CyberWire Daily - Dark Caracal APT steals out of Lebanon. [Research Saturday]
Episode Date: March 10, 2018. Researchers from Lookout and the EFF have discovered an APT group operating out of Lebanon they've named Dark Caracal. The group is running a global espionage campaign, targeting journalists, military personnel, activists, lawyers, medical professionals and educational institutions. Mike Murray is VP of Security Intelligence at Lookout, and he's our guide through their research. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
... data products platform comes in. With Domo, you can channel AI and data into innovative uses that
deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to
your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and
analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
And now, a message from our sponsor, Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks
and a $75 million record payout in 2024.
These traditional security tools expand your attack surface
with public-facing IPs that are exploited by bad actors
more easily than ever with AI tools.
It's time to rethink your security.
Zscaler Zero Trust Plus AI stops attackers
by hiding your attack surface,
making apps and IPs invisible,
eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying
every request based on identity and context, simplifying security management with AI-powered
automation, and detecting threats using AI to analyze over 500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com slash security.
Two years ago, the Electronic Frontier Foundation presented at Black Hat about an operation that they called Operation Manul.
That's Mike Murray. He's the VP of Security Intelligence at Lookout.
Today, he's discussing research from Lookout and the EFF about the recent discovery of Dark Caracal,
a mobile advanced persistent threat actor conducting a global espionage campaign.
Operation Manul at the time was believed to be the Kazakhstan government,
and we still believe it was the Kazakhstan government,
but at the time it was the Kazakhstan government,
working with a lower-end cybersecurity actor.
And so one of our leaders on my team was reading the report, and the report mentioned that they believed that there was an Android component, a mobile malware component, to the attacks, but that they didn't have any evidence of it.
Lookout has a huge data set around what is mobile.
We have over 50 million apps in our app database.
He looked at it and thought, well, if there's anyone who's
going to find the Android component, it's us. And he went looking and found it. And what we
originally started out with was a blog entry that simply just stated, hey, we went and found the
mobile component of this. Here's the mobile component. And we reached out to EFF and we
all agreed that we would work together to put out a couple of blog entries and just say, hey, look, we found this.
And as we started to investigate, things stopped making sense.
So you had this report that was all about Kazakhstan and about this actor in India that was doing this work.
And the information that we started to see started to be inconsistent with the narrative
that we thought we were looking at. And we were in some ways very lucky because the attacker had
made some errors that left some significant parts of their infrastructure with information public
that they probably didn't want to see, or didn't want us to see. We found, for example, they had left the logs of everyone who was connecting to the server
and connecting to the system: either compromised people's devices that were uploading data to the server,
as well as the administrative logins, who was actually logging into the system.
And we started to look at it, and it had nothing to do with Kazakhstan.
And so we started to pull on the threads, as one does in an investigation.
And more and more, it started to point to a much more globally active actor,
and an actor who was doing very nation-state level things across a much wider swath than just what had originally been reported.
And at a point in the investigation, we got a lead on an email address that was used in many other campaigns.
The email address is referred to in our report.
And we shorthanded the email address to OP13. But it turned out that people had been seeing OP13 over the years, many, many years. It had been attributed to
potentially looking like the Russians. It had been attributed to various other actors. And we
started to really pull on the threads to figure out what was behind this, and
eventually realized that all of the connections from the server and all of the information...
and ultimately we were lucky again in that some of the data on the server appeared to be the
attackers testing their own software, and when they were testing it, it very clearly went back to this one building
in Beirut. And so suddenly... nobody ever thought of Beirut and Lebanon as having any sort
of cyber capability, so that was a huge surprise, and we obviously chased it down further and
eventually wrote this massive report sort of detailing all of the
activity that they were doing globally, and what we were seeing, and what information was available on
the infrastructure that we had access to, and the information about infrastructure that we didn't
have access to or we knew about, and really just put all the pieces together. But it took many, many
months, and this happened... the original activity of going and finding the pieces of Android malware that the EFF had alluded to happened in May. And obviously you didn't see our report until February, where there were a lot of pieces to this.
Let's pull some more of those threads. I mean, take us through it. You get the revelation that things are happening in Beirut, and you, I suppose, want to sort of nail down that piece of information, verify, make sure that what you suspect is actually so. Take it from there.
