Attackers are Zeroing in On Trust with New Device ID Twist

Etay Maor
August 15, 2021

The cat-and-mouse game between threat actors and security researchers is ever-evolving. With every new threat comes a security solution that in turn triggers the threat’s evolution. It’s an ongoing process whose most recent twist in the Device ID game was documented in our just-released SASE report on enterprise security.

Device ID’s Led to Spoofing-as-a-Service

Device ID is an authentication measure that identifies attackers using compromised credentials by inspecting the device used and comparing it to previous devices used by this account. Most Device ID solutions use a weighted average formula to determine if the incoming device is risky. For example, hardware and screen resolution rarely change, so they get a significant “weight” in the overall calculation. At the same time, a browser version may receive lower priority as it gets patched and changed more often.

Threat actors have used a variety of tools and techniques over the years to fool Device ID solutions. One of the first tools was software that would allow the attacker to spoof several of the many hardware and software components installed on their system (for example – changing the hardware versions). Other early techniques included using an iPhone’s browser to perform a login. All iPhones have the same hardware, and the iOS also tends to be consistent thanks to Apple alerting users to an out-of-date operating system. In other words – the lack of entropy served the attackers well.

One of the latest iterations of Device ID evasion comes in the form of Spoofing-as-a-Service – online dark web services where threat actors send service providers details of the device they are trying to spoof. The service provider creates a VM (Virtual Machine) that would pass a device ID check and can be accessed over the Web. These services come at a significant price jump compared to “on-prem” solutions but provide an extra layer of security for the attacker.

The Latest Twist to Device ID

One question remains – how does the threat actor collect all the system data needed for spoofing? Be it spoofing as a service or a local tool, the attacker must know the victim’s device’s details to spoof them. One of the principles of zero trust architectures is continuous and contextual authentication in which Device ID plays a role. So how can the attacker collect all the necessary data for circumventing these systems?

Threat actors have been collecting Device ID data for at least 15 years now. Researchers have seen this type of data (such as operating system, screen resolution, and time zone) collected by some of the earliest phishing attacks. Later came malware that collected this data upon infection and immediately sent it to its C&C (Command and Control) server. But as we mentioned at the start – every “solution” leads to evolution, and security researchers have upped their game at identifying the exfiltration of Device ID parameters.

So what did the attackers do? They hid this data in areas they thought would be ignored or would generate false positives in security logs. Such is the case with the Houdini malware, which Cato Networks researchers have hunted down and analyzed in our 2021 Q2 report.

For more information, check out the complete report.

Etay Maor

Etay Maor is the Senior Director of Security Strategy at Cato Networks and an industry-recognized cybersecurity researcher. Previously, Etay was the Chief Security Officer for IntSights, where he led strategic cybersecurity research and security services. Etay has also held senior security positions at IBM, where he created and led breach response training and security research, and RSA Security’s Cyber Threats Research Labs, where he managed malware research and intelligence teams. Etay is an adjunct professor at Boston College and is part of Call for Paper (CFP) committees for the RSA Conference and QuBits Conference. He holds a BA in Computer Science and a MA in Counter-Terrorism and Cyber-Terrorism.