CYBER NEWS

iPhone Users Under Highly Targeted Attack Leveraging the MDM Protocol

A highly targeted malware campaign aimed at iPhone users in India has been discovered by Cisco Talos security researchers. The campaign has been active since August 2015 and has been spying on 13 specific iPhones. The attackers, who were most likely operating from India (although posing as Russians), were leveraging the devices' MDM protocol.

How Were the Attackers Exploiting the MDM Protocol?

MDM (mobile device management) is a piece of security software used by large companies to monitor employee devices. In this campaign, the MDM protocol was used by remote users (the attackers) to deploy malicious operations.

As explained by Apple, MDM is designed to use the Apple Push Notification Service (APNS) to deliver a wake-up message to a managed device. The device then connects to a predetermined web service to retrieve commands and return results.

Companies can deliver the MDM configuration file via email or through a webpage for the so-called over-the-air enrollment service with the help of Apple Configurator. Once installed, the service allows company admins to remotely control the device: install or remove apps, install or revoke certificates, lock the device, and change password requirements, among other activities.

It is still unknown how the attackers succeeded in compromising the 13 targeted iPhones. As explained, the MDM enrollment process depends on user interaction, so the researchers suspect that social engineering techniques were employed to trick the targeted users into enrolling.

Related story: Apple patch fixes critical vulnerability in High Sierra (CVE-2017-7149)

It is very likely that the attackers used the MDM service to remotely install modified versions of legitimate apps onto the targeted iPhones. The apps were designed to spy on users and harvest their real-time location, contacts, photos, SMS, and private messages from messaging apps. More specifically, to leverage apps such as Telegram and WhatsApp, the attackers used the so-called “BOptions sideloading technique,” which enabled them to inject a dynamic library into the legitimate apps.

“The injection library can ask for additional permissions, execute code and steal information from the original application, among other things,” Cisco Talos researchers explained in their report. All information harvested from Telegram and WhatsApp was sent to a remote server.

It should be noted that by the time the report was finalized, Apple had already revoked 3 certificates linked to this campaign, and it cancelled the remaining certificates after Cisco Talos notified them of the attack.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the project's beginning. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