... for a second. First of all, a lot of conversations about, really? Beirut,
Lebanon? That can't be possible. So because of our own doubt, because we all really had a whole
lot of doubt about this, we spent a lot of time fact checking and trying to understand what we
were seeing. And even to the point that we were lucky that some people that were related
to us had been visiting Beirut and we actually had them check out certain wireless networks.
And so actually, let me back up for a second. One of the big keys to understanding what the
building was, was in those test devices, what we believed to be test
devices. And the way we figured out that they were test devices is, for example, imagine you,
you know, you're a malware author testing your malware. You're not going to test it on your own
phone. You're going to test it on some burner phone that has three contacts and four fake emails in
it. And you're going to see if you can steal that. Well, that doesn't look like anyone's real phone,
right? And we found a bunch of things that looked like that.
And all of these phones were connected to this one wireless network.
And so we started out by doing open source intelligence on the various –
there are various sites that you can say, you know,
show me the places that this wireless network exists in the world.
And we have screenshots of that in the report where
the open source intelligence says this wireless network is. And then, like I said, there was...
we lucked out in that some people were sort of transiting the country that were friends of
ours, and said, hey, can you just, like, walk by this and see if you see this
wireless network for real. And obviously the wireless network was there,
and it turned out that there was no way that that wireless network
was not in this one building.
And the building literally says on the top of the building
that it belongs to the Lebanese General Security Directorate,
basically the GDGS is the acronym.
I don't remember what it exactly stands for, but that is basically the Lebanese version of, sort of, in U.S. terms, it would be like the FBI, the CIA and customs all in one building.
These guys do border patrol and all these things. Now, we cannot attribute, and we were very careful in our attribution, because we don't know who inside that building is doing this.
This might be freelancers who just happen to work for the government.
They might have leased office space.
We don't know exactly who the people are.
And so we're being very careful in what we say because we can't prove it was actually the Lebanese government.
We're 100 percent sure that the people who are doing this were in that building.
So, you know, draw further conclusions as you will.
So, I mean, take us from there. You determine that that's where things are going on,
and you're taking a closer look at this. So what exactly does this software set out to do?
The software sets out to steal people's information. And so let me,
let me back up for a second, just, just on a more philosophical point. Five years ago,
you would have seen groups like this dabble in cyber espionage because breaking into a bunch
of people's desktops, you can steal information, but it's not really a great espionage tool.
If I want to chase bad guys, say I want to do – I'm going to pick the nice case.
I'm going to pick the case that everybody's happy with.
Say I want to do counterterrorism, right, and I want to track down terrorists.
Breaking into their laptops tells me a little bit about their operations,
and I can probably read their email, et cetera, et cetera.
Breaking into their phones when the phone has an extremely accurate camera,
an extremely accurate microphone, a GPS that can geolocate you anywhere in the world,
breaking into phones gives you such a rich picture of people's lives
that seeing these folks break into thousands of phones globally
and steal information, you know, sort of indiscriminately.
And I have to say, we don't know what they did with that information.
You know, that's far outside my or any of my team's pay grade.
Our job is to figure out, you know, that the attackers are doing it and work to protect the industry
and protect our customers and protect the people around us from this kind of malicious behavior.
But seeing that kind of widespread espionage activity where you have information about exactly where your targets are at any given time,
you know, the nation states have largely moved to this capability.
I don't know of any major nation state at this point
who doesn't have a capability for this purpose, right?
If I am any sort of well-meaning government,
if I want to track down drug traffickers or terrorists, etc.,
this capability is fantastic as long as it's used appropriately.
Now, of course, what we also see is it being used illicitly.
I'm sure that some of the people who were attacked by this were used in appropriate ways,
but we've seen around the world, and not specifically in Dark Caracal,
because we didn't dig too deeply into who the victims were, again, beyond our pay grade.
And frankly, there was just so much information, it was really hard to do.
We had over half a million text messages.
It's really hard to have people on my team sit and try and read through a half a million text messages,
especially given the region of the world, how many of them were in Arabic or other languages
or even dialects of Arabic that people don't
understand over here, right? We weren't going to analyze who the targets were, but the point being,
these targets were compromised in a level that they could be followed around, their, you know,
their phone calls could be recorded and were recorded, you know, all of their personal
information was stolen, their pictures were stolen. This is an incredibly deep compromise of these people's lives.
And because of that, you start to see a real shift where five years ago, if you were going
to have this capability, you had to be a top-level nation-state.
