Black Hat USA 2014 - A Practical Attack Against Virtual Desktop Infrastructure (VDI)

Black Hat USA 2014 - A Practical Attack Against Virtual Desktop Infrastructure (VDI)

• 1.
  Practical Attacks against VirtualDesktop Infrastructure (VDI) Solutions Michael Shaulov, CEO Daniel Brodie, Sr. Security Researcher Lacoon Mobile Security Lacoon Mobile Security 1
• 2.
  About Daniel §  10years of security research §  From PC to Mobile §  Researcher and developer at Lacoon Mobile Security §  Developing a virtual execution-based app behavioral analysis framework of mRATs and mobile malware §  Analysis of iOS and Android vulnerabilities and exploits §  BH 2013: “A Practical Attack against Mobile Device Management (MDM) Solutions” Lacoon Mobile Security 2
• 3.
  About Michael §  Decadeof experience researching and working in the mobile security space §  From feature-phones to smartphones §  Mobile Security Research Team Leader for Defense Contractors §  CEO and co-founder of Lacoon Mobile Security §  BH EU, BH USA, RSA Conf, GovWare … Lacoon Mobile Security 3
• 4.
  Quick Disclaimer This talkis NOT about: §  Dismiss VDI value as an enterprise mobile solution §  Specific vendor implementation This talk is about: §  Quantify risks that can compromise VDI sessions §  Provide a framework to assess and mitigate the risks Lacoon Mobile Security 4
• 5.
  Agenda §  Mobile VDI101 §  Practical Mobile Threats against VDI §  Augmenting VDI with Defense-in- Depth Mobile Security §  Conclusions Threat 2 Grabbing credentials locally / Android Threat 3 Screen-scraping/ Android Threat 4 MitM Session Hijacking / iOS Lacoon Mobile Security 5 In the Wild mRAT Key-loggers / AndroidThreat 1
• 6.
  Mobile VDI 101 LacoonMobile Security 6
• 7.
  Mobile VDI Motivation KeyRequirements for BYOD / CYOD §  Enablement §  DLP / Lost Device §  Intrusion Lacoon Mobile Security 7
• 8.
  Enablement Simplify IT supportof BYO devices It can meet the increasing demand for BYO initiatives by delivering apps and desktops as an on-demand service. Lacoon Mobile Security 8
• 9.
  DLP / LostDevice X No content is saved on the device On-demand session Lacoon Mobile Security 9
• 10.
  Intrusion “Virtual desktop securityto protect sensitive information Centrally secured virtual desktops and apps in the datacenter reduce the risk of data loss or intrusion when delivered to any device. Corporate access remains secure while intellectual property and sensitive private information stays safe.” Good Marketing Lacoon Mobile Security 10
• 11.
  VDI Architecture -Example Lacoon Mobile Security 11
• 12.
  VDI Players 2 majormobile VDI enterprise players: §  Citrix §  VMware Lacoon Mobile Security 12
• 13.
  Threats to MobileVDI Solutions Lacoon Mobile Security 13
• 14.
  Threat 1 Using anmRAT for its Keylogging Capabilities Lacoon Mobile Security 14
• 15.
  Emails App Data Contact Lists,Call & Text Logs What is a Mobile Remote Access Trojan (mRAT) Key Logger Screen Scrapper Memory Scrapping Files and Photos Microphone and Camera Track Location Lacoon Mobile Security 15
• 16.
  Recent High-Profiled Examples LacoonMobile Security 16
• 17.
  mRAT Spectrum $300K-$12M Government ->Terrorists / Activists Free - $300 Cybercriminal -> ? Free - $100 Everyone -> Everyone Surveillance / Monitoring ToolsDarknet mRATsGov / Mil mRATs Lacoon Mobile Security 17
• 18.
  mRAT Spectrum $300K-$12M Government ->Terrorists / Activists Free - $100 Everyone -> Everyone Surveillance / Monitoring ToolsGov / Mil mRATs Lacoon Mobile Security 18 “Hacking Team is really a very basic software with a public payload based on CVE bugs PUBLIC. Not different than any commercial spyware on internet. Even with lower features.” -- Mobile Malware Google Group
• 19.
