Google announced they have prevented 2.28 million policy-violating apps from being published in the official Google Play.

Google announced that in 2023, they have prevented 2.28 million policy-violating apps from being published on Google Play. This amazing result was possible thanks to the introduction of enhanced security features, policy updates, and advanced machine learning and app review processes.

Additionally, Google Play strengthened its developer onboarding and review procedures, requesting a more accurate identification during account setup. These efforts resulted in the ban of 333,000 accounts for confirmed malware and repeated severe policy breaches.

Google also rejected or remediated approximately 200K app submissions to ensure proper use of sensitive permissions such as background location or SMS access. Google has closely worked with SDK providers to protect users’ privacy and prevent sensitive data access and sharing. Over 31 SDKs have enhanced their posture impacting 790K+ apps.

“We also significantly expanded the Google Play SDK Index, which now covers the SDKs used in almost 6 million apps across the Android ecosystem.” states Google. “This valuable resource helps developers make better SDK choices, boosts app quality and minimizes integration risks.”

Google continues to work on improving the Android environment. In November, 2023, it moved the App Defense Alliance (ADA) under the umbrella of the Linux Foundation, with Meta, Microsoft, and Google as founding steering members. The Alliance encourages widespread adoption of best practices and guidelines for app security across the industry, while also developing countermeasures to address emerging security threats.

Google enhanced Google Play Protect’s security capabilities to provide stronger protection for users installing apps from outside the Play Store. The company implemented real-time scanning at the code-level to detect new malicious apps. The company revealed that this measure has already identified over 5 million new malicious apps outside of the Play Store, enhancing Android users’ global security.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, Google Play)

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-04-22 to 2024-04-29.

News

• Trusted Signing is in Public Preview - Code sign your payloads with Microsoft? Note that your company will need "3 years of tax history" to use the service.
• Multi-tenant organization capabilities now available in Microsoft 365 - This is AD forests for Entra ID with the ability to connect single tenants together. Let the games begin!
• HashiCorp joins IBM to accelerate multi-cloud automation - HashiCorp joins IBM. This comes on the heels of their license changes for Terraform and Vault. 🤔
• FTC Says Ring Employees Illegally Surveilled Customers, Failed to Stop Hackers from Taking Control of Users' Cameras - The FTC charged Ring with privacy violations, including unauthorized employee access to customer videos and inadequate security measures, leading to a proposed order requiring Ring to improve privacy protocols and pay $5.8 million in refunds. Consider using home assistant and Frigate NVR to keep all your security camera footage local.
• FTC Announces Rule Banning Noncompetes - This likely affects many technology workers in the US.
• Google Lays off the Python Team? - It seems they are moving the Python team to Germany? Unclear what the motivations were for these actions.
• How G.M. Tricked Millions of Drivers Into Being Spied On (Including Me) - Another blatant privacy violation that will probably go unpunished.

Techniques and Write-ups

• Hello: I'm your Domain Admin and I want to authenticate against you - A method for exploiting default Distributed COM permissions on DCs to intercept and relay the authentication of users, leading to privilege escalation and RCE (maybe) by leveraging "SilverPotato."
• ETW-ByeBye: Disabling ETW-TI Without PPL - A vulnerability that allows disabling ETW-TI (Event Tracing for Windows Threat Intelligence) logging without Protected Process Light (PPL) requirements, using SeDebug or SeTcb privileges on certain Windows versions. PoC code and detection guidance is provided. Note: this only works on Windows 10, Windows 11 patched this bug.
• JA4T: TCP Fingerprinting - JA4 scanner released. Certainly worth adding to your recon worfklow and automation.
• NetNTLM is still a thing? - Yes. Yes it is. This post gives a good recap of how you can still relay NetNTLM via various methods. Details some less common techniques like leveraging HTTP.SYS for setting up a listener without admin privileges, bypassing the Windows firewall, and using SSH for port forwarding to relay. You aren't checking emails or doing day to day activities with a highly privileged account, right?
• Adversaries sometimes compute gradients. Other times, they rob you. This blog post discusses the concept of an "adversary flywheel," which involves attackers using data science to adapt and optimize their methods based on defensive responses, enhancing their ability to exploit security vulnerabilities efficiently.
• Not the Access You Asked For: How Azure Storage Account Read/Write Permissions Can Be Abused for Privilege Escalation and Lateral Movement This post discusses unexpected techniques that allow an Azure user with Storage Account permissions to abuse them for privilege escalation and lateral movement. Grab the tool: Find-SensitiveAzStorageAccounts.
• Loading DLLs Reflections - Simple article discussing reflective DLL loading to load a DLL into memory without it being written to disk.
• Nemesis 1.0.0 - "...from host modeling, to a streamlined installation process, dashboard improvements, and more!"
• Offensive SaaS Security - Exfiltrating Cleartext Credentials via LogonUserW Hooking - This post details a technique exploiting IAM providers like Azure AD, Okta, and OneLogin using LogonUserW hooking to capture cleartext credentials and insert backdoors in authentication flows.
• Arbitrary 1-click Azure tenant takeover via MS application - Blog post on how reply URLs in Azure Applications can be used as a vector for phishing. The impact of this can range from data leaks to complete tenant takeover; just by luring a victim into clicking on a link. Another disappointing bug bounty case unfortunately.
• Laundering C2 Traffic by FuzzySecurity Good recap of using high-reputation services as your C2 channel.
• Exploiting the NT Kernel in 24H2: New Bugs in Old Code & Side Channels Against KASLR - The kernel address space layout randomization (KASLR) cat and mouse game heats up with a bypass for the new Windows 11 24H2 hardened kernel.
• So I Became a Node: Exploiting Bootstrap Tokens in Azure Kubernetes Service - What can you do if you retrieve a Kubernetes bootstrap token from an AKS pod? This post explore the bootstrap tokens, how they work, and how to exploit them.
• CVE-2024-21111 - Local Privilege Escalation in Oracle VirtualBox - An arbitrary file move vulnerability in the VirtualBox system service service can facilitate privilege escalation on a Windows host.
• How to Crack the Perfect Egg - Some great password cracking methodology.