Now you see even the minor nation states moving towards this capability
because it's so valuable to you from an espionage perspective. Now, are they getting these components
off the shelf? Are they custom developing? What's the spread, your analysis of the software? What
are you seeing here? A little of both. So what we really saw was a lot of these tools are variants of things that
have been out in the world. Malware on the desktop, for example, one of the pieces of malware that
they seem to use a lot is known as Bandook. Bandook's been available on the black market
for a long time. What was particularly interesting about what we saw
with their use of Bandook was the version of Bandook
that they had didn't correspond to the version that's
available publicly.
They had the super premium upgrade, so to speak,
with functionality that didn't exist in the one
that you could go buy on the dark web.
The Android malware, however, seems to be largely
custom developed. We hadn't seen it
before in that exact form. I think there's no malware author in the world that doesn't, or,
no, no software developer in the world that doesn't borrow code from places, right? Sure. I
have never met a software developer who didn't go to Stack Overflow at
some point and cut and paste a piece of code. Yeah. So that stuff exists. And so, you know, not exactly off the shelf, but traditionally,
sort of the way that everybody else does it. But that malware was relatively unique,
as was the other piece of what we believe to be in early development malware that we called
CrossRAT. It appears to be almost, in fact, the version number on the first version
of CrossRAT we got was 0.1. We saw that as sort of next generation capabilities that they're just
evolving into. It looks like they're trying to get away from the traditional Bandook malware because
so many vendors know what it is. Yeah, before we dig into some of the details of CrossRAT,
can you give us an idea of the breadth of operating systems that they're able to hit?
Yeah, so we saw pretty much everything on the desktop.
So Windows, Linux, Mac OS.
We also saw Android.
Now, what's interesting, people always ask me, what about iOS?
And I think iOS is largely an issue of demographics for them.
And so if you think about the region of the world they're operating in and what many of their targets would be, Lebanon, for internal purposes as well as neighboring Syria, Iraq, et cetera, those aren't places where people are buying $1,000 iPhone X very often.
Right? And so if I'm an attacker,
I always explain attackers to people in terms of security software,
in terms of just normal software business.
If you're a software developer
and you know 95% of your customers are running Android,
why would you spend all the time to build an iOS version?
And so I think if you were to see that region become extremely heavy in iOS,
you'd see them evolve an iOS capability. But what we saw was so prolific, if you're getting
all the information on most of your targets, why would you invest in building another version?
Take me through the timeline here, because one of the things that struck me about your research is how far back this campaign goes.
Absolutely. And this is why this is actually why we named it Caracal.
The EFF folks love cats and so do we. So, like, Manul is a type of cat.
A caracal is also a type of cat. But one of the things when we were looking into names was that the caracal is a cat that has often been seen and been mistaken for other types of cats.
And that's what we saw here is that these folks have been active for quite a long time.
The infrastructure has been up for many years.
There have been attacks reported against that infrastructure for many years. Even the Manul work was two years ago, right? And even with that Manul work, where it was attributed to somebody else, we saw that people knew that this was happening, but they didn't understand the context of what they were looking at. And that was, to me, the most fascinating thing, is you could have an attacker that's
this prolific, doing politically motivated work, attacking targets globally, whether
for Kazakhstan or for their own purposes or for other targets.
And these attacks are happening for years and years.
And even the best minds in security are looking at it and thinking it's something else.
It was very much a hiding in plain sight strategy, and I think part of that – we even fell victim to this in our discussions.
The idea that it could be coming out of Lebanon was sort of an easy thing to write off. You know, if I asked you about cyberpowers like two months ago,
Lebanon would be a long way down your list of people.
Even if I said it's a Middle Eastern actor,
you would probably say Israel, Iran, Saudi Arabia.
You know, you'd go down a long way on that list before you got to Lebanon.
Well, I mean. To that point, do you think that this indicates that
Lebanon upped their game and or
does it mean that there's more activity going
on from some of these, what we would previously have described as lesser
actors? Do you follow my line of questioning there? Completely.
That to me, people ask me what the real interesting point to this is.
And there's so many little angles to this story.
But for me, especially when I talk to our enterprise customers, when I talk to CISOs
of big banks or anybody who's working globally, the most interesting thing to me is that it's no longer a game
where APT only comes from China and North Korea, the Five Eyes and Russia. APT is becoming
the province of everyone, because just like the internet has democratized so many other things, right? You know, I remember, I'm old enough to
remember 20 years ago when building a website required a special set of skills. Now it requires
I pop up WordPress or I go to Squarespace and suddenly I have a website in 10 minutes.
