Malware-laden Google Play apps, a Russian hijack of cloud storage services, and “flaws” that aren’t really flaws in the Okta platform all made for interesting security research this month.

While summer may be vacation season, criminals never take a day off. Researchers are also always busy following their methods and digging into their possible paths to exploitation. Here are a few interesting research initiatives making headlines this month.

Fake Android apps keep popping up in Google Play

When folks download mobile applications from a trusted app source, the obvious expectation is that the apps will be safe to use. Unfortunately, that is not always the case.

While it is not a new issue, recent findings from both Zscaler ThreatLabz and Pradeo reveal that malware-laden Android apps in Google’s app store—Google Play—continue to be a problem. The latest findings point to multiple instances of apps carrying the Joker, Facestealer, and Coper malware families in the marketplace.

“Joker is one of the most prominent malware families targeting Android devices,” Zscaler researchers Viral Gandhi and Himanshu Sharma said in their report on the findings. “Despite public awareness of this particular malware, it keeps finding its way into Google’s official app store by regularly modifying the malware’s trace signatures including updates to the code, execution methods, and payload-retrieving techniques.”

Researchers immediately contacted Google, which has taken steps to remove the malicious apps. Some were surprised that the problem keeps turning up.

“I truly do not understand how a company as large as Google and operating the #PlayStore could continue to allow this widescale #malware distribution. You would think that instantly these things would be scanned, if they are pointing to a Dropbox or G-drive, that will pull down a payload,” shared Aaron Lax (@MAST3R0x1A4), a system administrator, cybersecurity analyst, pentester and developer, on both Twitter and LinkedIn.

Cloud storage services serve as malware conduit

Not a great month for Google products and security, as another set of researchers found that a well-known Russian-backed hacking group is using Google Drive, as well as Dropbox, in recent advanced persistent threat (APT) attacks. Researchers at Palo Alto Networks’ Unit 42 say the group, known by several names including Cloaked Ursa, APT29, Nobelium and Cozy Bear, “demonstrate sophistication and the ability to rapidly integrate popular cloud storage services to avoid detection.”

“The use of trusted, legitimate cloud services isn’t entirely new to this group,” the researchers said in a blog on the findings. “Extending this trend, we have discovered that their two most recent campaigns leveraged Google Drive cloud storage services for the first time. The ubiquitous nature of Google Drive cloud storage services—combined with the trust that millions of customers worldwide have in them—make their inclusion in this APT’s malware delivery process exceptionally concerning.”

The hacking group has been linked to other big attack campaigns in the last several years: the Democratic National Committee (DNC) hack in 2016 has been attributed to the group, as has the SolarWinds supply chain compromise in 2020.

Cybersecurity and awareness services provider Richard Freiberg (@richfreiberg) noted that the storage tools’ pervasiveness and popularity make them easy for hackers to use. “Using Google Drive & Dropbox is a low-cost way to leverage trusted applications. You can easily get Google accounts for free and use that to collect information and host malware,” he tweeted about the news.

Researchers uncover issues—but not flaws—in Okta

New research from cloud identity and access security provider Authomize is an interesting twist on the usual vulnerability disclosure story. That’s because Authomize released findings that it says uncover a number of “high impact security risks” in identity provider Okta’s platform. These issues have the potential to expose customers to password theft and impersonation, the company says. Authomize CTO and cofounder Gal Diskin (@gal_diskin) tweeted a long thread with details of the research, starting with: “New security research: #PassBleed: How to get @okta *master passwords* in *clear text* for *all employees* and several other important findings Why care? Because compromise in your IdP is *game over* for your security.”

Specifically, according to a blog from Authomize, its researchers claim the risks at issue include:

- Clear text password extraction via SCIM;
- Sharing of passwords and sensitive data over unencrypted channels (HTTP);
- Hub & spoke configuration that allows sub-org admins to compromise accounts in the hub or other spokes downstream;
- Mutable identity log spoofing.

But in a response blog post, Arnab Bose, SVP of product management at Okta, said the company had looked into the claims and did not consider them to be bugs. “After a thorough review, our internal product and security teams affirmed that the areas of concern highlighted are not vulnerabilities.” With that in mind, the company offered a number of recommendations, specific to the configuration of the tool within an organization, to help customers use Okta securely.

Authomize then offered its own clarification on Okta’s response and, in a blog, stated that while they may not be flaws, they are inherent security risks, and are perhaps part of Okta’s operational risk assessment.

“From my POV, the answer for Okta, and every IAM solution out there, here is pretty clear. They are going to choose making a product that will allow their customers to do more, even if it increases risk. And that is probably the right way forward.”