Bolstering Endpoint Security

By: John Maddison

For many organizations, endpoint security remains the weak link in their security strategy. While organizations are able to ensure that endpoint clients are installed on company-owned assets, security becomes more challenging when workers use their personal devices for work-related activities. The organizational risks introduced several years ago by BYOD have been compounded as the number of critical business applications and the volume of data being accessed have grown rapidly as a result of ongoing global digital transformation (DX) efforts.

Of course, not all endpoint devices are the same, and each requires a somewhat different approach. Traditional endpoint devices, even those owned by employees, can still be required to install a security client in order to access network resources. Likewise, handheld devices such as tablets and smartphones can be protected using mobile device management (MDM) solutions. And even the most primitive IoT devices can be secured using proximity-based protections.

Laying a proper endpoint security foundation

Like most security issues, success begins with laying the proper foundation. In the case of endpoint security, this begins with two fundamental strategies:

  • Organizations need to implement a comprehensive Network Access Control strategy. Any device seeking to access network resources needs to meet certain baseline requirements, such as being malware free. If it is a user-based device, it must also be patched and running a current version of any mandated security software. Once a device meets those criteria, it then needs to be assigned to specific network resources using a variety of contextual criteria, including the type of device, the business unit to which it or its user is assigned, the current status of the user, and even physical location or time of day.
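The baseline check and the contextual assignment described in the item above, written out as an added Python example (not the author's or any vendor's code): `posture_failures` applies the baseline (malware free; for user devices, also patched and running a current security client), and `assign_segment` maps a compliant device to a network segment from device type, business unit, user status, location and hour of day. The patch level, client version, segment names and sample inventory are placeholders chosen for the demonstration, not values from any NAC product.

```python
"""NAC baseline check plus context-based segment assignment (added example)."""
from dataclasses import dataclass

# Assumed organisational baseline (placeholders, not from the article): the
# oldest acceptable patch level and the minimum security-client version.
CURRENT_PATCH_LEVEL = "2024-06"        # compared as "YYYY-MM" strings
MIN_AGENT_VERSION = (7, 2, 0)
USER_DEVICE_TYPES = ("laptop", "desktop", "phone", "tablet")


@dataclass
class Endpoint:
    device_id: str
    device_type: str              # one of USER_DEVICE_TYPES or "iot"
    malware_free: bool
    patch_level: str = ""         # "YYYY-MM"; left empty for IoT devices
    agent_version: tuple = ()     # installed security client, () if none
    business_unit: str = ""       # unit the device or its user belongs to
    user_status: str = "active"   # "active", "contractor" or "terminated"
    location: str = "office"      # "office" or "remote"


def posture_failures(ep: Endpoint) -> list:
    """Baseline requirements; an empty list means the device is admissible."""
    failures = []
    if not ep.malware_free:
        failures.append("malware detected")
    # User devices must also be patched and run a current security client.
    if ep.device_type in USER_DEVICE_TYPES:
        if ep.patch_level < CURRENT_PATCH_LEVEL:
            failures.append("patch level out of date")
        if not ep.agent_version or ep.agent_version < MIN_AGENT_VERSION:
            failures.append("security client missing or outdated")
    return failures


def assign_segment(ep: Endpoint, hour_of_day: int) -> str:
    """Map an endpoint to a network segment from posture plus context."""
    if posture_failures(ep) or ep.user_status == "terminated":
        return "quarantine"               # remediation network only
    if ep.device_type == "iot":
        return "iot-isolated"             # IoT never shares a segment with users
    if ep.user_status == "contractor":
        return "contractor"
    on_site_business_hours = ep.location == "office" and 7 <= hour_of_day < 19
    if ep.business_unit == "finance":
        # Sensitive finance systems only from the office during business hours.
        return "finance-restricted" if on_site_business_hours else "finance-general"
    return "corp"


# Constructed sample inventory, not real devices.
SAMPLE_ENDPOINTS = [
    Endpoint("lt-001", "laptop", True, "2024-06", (7, 3, 1), "finance"),
    Endpoint("lt-002", "laptop", True, "2024-06", (7, 3, 1), "finance", location="remote"),
    Endpoint("lt-003", "laptop", True, "2024-01", (7, 3, 1), "engineering"),
    Endpoint("ph-004", "phone", True, "2024-06", (7, 2, 0), "sales", user_status="contractor"),
    Endpoint("lt-005", "laptop", False, "2024-06", (7, 3, 1), "engineering"),
    Endpoint("cam-006", "iot", True),
]


def evaluate_inventory(hour_of_day: int) -> dict:
    """Decide a segment for every sample endpoint at the given hour."""
    return {ep.device_id: assign_segment(ep, hour_of_day) for ep in SAMPLE_ENDPOINTS}


if __name__ == "__main__":
    for dev_id, segment in evaluate_inventory(10).items():
        print(f"{dev_id}: {segment}")
```

The posture check runs before any contextual rule, so a device that fails the baseline lands in quarantine regardless of who owns it; the contextual rules then only ever widen access for devices that have already passed.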


iPhone Hacking Campaign Using MDM Software Is Broader Than Previously Known

By: Swati Khandelwal

An India-linked, highly targeted mobile malware campaign, first unveiled two weeks ago, has been found to be part of a broader campaign targeting multiple platforms, including Windows devices and possibly Android as well.

As reported in our previous article, earlier this month researchers at the Talos threat intelligence unit discovered a group of Indian hackers abusing a mobile device management (MDM) service to hijack and spy on a few targeted iPhone users in India.

Operating since August 2015, the attackers have been found abusing the MDM service to remotely install malicious versions of legitimate apps, including Telegram, WhatsApp, and PrayTime, onto targeted iPhones.

These modified apps have been designed to secretly spy on iOS users, and steal their real-time location, SMS, contacts, photos and private messages from third-party chatting applications.

During their ongoing investigation, Talos researchers identified a new MDM infrastructure and several malicious binaries – designed to target victims running Microsoft Windows operating systems – hosted on the same infrastructure used in previous campaigns.

  • Ios-update-whatsapp[.]com (new)
  • Wpitcher[.]com

“We know that the MDM and the Windows services were up and running on the same C2 server in May 2018,” researchers said in a blog post published today.

“Some of the C2 servers are still up and running at this time. The Apache setup is very specific, and perfectly matched the Apache setup of the malicious IPA apps.”


Possible Connections with “Bahamut Hacking Group”

Hackers Used Malicious MDM Solution to Spy On ‘Highly Targeted’ iPhone Users

By: Swati Khandelwal


Security researchers have uncovered a “highly targeted” mobile malware campaign that has been operating since August 2015 and found spying on 13 selected iPhones in India.

The attackers, who are also believed to be operating from India, were found abusing the mobile device management (MDM) protocol—a type of security software used by large enterprises to control and enforce policies on devices used by their employees—to control and deploy malicious applications remotely.

Enrolling an iOS device in an MDM requires the user to manually install an enterprise development certificate, which enterprises obtain through the Apple Developer Enterprise Program.

Companies can deliver the MDM configuration file through email or a webpage for over-the-air enrollment, or by using Apple Configurator.

Once a user installs it, the service allows company administrators to remotely control the device, install or remove apps, install or revoke certificates, lock the device, change password requirements, and so on.

“MDM uses the Apple Push Notification Service (APNS) to deliver a wake-up message to a managed device. The device then connects to a predetermined web service to retrieve commands and return results,” Apple explains about MDM.

Since each step of the enrollment process requires user interaction, such as installing a certificate authority on the iPhone, it is not yet clear how attackers managed to enroll 13 targeted iPhones into their MDM service.

However, researchers at Cisco’s Talos threat intelligence unit, who discovered the campaign, believe that the attackers likely used either a social engineering mechanism, like a fake tech support-style call, or physical access to the targeted devices.
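The enrollment flow described above (a configuration profile that points the device at an MDM server, sometimes alongside a certificate authority the user is asked to trust) is something a defender can inspect before the profile is installed. The following Python is an added example, not code from Talos, Apple or either article: it builds a constructed sample profile with `plistlib`, then checks the `ServerURL` and `CheckInURL` host of each `com.apple.mdm` payload against the defanged indicators listed in the earlier article and against an assumed allowlist of approved MDM hosts, and flags any `com.apple.security.root` payload. The Apple payload key names are real; the trusted host name, UUIDs, `Topic` and certificate bytes are placeholders.

```python
"""Inspect an iOS MDM enrollment profile before it is trusted (added example)."""
import plistlib
from urllib.parse import urlparse

# Indicators quoted in the article, defanged as published.
ARTICLE_IOCS = ["ios-update-whatsapp[.]com", "wpitcher[.]com"]
# Assumed: the only MDM host the organisation has approved (placeholder name).
TRUSTED_MDM_HOSTS = {"mdm.example-corp.invalid"}


def refang(indicator: str) -> str:
    """Turn a published 'example[.]com' indicator back into a comparable host."""
    return indicator.replace("[.]", ".").lower()


def build_sample_profile(mdm_host: str, include_root_ca: bool) -> bytes:
    """Constructed enrollment profile for the demo; not a real captured profile.

    The key names (PayloadContent, com.apple.mdm, ServerURL, CheckInURL, Topic,
    AccessRights, com.apple.security.root) are Apple's; the values are placeholders.
    """
    payloads = [{
        "PayloadType": "com.apple.mdm",
        "PayloadIdentifier": "com.example.mdm",
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",
        "PayloadVersion": 1,
        "ServerURL": f"https://{mdm_host}/mdm/server",
        "CheckInURL": f"https://{mdm_host}/mdm/checkin",
        "Topic": "com.apple.mgmt.External.PLACEHOLDER",
        "AccessRights": 8191,
    }]
    if include_root_ca:
        payloads.append({
            "PayloadType": "com.apple.security.root",
            "PayloadIdentifier": "com.example.rootca",
            "PayloadUUID": "00000000-0000-0000-0000-000000000002",
            "PayloadVersion": 1,
            "PayloadContent": b"\x30\x82\x00\x00",  # placeholder, not a real certificate
        })
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.enroll",
        "PayloadDisplayName": "Security Update",
        "PayloadUUID": "00000000-0000-0000-0000-000000000000",
        "PayloadVersion": 1,
        "PayloadContent": payloads,
    }
    return plistlib.dumps(profile)


def inspect_profile(profile_bytes: bytes, trusted_hosts=TRUSTED_MDM_HOSTS,
                    iocs=ARTICLE_IOCS) -> dict:
    """Report where the profile will send the device and whether that is acceptable."""
    profile = plistlib.loads(profile_bytes)
    ioc_hosts = {refang(i) for i in iocs}
    servers, findings = [], []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype == "com.apple.mdm":
            # Both URLs decide which server the device will poll for commands.
            for key in ("ServerURL", "CheckInURL"):
                host = (urlparse(payload.get(key, "")).hostname or "").lower()
                servers.append(host)
                if host in ioc_hosts:
                    findings.append(f"{key} host {host} matches a published indicator")
                elif host not in trusted_hosts:
                    findings.append(f"{key} host {host} is not an approved MDM server")
        elif ptype == "com.apple.security.root":
            # A root CA controlled by the enrolling party can issue certificates
            # the device will trust, so it deserves a finding of its own.
            findings.append("profile installs a root CA certificate")
    return {
        "display_name": profile.get("PayloadDisplayName"),
        "mdm_servers": sorted(set(servers)),
        "findings": findings,
        "verdict": "block" if findings else "allow",
    }


if __name__ == "__main__":
    for host, root in (("ios-update-whatsapp.com", True),
                       ("mdm.example-corp.invalid", False)):
        print(inspect_profile(build_sample_profile(host, root)))
```

The display name ("Security Update" in the constructed sample) is deliberately reported alongside the verdict: it is the only thing the user sees in the installation prompt, and it says nothing about where the device will actually check in.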