  19 Lacoon Mobile Security CommercialSurveillance Software
• 20.
  Data sample Mobile devicescommunicating through corporate WiFi access points, connected to the Checkpoint firewall Traffic from 95 gateways (~90 enterprises) 20 Lacoon Mobile Security Survey: mRATs in the Enterprise A Lacoon-Checkpoint Research
• 21.
  21 Lacoon Mobile Security Survey:mRATs in the Enterprise A Lacoon-Checkpoint Research mRAT Network Signatures CP Threat Cloud
• 22.
  22 Lacoon Mobile Security Howcommon are mobile threats in the Enterprise? % By Country 41.8 6.6 5.3 4.9 4.9 3.9 3.3 US MX NO TM EC FR BR Key Findings: Number of infected Devices •  290 •  Median: 2 infected devices / enterprise mRATS found •  16 used •  Most common: Spy2Mobile, Mspy, Mobile Spy, Bosspy Types of OS •  90% Android •  10% iOS Country infection rates •  Spread across 30 countries
• 23.
  The full reportcoming soon… Stay tuned @LacoonSecurity. Survey: mRATs in the Enterprise A Lacoon-Checkpoint Research 23 Lacoon Mobile Security
• 24.
  Lacoon Mobile Security 24 Recap § Looked at the two solutions §  Test servers (citrixcloud, pivot3’s testdrive) §  Vmware is more of a slim VDI while Citrix has additional capabilities §  Very configurable §  Both provide a myriad of clients and logging in capabilities
• 25.
  Lacoon Mobile Security 25 Threat1 Using a Widely Popular mRAT on an Android-based Device §  Keylogging for data or authentication info §  mSpy §  Lacoon-Checkpoint “mRATs in the Enterprise” survey §  Mostly used in the enterprise §  Detected in 19 countries, such as USA, Britain, and France Cost: >$50
• 26.
  26 Lacoon Mobile Security mSpy
• 27.
  Different Keylogging options § Repackage keyboard – done on SwiftKey in 2013 §  Used by mRAT’s as a custom keyboard §  MitM on the active input method – grant yourself the BIND_INPUT_METHOD permission §  Pretty complicated and requires elevated privileges §  Input Manager Service is a native process, hooking it at the InputDispatcher- >dispatchOnce will give you access to all input events §  Practically all Android ROMs use default symbol visibility 27 Lacoon Mobile Security
• 28.
  Threat 2 Grabbing CredentialsLocally on Android 28 Lacoon Mobile Security
• 29.
  Threat 2 Grabbing CredentialsLocally on Android §  Keylogging has it’s own problems §  Target the client itself to grab whatever credentials you need Lacoon Mobile Security 29
• 30.
  Threat 2 Grabbing CredentialsLocally on Android 1.  Run a Privilege Elevation vulnerability 1.  TowelRoot (CVE-2014-315), VROOT (CVE-2013-6282),… 2.  Exploit does not leave identifiable root marks 2.  Enable jdwp debugging on all the apps installed on the device 3.  Connect as a debugger to the VDI client 4.  Set a breakpoint on a function that handles the credentials Lacoon Mobile Security 30
• 31.
  31 Lacoon Mobile Security Debuggingthe Session against the VDI Client
• 32.
  Enabling jdwp debuggingon apps §  By ptrace-ing the init process to dynamically change the ro.debugabble property §  Similar to what setpropx does §  By starting the jdwp thread by yourself in the relevant process §  Easily done by calling the dvmJdwpStartup with ptrace 32 Lacoon Mobile Security
• 33.
  Possibilities to hookapps JDWP easy way to simply sit on a specific java function after enabling debugging XPosed / Cydia Substrate Also great way to dynamically hook a function without needing to resort to debugging §  Uses a small jar injected into every process by zygote to initiate hooking, dalvik changes not neccesary Native code hooking Through ptrace debugging or so- injection §  Either by having a relevant native function somewhere in the stack §  Also very useful for hooking ART 33 Lacoon Mobile Security
• 34.
  Threat 3 Screen Scrapingagainst Android 34 Lacoon Mobile Security
• 35.