Tools and Exploits

• GoogleRecaptchaBypass - Solve Google reCAPTCHA in less than 5 seconds! 🚀
• ASPJinjaObfuscator - Heavily obfuscated ASP web shell generation tool.
• ja4tscan - JA4TScan is an active TCP server fingerprinting tool.
• tiny-gpu - A minimal GPU design in Verilog to learn how GPUs work from the ground up.
• AutoAppDomainHijack - Automated .NET AppDomain hijack payload generation.
• ReadWriteDriverSample - Sample driver + user component to demonstrate writing into arbitrary process memory from Kernel via CR3 manipulation (opposed to the usual KeStackAttachProcess API).
• PartyLoader - Threadless shellcode injection tool.
• 24h2-nt-exploit - Exploit targeting NT kernel in 24H2 Windows Insider Preview.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

• ics-forensics-tools - Microsoft ICSpector (ICS Forensics Tools framework) is an open-source forensics framework that enables the analysis of Industrial PLC metadata and project files.
• Evidence Collection Environment - This environment is intended to be useful for when you have multiple investigators or external parties adding data for evaluation. Some key features (hopefully) implemented in this setup leverage the Azure Storage legal hold, Azure Storage analytics logging for validation of access by which parties, Azure Key Vault logging with the logs going to a Log Analytics workspace in the resource group.
• DLHell - Local & remote Windows DLL Proxying.
• MS-DOS - The original sources of MS-DOS 1.25, 2.0, and 4.0 for reference purposes.
• cdncheck - A utility to detect various technology for a given IP address.
• CloudInject - This is a simple tool which can be used to inject a DLL into third-party AD connectors to harvest credentials.

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.

The U.S. Federal Communications Commission (FCC) today levied fines totaling nearly $200 million against the four major carriers — including AT&T, Sprint, T-Mobile and Verizon — for illegally sharing access to customers’ location information without consent.

The fines mark the culmination of a more than four-year investigation into the actions of the major carriers. In February 2020, the FCC put all four wireless providers on notice that their practices of sharing access to customer location data were likely violating the law.

The FCC said it found the carriers each sold access to its customers’ location information to ‘aggregators,’ who then resold access to the information to third-party location-based service providers.

“In doing so, each carrier attempted to offload its obligations to obtain customer consent onto downstream recipients of location information, which in many instances meant that no valid customer consent was obtained,” an FCC statement on the action reads. “This initial failure was compounded when, after becoming aware that their safeguards were ineffective, the carriers continued to sell access to location information without taking reasonable measures to protect it from unauthorized access.”

The FCC’s findings against AT&T, for example, show that AT&T sold customer location data directly or indirectly to at least 88 third-party entities. The FCC found Verizon sold access to customer location data (indirectly or directly) to 67 third-party entities. Location data for Sprint customers found its way to 86 third-party entities, and to 75 third-parties in the case of T-Mobile customers.

The commission said it took action after Sen. Ron Wyden (D-Ore.) sent a letter to the FCC detailing how a company called Securus Technologies had been selling location data on customers of virtually any major mobile provider to law enforcement officials.

That same month, KrebsOnSecurity broke the news that LocationSmart — a data aggregation firm working with the major wireless carriers — had a free, unsecured demo of its service online that anyone could abuse to find the near-exact location of virtually any mobile phone in North America.

The carriers promised to “wind down” location data sharing agreements with third-party companies. But in 2019, reporting at Vice.com showed that little had changed, detailing how reporters were able to locate a test phone after paying $300 to a bounty hunter who simply bought the data through a little-known third-party service.

Sen. Wyden said no one who signed up for a cell plan thought they were giving permission for their phone company to sell a detailed record of their movements to anyone with a credit card.

“I applaud the FCC for following through on my investigation and holding these companies accountable for putting customers’ lives and privacy at risk,” Wyden said in a statement today.

The FCC fined Sprint and T-Mobile $12 million and $80 million respectively. AT&T was fined more than $57 million, while Verizon received a $47 million penalty. Still, these fines represent a tiny fraction of each carrier’s annual revenues. For example, $47 million is less than one percent of Verizon’s total wireless service revenue in 2023, which was nearly $77 billion.

