Apple's New Rule & Google Play Store Bypass - July 29th - Aug 4th, 2023 - F5 SIRT - This Week in Security
Editor's introduction
Hello Everyone, this week your editor is Dharminder.
I am back again with another edition of This Week in Security. This week I have security news about Apple's new policy for developers, how Android malware slips onto the Google Play Store, and CISA's cybersecurity advisories on preventing web application access control abuse and on the 2022 top routinely exploited vulnerabilities.
We in F5 SIRT invest a lot of time in understanding the frequently changing behaviour of bad actors. Bad actors are a threat to your business, your reputation, your livelihood. That’s why we take the security of your business seriously. When you’re under attack, we’ll work quickly to effectively mitigate attacks and vulnerabilities and get you back up and running. So next time you are in a security emergency, please contact F5 SIRT.
OK, so let's get started with the details of this week's security news.
Apple's New Rule to Prevent Data Misuse
If you are a developer who already has an app on Apple’s App Store, or are planning to publish one, you should know about this important announcement from Apple.
To protect user privacy on its platforms and to prevent misuse of APIs that can be used to collect device signals for fingerprinting, Apple will soon start enforcing a policy under which developers must select one or more approved reasons that accurately reflect how their app uses each such API, and the app may use the API only for the selected reasons. The reasons are declared in the app’s privacy manifest (the PrivacyInfo.xcprivacy file bundled with the app), and the requirement covers third-party SDKs bundled with the app as well as the app’s own code. This will help ensure that apps use those APIs only for their intended purpose.
Here is the list of API categories that require approved reasons:
- File timestamp APIs
- System boot time APIs
- Disk space APIs
- Active keyboard APIs, and
- User defaults APIs
Detailed information is available at https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api
A snippet of Apple’s announcement:
“Starting in fall 2023, when you upload a new app or app update to App Store Connect that uses an API (including from third-party SDKs) that requires a reason, you’ll receive a notice if you haven’t provided an approved reason in your app’s privacy manifest. And starting in spring 2024, in order to upload your new app or app update to App Store Connect, you’ll be required to include an approved reason in the app’s privacy manifest which accurately reflects how your app uses the API. If you have a use case for an API with required reasons that isn’t already covered by an approved reason and the use case directly benefits the people using your app, let us know.”
According to Apple, the policy is being enforced to ensure that these APIs are not abused by app developers to collect device signals for fingerprinting, which could be used to uniquely identify users across different apps and websites for purposes such as targeted advertising.
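The practical consequence for a developer is a pre-submission check: every required-reason API category that the app or one of its SDKs calls must appear in the privacy manifest with at least one approved reason. The following is an added example, not Apple’s code, of such a lint in Python using the standard library plist parser. The manifest keys (NSPrivacyAccessedAPITypes, NSPrivacyAccessedAPIType, NSPrivacyAccessedAPITypeReasons), the five category names and the reason code CA92.1 are taken from Apple’s documentation linked above as it stood at the time of writing; verify them against the current page before relying on them. The set of categories the app "actually uses" would in practice come from a static scan of the binary and its SDKs; here it is constructed.

```python
# Added example, not Apple's code: lint a PrivacyInfo.xcprivacy manifest
# against the required-reason API categories an app actually calls.
import plistlib

# Category names from Apple's "Describing use of required reason API" page
# at the time of writing (assumption: verify against the live documentation).
REQUIRED_REASON_CATEGORIES = {
    "NSPrivacyAccessedAPICategoryFileTimestamp",
    "NSPrivacyAccessedAPICategorySystemBootTime",
    "NSPrivacyAccessedAPICategoryDiskSpace",
    "NSPrivacyAccessedAPICategoryActiveKeyboards",
    "NSPrivacyAccessedAPICategoryUserDefaults",
}


def audit_privacy_manifest(manifest_bytes: bytes, apis_used: set[str]) -> list[str]:
    """Return a sorted list of human-readable problems; empty means the
    manifest is consistent with the categories the app uses."""
    plist = plistlib.loads(manifest_bytes)
    declared: dict[str, list[str]] = {}
    for entry in plist.get("NSPrivacyAccessedAPITypes", []):
        category = entry.get("NSPrivacyAccessedAPIType", "")
        declared[category] = list(entry.get("NSPrivacyAccessedAPITypeReasons", []))

    problems = []
    # Used categories must be declared, and declared with a reason.
    for category in sorted(apis_used & REQUIRED_REASON_CATEGORIES):
        if category not in declared:
            problems.append(f"{category}: used but not declared in manifest")
        elif not declared[category]:
            problems.append(f"{category}: declared with no approved reason")
    # Declared-but-unused entries are usually leftovers from a removed SDK.
    for category in sorted(set(declared) - apis_used):
        problems.append(f"{category}: declared but no use found (stale entry)")
    # Anything outside the known category list is a typo, not a declaration.
    for category in sorted(set(declared) - REQUIRED_REASON_CATEGORIES):
        problems.append(f"{category}: unknown category name")
    return problems


# Constructed sample manifest: UserDefaults declared with reason CA92.1,
# FileTimestamp declared but with an empty reason list.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>NSPrivacyAccessedAPITypes</key>
  <array>
    <dict>
      <key>NSPrivacyAccessedAPIType</key>
      <string>NSPrivacyAccessedAPICategoryUserDefaults</string>
      <key>NSPrivacyAccessedAPITypeReasons</key>
      <array>
        <string>CA92.1</string>
      </array>
    </dict>
    <dict>
      <key>NSPrivacyAccessedAPIType</key>
      <string>NSPrivacyAccessedAPICategoryFileTimestamp</string>
      <key>NSPrivacyAccessedAPITypeReasons</key>
      <array/>
    </dict>
  </array>
</dict>
</plist>
"""

# Constructed: what a scan of the app binary plus its SDKs reported as used.
SAMPLE_APIS_USED = {
    "NSPrivacyAccessedAPICategoryUserDefaults",
    "NSPrivacyAccessedAPICategoryFileTimestamp",
    "NSPrivacyAccessedAPICategorySystemBootTime",
}

if __name__ == "__main__":
    for problem in audit_privacy_manifest(SAMPLE_MANIFEST, SAMPLE_APIS_USED):
        print(problem)
```

Run against the constructed sample, the lint reports the FileTimestamp entry with no reason and the SystemBootTime use that is missing from the manifest; the UserDefaults entry passes. Because the rule applies to third-party SDKs too, the "apis used" set has to come from the linked binary, not only from the app’s own source tree.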
https://thehackernews.com/2023/07/apple-sets-new-rules-for-developers-to.html
https://www.zdnet.com/article/developers-have-new-apple-app-store-rules-to-follow/
How Android Malware Slips onto Google Play Store
The Google Cloud security team has described a technique called versioning that malicious actors use to bypass the Google Play Store’s review process and security controls and slip malware onto Android devices. The apps delivered this way mainly target users’ credentials, data and finances.
How it works:
In the first stage, the developer publishes the app on the Play Store. Since the app does not yet contain any malicious component, it passes Google’s checks.
Once the checks are passed, the second stage kicks in: the app receives an update that fetches and executes code from a third-party server (controlled by the attacker) using dynamic code loading (DCL), so the malicious payload itself never goes through Play review. Google Play policy already prohibits an app from updating itself by any means other than Play, or from downloading executable code (dex, JAR, .so files) from a source other than Play, which is why DCL from an external server is the signal to look for. SharkBot is one example. It is a financial trojan that initiates unauthorized money transfers from compromised devices using the Automatic Transfer System (ATS) technique.
Graphical representation:
https://thehackernews.com/2023/08/malicious-apps-use-sneaky-versioning.html
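What follows is an added example, not Google’s code, of a first-pass triage for the versioning pattern described above: given the string table a disassembler pulls from an APK’s classes.dex, it looks for the loader classes that can execute code that was not in the reviewed package, and for off-Play URLs pointing at payload files. The two input lists are constructed, and the .invalid domain is a placeholder. A loader alone only earns "review" (legitimate plugin frameworks use DexClassLoader too); a loader plus a remote payload URL is the combination that matches versioning. This is string-level triage only, and an app that builds its URLs at runtime or unpacks the payload from an encrypted asset will not be caught by it.

```python
# Added example, not Google's code: string-level triage for the dynamic
# code loading (DCL) pattern behind "versioning". Input is the string table
# a disassembler would pull from classes.dex; samples below are constructed.
from urllib.parse import urlsplit

# Smali-style references to loaders that can run code absent from the reviewed APK.
DCL_LOADERS = (
    "Ldalvik/system/DexClassLoader;",
    "Ldalvik/system/InMemoryDexClassLoader;",
    "Ldalvik/system/BaseDexClassLoader;",
    "Ljava/lang/System;->load(",   # native library loaded by explicit path
)
PAYLOAD_EXTENSIONS = (".dex", ".jar", ".apk", ".so", ".zip")


def triage_dex_strings(strings: list[str]) -> tuple[str, dict[str, list[str]]]:
    """Return (verdict, findings). Verdict is 'clean', 'review' or
    'likely-remote-dcl'."""
    loaders = sorted(s for s in strings if s.startswith(DCL_LOADERS))
    payload_urls = []
    for s in strings:
        parts = urlsplit(s)
        if parts.scheme in ("http", "https") and parts.path.lower().endswith(PAYLOAD_EXTENSIONS):
            payload_urls.append(s)
    findings = {"loaders": loaders, "payload_urls": sorted(payload_urls)}
    if loaders and payload_urls:
        verdict = "likely-remote-dcl"      # loader + remote code file: versioning pattern
    elif loaders or payload_urls:
        verdict = "review"                 # one half of the pattern; needs a human
    else:
        verdict = "clean"
    return verdict, findings


# Constructed: an ordinary banking client that only talks JSON to its API.
CLEAN_APP = [
    "Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V",
    "https://api.example.invalid/v1/balance",
    "Lokhttp3/OkHttpClient;",
]

# Constructed: the same app after a "versioning" update that pulls a dex file.
VERSIONED_APP = [
    "Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V",
    "https://cdn.example.invalid/updates/core-2.1.dex",
    "Ldalvik/system/DexClassLoader;-><init>(Ljava/lang/String;Ljava/lang/String;"
    "Ljava/lang/String;Ljava/lang/ClassLoader;)V",
    "Ljava/lang/ClassLoader;->loadClass(Ljava/lang/String;)Ljava/lang/Class;",
]

if __name__ == "__main__":
    for name, table in (("clean", CLEAN_APP), ("versioned", VERSIONED_APP)):
        verdict, findings = triage_dex_strings(table)
        print(f"{name}: {verdict} {findings}")
```

In a real pipeline the string table comes from the update, not the originally reviewed build, because the whole point of versioning is that the first upload is clean; diffing the findings between consecutive versions of the same package is what surfaces the change.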
CISA Cybersecurity Advisory on Preventing Web Application Access Control Abuse & 2022 Top Routinely Exploited Vulnerabilities.
The Australian Signals Directorate’s Australian Cyber Security Centre, the U.S. Cybersecurity and Infrastructure Security Agency, and the U.S. National Security Agency have released a joint Cybersecurity Advisory to warn vendors, designers and developers of web applications, and organisations using web applications, about insecure direct object reference (IDOR) vulnerabilities.
IDOR vulnerabilities are access control vulnerabilities enabling malicious actors to modify or delete data or access sensitive data by issuing requests to a website or a web API specifying the user identifier of other, valid users. These requests succeed where there is a failure to perform adequate authentication and authorization checks.
Explaining IDOR further, the advisory distinguishes four kinds:
- Horizontal IDOR vulnerabilities occur when a user can access data that they should not be able to access at the same privilege level (e.g., other user’s data).
- Vertical IDOR vulnerabilities occur when a user can access data that they should not be able to access because the data requires a higher privilege level.
- Object-level IDOR vulnerabilities occur when a user can modify or delete an object that they should not be able to modify or delete.
- Function-level IDOR vulnerabilities occur when a user can access a function or action that they should not be able to access.
IDOR vulnerabilities have resulted in the compromise of personal, financial, and health information of millions of users and consumers. Hence, the advisory encourages vendors and organisations to implement the mitigations, along with the additional steps it lists.
Some of the mitigations provided in the advisory: use indirect reference maps; configure applications to deny access by default and ensure the application performs authentication and authorization checks for every request to modify, delete or access sensitive data; use CAPTCHA to limit automated invalid user requests where feasible; and use memory-safe programming languages where possible. Note that CAPTCHAs and rate limits only slow down enumeration of identifiers; the server-side ownership and authorization check on every request is the control that actually closes an IDOR.
I would highly recommend reading every detail of the advisory and taking the necessary steps to prevent web application access control abuse.
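To make the advisory’s classification and mitigations concrete, here is an added example (not from the advisory) in plain Python: a minimal invoice lookup with a horizontal IDOR, beside a hardened version that denies by default, authorizes the object on every request, applies a role check to the delete function, and hands out per-user indirect references instead of internal ids. Plain functions stand in for HTTP handlers, the session user is assumed to have been authenticated already, and the invoice data and user roles are constructed.

```python
# Added example, not from the advisory: a horizontal IDOR beside hardened
# handlers that deny by default, check ownership and role on every request,
# and expose indirect references. Constructed data; functions stand in for
# HTTP handlers and session_user is assumed to be already authenticated.
import secrets
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised for any request the caller is not allowed to make."""


@dataclass
class Invoice:
    owner: str
    amount: float


# Sequential internal ids: exactly what an attacker walks through with
# requests like GET /invoices/1001, /invoices/1002, ...
INVOICES = {
    1001: Invoice(owner="alice", amount=120.00),
    1002: Invoice(owner="bob", amount=75.50),
}
ROLES = {"alice": "user", "bob": "user", "carol": "admin"}


# --- Vulnerable: the id in the request is trusted as-is (horizontal IDOR) ---
def get_invoice_vulnerable(session_user: str, invoice_id: int) -> Invoice:
    # The session proves who the caller is, but nothing ties the caller to
    # the record: bob can request 1001 and read alice's invoice.
    return INVOICES[invoice_id]


# --- Hardened: deny by default, authorize the object on every request ---
def get_invoice(session_user: str, invoice_id: int) -> Invoice:
    inv = INVOICES.get(invoice_id)
    # Same error for "missing" and "not yours", so the response is not an
    # oracle that tells an attacker which ids exist.
    if inv is None or inv.owner != session_user:
        raise Forbidden("invoice not found")
    return inv


def delete_invoice(session_user: str, invoice_id: int) -> None:
    # Function-level check first: deleting is an admin action regardless of
    # the id (omitting it is the advisory's vertical / function-level IDOR).
    if ROLES.get(session_user) != "admin":
        raise Forbidden("admin role required")
    if invoice_id not in INVOICES:
        raise Forbidden("invoice not found")
    del INVOICES[invoice_id]


# --- Indirect reference map: per-user opaque handles instead of raw ids ---
class ReferenceMap:
    """Maps (user, opaque handle) -> internal id. A handle minted for alice is
    meaningless for bob, so guessing or replaying handles across users fails."""

    def __init__(self) -> None:
        self._handles: dict[tuple[str, str], int] = {}

    def handle_for(self, user: str, internal_id: int) -> str:
        handle = secrets.token_urlsafe(16)
        self._handles[(user, handle)] = internal_id
        return handle

    def resolve(self, user: str, handle: str) -> int:
        try:
            return self._handles[(user, handle)]
        except KeyError:
            raise Forbidden("invoice not found") from None


def list_invoice_handles(refs: ReferenceMap, session_user: str) -> dict[str, float]:
    """What the hardened API returns to a user: handles, never internal ids."""
    return {refs.handle_for(session_user, iid): inv.amount
            for iid, inv in INVOICES.items() if inv.owner == session_user}


def get_invoice_by_handle(refs: ReferenceMap, session_user: str, handle: str) -> Invoice:
    internal_id = refs.resolve(session_user, handle)
    # Defence in depth: the map hides ids, the ownership check is still done.
    return get_invoice(session_user, internal_id)


def is_denied(fn, *args) -> bool:
    """Helper: True if the call is rejected with Forbidden."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable, bob reads 1001:", get_invoice_vulnerable("bob", 1001))
    print("hardened, bob reads 1001 denied:", is_denied(get_invoice, "bob", 1001))
    refs = ReferenceMap()
    handle = next(iter(list_invoice_handles(refs, "alice")))
    print("alice via handle:", get_invoice_by_handle(refs, "alice", handle))
    print("bob replaying alice's handle denied:", is_denied(get_invoice_by_handle, refs, "bob", handle))
```

The reference map on its own is not the fix: it stops an attacker from guessing ids, but a handle leaked from alice’s session would still resolve if the server skipped the ownership check, which is why get_invoice_by_handle resolves the handle and then runs the same check as the direct path.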
There is another cybersecurity advisory, on the 2022 Top Routinely Exploited Vulnerabilities. This advisory is coauthored by the US Cybersecurity and Infrastructure Security Agency, US National Security Agency, US Federal Bureau of Investigation, Australian Signals Directorate’s Australian Cyber Security Centre, Canadian Centre for Cyber Security, New Zealand National Cyber Security Centre (NCSC-NZ), Computer Emergency Response Team New Zealand, and the UK’s National Cyber Security Centre. To reduce the risk of compromise by malicious cyber actors, the advisory strongly encourages vendors, designers, developers, and end-user organizations to implement the recommendations found in its Mitigations section.
List of Top Routinely Exploited Vulnerabilities
- CVE-2018-13379. This vulnerability, affecting Fortinet SSL VPNs, was also routinely exploited in 2020 and 2021. The continued exploitation indicates that many organizations failed to patch software in a timely manner and remain vulnerable to malicious cyber actors.
- CVE-2021-34473, CVE-2021-31207, CVE-2021-34523. These vulnerabilities, known as ProxyShell, affect Microsoft Exchange email servers. In combination, successful exploitation enables a remote actor to execute arbitrary code. These vulnerabilities reside within the Microsoft Client Access Service (CAS), which typically runs on port 443 in Microsoft Internet Information Services (IIS) (e.g., Microsoft’s web server). CAS is commonly exposed to the internet to enable users to access their email via mobile devices and web browsers.
- CVE-2021-40539. This vulnerability enables unauthenticated remote code execution (RCE) in Zoho ManageEngine ADSelfService Plus and was linked to the usage of an outdated third-party dependency. Initial exploitation of this vulnerability began in late 2021 and continued throughout 2022.
- CVE-2021-26084. This vulnerability, affecting Atlassian Confluence Server and Data Center (a web-based collaboration tool used by governments and private companies) could enable an unauthenticated cyber actor to execute arbitrary code on vulnerable systems. This vulnerability quickly became one of the most routinely exploited vulnerabilities after a PoC was released within a week of its disclosure. Attempted mass exploitation of this vulnerability was observed in September 2021.
- CVE-2021-44228. This vulnerability, known as Log4Shell, affects Apache’s Log4j library, an open-source logging framework incorporated into thousands of products worldwide. An actor can exploit this vulnerability by submitting a specially crafted request to a vulnerable system, causing the execution of arbitrary code. The request allows a cyber actor to take full control of a system. The actor can then steal information, launch ransomware, or conduct other malicious activity.[1] Malicious cyber actors began exploiting the vulnerability after it was publicly disclosed in December 2021, and continued to show high interest in CVE-2021-44228 through the first half of 2022.
- CVE-2022-22954, CVE-2022-22960. These vulnerabilities allow RCE, privilege escalation, and authentication bypass in VMware Workspace ONE Access, Identity Manager, and other VMware products. A malicious cyber actor with network access could trigger a server-side template injection that may result in remote code execution. Exploitation of CVE-2022-22954 and CVE-2022-22960 began in early 2022 and attempts continued throughout the remainder of the year.
- CVE-2022-1388. This vulnerability allows unauthenticated malicious cyber actors to bypass iControl REST authentication on F5 BIG-IP application delivery and security software.
- CVE-2022-30190. This vulnerability impacts the Microsoft Support Diagnostic Tool (MSDT) in Windows. A remote, unauthenticated cyber actor could exploit this vulnerability to take control of an affected system.
- CVE-2022-26134. This critical RCE vulnerability affects Atlassian Confluence Server and Data Center. The vulnerability, which was likely initially exploited as a zero-day before public disclosure in June 2022, is related to an older Confluence vulnerability (CVE-2021-26084), which cyber actors also exploited in 2022.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-208a
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a
F5 - Aug 2nd QSN
F5 customers, please note that in the Aug 2nd QSN (https://my.f5.com/manage/s/article/K12201527) F5 published seven vulnerabilities: three of high severity and four of medium severity. For more information, see K000135479: Overview of F5 vulnerabilities (August 2023), https://my.f5.com/manage/s/article/K000135479
The Play Store exploit seems like a very simple case to have thought about up front. In my role, as a community manager, this same functional "exploit" (for SPAM and SPAM-dexing) has been around, perhaps, since forever.
Thanks for reminding us all to have a #securityMindset.