[SANS ISC] Keep an Eye on Your Users Mobile Devices (Simple Inventory), (Fri, Sep 24th)

Today, smartphones are everywhere and have become our best friends for many tasks. Your users probably already access their corporate mailbox via a mobile device. If that's not yet the case, you probably have many requests to implement it. There are two ways to achieve this. The first is to provide corporate devices to all users. From a risk perspective, it's the best solution: you select the models and control them. But it's very expensive, and people don't like to carry two devices (a personal and a corporate one). Fortunately, if you use a Microsoft Exchange platform, there are ways to authorize personal devices to access corporate email with a software component called ActiveSync[1]. ActiveSync allows deploying basic security policies such as forcing the device to be locked with a password, enforcing a minimum password length, etc. However, it's not a real MDM ("Mobile Device Management").

But if you have hundreds or thousands of users connecting their mobile devices to your Exchange server, how do you keep an inventory of models, hardware, etc., especially if the system administrators are not ready to share some information with your security team? ActiveSync is based on open protocols: HTTP(S) and XML. To synchronize, the ActiveSync server must be facing the Internet like any web server. So does it mean we can gather some logs, via a reverse proxy or directly on the IIS server running the ActiveSync service?

Because network data is a goldmine (you can learn this topic in FOR572[2] – “Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response”), let’s have a look at the IIS logs, located in C:\inetpub\logs\LogFiles\W3SVC1\*.log. Here is a sample HTTP request (the line is pretty long and has been beautified):

2021-09-20 12:10:46 192.168.4.101 POST /Microsoft-Server-ActiveSync/default.eas
Cmd=Ping&User=domain.test%5Cuser01&DeviceId=XXXXXXXX&DeviceType=SamsungDevice&
  CorrelationID=<empty>;&ClientId=XXXXXXXXX&cafeReqId=817b3ec9-6360-4526-a738-xxxxxxxxxxxx;
  443 domain.test\user01 10.0.0.11 Android-SAMSUNG-SM-G950F/101.9 - 200 0 0 609

One of the interesting fields is the User-Agent (as in any HTTP request), but the ActiveSync client submits the device model, OS and version through this field! Here are some User-Agent strings:

Android-LG-G810/9.10.11
Android-SAMSUNG-SM-A505FN/101.10
Apple-iPad5C3/1807.82
Apple-iPhone10C4/1807.69
Apple-iPhone13C4/1807.82

Wait, did you read the last sample carefully? Does it mean that some users are already happy owners of a brand new iPhone 13? Unfortunately, it’s not so easy! The ActiveSync User-Agent does not show the model in the clear. It contains a model identifier that you must convert to the right device name. Example with “Apple-iPhone10C4/1807.82”:

“iPhone 10C4” = “iPhone 8”
“1807.69” = “iOS 14.7”

How do we find the corresponding values? There are plenty of lists available online, like this one for iOS[3].

Now, you have all the requirements to build an inventory of all the mobile devices connecting to your ActiveSync instance and learn about:

Outdated devices
Suspicious devices (based on models not sold in Europe or your region)
People using multiple devices (because we also have the username in the HTTP event log)
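
One way to build such an inventory from the IIS logs, as an added example that is not part of the original diary: it reads the W3C "#Fields" header, keeps only ActiveSync requests, and groups devices per user by DeviceId. The sample log lines, device IDs and function names are constructed for illustration, and the lookup tables contain only the two mappings given above.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Only the two mappings the article gives; extend both tables from a public model list.
MODEL_NAMES = {"iPhone10C4": "iPhone 8"}
OS_BUILDS = {"1807.69": "iOS 14.7"}
UA_RE = re.compile(r"^(Apple|Android)-([^/]+)/([\d.]+)$")

# Constructed sample in IIS W3C format; users, device IDs and addresses are placeholders.
SAMPLE_LOG = r"""#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-09-20 12:10:46 192.168.4.101 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Ping&User=domain.test%5Cuser01&DeviceId=DEV0001&DeviceType=SamsungDevice 443 domain.test\user01 10.0.0.11 Android-SAMSUNG-SM-G950F/101.9 - 200 0 0 609
2021-09-20 12:11:02 192.168.4.101 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Sync&User=domain.test%5Cuser01&DeviceId=DEV0002&DeviceType=iPhone 443 domain.test\user01 10.0.0.12 Apple-iPhone10C4/1807.69 - 200 0 0 120
2021-09-20 12:11:30 192.168.4.101 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Ping&User=domain.test%5Cuser02&DeviceId=DEV0003&DeviceType=iPad 443 domain.test\user02 10.0.0.13 Apple-iPad5C3/1807.82 - 200 0 0 98
2021-09-20 12:12:00 192.168.4.101 GET /owa/ - 443 domain.test\user02 10.0.0.13 Mozilla/5.0 - 200 0 0 15
"""

def parse_activesync(lines):
    """Yield (user, device_id, vendor, model, build) for each ActiveSync request."""
    fields = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column set depends on the IIS logging config
        elif line.strip() and not line.startswith("#"):
            row = dict(zip(fields, line.split()))
            if not row.get("cs-uri-stem", "").lower().startswith("/microsoft-server-activesync"):
                continue                       # ignore OWA and other non-ActiveSync traffic
            query = parse_qs(row.get("cs-uri-query", ""))   # also decodes %5C to a backslash
            user = query.get("User", [row.get("cs-username", "-")])[0].lower()
            device_id = query.get("DeviceId", ["unknown"])[0]
            ua = row.get("cs(User-Agent)", "")
            m = UA_RE.match(ua)
            vendor, model, build = m.groups() if m else ("unknown", ua, "")
            yield user, device_id, vendor, model, build

def build_inventory(lines):
    """Map user -> {device_id: readable description}, deduplicating repeated requests."""
    inventory = defaultdict(dict)
    for user, device_id, vendor, model, build in parse_activesync(lines):
        # Identifiers missing from the lookup tables are kept exactly as logged.
        inventory[user][device_id] = f"{vendor} {MODEL_NAMES.get(model, model)} ({OS_BUILDS.get(build, build)})"
    return dict(inventory)

def multi_device_users(inventory):
    """Users seen with more than one DeviceId."""
    return sorted(u for u, devs in inventory.items() if len(devs) > 1)

if __name__ == "__main__":
    inv = build_inventory(SAMPLE_LOG.splitlines())
    print(inv, "multiple devices:", multi_device_users(inv))
```

Unmapped model identifiers and builds appear in the output as logged, which makes gaps in the lookup tables easy to spot.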

[1] https://docs.microsoft.com/en-us/exchange/clients/exchange-activesync/exchange-activesync?view=exchserver-2019
[2] https://for572.com
[3] https://justworks.ca/blog/ios-and

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
