This month security organizations and researchers discovered an attack that utilizes Apple’s popular and open source Mobile Device Management (MDM) system for iPhones. The MDM suite allows enterprises to conveniently deploy and manage employees’ iPhones remotely. The attackers in this campaign appear to have used social engineering to persuade unsuspecting users to enroll in MDM on their iPhones. From there, the attackers used MDM to remotely deploy Trojan spyware applications. Furthermore, they remained undetected for the past three years, while launching multiple successful attacks against targeted corporate employees in India.
The attackers, who are also believed to be operating within India, were able to coax their victims to install unverified certificates for MDM. The unverified certificates used deceptive naming conventions such as hxxp://ios-certificate-update[.]com and allowed for unchecked administrative privileges once installed. Following the initial compromise, it was later possible for the attacker to deploy the Trojan spyware applications on to the mobile devices of the affected users. While the applications appeared to be legitimate software, such as Telegram or WhatsApp, they were in fact modified versions of the legit software, which granted the attackers access to the target’s photos; contacts; real-time location; SMS messages; and application chat logs.
Proficio Threat Intelligence Recommendations:
- Assess the authenticity of MDM certificates currently in use by your mobile fleet. Apple has already revoked several certifications that were linked to this malicious MDM campaign, but there are likely other malicious certificates that have yet to be canceled.
- As MDM becomes more popular with large organizations, users should be made aware that installing additional certificates on to their mobile devices may allow unauthorized and/or malicious remote management activity.
- Update IDS/IPS devices to blacklist certificates and/or traffic made towards the following malicious servers that have been identified thus far: Ios-certificate-update[.]com; www[.]wpitcher[.]com; techwach[.]com; and voguextra[.]com.
- Update IDS/IPS devices to take appropriate actions when observing the following malicious application hashes: 329e025866bc6e88184af0b633eb3334b2e8b1c0817437c03fcd922987c5cf04 AppsSLoader.ipa aef046b67871076d507019cd87afdaeef602d1d2924b434ec1c165097b781242 MyApp.ipa 4be31095e5f010cc71cf8961f8fe3fc3ed27f8d8788124888a1e90cb90b2bef1 PrayTime.ipa 624689a1fd67891be1399811d6008524a506e7e0b262f549f5aa16a119369aef Telegram.ipa e3872bb33d8a4629846539eb859340940d14fdcf5b1c002b57c7dfe2adf52f08 Wplus.ipa.
General Information – Click Here
