AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

Blog Post

InfoSec News Nuggets 1/3/2022

Microsoft releases emergency fix for Exchange year 2022 bug

Microsoft has released an emergency fix for a year 2022 bug that is breaking email delivery on on-premise Microsoft Exchange servers. As the year 2022 rolled in and the clock struck midnight, Exchange admins worldwide discovered that their servers were no longer delivering email. After investigating, they found that mail was getting stuck in the queue, and the Windows event log showed one of the following errors. These errors are caused by Microsoft Exchange checking the version of the FIP-FS antivirus scanning engine and attempting to store the date in a signed int32 variable.  However, this variable can store only a maximum value of 2,201,010,001, which is less than the new date value of 2,201,010,001 for January 1st, 2022, at midnight. Due to this, when Microsoft Exchange attempts to check the AV scanning version, it would generate a bug and cause the malware engine to crash.

 

Firmware attack can drop persistent malware in hidden SSD area

Korean researchers have developed a set of attacks against some solid-state drives (SSDs) that could allow planting malware in a location that’s beyond the reach of the user and security solutions. The attack models are for drives with flex capacity features and target a hidden area on the device called over-provisioning, which is widely used by SSD makers these days for performance optimization on NAND flash-based storage systems. Hardware-level attacks offer ultimate persistence and stealth. Sophisticated actors have worked hard to implement such concepts against HDDs in the past, hiding malicious code in unreachable disk sectors.

 

AT&T, Verizon CEOs reject FAA request to delay 5G expansions scheduled to start January 5th

In an ongoing battle pitting the FAA and airlines against the FCC, Verizon, and AT&T over their planned launch of mid-band 5G service, the mobile carriers are declining a request by the FAA for a two-week delay. Earlier this year, an FCC auction sold the two carriers rights to use so-called “C-band” frequencies at a price of nearly $70 billion. Verizon and AT&T are eager to roll it out so that in addition to offering ultra-fast 5G connectivity in specific areas using high-band millimeter-wave technology and much slower 5G over low-band frequencies, the new spectrum will provide in-between performance over much wider areas. T-Mobile currently uses mid-band spectrum that isn’t in the C-band.

 

Uber ignores vulnerability that lets you send any email from Uber.com

A vulnerability in Uber’s email system allows just about anyone to send emails on behalf of Uber. The researcher who discovered this flaw warns this vulnerability can be abused by threat actors to email 57 million Uber users and drivers whose information was leaked in the 2016 data breach. Uber seems to be aware of the flaw but has not fixed it for now. Security researcher and bug bounty hunter Seif Elsallamy discovered a flaw in Uber’s systems that enables anyone to send emails on behalf of Uber. These emails, sent from Uber’s servers, would appear legitimate to an email provider (because technically they are) and make it past any spam filters.

 

CES 2022 preview: The metaverse, NFTs and a self-driving tractor?

The massive CES technology show will go on this week in Las Vegas but the annual summit, like many other recent events, is being hindered by COVID-19. The Consumer Technology Association (CTA), which runs the CES, had planned for a hybrid event to run Jan. 5-8, with some events in-person and others virtually. That’s a step forward from last year’s CES, which was conducted completely online during the coronavirus shutdown as vaccines were just being deployed. However, in the days leading up to this year’s conference some big name exhibitors have bowed out. And some media outlets have canceled plans to cover CES in person. That has led CTA to shorten the event by one day, closing the CES after Jan. 7. 

 

Morgan Stanley to pay $60 million to resolve data security lawsuit

Morgan Stanley agreed to pay $60 million to settle a lawsuit by customers who said the Wall Street bank exposed their personal data when it twice failed to properly retire some of its older information technology. A preliminary settlement of the proposed class action on behalf of about 15 million customers was filed on Friday night in Manhattan federal court, and requires approval by U.S. District Judge Analisa Torres. Customers would receive at least two years of fraud insurance coverage, and each can apply for reimbursement of up to $10,000 in out-of-pocket losses. Morgan Stanley denied wrongdoing in agreeing to settle, and has made “substantial” upgrades to its data security practices, according to settlement papers. Customers accused Morgan Stanley of having in 2016 failed to decommission two wealth management data centers before the unencrypted equipment, which still contained customer data, was resold to unauthorized third parties. They also said some older servers containing customer data went missing after Morgan Stanley transferred them in 2019 to an outside vendor. Morgan Stanley later recovered the servers, court papers show.

Related Posts