Another Windows 0-day flaw has been published on Twitter

And on GitHub there’s a proof-of-concept that’ll render your system unbootable.

SandboxEscaper, a researcher who back in August tweeted out a Windows privilege escalation bug, has published another unpatched Windows flaw on Twitter.

The new bug has some similarities to the previous bug. Windows services usually run with elevated privileges. Sometimes they perform actions on behalf of a user, and to do this they use a feature called impersonation. These services act as if they were using a particular user's set of privileges. After they've finished that action, they revert to their normal, privileged identity.

Both this bug and SandboxEscaper's previous bug depend on improper use of impersonation: specifically, the services in question (last time it was Task Scheduler, this time it's the "Data Sharing Service") revert their impersonation too quickly and end up performing some actions with elevated privileges when they should in fact have been impersonated. The last bug allowed one file to be written over another. In this case, it's a call to delete a file that is improperly impersonated, ultimately giving a regular unprivileged user the ability to delete any file on the system, even files they should have no access to.
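The ordering defect described above, as an added model that is not code from the article or from the researcher: a service running as SYSTEM serves requests on behalf of users, and the only difference between the vulnerable and the fixed path is whether the sensitive delete happens before or after the service reverts to its own identity. The file store, owners, paths and the `impersonate` helper are constructed for illustration; no Windows token or DeleteFile API is involved.

```python
"""Model of the "revert impersonation too early" flaw class.

Constructed example: an in-memory file store with owner-based delete
rights and a service that runs as SYSTEM but acts on behalf of callers.
The access check always uses the service's *effective* identity, which
is what a real kernel access check on the thread token would do.
"""
from contextlib import contextmanager

SYSTEM = "SYSTEM"


class FileStore:
    """In-memory files; each path is tagged with the principal allowed to delete it."""

    def __init__(self):
        self.files = {}  # path -> owner

    def create(self, path, owner):
        self.files[path] = owner

    def delete(self, path, effective_identity):
        owner = self.files[path]
        # SYSTEM may delete anything; everyone else only their own files.
        if effective_identity != SYSTEM and effective_identity != owner:
            raise PermissionError(
                f"{effective_identity} may not delete {path} (owner {owner})"
            )
        del self.files[path]


class Service:
    """Runs as SYSTEM and can temporarily impersonate a requesting user."""

    def __init__(self, store):
        self.store = store
        self.identity = SYSTEM  # effective identity, like a thread token

    @contextmanager
    def impersonate(self, user):
        previous = self.identity
        self.identity = user
        try:
            yield
        finally:
            self.identity = previous  # the RevertToSelf step

    def delete_vulnerable(self, user, path):
        with self.impersonate(user):
            pass  # e.g. request validation happens while impersonating...
        # BUG: identity is already SYSTEM again when the sensitive call is
        # made, so the caller's permissions are never checked.
        self.store.delete(path, self.identity)

    def delete_fixed(self, user, path):
        with self.impersonate(user):
            # Sensitive call made while still impersonating: the access
            # check sees the unprivileged caller and refuses protected files.
            self.store.delete(path, self.identity)


def demo():
    """Return (vulnerable_deleted_protected, fixed_blocked_protected, fixed_allowed_own)."""
    protected = r"C:\Windows\protected.dll"   # constructed path
    own_file = r"C:\Users\alice\notes.txt"    # constructed path
    store = FileStore()
    store.create(protected, SYSTEM)
    store.create(own_file, "alice")
    svc = Service(store)

    svc.delete_vulnerable("alice", protected)
    vulnerable_deleted = protected not in store.files

    store.create(protected, SYSTEM)
    try:
        svc.delete_fixed("alice", protected)
        fixed_blocked = False
    except PermissionError:
        fixed_blocked = True

    svc.delete_fixed("alice", own_file)
    own_deleted = own_file not in store.files
    return vulnerable_deleted, fixed_blocked, own_deleted


if __name__ == "__main__":
    print(demo())
```

The lesson the model makes concrete is that impersonation only protects an operation that executes inside the impersonated window; any check, validation or logging done while impersonating is irrelevant if the privileged call itself runs after the revert.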


Twitter Accounts of US Media Under Attack by Large Campaign


A previously reported campaign purportedly carried out by Turkish hacker group “Ayyildiz Tim” targeting high-profile, verified Twitter accounts with the purpose of spreading Turkish political propaganda appears to have escalated within the last 24 hours. McAfee Advanced Threat Research has investigated the new events and discovered the following. On January 13, the Twitter account of the Indian ambassador to the United Nations was taken over and spread pro-Pakistan and pro-Turkey postings:

What seemed to be a single event soon became a targeted campaign that we discovered in cooperation with our partner SocialSafeGuard. Combining their technology and our threat researchers, we started to build a timeline of events:


In each case in this timeline, the account was restored after several hours.

Once the accounts were compromised, the attackers direct-messaged the account contacts with propaganda for their cause or with a link to convince them to click on a phishing site that would harvest the Twitter credentials of the victim.

One example of such a site is hxxp://fox-news.medianewsonline.com/.

Visiting the page shows the following:

If we look at the source code of the page, we discover several Turkish-language segments. Focusing on the domains used for the phishing sites, we discovered more registered sites. Some examples:

  • mypressonline.com
  • official-twitter-jp.mypressonline.com
  • feedbac-verifv.mypressonline.com
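A defender-side triage check for hostnames like the ones listed above, added here as an example and not part of the McAfee post: it refangs `hxxp://` URLs, splits off the registrable domain, and flags hosts that carry a brand name in a subdomain label (the `official-twitter-jp.mypressonline.com` pattern) or a credential-lure keyword such as "verif". The brand list, keyword list and the two-label registrable-domain heuristic are assumptions; production tooling would consult the Public Suffix List instead.

```python
"""Classify candidate phishing hostnames by brand-in-subdomain and lure keywords."""
import re

BRANDS = ("twitter",)  # assumed brand list for this check
LURE_KEYWORDS = ("verif", "login", "secure", "feedback", "support")  # assumed

# Constructed sample: the hosts named in the post plus one legitimate control.
SAMPLE_HOSTS = [
    "hxxp://fox-news.medianewsonline.com/",
    "mypressonline.com",
    "official-twitter-jp.mypressonline.com",
    "feedbac-verifv.mypressonline.com",
    "help.twitter.com",
]


def refang_host(value):
    """Return the bare lowercase hostname from a URL, defanged URL or host."""
    value = value.strip().lower()
    value = value.replace("hxxps://", "https://").replace("hxxp://", "http://")
    value = re.sub(r"^https?://", "", value)
    return value.split("/")[0]


def registrable_domain(host):
    """Heuristic: last two labels. Real tooling uses the Public Suffix List."""
    labels = host.split(".")
    return ".".join(labels[-2:])


def classify(value):
    """Return one of: brand-owned, brand-in-subdomain, credential-lure-keyword, unclassified."""
    host = refang_host(value)
    reg = registrable_domain(host)
    sub_labels = host[: -len(reg)].rstrip(".").split(".") if host != reg else []
    for brand in BRANDS:
        if reg == f"{brand}.com":
            return "brand-owned"
        # Brand appearing anywhere left of the registrable domain is the
        # classic lookalike: the real owner of the site is mypressonline.com.
        if any(brand in label for label in sub_labels):
            return "brand-in-subdomain"
    if any(keyword in host for keyword in LURE_KEYWORDS):
        return "credential-lure-keyword"
    return "unclassified"


def triage(values):
    """Map each input to its classification."""
    return {v: classify(v) for v in values}


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_HOSTS).items():
        print(f"{verdict:25} {host}")
```

Only the brand-owned verdict means anything on its own; the other labels are a reason to look, not a conviction, which is why the function reports a category rather than a boolean.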

Who is behind this campaign? According to the messages used, the Turkish hacker group “Ayyildiz Tim” (AYT) claims to be responsible for the attacks. The group was founded in 2002 and advocates Turkish state ideology. In the following example, we see the background image of Greta van Susteren has changed to one of the many wallpapers used by the group:

We advise journalists in particular, as well as others in high-profile positions, to follow appropriate safeguards to protect their accounts.

  • https://help.twitter.com/en/managing-your-account/two-factor-authentication

We are aware that one of the tactics from this group is to use Direct Messaging to communicate with other prominent Twitter accounts. There is also evidence that private messaging history has been accessed from certain compromised accounts of prominent figures, along with other sensitive or confidential information such as private phone numbers and emails. If you receive a message, even from someone you know or trust, be aware that the message may not be from the person you know. It is potentially directing you to malicious content.

You absolutely should verify through an alternate channel that the link is safe to click.

The post Twitter Accounts of US Media Under Attack by Large Campaign appeared first on McAfee Blogs.

Trump has an iPhone with one app: Twitter


Image credit: Andrew Harrer/Bloomberg via Getty Images

Early in March, President Donald Trump surrendered his personal Android phone—the phone from which scores of controversial Twitter posts had been launched. Based on Twitter metadata, Trump retired the Android device after expressing outrage over the DNC's failure to let the FBI search its servers and taunting Arnold Schwarzenegger on March 5. The next day, he replaced it with an iPhone.

According to a report from Axios' Mike Allen, Twitter is the only application running on Trump's new iPhone. And on his current overseas trip, staff have tried to limit his screen time in order to reduce the volume of his 140-character missives, Allen wrote:


Clinton campaign chief’s iPhone was hacked and wiped, photos suggest



Unconfirmed evidence builds a strong case that an Apple iCloud account belonging to Hillary Clinton's campaign chief, John Podesta, was accessed and possibly erased by hackers less than 12 hours after his password was published on WikiLeaks.

So far, Clinton campaign officials have confirmed only the compromise of Podesta's Twitter account after it was used to urge followers to vote for Republican nominee Donald Trump. Several screenshots circulating online, however, strongly suggest that the iCloud account tied to Podesta's iPhone was also illegally accessed by people who tried—and possibly succeeded—to wipe the device of all its data. The images raise the specter that no one inside the Clinton campaign locked down the Podesta iCloud account in the hours following the WikiLeaks dump. iCloud accounts often provide a wealth of sensitive information, including real-time whereabouts, contacts, and confidential messages. Clinton officials didn't respond to an e-mail seeking comment for this post.

The screenshots began appearing on Wednesday night, less than 12 hours after a new batch of Podesta e-mails published on WikiLeaks revealed that his iCloud password was "Runner4567." Researchers can't be certain how the iCloud and Twitter accounts were compromised, but several descriptions, such as this one of now-deleted threads on the 4chan discussion board, claim participants who saw the WikiLeaks post discovered that "Runner4567" remained a working password and used it to illegally access Podesta's iCloud account.
