Tens of thousands of infected devices have hit corporate networks across the world in a “next generation mobile threat”.
The group behind the NotCompatible cyber crime group have evolved the sophistication of their malware to add proxy functionality that allows attackers to infiltrate secure enterprise networks via compromised devices.
According to research from Lookout, new attributes to NotCompatible.C include resiliency to network-based blocking via a peer-to-peer protocol and multiple, geographically-distributed Command and Control servers; and a resistance to network-based detection by encrypting all server communication end-to-end whilst performing mutual authentication between clients and servers via public key cryptography. Finally the new version of NotCompatible uses a command and control (C&C) gateway to analyse incoming connections, and likely prevents active probing of the various Operational C&Cs by blocking connections from non-approved IP addresses.
Lookout found that the operators behind NotCompatible.C have built up their population of infected devices on the back of massive spam campaigns and a lack of mobile threat protection on devices.
Kevin Mahaffey, co-founder and CTO of Lookout, told IT Security Guru that it has seen continuous evolution of the threat and with the change in architecture, it is not incredibly sophisticated. “If access is blocked at the server, the devices connect peer to peer and encrypt their traffic, so analysis is no longer possible,” he said.
“Whenever we talk to organisations, they don’t want malware that steals money but malware running through a proxy can access the internal network is a really big deal.”
Mahaffey said that the analysis had not stretched to what could happen with the malware, but “tens of thousands” of devices had been infected across the world, and hundreds of organisations were impacted.
“We cannot speculate to the usage of this, but we do know it is on corporate networks now, and we have also seen some of the traffic where the owners are using this to control machines,” he said. “So we know it is not just for spam, it is on enterprise networks and it is hard to block, so businesses need to know what this is so it is not on their networks.”
Mahaffey said that there is evidence that malware writers were bypassing the PC to target the mobile device, and when NotCompatible was first released it hit websites. He said that if you visited an infected website from a PC, nothing would happen, but if visited by a mobile device it would download malware.
Lookout claimed that attackers have begun to capitalise on this opportunity, by targeting hand-held inventory scanners too, which were recently used by attackers to bypass perimeter security defenses and steal a company’s entire financial database.
Lookout has analysed traffic for NotCompatible.C clients connected to “generic” private networks and has not seen evidence of automatic network scanning, but it has not yet analysed traffic from infected devices on potentially targeted corporate networks.
Mahaffey said: “There are a lot of unanswered questions here, but the key thing is that bad guys are attacking mobile devices and there are no magic forcefield that exists and with th
e right controls you can be safe. In the case of a jailbroken device, the malware embedded itself very deeply so it is nasty.”
Asked for recommendations on remediation, Mahaffey recommended making sure users only download apps from legitimate app stores, don’t jailbreak devices, learn about common sense measures and put in technical controls to prevent attacks.