Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion.
Microsoft Exchange year 2022 bug breaks email delivery
According to numerous reports from Microsoft Exchange admins worldwide, a bug in the FIP-FS engine started blocking email delivery with on-premises servers as of midnight on January 1st. Security researcher and Exchange admin Joseph Roosen said that this was caused by Microsoft using a signed int32 variable, which has a maximum value of 2,147,483,647, to store the value of a date. However, dates in 2022 have a minimum value of 2,201,010,001 or larger, which is greater than the maximum value that can be stored in the signed int32 variable, causing the scanning engine to fail and not release mail for delivery.
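The range problem described above, as an added C example that is not Microsoft's code: it builds date stamps in 64-bit arithmetic and rejects any stamp that does not fit a signed 32-bit field instead of letting it wrap. The YYMMDDHHMM layout is an assumption inferred from the 2,201,010,001 figure, and the function names are hypothetical.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed layout: YYMMDDHHMM as one decimal number (inferred from 2,201,010,001). */
int64_t make_stamp(int yy, int mo, int dd, int hh, int mi)
{
    /* 64-bit arithmetic, so the result is exact even past INT32_MAX. */
    return ((((int64_t)yy * 100 + mo) * 100 + dd) * 100 + hh) * 100 + mi;
}

int fits_int32(int64_t v)
{
    return v >= INT32_MIN && v <= INT32_MAX;
}

/* Parse a decimal stamp destined for a signed 32-bit field.
 * Returns 0 on success, -1 for malformed text, -2 if out of range.
 * An out-of-range stamp is rejected rather than wrapped or truncated. */
int parse_stamp_i32(const char *s, int32_t *out)
{
    char *end;
    long long v;

    errno = 0;
    v = strtoll(s, &end, 10);
    if (end == s || *end != '\0')
        return -1;
    if (errno == ERANGE || !fits_int32((int64_t)v))
        return -2;
    if (out != NULL)
        *out = (int32_t)v;
    return 0;
}

int main(void)
{
    /* Constructed sample stamps: last minute of 2021, first minute of 2022. */
    const char *samples[] = { "2112312359", "2201010001" };
    for (int i = 0; i < 2; i++) {
        int32_t v = 0;
        int rc = parse_stamp_i32(samples[i], &v);
        printf("%s -> rc=%d value=%d\n", samples[i], rc, (int)v);
    }
    return 0;
}
```

Every stamp through the end of 2021 fits below 2,147,483,647, which is why the failure appeared exactly at the year boundary.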
Uber email breach allows anyone to email as Uber
The researcher who discovered a flaw that allows just about anyone to send emails on behalf of Uber warns that this vulnerability can be abused by threat actors to email 57 million Uber users and drivers whose information was leaked in the 2016 data breach. These emails, sent from Uber’s servers, would appear legitimate to an email provider (because technically they are), make it past any spam filters, and pose significant danger to consumers, especially if they ask for credit card details. Uber seems to be aware of the flaw but has not fixed it as of Sunday.
Copycat and fad hackers will be the bane of supply chain security in 2022
Replicable attacks and a low barrier to entry will ensure the rate of supply chain attacks increases next year, cybersecurity researchers have warned. This is according to Charlie Osborne, a contributor to ZDNet. She highlights the ransomware attack levied against Kaseya in 2021 as well as SolarWinds Orion. She quotes Brian Fox, the CTO of Sonatype, who added that the majority of threat actors are copycats today, and “fad” attacks — or, the ‘attack of the day’ conducted by fast-acting threat actors — are going to increase the number of supply chain intrusions next year.
AT&T and Verizon respond to requests to delay 5G at airports
In a further development to the coverage of 5G rollouts at airports, AT&T and Verizon announced they would not comply with a request from the FAA and Department of Transportation to postpone deploying new 5G service in those areas. The carriers did say they might be willing to pause deployments near certain airports for six months “on the condition that the FAA and the aviation industry are committed to doing the same without escalating their grievances, unfounded as they are, in other venues.” As a reminder, airlines argue that 5G signals use frequencies that are close to those of altitude-sensing radar altimeters and could interfere with landing operations, while the carriers say power levels and the gap in frequencies are adequate to prevent interference.
Thanks to our episode sponsor, deepwatch
FTC warns of potential penalties for failing to fix Log4j flaws
On Tuesday, the Federal Trade Commission warned companies of possible legal repercussions for failing to remedy recently discovered Log4j open-source software vulnerabilities. As a cautionary tale, the FTC’s notice cites the agency’s $700 million settlement with Equifax in 2019 after the company was breached, exposing personal data of 147 million customers resulting from failure to patch a known flaw. The agency noted, “It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action.”
New York AG warns of credential stuffing attacks
New York Attorney General Letitia James announced her office notified 17 businesses about the attacks, including online retailers, restaurant chains, and food delivery services. This warning came from monitoring hacking forums containing customer login credentials, with the OAG collecting over 1.1 million credentials apparently compromised in a credential stuffing attack. James said her office worked with the companies to determine how credentials were obtained, and how to better secure customer accounts going forward.
Attackers exploit flaw in Google Docs’ comments feature
Attackers are using the “Comments” feature of Google Docs to send malicious links in a phishing campaign targeted primarily at Outlook users, researchers have discovered. Attackers target users of Google Docs by adding a comment to a document that mentions the targeted user with an “@,” which automatically sends an email to that person’s inbox. That email, which comes from Google, includes text as well as the malicious links. The same method is being used to exploit Google Slides. The technique allows bad actors to impersonate legitimate entities to target victims, making it harder for anti-spam filters to judge, and even harder for the end-user to recognize that the message is malicious.
Morgan Stanley agrees to $60 million settlement in data breach lawsuit
Morgan Stanley has agreed to a settlement figure of $60 million to resolve a data breach lawsuit dealing with improper disposal of decommissioned assets. According to the motion, legacy equipment was decommissioned in 2016 and 2019 that contained the personally identifiable information (PII) of clients. However, the equipment was not wiped clean of this sensitive information prior to sale and the datasets may have then been exposed, in an unencrypted fashion, and available to view by the purchasing parties. Following notification, a class-action lawsuit was launched in 2020. Separately, a $60 million fine was issued by the OCC for data protection failures.