With over 1.45 billion compromised accounts, emails, social security numbers, dates of birth, and other data types, March was the biggest month for exposed data this year.
Seventeen companies reported data breaches in March, totaling 1,449,373,000 breached accounts. Major companies, including Saks Fifth Avenue, Coupa, and McDonald’s (Canada), experienced data loss. However, according to email marketing organization River City Media’s public reports, the organization took the biggest hit with 1.4 billion exposed email addresses. That’s over 96% of the total breached accounts for the month.
Today, Lookout and Google are releasing research into the Android version of one of the most sophisticated and targeted mobile attacks we’ve seen in the wild: Pegasus.
A “cyber arms dealer” named NSO Group developed the Pegasus malware, which jailbreaks or roots target devices to surveil specific targets. Last summer, after being tipped off by a political dissident in the UAE, Citizen Lab brought Lookout in to further investigate Pegasus. In August 2016, Lookout, with Citizen Lab, published research about the discovery of the iOS version of this threat. What we discovered was a serious mobile spyware operation that has since been reportedly used to target Mexican activists, according to The New York Times.
Google calls this threat Chrysaor, the brother of Pegasus. For simplicity, we’ll reference this as Pegasus for Android. Names aside, the threat is clear: NSO Group has sophisticated mobile spyware capabilities across a number of operating systems that are actively being used to target individuals.
Lookout enterprise and personal customers are protected from this threat.
Enterprises are actively transitioning from desktop and server environments to mobile and cloud ones. This should come as no shock to anyone in an enterprise IT or security function. Mobile devices are in every employees’ hand. Corporate architectures are app-centric, with employees downloading mobile apps without IT vetting.
Cybercrime goes where the value is and the value is increasingly going to be in the data that sits in cloud services and the mobile devices that access them.
Paying attention now can help you be in a much better security position later.
“You know, when a CSO thinks through priorities — it’s a tough job. [They need to] to balance the kinds of things that require a lot of intense concentration, real deep problems in infrastructure … with the day-to-day things that could be just as important.”
Ed Amoroso would know. Ed served for 12 years as CSO at AT&T and is now the CEO of TAG Cyber. He started his career at Bell Labs in Unix security R&D over 30 years ago.
The scammers abused the handling of pop-up dialogs in Mobile Safari in such a way that it would lock out a victim from using the browser. The attack would block use of the Safari browser on iOS until the victim pays the attacker money in the form of an iTunes Gift Card. During the lockout, the attackers displayed threatening messaging in an attempt to scare and coerce victims into paying.
However, a knowledgeable user could restore functionality of Mobile Safari by clearing the browser’s cache via the the iOS Settings — the attack doesn’t actually encrypt any data and hold it ransom. Its purpose is to scare the victim into paying to unlock the browser before he realizes he doesn’t have to pay the ransom to recover data or access the browser.
Lookout found this attack in the wild last month, along with several related websites used in the campaign, discovered the root cause, and shared the details with Apple. As part of the iOS 10.3 patch released today, Apple closed the attack vector by changing how Mobile Safari handles website pop-up dialogs, making them per-tab rather than taking over the entire app. We are publishing these details about the campaign upon the release of iOS 10.3.
2016 was the year mobile risk reduction became a necessity for global enterprises. Controlling mobile access to corporate data is now a top priority and proactive CISOs are selecting Lookout to accelerate secure mobility in the workplace.
This increase in customer orders drove Lookout to triple our billings year over year in 2016 compared to 2015 for Mobile Endpoint Security. To date, more than 150 enterprises, including top financial services institutions, technology leaders, healthcare providers, professional services firms, and large government agencies, are using Lookout Mobile Endpoint Security. Lookout also more than tripled the number of channel partnerships year over year, and we’re now working with over 80 distributors globally, including new partnerships with Carahsoft, Docomo, Ingram Micro, CDW, SHI, Synergie, and Netrix.
Lookout tracks breaches related to companies and services that may impact customers with our Breach Report feature. Breach Report looks at the largest companies globally, and reports on those breaches to provide customers the most relevant information. It also provides remediation actions to help keep them safe. Interested in getting Breach Report? Upgrade to Premium now.
Attackers successfully breached 15 companies from a wide range of industries including retail, transportation, government services, hospitality, technology, gaming, and more. Among them, the biggest names included popular music festival Coachella, restaurant chain Arby’s, and the InterContinental Hotel Group. In the process, attackers were able to compromise nearly 7 million accounts, according to public reports of these incidents.
The graphic above appears in Gartner’s report, Market Guide for Mobile Threat Defense (MTD) Solutions*. I believe a comprehensive mobile security solution must cover all four of these quadrants and enterprises should look for single solutions that cover all aspects addressed by MTD + MARS.
In my conversations with CISOs, I repeatedly hear that one of the biggest issues they have is too many security products. They usually express different versions of, “I’ve got 50 different vendors and 50 different security products, and I simply can’t afford the personnel that I need to manage 50 different products.” I’m happy to share that at Lookout, our Mobile Endpoint Security solution is already a united single offering with capabilities that are usually considered separate parts of Mobile Threat Defense (MTD) and Mobile App Reputation Solutions (MARS) products.
ViperRAT is an active, advanced persistent threat (APT) that sophisticated threat actors are actively using to target and spy on the Israeli Defense Force.
The threat actors behind the ViperRAT surveillanceware collect a significant amount of sensitive information off of the device, and seem most interested in exfiltrating images and audio content. The attackers are also hijacking the device camera to take pictures.
Using data collected from the Lookout global sensor network, the Lookout research team was able to gain unique visibility into the ViperRAT malware, including 11 new, unreported applications. We also discovered and analyzed live, misconfigured malicious command and control servers (C2), from which we were able to identify how the attacker gets new, infected apps to secretly install and the types of activities they are monitoring. In addition, we uncovered the IMEIs of the targeted individuals (IMEIs will not be shared publicly for the privacy and safety of the victims) as well as the types of exfiltrated content.
In aggregate, the type of information stolen could let an attacker know where a person is, with whom they are associated (including contacts’ profile photos), the messages they are sending, the websites they visit and search history, screenshots that reveal data from other apps on the device, the conversations they have in the presence of the device, and a myriad of images including anything at which device’s camera is pointed.
Cyber war is a term the U.S. government is intimately familiar with, but woefully unprepared for when it comes to mobile.
Government employee mobile devices are a relatively new attack surface, and a particularly valuable one for espionage missions and other criminal intent. Mobile devices access confidential, classified, and other protected data classes. At this point, that’s just a fact. Both CSIS and the Presidential Cyber Commision acknowledge that mobile is no longer a fringe technology, but a central instrument that allows employees to get their jobs done.
Protecting data on mobile is non-negotiable and the responsibility of federal technology and security leaders across the entire government.
There are five principles any federal agency or organization must use to build a mobile security strategy. To forego such a strategy directly puts sensitive government data at risk.