Curated commentary; timely topics

"Joker is one of the most prominent malware families targeting Android devices," Zscaler researchers Viral Gandhi and Himanshu Sharma said in their report on the findings. "Despite public awareness of this particular malware, it keeps finding its way into Google's official app store by regularly modifying the malware's trace signatures including updates to the code, execution methods, and payload-retrieving techniques."

Researchers immediately contacted Google, which has taken steps to remove the malicious apps. Some were surprised that the problem keeps turning up.

“I truly do not understand how a company as large as Google and operating the #PlayStore could continue to allow this widescale #malware distribution. You would think that instantly these things would be scanned, if they are pointing to a Dropbox or G-drive, that will pull down a payload,” shared Aaron Lax (@MAST3R0x1A4), a system administrator, cybersecurity analyst, pentester & developer on both Twitter and LinkedIn.


Cloud storage services serve as malware conduit

Not a great month for Google products and security, as another set of researchers found that a well-known Russian-backed hacking group is using Google Drive, as well as Dropbox, in recent advanced persistent threat (APT) attacks. Researchers at Palo Alto Networks’ Unit 42 say the group, known by several names, including Cloaked Ursa, APT29, Nobelium and Cozy Bear, “demonstrate sophistication and the ability to rapidly integrate popular cloud storage services to avoid detection.”

“The use of trusted, legitimate cloud services isn't entirely new to this group,” the researchers said in a blog on the findings. “Extending this trend, we have discovered that their two most recent campaigns leveraged Google Drive cloud storage services for the first time. The ubiquitous nature of Google Drive cloud storage services—combined with the trust that millions of customers worldwide have in them—make their inclusion in this APT’s malware delivery process exceptionally concerning.”

The hacking group has been linked to other big attack campaigns in the last several years: the Democratic National Committee (DNC) hack in 2016 has been attributed to the group, as has the SolarWinds supply chain compromise in 2020.

Cybersecurity and awareness services provider Richard Freiberg (@richfreiberg) noted the storage tools’ pervasiveness and popularity make them easy for hackers to use.

“Using Google Drive & Dropbox is a low-cost way to leverage trusted applications. You can easily get Google accounts for free and use that to collect information and host malware,” he tweeted about the news.


Researchers uncover issues—but not flaws—in Okta

New research from cloud identity and access security provider Authomize is an interesting twist on the usual vulnerability disclosure story that we typically see. That’s because Authomize released findings that they say uncover a number of “high impact security risks” in identity provider Okta’s platform. These issues have the potential to expose customers to password theft and impersonation, they say.

Authomize CTO and cofounder Gal Diskin (@gal_diskin) tweeted a long thread with details of the research, starting with: “New security research: #PassBleed: How to get @okta *master passwords* in *clear text* for *all employees* and several other important findings. Why care? Because compromise in your IdP is *game over* for your security.”

Specifically, according to a blog from Authomize, their researchers claim the risks at issue include:

  1. Clear text password extraction via SCIM;
  2. Sharing of passwords and sensitive data over unencrypted channels (HTTP);
  3. Hub & spoke configuration that allows sub-org admins to compromise accounts in the hub or other spokes downstream;
  4. Mutable identity log spoofing.


But in a response blog post, Arnab Bose, SVP of product management at Okta, said the company had looked into the claims and did not consider them to be bugs.

“After a thorough review, our internal product and security teams affirmed that the areas of concern highlighted are not vulnerabilities.”

With that in mind, the company offered a number of recommendations, specific to how the tool is configured within an organization, to help customers use Okta securely.

Authomize then offered its own clarification on Okta’s response and, in a blog, stated that while the issues may not be flaws, they are inherent security risks, and are perhaps part of Okta’s operational risk assessment.

“From my POV, the answer for Okta, and every IAM solution out there, here is pretty clear. They are going to choose making a product that will allow their customers to do more, even if it increases risk. And that is probably the right way forward.”


More in security news:

GPS trackers used for vehicle fleet management can be hijacked by hackers

At least one model of GPS tracking devices made by Chinese firm MiCODUS "lacks basic security protections needed to protect users from serious security issues."

Office 365 phishing campaign that can bypass MFA targets 10,000 organizations

The phishing web pages that this adversary-in-the-middle phishing campaign uses act as a proxy and pull content from the legitimate Office 365 login page.

New speculative execution attack Retbleed impacts Intel and AMD CPUs

Unlike other speculative execution attacks like Spectre, Retbleed exploits return instructions rather than indirect jumps or calls.

About the Author
Joan Goodchild is a veteran writer and editor with 20+ years of experience. She writes about information security and strategy and is the former editor in chief of CSO.

©2022 IDG Communications, Inc.