  Two possible methods § Leverage the clipboard access support §  Record the screen automatically when the mRAT detects that the VDI client is connected Threat 3 Screen Scraping against Android 35 Lacoon Mobile Security
• 36.
  Screen Scraping usingClipboard Access Support Run a Privilege Escalation vulnerability §  TowelRoot (CVE-2014-315), VROOT (CVE-2013-6282),… §  Exploit does not leave identifiable root marks Monitor the current foreground activity using standard Android APIs getRunningTasks/getForgroundApp Inject keyboard events to cause content to be copied from the file to the clipboard §  Using InputManager’s injectInputEvent (as root/system) we can inject input events §  Specifically Ctrl+A, Ctrl+C will work for most interesting applications 36 Lacoon Mobile Security
• 37.
  37 Lacoon Mobile Security ScreenScraping using Clipboard Access Support Inside the VDI client Data extracted from VDI client
• 38.
  Screen Scraping usingScreen Recording 1.  Run a Privilege Escalation vulnerability §  TowelRoot (CVE-2014-315), VROOT (CVE-2013-6282),… §  Exploit does not leave identifiable root marks 2.  Monitor the current foreground activity using standard Android APIs §  getRunningTasks/getForgroundApp 3.  Start recording the screen using one of the recording apis (go into depth) §  4.4 has a nice new screenrecorder – but possible even earlier by accessing framebuffer §  SurfaceView.setSecure would need to be patched on 4.2 and up Lacoon Mobile Security 38
• 39.
  Threat 4 Man-in-the-middle (MITM) 39 LacoonMobile Security
• 40.
  User VDI Credentials Authorized Listof services & Organizational policy Request for Service A VDI 40 Lacoon Mobile Security VDI Protocol Flow Server User Inserts VDI credsSSL Connections VDI Client Mobile Device
• 41.
  41 Lacoon Mobile Security MaliciousConfiguration Profiles Proxy/VPN Certificate Authority
• 42.
  42 Lacoon Mobile Security Threat#4: MitM against iOS This is an email with a phishing link to a configuration profile. It will be replaced with a screenshot. VDI Server
• 43.
  More possibilities withMitM attacks §  Duplicating the actual screen/input stream to a separate machine §  VmWare Horizon Viewer uses either a proprietary protocol or RDP §  Citrix Receiver uses a proprietary protocol called ICA – not widely analyzed yet §  Simulate commands to the client and/or server §  Can be used to do implementation specific actions, including gaining VPN credentials, etc… 43 Lacoon Mobile Security
• 44.
  Building the necessary 44 LacoonMobile Security mobile security strategy
• 45.
  VDI depends onthe integrity of the host system §  Protects the data as long as the device is uncompromised §  If the underlying device is compromised, so is the VDI solution Conclusions 45 Lacoon Mobile Security
• 46.
  A multi-layer approachto mobile security. Detect. Assess. Respond to Mobile Threats. A Layered Mobile Security Approach 46 Lacoon Mobile Security
• 47.
  A Layered MobileSecurity Approach 47 Lacoon Mobile Security •  Assess Device, Configurations, Apps •  Reduce attack surface Accurate mitigation and dynamic access control of compromised devices, using a rich toolbox: •  Integration to MDM, NAC and SIEM •  On-device remediation and on-demand network mitigation •  Device, Application, Network anomaly detection •  Mobile AV, advanced app reputation analysis •  Detect and classify advanced threats (Zero-day, APT, malicious applications, etc) Advanced Mobile Threat Detection Mobile Vulnerability Assessment Mobile Risk Mitigation
• 48.
  Thanks to thosethat helped on the Lacoon-Checkpoint mRATs in the Enterprise Survey! Lacoon §  Pavel Berengoltz §  Shai Yanovski §  Shalom Bublil §  Shayna Tichler §  Amir Kessler §  Noam Modai Checkpoint §  Inna Myslyuk §  Gali Carmel §  Ron Davidson §  Inbar Raz §  Alon Kantor 48 Lacoon Mobile Security
• 49.
  Thank You! Email: contact@lacoon.com Twitter:@LacoonSecurity Lacoon Mobile Security 49