The same thing's happening for the bad guys. Same thing's happening in the cyber attacker world.
10 years ago to have this kind of capability, you had to put in, you know, millions, tens of millions, hundreds of millions
of dollars like those large countries. Now, you can do it with a handful of computer science grads
and a lot of cutting and pasting off of Stack Overflow and, you know, pulling in open source tools. What this really says is the landscape of attackers
who can perform this level of espionage is in the middle of exploding.
And especially because mobile is so useful.
If you think about the mobile platform as,
like if I really wanted to compromise your life and follow you around,
there's no better way than to track your cell phone.
I can literally listen to you at all times. I can you probably like you go into
every meeting. You might close your laptop in a meeting, but you very rarely turn your cell phone
off in a meeting. You know, so so the opportunity for these nation states who want to use this
capability is expanding at the same time that it's becoming easier and more scalable to implement.
Now, take us through the patterns of attacks here. How do people get infected and how targeted were
the attacks? Incredibly. So the way that, across the board, the mobile kill chain works, whereas on the
traditional desktop there's a million ways to get infected, right? You could go to the wrong
website, you get phished, you know, someone attacks you directly, whether attacking your website, etc.,
the mobile kill chain almost always looks the same, in that it starts with some sort of phishing
message. We've seen a proliferation of text and other messaging-based phishing that leads the victim to click on a link or go to a site,
which does one of two things.
Just asks them to install an app, which is what Dark Caracal did.
They literally had a page that was called Secure Android
and had Trojan versions of all the communications apps you could think of.
And so you would get a message from me generally through Facebook.
These guys use Facebook a lot. Generally through Facebook, you'd get a message from, from me that
said, Hey, I just got an update to my WhatsApp that has extra security in it. Go to this site,
grab it, and then we can talk extra secure, right? And we can talk more securely. Of course,
you would download the app,
install it on your device, and then I would have complete control of your device while you talk to me on WhatsApp. But to me, it still functions as WhatsApp. It's just been trojanized. You bet
it does. Yeah. Yeah. It's WhatsApp with a little bit of extra, and the extra is what you really
don't want. Right. So what's interesting is it wasn't technically sophisticated. It relied on just simply people trusting the people that are sending the messages
and falling for it the way that so many other phishing type attacks were.
But again, in terms of them targeting people,
does it seem like were they taking more of a shotgun approach
or did they know who they wanted?
So we're not sure.
Yeah.
And that's
the hardest thing. Like, I've said it to many people, understanding that kind of stuff is
really above our pay grade, and obviously we shared information with the appropriate authorities
in various countries to make sure that people were remediating and people were being protected.
But ultimately, we try to keep out of the attribution game.
My team and pretty much any security research team is not tooled to understand the nuances of who everyone in Lebanon is and whether they're politically relevant and why they
were targeted.
That's really a job for law enforcement agencies and the like.
And so we tried to stay away.
We certainly saw what appeared to be patterns in the data, but again, didn't dig in because
our focus was really on what does the software do?
How is it getting on devices?
And how can we stop that, and how can
we inform the rest of the community on how to stop that as well? That, to me, is our primary
mission. There are people in the world whose job attribution is, and they're way better at it than
we will ever be. I see a lot of security firms try and get into attribution and so often it's wrong. So let's talk about prevention
and mitigation. If someone found themselves infected by this, would antivirus discover it?
Absolutely. So especially now, right? It wouldn't have, most products wouldn't have when it first
came out, obviously, because they didn't know it existed. But these
days, since we released the report, we believe that pretty much, you know, whether the CrossRAT or
Bandook samples or the Pallas samples, which is the mobile malware, you know, our customers have
been protected against that for many, many months. The interesting thing is you have to be in a place
and a mindset where you know to install that
software. And I think a lot of the times targets of this kind of stuff, especially, you know,
dissidents, reporters, political, you know, political figures, etc. They're not generally
the most tech savvy people. So making sure that they have the right controls on their devices
is really, it's really paramount, but it's a message that we all have to get out. Is there a false sense of security on the mobile side?
