity and Infrastructure Security Agency publishes revised recommendations to secure Microsoft Office 365
  • Epic Games mandates MFA for all accounts wanting to redeem free games. The games co. has previously offered in-game items to incentivise uptake


  • Contact tracing goes corporate: PwC is building a contact tracing app, says “US businesses are going to have to [tell employees]: If you’re going to come back to the work environment, you need this app on your phone.” Expect to see a lot more of this.
  • Default web browser on Xiaomi mobile devices collecting full web browsing history, apparently including while in incognito mode, that can be ‘very easily correlated with a specific user’ (Xiaomi response)

Public policy

  • Citing cyber security concerns, the White House bans US power grid from buying electrical equipment manufactured outside the country
  • “[A]ll NSO allegedly did was send the wrong kind of message over WhatsApp’s servers. That is not a CFAA violation” in the latest WhatsApp vs NSO Group filing

And finally

Twenty years since ILOVEYOU

You’re likely reading this 20 years to the day since a different kind of pandemic was spreading around the world. The ILOVEYOU, or Love Bug, worm used email address books to spread like wildfire. Over 50 million devices, or approximately 10% of the Internet, were believed to be infected at some point. Damages of $5.5-8.7 billion were estimated. Many organisations, including the UK Parliament and the CIA, shut down email systems to prevent infection. The BBC tracked down Love Bug’s author, Onel de Guzman, to a repair shop in the Philippines.
