CVE-2024-23204 Detection: Exploitation of a Recently Patched Vulnerability in Apple Shortcuts App Can Lead to User Data Theft
- CVE-2024-21793 and CVE-2024-26026 Detection: Exploitation of Critical F5 Central Manager Vulnerabilities Can Lead to Full System Compromise - 09.05.2024
- Cuckoo Malware Detection: New macOS Spyware & Infostealer Targeting Intel and ARM-Based MacsĀ - 07.05.2024
- SOC Primeās Integration Highlights with Amazon Security Lake - 02.05.2024
Table of contents:
Apple has patched a notorious security gap affecting its Shortcuts app. The high-severity flaw enables adversaries to collect sensitive info without user consent. The uncovered zero-click Shortcuts vulnerability tracked as CVE-2024-23204 poses risks to user privacy, enabling threat actors to access sensitive data on the compromised device without the userās permission.
Detect CVE-2024-23204 Exploits
With an exponential rise in attack volumes and sophistication, the threat landscape of 2024 is assumed to be even more challenging than last year. The cost of cyber attacks on the global economy is estimated to top US$10.5 trillion by the end of 2024. Taking into account 29K+ new CVEs discovered in 2023, with a 14,5% surge predicted for 2024, security professionals require advanced solutions to detect and defend from threats proactively.Ā
SOC Primeās Platform for collective cyber defense offers the worldās largest collection of behavior-based detection algorithms to detect attackersā TTPs, backed by innovative threat hunting and detection engineering solutions created to streamline SOC operations.Ā
To assist cyber defenders in identifying malicious activity associated with CVE-2023-23204 exploitation, Threat Detection Marketplace aggregates a curated Sigma rule helping to spot a downloaded Apple shortcut file, potentially indicating an attempt to exploit the vulnerability in the limelight. Attackers might use this vulnerability to initiate phishing campaigns and gain initial access to victim environments.Ā
The rule above is compatible with 20 SIEM, EDR, XDR, and Data Lake solutions and mapped to MITRE ATT&CK framework v14.1, addressing the Initial Access tactic and Phishing (T1566) as the main technique. The rule is enriched with extensive metadata, including CTI and ATT&CK references, attack timelines, and more.Ā
Security professionals seeking more Sigma rules addressing CVE exploitation can drill down to the dedicated detection stack of more than 1,000 algorithms by hitting the Explore Detections button below.Ā
CVE-2024-23204 Analysis
A recent discovery by cybersecurity researchers has revealed a vulnerability in Apple’s Shortcuts app, known as CVE-2024-23204, which reaches a CVSS score of 7.5. Apple Shortcuts is a highly popular tool that enables simplifying tasks across macOS and iOS devices, like offering automated capabilities for quick app tasks, device management, media handling, messaging, and location-based activities. Adversaries can weaponize this high-severity vulnerability to create a malicious shortcut that bypasses TCC policies.
Jubaer Alnazi Jabin from Bitdefender unveiled the security issue and provided its in-depth overview and technical details. The flaw lies within the āExpand URLā shortcut action designed to expand and sanitize URLs shortened by relevant services, while also eliminating UTM tracking parameters. Abusing these shortcut capabilities involves selecting sensitive information within the Shortcuts app, importing and encoding it via base64, and then sending it to the adversary server. The captured data is subsequently stored as an image on the attacker’s server through a Flask app, creating opportunities for further exploitation. The sharing feature in Shortcuts amplifies the vulnerability’s risks, as users can readily import shortcuts that weaponize the flaw.
Apple addressed the flaw on January 22, 2024, with the launch of a set of product versions, iOS 17.3, iPadOS 17.3, macOS Sonoma 14.3, and watchOS 10.3. As CVE-2024-23204 mitigation measures, Apple users should promptly upgrade their devices to the latest versions, stay vigilant when running shortcuts obtained from untrusted sources, and keep updated to be in sync with relevant fixes introduced by the vendor.
To eliminate the risks of CVE-2024-23204 exploitation and its harmful impact, defenders should encourage cyber vigilance across the organizationās infrastructure. Leveraging Attack Detective, security engineers can gain attack surface visibility in real time and in an automated fashion, timely investigate risks, and find breaches before adversaries are ready to strike.