Oh yeah, is there ever? We've all fallen into the belief, I think it's two pieces. First,
we've fallen into the belief that because it's Apple and Google and they're such huge companies
that they'll protect us. Now, I'm old enough to
remember a time when people believed the same thing about Microsoft in the 90s, right?
Oh, come on, Mike. Nobody ever believed that about Microsoft.
Oh, no, absolutely not. When NT4 came out, people said, oh, this is the most secure operating
system. We can run our business on it. Right, right.
You know, say 1997, there was that belief.
No, you're absolutely right.
You're absolutely right.
I'm being, I'm kidding, but you are absolutely correct.
Man, we got disabused of that notion fast, didn't we?
We did.
But what's amazing is we all believe the same thing about Apple, especially Apple.
Apple's done a really great job of making people believe this, but also Android.
And so there's that part.
I think there's another part to it.
I think so many of us established our relationship with the technology that is a cell phone when it was basically, depending on how old you are, it was a brick that you had to carry around.
Or it was like a Motorola Razr flip phone.
And the idea that that could be compromised to compromise your life was kind of,
it was so far out there that nobody believed it.
And I think a lot of people still believe that their mobile device is simply nothing more than a thing that they get phone calls on and take text messages on.
And yet the mobile device has now taken this central role in our digital world,
even up to and including that for almost everybody I know, the two-factor token for all of their enterprise access is now on that device.
And so we've put ourselves in this world where we think of it as a Motorola Razr flip phone, but it literally has the keys to everything and has the computing power of a Cray-3 supercomputer.
That's actually a specific benchmark.
The iPhone 7 is actually the equivalent of the Cray-3 supercomputer
in terms of processing power and memory access.
Whenever I tell somebody that, they're shocked by it,
which you really shouldn't be.
And then the idea that you would take that level of computing power,
if I told you I was going to give you a
supercomputer but I was never going to secure it, I wasn't going to do anything to secure it, you'd be
like, you're insane. And yet almost everybody I know does that with their phones. I think you're right.
I think for most people it doesn't even strike them, and I think particularly on the iOS side,
to even think to install any sort of additional protection, because there is the
sense that the walled garden of the app store is going to protect you.
Right. And it doesn't work like that. You know, there has never been a computer system
that didn't have vulnerabilities that could be exploited. And especially now, especially
because of the value to the high-end attacker of compromising that platform, it's so valuable to the attacker
that you have to realize that if there's vulnerabilities, there are people exploiting
them and they're exploiting them for gain. And we just have to get our heads around that this
thing that we carry around with us isn't a phone. It's a very powerful computer that almost everybody I know spends a
lot of time basically connecting that to every part of their life, their social media, their
personal email, their work email, two factor tokens, you know, all of your contacts and calendar.
Like I, if I have access to your phone, I can tell you everything about you and that asset needs to
be protected. And yet we treat it like it's not that
kind of asset. And it's mind blowing to me. You know, as an aside, it reminds me of a tweet I
saw a couple months ago or some, it was a long time Apple employee, you know, one of the old
timers. And he said that, you know, this new iMac Pro that I just bought, he said, has 11 times more RAM in it than the Apple
II. And he said, and by Apple II, I mean all six and a half million Apple IIs that were ever sold
combined, right? Yes, exactly. This one machine, you know, and so I think you're absolutely right
that for those of us who've been around for a while, the scale of how things have changed, how things have developed, I think it's beyond our capability to really imagine.
You bet.
And you know what the worst part about what you just said is?
Is the people who have been around for that long.
You know, I remember 15 years ago when I was a young whippersnapper, 20 years ago,
I guess. And when the senior executives wouldn't understand something like email, and we would go,
wow, I don't get it. Why do you still have your email printed out for you? That's insane.
All of us who are now C-level executives and the people in charge are making the same mistakes about the mobile platform that we used to deride senior executives for making about websites.
And it's literally just the human condition that we, as we grow, we rely on our knowledge from previous eras.
And if the previous era changes, we have to be really conscious
about thinking about it.
I love doing the Cray-3 supercomputer
in a room full of C-level security executives
because you literally can watch,
it's fun to watch it from a stage
because the lights come on
and people are like,
oh my goodness.
I haven't,
so we've taken within lookout
to calling it the forgotten platform, right?
These people, you know, me included, I'm old enough to make the same mistake.
These people are spending hundreds of millions of dollars protecting their Windows desktops and zero dollars protecting their mobile devices.
