Daily Digest (12/7)

Google Play apps still vulnerable to major flaw; IBM: Global phishing campaign targets COVID vaccine distribution; 113,000 Alaskan voter IDs exposed in breach; Trump signs order on AI use

Google Play Apps Still Vulnerable to High-Severity Flaw, Researchers Say

Researchers warned last week that several popular Google Play apps have failed to introduce an important update addressing a high-severity vulnerability.

The vulnerability was found in the Google Play Core Library, utilized by several popular applications — including Google Chrome, Facebook and Instagram, Threatpost reports. 

The library acts as a gateway for apps to interact with Google Play services, allowing developers to carry out various processes for app development, which include dynamic code-loading, delivering locale-specific resources and interacting with Google Play’s review mechanisms.

The weakness was discovered in  SplitCompat.install, which allowed untrusted sources to copy files to a folder for the trusted code of Google Play.

Google confirmed that it had patched the flaw in April, but some developers still had not incorporated the fix in their applications, according to a report from Check Point Researchers last Thursday. 

“Unlike server-side vulnerabilities, where the vulnerability is patched completely once the patch is applied to the server, for client-side vulnerabilities, each developer needs to grab the latest version of the library and insert it into the application,” said Aviran Hazum and Jonathan Shimonovich, two Check Point security researchers.

“Prior to this publication, we have notified all apps about the vulnerability and the need to update the version of the library, in order not to be affected,” they told Threatpost.

Sources (all links external): 

IBM: Global Phishing Campaign Targets COVID Vaccine Distribution

A global phishing campaign since September has targeted organizations associated with the distribution of COVID-19 vaccines, IBM security researchers said last week.

Analysts Claire Zaboeva and Melissa Frydrych of IBM X-Force IRIS said in a blog post that the phishing campaign spanned six regions: Germany, Italy, South Korea, the Czech Republic, as well as greater Europe and Taiwan, The Verge reports. 

The campaign focused on the “cold-chain” segment of the supply chain, which keeps the vaccine doses cold during storage and transportation. 

The hackers focused on groups associated with Gavi, an international organization that promotes vaccine access and distribution. 

Specifically, the campaign targeted organizations related to Gavi’s Cold Chain Equipment Optimization Platform (CCEOP), which aims to distribute and improve technology that can keep vaccines at very cold temperatures.

The perpetrators sent emails to organization executives claiming to be an executive from CCEOP supplier Haier Biomedical, according to the blog post.

The emails contained HTML attachments that asked for an opener’s credentials, which the actor could store and use to gain unauthorized access in the future.

“We assess that the purpose of this COVID-19 phishing campaign may have been to harvest credentials, possibly to gain future unauthorized access to corporate networks and sensitive information relating to the COVID-19 vaccine distribution,” the blog post said.

The researchers suspected that a nation-state actor, rather than a private individual or group, was responsible for the campaign. 

113,000 Alaskan Voter IDs Exposed in Data Breach 

The Alaska Division of Elections said that the personal information of 113,000 potential voter was exposed in a data breach against the state’s voter registration system.

“Although some voters’ personal information was exposed, the division has determined that no other election systems or data were affected. Republican Gov. Kevin Meyer said during a teleconference. 

“The division’s ballot tabulation systems, the 2020 general election results and the state’s voter database remain secure.” 

The stolen data included birth dates, driver’s license or state identification numbers, the last four digits of Social Security numbers, names, party affiliations and addresses, The Juneau Empire reports.

Meyer said he became aware of the breach Oct. 27 and began working with the vendor, law enforcement and a computer forensics firm to stop the exposure. 

“The flaw has been corrected,” Meyer said. “The preliminary investigation indicates that although outside actors accessed voter-registration information, the purpose of the unlawful access, we believe, was more to spread propaganda and to shake voter confidence.”

Alaskans who had their data breached will receive a letter with instructions on how to sign up for a year of free credit and identification monitoring, The Associated Press reports. 

Meyer said recent audits conducted by the state Division of Elections have shown hand counts of certain races match the tabulations from the vote counting machines.

The state certified the election on Monday.

Meyer and other state officials declined to comment on who might have breached the system and how propaganda might have been spread, Juneau Empire reports. 

Trump Signs Executive Order Outlining Principles for AI Use

President Donald Trump signed an executive order Thursday to guide federal agencies on adopting artificial intelligence (AI) in government decision-making. 

The Executive Order on Promoting the Use of Trustworthy Artificial Intelligence in the Federal Government outlined nine principles for the design, development, acquisition and use of AI in government in an effort “to foster public trust and confidence in the use of AI, and ensure that the use of AI protects privacy, civil rights, and civil liberties,” Reuters reports. 

The principles stipulated that AI use by federal agencies must be lawful; must be purposeful and performance-driven; must be accurate, reliable and effective; must be safe, secure and resilient; must be understandable; must be responsible and traceable; must be regularly monitored — as well as transparent and accountable.

The order established a process for implementing the principles through common policy guidance across agencies. It also directed federal agencies to prepare inventories of AI-use cases throughout their departments. 

Michael Kratsios, U.S. chief technology officer, said the order “will foster public trust in the technology, drive government modernization and further demonstrate America’s leadership in artificial intelligence.”

The Trump administration issued guidance earlier this year to federal agencies aimed at limiting “overreach” in regulating the use of AI by private companies, Reuters reports. 

Some U.S. states and cities have raised concerns about AI applications.

By DPN Staff