Monday, January 3, 2022
Uber ignores vulnerability that lets you send any email from Uber.com
FROM THE MEDIA: A vulnerability in Uber's email system allows just about anyone to send emails on behalf of Uber. The researcher who discovered this flaw warns this vulnerability can be abused by threat actors to email 57 million Uber users and drivers whose information was leaked in the 2016 data breach. Uber seems to be aware of the flaw but has not fixed it for now. Security researcher and bug bounty hunter Seif Elsallamy discovered a flaw in Uber's systems that enables anyone to send emails on behalf of Uber. These emails, sent from Uber's servers, would appear legitimate to an email provider (because technically they are) and make it past any spam filters. Imagine getting a message from Uber stating, 'Your Uber is arriving now,' or 'Your Thursday morning trip with Uber'—when you never made those trips. The email form sent to BleepingComputer by the researcher urges the Uber customer to provide their credit card information. On clicking 'Confirm,' the form submits the text fields to a test site set up by the researcher. Note, however, the message did have a clear disclaimer towards the bottom stating, "this is a security vulnerability Proof of Concept," and was sent to BleepingComputer with prior permission.
READ THE STORY: Bleeping Computer
ANALYST COMMENT: NSTR
Microsoft releases emergency fix for Exchange year 2022 bug
FROM THE MEDIA: Microsoft has released an emergency fix for a year 2022 bug that is breaking email delivery on on-premise Microsoft Exchange servers. As the year 2022 rolled in and the clock struck midnight, Exchange admins worldwide discovered that their servers were no longer delivering email. These errors are caused by Microsoft Exchange checking the version of the FIP-FS antivirus scanning engine and attempting to store the date in a signed int32 variable. However, this variable can store only a maximum value of 2,147,483,647, which is less than the new date value of 2,201,010,001 for January 1st, 2022, at midnight. Due to this, when Microsoft Exchange attempts to check the AV scanning version, it would generate a bug and cause the malware engine to crash. "The version checking performed against the signature file is causing the malware engine to crash, resulting in messages being stuck in transport queues," Microsoft explained in a blog post. Microsoft has released a temporary fix requiring customer action while working on an update that automatically fixes the issue. This fix comes in the form of a PowerShell script named 'Reset-ScanEngineVersion.ps1.' When executed, the script will stop the Microsoft Filtering Management and Microsoft Exchange Transport services, delete older AV engine files, download the new AV engine, and start the services again.
READ THE STORY: Bleeping Computer
ANALYST COMMENT: NSTR
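The signed-int32 overflow described in the story above, shown as an added illustration that is not code from the article or from Microsoft's Reset-ScanEngineVersion.ps1 script: it parses a date-based version string in the YYMMDDHHMM shape the article gives (2201010001 for 1 January 2022 00:01), checks whether the value fits a signed 32-bit field, and computes the wrapped value a naive two's-complement store would silently produce. The version-string layout, the sample values and all function names are assumptions made for the example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Parse a decimal version string such as "2201010001" into a 64-bit value.
   Returns -1 for an empty string, a non-digit character, or a value that
   would not even fit in 64 bits. */
long long parse_version(const char *s) {
    if (!s || !*s) return -1;
    long long v = 0;
    for (; *s; s++) {
        if (*s < '0' || *s > '9') return -1;
        if (v > (LLONG_MAX - (*s - '0')) / 10) return -1;   /* 64-bit guard */
        v = v * 10 + (*s - '0');
    }
    return v;
}

/* Does the value fit in a signed 32-bit integer (max 2,147,483,647)? */
bool fits_int32(long long v) {
    return v >= INT32_MIN && v <= INT32_MAX;
}

/* The value a two's-complement int32 would hold after an unchecked store:
   reduce modulo 2^32, then map the upper half of that range to negatives.
   Computed arithmetically so the result is defined on every platform. */
long long wrapped_int32(long long v) {
    long long m = v % 4294967296LL;
    if (m < 0) m += 4294967296LL;
    if (m >= 2147483648LL) m -= 4294967296LL;
    return m;
}

/* Defensive form: reject a version that cannot be represented in the field,
   so the caller reports an error instead of acting on a wrapped value. */
bool version_ok_for_int32_field(const char *s) {
    long long v = parse_version(s);
    return v >= 0 && fits_int32(v);
}

int main(void) {
    /* Constructed samples: the last minute of 2021 and the first of 2022. */
    const char *versions[] = { "2112312359", "2201010001" };
    for (int i = 0; i < 2; i++) {
        long long v = parse_version(versions[i]);
        printf("%s -> %lld fits int32: %s (unchecked store would give %lld)\n",
               versions[i], v, version_ok_for_int32_field(versions[i]) ? "yes" : "NO",
               wrapped_int32(v));
    }
    return 0;
}
```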
NASA Director Twitter account hacked by Powerful Greek Army
FROM THE MEDIA: The Twitter account of the NASA Director and Sr Technologist for Air Transportation System Mr. Parimal Kopardekar (@nasapk) was hacked by the Powerful Greek Army group. A spokesman told me that they had targeted the NASA Director for fun; the attack was not politically motivated. They chose Kopardekar because they were looking for someone who works at NASA. PGA was asked how they hacked the account and they claim to have an exploit that allows them to take over Twitter accounts, but this was not verified. The group stated that they are hacking for fun to demonstrate that “nobody is safe online.” In April 2020, the Powerful Greek Army group compromised the Twitter account of the vice-speaker of the Greek Parliament and KINAL MP, Odysseas Konstantinopoulos.
READ THE STORY: Security Affairs
ANALYST COMMENT: NSTR
Lapsus$ ransomware gang hits Impresa, Portugal’s largest media conglomerate
FROM THE MEDIA: The Lapsus$ ransomware gang has compromised the infrastructure of Impresa, the largest media conglomerate in Portugal. Impresa owns the SIC TV channel and the Expresso newspaper, among other leading media, including several magazine publications. The attack took place during the New Year holiday; the websites of the Impresa group, the SIC TV channels, and Expresso were forced offline. The Lapsus$ ransomware group defaced all the sites, publishing a ransom note that claims they had access to Impresa’s Amazon Web Services account. At this time the websites of the company are in maintenance mode. According to TheRecord, while Impresa claims to have regained control over its Amazon account, the ransomware gang in turn tweeted from Expresso’s verified Twitter account, demonstrating that it still had access to the company's infrastructure. Early this month, the ransomware gang hit the websites under Brazil’s Ministry of Health (MoH), causing the unavailability of COVID-19 vaccination data of millions of citizens.
READ THE STORY: Security Affairs
ANALYST COMMENT: NSTR
The AirTag stalking problem is only partially Apple's problem, it's mostly law enforcement's
FROM THE MEDIA: Apple's AirTags are being used for stalking, but the problem isn't new, nor remotely exclusive to Apple — and is easier to execute undetected with other inexpensive methods. The real issue is the overall failure of law enforcement to act. Reports of AirTags being used to stalk people don't give a full picture of the dangers of "stalkerware," and the reports often shift blame entirely onto Apple. But Apple isn't the only one whose tracking devices can facilitate stalking; it's just the highest-profile vendor to provide tracking tools. In most cases, the issue is law enforcement. Despite Apple cooperating readily with law enforcement to find a perpetrator, police departments are mostly failing to take seriously reports of stalking revealed by an AirTag's safety mechanisms. Here's some additional context for the discussion. While AirTags can be used to locate stolen or lost property, the small devices are also being used to stalk people and track vehicles for later theft. A Dec. 30 report from The New York Times contains reports from at least seven women who believe they were tracked with AirTags. Earlier in December, police in Canada issued a warning that thieves were using the Apple tracking accessory in the theft of high-end vehicles. Specifically, they had five reports of possible AirTag involvement, out of more than 2,000 reports in total. In the stalking cases, the victims discovered they were apparently being tracked because of Apple's anti-stalking features, which include mechanisms that notify iPhone users if they're being "followed" by an unknown accessory. AirTags also beep regularly once separated from the device to which they are paired — but in our testing, this could be much louder. However, AirTags are small and can be hard to find. Some reports of AirTag stalking indicate that victims are unable to locate an AirTag after they're alerted to its presence.
According to Electronic Frontier Foundation cybersecurity director Eva Galperin, AirTags are "uniquely harmful" because the system uses Apple products — even ones you don't own — for granular and precise location tracking. Because Apple devices are ubiquitous, AirTags have a large network to leverage.
READ THE STORY: Apple insider
ANALYST COMMENT: NSTR
U.S. Catches Kremlin Insider Who May Have Secrets of 2016 Hack
FROM THE MEDIA: (Bloomberg) -- In the days before Christmas, U.S. officials in Boston unveiled insider trading charges against a Russian tech tycoon they had been pursuing for months. They accused Vladislav Klyushin, who’d been extradited from Switzerland on Dec. 18, of illegally making tens of millions of dollars trading on hacked corporate-earnings information. Yet as authorities laid out their securities fraud case, a striking portrait of the detainee emerged: Klyushin was not only an accused insider trader, but a Kremlin insider. He ran an information technology company that works with the Russian government’s top echelons. Just 18 months earlier, Klyushin received a medal of honor from Russian President Vladimir Putin. The U.S. had, in its custody, the highest-level Kremlin insider handed to U.S. law enforcement in recent memory. Klyushin’s cybersecurity work and Kremlin ties could make him a useful source of information for U.S. officials, according to several people familiar with Russian intelligence matters. Most critically, these people said, if he chooses to cooperate, he could provide Americans with their closest view yet of 2016 election manipulation. According to people in Moscow who are close to the Kremlin and security services, Russian intelligence has concluded that Klyushin, 41, has access to documents relating to a Russian campaign to hack Democratic Party servers during the 2016 U.S. election. These documents, they say, establish the hacking was led by a team in Russia’s GRU military intelligence that U.S. cybersecurity companies have dubbed “Fancy Bear” or APT28. Such a cache would provide the U.S. for the first time with detailed documentary evidence of the alleged Russian efforts to influence the election, according to these people. Klyushin’s path to the U.S. — his flight from Moscow via private jet, his arrest in Switzerland, and his wait in jail as Russia and the U.S. competed to win his extradition — is described in U.S., European and Swiss legal filings, as well as in accounts of more than a half-dozen people with knowledge of the matter who requested anonymity to speak about Moscow’s efforts and its causes for concern.
READ THE STORY: bloomberg
ANALYST COMMENT: NSTR
Yemen rebels seize UAE ship; hackers hit Israeli newspaper
FROM THE MEDIA: DUBAI, United Arab Emirates -- Yemen’s Houthi rebels seized an Emirati-flagged ship in the Red Sea, officials said Monday, the latest sign of Mideast tensions as hackers targeted a major Israeli newspaper’s website to mark America’s 2020 killing of a top Iranian general. The seizure of the Rwabee marks the latest assault in the Red Sea, a crucial route for international trade and energy shipments. The Iranian-backed Houthis acknowledged the incident off the coast of Hodeida, a long-contested prize of the grinding war in Yemen. No group immediately claimed responsibility for the hacking of the Jerusalem Post. The hackers replaced the Post's homepage with an image depicting a missile coming down from a fist bearing a ring long associated with Qassem Soleimani, the Iranian general killed by a U.S. drone strike in Iraq two years ago. First word of the Rwabee's seizure came from the British military’s United Kingdom Maritime Trade Operations, which only said an attack targeted an unnamed vessel around midnight. The coordinates it offered corresponded to the Emirati-flagged landing craft Rwabee, which hadn’t given its location via satellite-tracking data for hours, according to the website MarineTraffic.com. A statement from the Saudi-led coalition, carried by state media in the kingdom, acknowledged the attack hours later, saying the Houthis had committed an act of “armed piracy” involving the vessel. The coalition asserted the ship carried medical equipment from a dismantled Saudi field hospital in the distant island of Socotra, without offering evidence. “The Houthi militia must immediately release the ship, otherwise the coalition forces shall take all necessary measures and procedures to deal with this violation, including the use of force,” Brig. Gen. Turki al-Malki said in a statement. 
A Houthi military spokesman, Yahia Sarei, announced that rebel forces had seized what he described as an Emirati “military cargo ship” carrying equipment into Yemen’s territorial waters “without any license” to engage in “hostile acts” against Yemen’s stability. He said the rebels would offer more details on the seizure later.
READ THE STORY: ABC News
ANALYST COMMENT: NSTR
Detecting evasive malware on IoT devices using electromagnetic emanations
FROM THE MEDIA: Cybersecurity researchers have proposed a novel approach that leverages electromagnetic field emanations from Internet of Things (IoT) devices as a side channel to glean precise knowledge about the different kinds of malware targeting embedded systems, even in scenarios where obfuscation techniques have been applied to hinder analysis. With the rapid adoption of IoT appliances presenting an attractive attack surface for threat actors, in part due to them being equipped with higher processing power and capable of running fully functional operating systems, the latest research aims to improve malware analysis to mitigate potential security risks. The findings were presented by a group of academics from the Research Institute of Computer Science and Random Systems (IRISA) at the Annual Computer Security Applications Conference (ACSAC) held last month. "[Electromagnetic] emanation that is measured from the device is practically undetectable by the malware," the researchers said in a paper. "Therefore, malware evasion techniques cannot be straightforwardly applied unlike for dynamic software monitoring. Also, since a malware does not have control on outside hardware-level, a protection system relying on hardware features cannot be taken down, even if the malware owns the maximum privilege on the machine." The goal is to take advantage of the side-channel information to detect anomalies in emanations when they deviate from previously observed patterns and raise an alert when suspicious behavior emulating the malware is recorded in comparison to the system's normal state. Not only does this require no modifications on the target devices, the framework devised in the study enables the detection and classification of stealthy malware such as kernel-level rootkits, ransomware, and distributed denial-of-service (DDoS) botnets like Mirai, counting unseen variants.
READ THE STORY: THN
ANALYST COMMENT: NSTR
Paper of interest
An anatomical comparison of fake-news and trusted-news sharing pattern on Twitter
FROM THE MEDIA: Online social networks allow users to share a variety of multimedia content on the World Wide Web. The rising popularity of such social networking platforms, coupled with limitations in verifying the veracity of shared content, has contributed to an increase in misinformation on these media. Misinformation content such as fake news and hoaxes, though often considered innocuous, may have a high social cost, such as influencing election decisions, and thus should be investigated carefully. Many researchers have studied various aspects of fake news, including automated ways to recognize it. However, a large-scale study comparing the sharing patterns of fake news and trusted news is missing. In this research, we take Ukraine, a country where fake news is common, as a case study. Using datasets generated by three different tweet collection strategies, we present an anatomical comparison of fake-news and trusted-news sharing patterns on Twitter. Such a comparison enables us to identify the characteristics of tweets sharing fake news, and allows us to find the users who are more inclined to share misinformation. We also study possible bot activities in the dataset. The top conclusions derived from this study are: (a) users sharing fake-news stories are more likely to include hashtags, and the hashtags used in tweets sharing fake-news stories are similar to hashtags used in tweets sharing trusted news; (b) users sharing fake news are also more likely to include mentions, but the mentions used in tweets sharing fake news and trusted news are often different; (c) tweets sharing fake news have more negative sentiment, whereas tweets sharing trusted news have more positive sentiment.
READ THE STORY: Springer
ANALYST COMMENT: NSTR
About this Product
These open source products are reviewed by analysts at InfoDom Securities and provide possible context about current media trends in regard to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not specifically endorse any third-party claims made in their original material or related links on their sites, and the opinions expressed by third parties are theirs alone. Contact InfoDom Securities at dominanceinformation@gmail.com