And yet one of my favorite stats is we've started investigating this with our customers.
For most enterprise customers,
if they do a survey of what platform
are people logging into Active Directory for,
I have yet to find an organization
in the last three years
that is not more than 50% mobile devices.
And in some cases, it's 80% mobile devices.
Imagine, if you had 80% of the devices in your network, you have no visibility into. How do you protect that
environment? Right? But because we're still thinking about it the old way, we're blind to
it in the same way that the C-level executives in the 90s didn't understand how the web worked.
So let's bring it home in terms of recommendations. You know, your average person, your enterprise security professional,
how worried should they be about this and what steps should they be taking to make sure that
they're not hit with it? How worried should they be about it? Kind of depends. How worried should
they be about it today? Well, if I am, I'm going to pick on some names. These are not Lookout customers. I'm not talking out of school. But if I have a real nation-state attack problem, right, if I'm anybody who has worried about APT in the last five years, defense contractors, you know, financials around the world, any multinational, they should be terrified, because the nation-state
level attackers, the real serious, what we would call APT, have already figured out that, A,
this device is so useful, right? In terms of getting access to corporate resources because
of the two-factor tokens, but also getting access just to the lives of your targets.
And combined with, if I'm attacking your PC environment,
I've got to get by firewalls and antivirus and all of this stuff.
If I'm attacking your mobile device, you probably have nothing on that device that tells you that you've been compromised.
So not only am I blind, but it's the most valuable thing I can attack.
If I was a CSO of one of those companies, I'd be freaking out.
This would be the first thing I'd worry about.
If I am a Midwestern credit union and I'm picking on just some random thing
that doesn't have a nation-state attacker level thing,
what I'm thinking about is in the history of security, all exploits commoditize.
What is nation-state only today, three years from now is going to be a Metasploit module that anyone can use.
And so my thought would be, okay, maybe I don't have to worry about this in February of 2018 or
March of 2018, but I probably have to worry about it in February or March of 2019.
And I certainly have to worry about it in February or March of 2020.
And so I better start planning.
Now, if I'm just the average user, then all of the old rules that we had for PCs apply.
Don't click on links from people you don't know.
Don't install things that people ask you to install either over the internet or just through
an email. Like the security awareness stuff applies, but what we found is really interesting.
All of those rules that we had for doing security awareness well on the desktop, every single person
has been taught in their corporate security awareness. When you get an email that looks
suspicious, hover over a link to see that it's going to where it says it's going to. Guess what? You can't do that on a mobile platform.
That doesn't work. So we've taught our users all this stuff about how to protect themselves.
And most of it's not applicable to the mobile platform. And what we're seeing is significantly
higher rates of bad behavior on the mobile platform.
If I send a phishing email to an organization and I get 10% response, I'm going to get 25% response on the mobile device.
Because all the things we've taught the users, first of all, all the things we've taught don't work.
But second, the users are thinking, well, it's my phone.
It's not really a computer.
It doesn't have access to anything without thinking. It's back to that same, I'm still thinking of it as a phone,
not as a super powerful computer that has access to everything in my life. I'm not the one to
preach the sky is falling, even though I obviously believe that there's some urgency here.
But I think you have to really think about what your risk is. Because right now,
let me back up for a half second and
flip this over. When we saw PC malware evolve, right, starting in the 90s, what we saw was the evolution
went from small, minor annoyance, you know, in 1998 the ILOVEYOU virus, to massive
annoyance, SQL Slammer, Blaster, etc., to nation states later. The mobile ecosystem is going
backwards, right? You're going nation states and highly resourced attackers first, and then it
trickles down to the cybercrime. So if I'm looking at 2020, 2021, 2022, that's when I think you're
going to see the mobile platform becomes a real target for everyone. And it's my goal in life to get to 2021 and 2022
and not have every Android and iOS device,
whether car, light switch, et cetera.
I don't want all of those things compromised
by ransomware five years from now.
I think it's important to just realize
the scope of the problem and assess for yourself
where you are in that spectrum of how fast you need to respond to it.
Our thanks to Mike Murray for joining us. You can find the complete report about Dark
Caracal on the Lookout website. It's in the blog section.
Thank you.
... trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications,
securing sensitive data,
and ensuring your organization
runs smoothly and securely.
Visit ThreatLocker.com today
to see how a default deny approach
can keep your company safe and compliant.
Thanks for listening.