The fine amounts vary because they were calculated based in part on the number of days that the carriers continued sharing customer location data after being notified that doing so was illegal (the agency also considered the number of active third-party location data sharing agreements). The FCC notes that AT&T and Verizon each took more than 320 days from the publication of the Times story to wind down their data sharing agreements; T-Mobile took 275 days; Sprint kept sharing customer location data for 386 days.

Update, 6:25 p.m. ET: Clarified that the FCC launched its investigation at the request of Sen. Wyden.

The U.K. National Cyber Security Centre (NCSC) is calling on manufacturers of smart devices to comply with new legislation that prohibits them from using default passwords, effective April 29, 2024. "The law, known as the Product Security and Telecommunications Infrastructure act (or PSTI act), will help consumers to choose smart devices that have been designed to

The Federal Communications Commission (FCC) fined the largest U.S. wireless carriers $200 million for sharing customers’ real-time location data without consent.

The FCC has fined four major U.S. wireless carriers nearly $200 million for unlawfully selling access to real-time location data of their customers without consent. The fines come as a result of the Notices of Apparent Liability (NAL) issued by the FCC against AT&T, Sprint, T-Mobile, and Verizon in February 2020.

T-Mobile is facing a proposed fine exceeding $91 million, while AT&T is looking at one over $57 million. Verizon, on the other hand, faces a proposed fine exceeding $48 million, and Sprint faces a proposed fine of more than $12 million due to the actions taken by the FCC.

“The Federal Communications Commission today proposed fines against the nation’s four largest wireless carriers for apparently selling access to their customers’ location information without taking reasonable measures to protect against unauthorized access to that information.” reads the announcement published by FCC. “As a result, T-Mobile faces a proposed fine of more than $91 million; AT&T faces a proposed fine of more than $57 million; Verizon faces a proposed fine of more than $48 million; and Sprint faces a proposed fine of more than $12 million. The FCC also admonished these carriers for apparently disclosing their customers’ location information, without their authorization, to a third party.”

The FCC’s Enforcement Bureau launched an investigation after Missouri Sheriff Cory Hutcheson misused a “location-finding service” provided by Securus, a communications service provider for correctional facilities, to access the location data of wireless carrier customers without their consent from 2014 to 2017. Hutcheson allegedly provided irrelevant documents, such as health insurance and auto insurance policies, along with pages from sheriff training manuals, as evidence of authorization to access the data.

FCC added that the carriers continued to sell access to the customers’ location information and did not sufficiently guard it from further unauthorized access even after discovering irregular procedures.

All four carriers condemned the FCC’s decision and announced they would appeal it.

The Communications Act mandates that telecommunications carriers safeguard the confidentiality of specific customer data, including location information, about telecommunications services. Carriers must adopt reasonable measures to prevent unauthorized access to customer data. Furthermore, carriers or their representatives must typically secure explicit consent from customers before utilizing, disclosing, or permitting access to such data. Carriers bear responsibility for the actions of their representatives in this regard.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, Federal Communications Commission)

The UK National Cyber Security Centre (NCSC) orders smart device manufacturers to ban default passwords starting from April 29, 2024.

The U.K. National Cyber Security Centre (NCSC) is urging manufacturers of smart devices to comply with new legislation that bans default passwords.

The law, known as the Product Security and Telecommunications Infrastructure act (or PSTI act), will be effective on April 29, 2024.

“From 29 April 2024, manufacturers of consumer ‘smart’ devices must comply with new UK law.” reads the announcement published by NCSC. “The law, known as the Product Security and Telecommunications Infrastructure act (or PSTI act), will help consumers to choose smart devices that have been designed to provide ongoing protection against cyber attacks.”

The U.K. is the first country in the world to ban default credentia from IoT devices.

The law prohibits manufacturers from supplying devices with default passwords, which are easily accessible online and can be shared.

The law applies to the following products:

• Smart speakers, smart TVs, and streaming devices
• Smart doorbells, baby monitors, and security cameras
• Cellular tablets, smartphones, and game consoles
• Wearable fitness trackers (including smart watches)
• Smart domestic appliances (such as light bulbs, plugs, kettles, thermostats, ovens, fridges, cleaners, and washing machines)

Threat actors could use them to access a local network or launch cyber attacks.

Manufacturers are obliged to designate a contact point for reporting security issues and must specify the minimum duration for which the device will receive crucial security updates.

The NCSC clarified that the PSTI act also applies to organizations importing or retailing products for the UK market, including most smart devices manufactured outside the UK. Manufacturers that don’t comply with the act will be punished with fines of up to £10 million or 4% of qualifying worldwide revenue.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, smart device manufacturers)

The U.S. government has unveiled new security guidelines aimed at bolstering critical infrastructure against artificial intelligence (AI)-related threats. "These guidelines are informed by the whole-of-government effort to assess AI risks across all sixteen critical infrastructure sectors, and address threats both to and from, and involving AI systems," the Department of Homeland Security (DHS)&