#FactCheck - Old Ajman Fire Video Falsely Linked to Iran Drone Attack on Dubai Airport
Executive Summary:
The ongoing conflict between Iran and the US-Israel has entered its 19th day. Meanwhile, a video is being widely shared on social media claiming that Iran is carrying out continuous drone attacks at Dubai International Airport. The clip shows visuals of a massive fire and explosion. However, research by CyberPeace has found the claim to be misleading. Our research revealed that the video has been available on the internet since 2020. In reality, the footage shows a fire at a market in Ajman, UAE, and not explosions at Dubai Airport in 2026. Although there were recent reports of a fire near DXB (Dubai Airport) following a drone attack, this video is not related to that incident.
Claim:
On social media platform X (formerly Twitter), a user shared the viral video on March 17, 2026, writing:
“Dubai International Airport – Iran is dropping drones continuously.”
Post link, archive link, and screenshot are given below:

Fact Check:
To verify the viral claim, we extracted keyframes from the video and conducted a reverse image search using Google Lens. During the research, we found the same video on a YouTube channel, where it was uploaded on August 6, 2020. The caption read: “Ajman fruits and vegetables market caught in fire.”

Based on this clue, it became clear that the viral video has no connection with the ongoing Iran-US-Israel conflict. In the next step, we searched using relevant keywords and found a report published on August 5, 2020, on the website of Gulf News, which contained visuals similar to the viral video.

According to the Gulf News report, a major fire broke out at a public market in the new industrial area of Ajman at around 6:30 pm. The blaze was later brought under control by Ajman Civil Defence with assistance from teams in Dubai, Sharjah, and Umm Al Quwain.
Conclusion:
Our research found that the viral video has been online since 2020 and shows a fire at a market in Ajman, UAE. It is not related to any recent incident at Dubai Airport.
Related Blogs
Introduction
YouTube is testing a new feature called ‘Notes,’ which allows users to add community-sourced context to videos. The feature allows users to clarify if a video is a parody or if it is misrepresenting information. The feature builds on existing features to provide helpful content alongside videos. Currently under testing, the feature will be available to a limited number of eligible contributors who will be invited to write notes on videos. These notes will appear publicly under a video if they are found to be broadly helpful. Viewers will be able to rate notes into three categories: ‘Helpful,’ ‘Somewhat helpful,’ or ‘Unhelpful’. Based on the ratings, YouTube will determine which notes are published. The feature will first be rolled out on mobile devices in the U.S. in English. The Google-owned platform will look at ways to improve the feature over time, including whether it makes sense to expand it to other markets.
YouTube To Roll Out The New ‘Notes’ Feature
YouTube is testing an experimental feature that allows users to add notes to provide relevant, timely, and easy-to-understand context for videos. This initiative builds on previous products that display helpful information alongside videos, such as information panels and disclosure requirements when content is altered or synthetic. YouTube in its blog clarified that the pilot will be available on mobiles in the U.S. and in the English language, to start with. During this test phase, viewers, participants, and creators are invited to give feedback on the quality of the notes.
YouTube further stated in its blog that a limited number of eligible contributors will be invited via email or Creator Studio notifications to write notes so that they can test the feature and add value to the system before the organisation decides on next steps and whether or not to expand the feature. Eligibility criteria include having an active YouTube channel in good standing with YouTube’s Community Guidelines.
Viewers in the U.S. will start seeing notes on videos in the coming weeks and months. In this initial pilot, third-party evaluators will rate the helpfulness of notes, which will help train the platform’s systems. As the pilot moves forward, contributors themselves will rate notes as well.
Notes will appear publicly under a video if they are found to be broadly helpful. People will be asked whether they think a note is helpful, somewhat helpful, or unhelpful and the reasons for the same. For example, if a note is marked as ‘Helpful,’ the evaluator will have the opportunity to specify if it is so because it cites high-quality sources or is written clearly and neutrally. A bridging-based algorithm will be used to consider these ratings and determine what notes are published. YouTube is excited to explore new ways to make context-setting even more relevant, dynamic, and unique to the videos we are watching, at scale, across the huge variety of content on YouTube.
CyberPeace Analysis: How Can Notes Help Counter Misinformation
The potential effectiveness of countering misinformation on YouTube using the proposed ‘Notes’ feature is significant. Enabling contributors to include notes on videos can offer relevant and accurate context to clarify any misleading or false information in the video. These notes can aid in enhancing viewers' comprehension of the content and detecting misinformation. The participation from users to rate the added notes as helpful, somewhat helpful, and unhelpful adds a heightened layer of transparency and public participation in identifying the accuracy of the content.
As YouTube intends to gather feedback from its various stakeholders to improve the feature over time, one can look forward to improved policy and practice: the feedback mechanism will allow for continuous refinement of the feature, ensuring it effectively addresses misinformation. The platform employs algorithms to identify helpful notes that cater to a broad audience across different perspectives. This helps showcase accurate information and combat misinformation.
Furthermore, along with the Notes feature, YouTube should explore and implement prebunking and debunking strategies on the platform by promoting educational content and empowering users to discern between fact and any misleading information.
Conclusion
The new feature, currently in the testing phase, aims to counter misinformation by providing context, enabling user feedback, leveraging algorithms, promoting transparency, and continuously improving information quality. Considering the diverse audience on the platform and high volumes of daily content consumption, it is important for both the platform operators and users to engage with factual, verifiable information. The fallout of misinformation on such a popular platform can be immense, and so, any mechanism or feature that can help counter the same must be developed to its full potential. Apart from this new Notes feature, YouTube has also implemented certain measures in the past to counter misinformation, such as providing authenticated sources to counter any election misinformation during the recent 2024 elections in India. These efforts are a welcome contribution to our shared responsibility as netizens to create a trustworthy, factual and truly-informational digital ecosystem.
References:
- https://blog.youtube/news-and-events/new-ways-to-offer-viewers-more-context/
- https://www.thehindu.com/sci-tech/technology/internet/youtube-tests-feature-that-will-let-users-add-context-to-videos/article68302933.ece
Introduction
India is confronting a wake-up call as a recent cyber incident aimed at the aviation sector underscores the fragile nature of digital systems that guide national air travel. The disclosure in Parliament has pushed the conversation on flight safety, signal integrity, and cyber readiness back into urgent focus. In a written response to a Parliamentary question, Civil Aviation Minister Ram Mohan Naidu acknowledged that GPS spoofing, a malicious method employed to alter navigation signals, had been noticed at seven major airports of the country. New Delhi flights had not been affected during the incident, but still, it was an event that again made air travel's safety, GNSS interference, and the overall cyber threat to India's airspace an issue of concern.
The Incident: What Happened?
Initial reports came from Indira Gandhi International Airport in Delhi, where the pilots of several inbound flights reported GPS spoofing during their landing approaches. Spoofing is the process of sending counterfeit GPS signals which mislead the aircraft's navigation systems and may cause wrong readings of altitude, position or runway alignment. In Delhi, pilots operating under GPS-based landing procedures over Runway 10 experienced errors in their approaches and promptly switched to the alternative procedures without any delay.
The Minister said that apart from Delhi, six other airports, viz. Kolkata, Amritsar, Mumbai, Hyderabad, Bengaluru, and Chennai, recorded similar GNSS interference patterns consisting of both jamming and spoofing. Though no major interruptions or incidents occurred, these occurrences are a sign of a steady and growing threat.
Why Is GPS Spoofing So Dangerous?
Satellite navigation and communication systems are the backbone of modern aviation, which is now a matter of great precision. Signal jamming by malicious actors comes with a bunch of risks:
- Diversions and Delays: Pilots may be forced to either give up attempts to land or divert flights, which translates into higher consumption of fuel and more complicated operations due to the case of jamming.
- Threat of Safety Issue: Pilots are trained to deal with such incidents by following the prescribed fallback procedures, but still they depend very much on the GNSS signals that are accurate for safe manoeuvring, especially in low visibility situations.
- Pressure on Old Systems: Indian airports are still in the process of completely converting from ground-based navigation aids to GNSS. Signal disruptions entail the use of older technologies, which results in putting additional pressure on the already overburdened air traffic control systems.
- Opening Up Possibilities for Direct Attacks: Signal jamming can be made a tool for more clever tactics of operation that can include causing confusion during the busy traffic period or performing coordinated attacks to create chaos.
Aviation and Cyber Threats
The disturbances that have been mentioned at the seven airports are not unique. The civil aviation regulators all over the world have already reported an increase in GNSS jamming. The exemplary cases in the Middle East, Eastern Europe, and East Asia have revealed that the safety of airspace has turned into a tactical issue.
Moreover, India's quick adoption of digital technology in the aviation sector could expose it to threats from state-sponsored groups and hackers. In this instance, the government has not yet announced who was responsible for the spoofing, but the trend points to an adversary with advanced technology.
Government and Regulatory Response
The confirmation from the Civil Aviation Minister underscores a proactive stance by agencies such as:
- Directorate General of Civil Aviation (DGCA)
- Ministry of Civil Aviation
- Airports Authority of India (AAI)
The involved entities are collaborating now to do an inquiry into the cases and set up preventive measures.
The main steps that are taken in response are:
- More thorough observation of GNSS signal anomalies
- More pilot briefings and training on dealing with spoofing situations
- Improving navigation aids to set up a backup
- Working with IT security experts to find out the sources of interference
- Communicating with other global aviation authorities to share the best practices
India, being a significant player in the world aviation market, is not allowed to relax its guard. Cyberattacks on airports show how digital as well as physical security are becoming more and more intertwined.
The Bigger Picture: Protecting Critical Infrastructure
Aviation is a sector that very clearly shows that threats from cyberspace can easily translate into security issues for a nation. The airport system not only becomes more vulnerable to attacks but also the whole aviation industry as the digital ecosystems gain more complex forms together with integrated telecommunications networks, the Internet of Things (IoT)-enabled systems, and cloud-based services.
GNSS spoofing is only one of the many threats the sector faces. Others include:
- Ransomware attacks on airport systems
- Contamination of air traffic control infrastructure
- Data breaches conducted by insiders
- Passenger data attacks
- Hindrance of airport logistics and baggage systems
What Needs to Happen Next?
India is compelled to embrace a multi-faceted approach in order to manage the intricacies of GNSS interference risk:
- Cybersecurity Measures in Aviation Enforced: New monitoring tools, anomaly detection systems, and instant response plans will be put into service.
- Redundant Technology: The non-GNSS-based navigation system will be expanded to guarantee the continuity of operations in the event of jamming.
- Cyber Drills Across all Sectors: To get pilots, air traffic control personnel, and airport operators ready, the aviation cyber drills will be conducted at the national level.
- Global Cooperation: International organisations will be approached to share the information and standardise the procedures.
- R&D and Innovations: Funding will be directed towards anti-spoofing technology, stronger satellite signals, and the domestic navigation system, like NavIC.
Conclusion
The cyberattack that targeted the seven airports serves as a clear reminder that aviation cybersecurity should not be considered a secondary issue anymore. Even though the quick reaction from the authorities managed to avert any disruptions, the event still shows the vulnerabilities of modern aviation systems. India's air travel infrastructure expansion will be a good time for the country to install strong cybersecurity frameworks to protect its passengers, maintain the continuity of operations, and secure the airspace of its territory. At CyberPeace, we believe that a coordinated, proactive, and technology-driven approach is no longer an option; it is the new fundamental of aviation security in the digital age.

Introduction
A zero-click cyber attack solely relies on software and hardware flaws, bypassing any human factor to infect a device and take control over its data. It is almost impossible to discover the attack and know that the device is hacked unless someone on your side is closely monitoring your network traffic data.
At Kaspersky, security analysts used their SIEM solution KUMA to monitor their corporate WiFi network traffic and discovered this mysterious attack. They took necessary actions to investigate it and even went a step further to dive right into the action and uncover the entire attack chain.
A few months ago, Kaspersky shared their findings about this attack on iOS devices. They shared how these zero-click vulnerabilities were being exploited by the attackers and called this attack ‘Operation Triangulation’.
A zero-click exploit in the network
Kaspersky detected a zero-click attack on the iPhones of their colleagues while monitoring their corporate WiFi network traffic. They managed to get detailed information on all the stages of the attack by simply identifying a pattern in the domain names flowing through their network. Although the attackers were quite experienced, their mistakes helped Kaspersky detect critical vulnerabilities in all iOS devices.
The name-pattern
These previously unsuspected domains had a similar name-style which consisted of two names and ended with ‘.com’, such as ‘backuprabbit.com’ and ‘cloudsponcer.com’. They were used in pairs: one for an exploitation process, while the other served as a command and control server. These domains showed high outbound traffic, were registered with NameCheap and were protected with Cloudflare.
The network pattern
Each time a connection to these suspicious domains was made, it was preceded by an iMessage connection which indicated these domains are being accessed by iOS devices. It was observed that the devices connected to these domains, downloaded attachments, performed a few requests to a first level domain which was an exploitation framework server, then made regular connections with the second level domain which was a command and control server controlled by the attackers.
Getting more information
To get more information about the attack all the infected devices were collected and backed up after carefully informing the device owners. Although the attackers had managed to clean their artefacts, the backed up data was used to perform digital forensic procedures and find traces of the attacks. This helped Kaspersky to figure out how the infection might be taking place.
The attacker’s mistakes
The attackers deleted all the attachment files and exploits but did not delete the modified SMS attachment folder. That folder had no files left inside it. The attackers removed evidence from other databases as well, like the ‘SMS.db’ database. However, another database called ‘datausage.sqlite’ was not sanitised.
The ‘datausage.sqlite’ database is the most important database when it comes to iOS forensics as its contents can be used to track applications and network usage. Upon examination of this database, a process logged as ‘BackupAgent’ was found to be making network connections at the same time the device was making connections to the suspicious domains.
The indicator of compromise
‘BackupAgent’ stood out in this scenario because although it is a legitimate binary, it has been deprecated since iOS 4 and it should not have been making any network connections. This identified the ‘BackupAgent’ process as the first solid indicator of compromise in Operation Triangulation. The indicator is termed ‘Data usage by process BackupAgent’, and was used to determine if any specific device was infected.
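The check described above can be run against a copy of ‘datausage.sqlite’ taken from a device backup. The following is an added example, not code from Kaspersky or from the original post: the table and column names (ZPROCESS, ZLIVEUSAGE and their fields) are an assumed schema to verify against your own extraction, and the rows are constructed sample data.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Core Data timestamps count seconds from 2001-01-01 UTC.
APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# Assumed layout of the two tables used here; confirm it against the
# database pulled from your own backup before relying on the query.
SCHEMA = """
CREATE TABLE ZPROCESS (Z_PK INTEGER PRIMARY KEY, ZPROCNAME TEXT);
CREATE TABLE ZLIVEUSAGE (Z_PK INTEGER PRIMARY KEY, ZHASPROCESS INTEGER,
    ZTIMESTAMP REAL, ZWIFIIN REAL, ZWIFIOUT REAL, ZWWANIN REAL, ZWWANOUT REAL);
"""

QUERY = """
SELECT p.ZPROCNAME, u.ZTIMESTAMP,
       COALESCE(u.ZWIFIIN, 0) + COALESCE(u.ZWWANIN, 0),
       COALESCE(u.ZWIFIOUT, 0) + COALESCE(u.ZWWANOUT, 0)
FROM ZLIVEUSAGE AS u
JOIN ZPROCESS AS p ON p.Z_PK = u.ZHASPROCESS
ORDER BY u.ZTIMESTAMP
"""


def process_usage(conn, process="BackupAgent"):
    """Return network-usage records logged for exactly `process`."""
    hits = []
    for name, ts, rx, tx in conn.execute(QUERY):
        # The name may be stored as "name/bundle.id"; compare the first part
        # exactly, so the differently named BackupAgent2 is not flagged.
        if (name or "").split("/")[0] != process:
            continue
        if ts is None or rx + tx <= 0:
            continue  # no timestamp or no traffic: nothing to report
        hits.append({
            "process": name,
            "when": APPLE_EPOCH + timedelta(seconds=ts),
            "bytes_in": int(rx),
            "bytes_out": int(tx),
        })
    return hits


def build_sample_db():
    """Constructed in-memory database standing in for a real extraction."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO ZPROCESS VALUES (?, ?)", [
        (1, "mDNSResponder"), (2, "BackupAgent"), (3, "BackupAgent2"),
    ])
    conn.executemany("INSERT INTO ZLIVEUSAGE VALUES (?, ?, ?, ?, ?, ?, ?)", [
        (1, 1, 699999000.0, 900, 300, 0, 0),    # unrelated process
        (2, 2, 700000000.0, 2048, 512, 0, 0),   # BackupAgent with traffic
        (3, 2, 700000500.0, 0, 0, 0, 0),        # BackupAgent, zero bytes
        (4, 3, 700001000.0, 4096, 128, 0, 0),   # BackupAgent2: not matched
    ])
    return conn


if __name__ == "__main__":
    # For a real file, open read-only:
    #   sqlite3.connect("file:datausage.sqlite?mode=ro", uri=True)
    for hit in process_usage(build_sample_db()):
        print(hit["when"].isoformat(), hit["process"],
              hit["bytes_in"], hit["bytes_out"])
```

Any record returned is a lead to correlate with network logs for the same time window, not proof of infection on its own.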
Taking it a step ahead
The team at Kaspersky successfully identified the indicator of compromise and determined which devices were infected, but as the attackers were experienced enough to delete their payloads, they decided to set a trap and perform a man-in-the-middle attack. When they did, the attackers were unable to detect it.
The man-in-the-middle attack
Kaspersky prepared a server with ‘WireGuard’ and ‘mitmproxy’. They installed root certificates on devices that could be used as targets for the attackers and routed all the network traffic to that server. They also developed a ‘Telegram’ bot to notify them about new infections as they decrypted the network traffic.
Setting up a bot proved to be an effective way of real-time monitoring while modifying all the network packets on-the-fly with ‘mitmproxy’. This gave them unlimited power! Their trap was successful in capturing a payload sent by the attackers and it was analysed in detail.
The name was in the payload
The payload was an HTML page with obfuscated JavaScript which performed various code checks and canvas fingerprinting. It rendered a yellow triangle and calculated its hash value. This is why the operation was named Operation Triangulation.
The team at Kaspersky started cracking various layers of asymmetric cryptography with regular expressions. They patched the stages one-by-one on the fly to move the logic from each stage to ‘mitmproxy’ and finally implemented a 400 line ‘mitmproxy’ add-on. This add-on decrypted all the validators, exploits, spyware and additional modules.
The mystery
It is remarkable how Kaspersky detected the attack and identified multiple vulnerabilities, set up a trap to capture a payload and decrypted it completely. They shared all their findings with the device manufacturer and Apple responded by sending out a security patch update addressing four zero-day vulnerabilities.
A zero-click vulnerability
Traditionally, any spyware relies on the user to click on a compromised link or file to initiate the infection. However, a zero-click vulnerability is a specific flaw in the device software or hardware that the attacker can use to infect the device without the need for a click or tap from the user.
The vulnerabilities identified
- Tricky Font Flaw (CVE-2023-41990): A clandestine method involving the manipulation of font rendering on iPhones, akin to a secret code deciphered by the attackers. Apple swiftly addressed this vulnerability in versions iOS 15.7.8 and iOS 16.3.
- Kernel Trick (CVE-2023-32434): Exploiting a hidden language understood only by the iPhone's core, the attackers successfully compromised the kernel's integrity. Apple responded with fixes implemented in iOS 15.7.7, iOS 15.8, and iOS 16.5.1.
- Web Sneakiness (CVE-2023-32435): Leveraging a clever ploy in the interpretation of web content by iPhones, the attackers manipulated the device's behaviour. Apple addressed this vulnerability in iOS 15.7.7 and iOS 16.5.1.
- Kernel Key (CVE-2023-38606): The pinnacle of the operation, the attackers discovered a covert method to tamper with the iPhone's core, the kernel. Apple responded with a fix introduced in iOS 16.6, thwarting the intrusion into the most secure facets of the iPhone.
How these attackers were able to find this critical vulnerability in a device which stands out for its security features is still unknown.
CyberPeace Advisory
Zero-click attacks are a real threat, but you can defend yourself. Being aware of the risks and taking proactive steps can significantly reduce vulnerability. Regularly installing the latest updates for your operating system, apps, and firmware helps patch vulnerabilities before attackers can exploit them.
- Keep your software updated as they contain crucial security patches that plug vulnerabilities before attackers can exploit them.
- Use security software to actively scan for suspicious activity and malicious code, acting as a first line of defence against zero-click intrusions.
- Be cautious with unsolicited messages if the offer seems too good to be true or the link appears suspicious as it can contain malware that can infect your device.
- Disable automatic previews as it can potentially trigger malicious code hidden within the content.
- Be mindful of what you install and avoid unverified apps and pirated software, as they can be Trojan horses laden with malware.
- Stay informed about the latest threats and updates by following reliable news sources and security blogs to stay ahead of the curve, recognize potential zero-click scams and adjust your behaviour accordingly.
Check out our advisory report to get in-depth information.
Conclusion
Operation Triangulation stands as a testament to the continuous cat-and-mouse game between cybercriminals and tech giants. While the covert spy mission showcased the vulnerabilities present in earlier iPhone versions, Apple's prompt response underscores the commitment to user security. As the digital landscape evolves, vigilance, timely updates, and collaborative efforts remain essential in safeguarding against unforeseen cyber threats.
References:
- Operation Triangulation: iOS devices targeted with previously unknown malware | Securelist, 1 June, 2023
- Operation Triangulation: The last (hardware) mystery | Securelist, 27 December, 2023.
- 37C3 - Operation Triangulation: What You Get When You Attack iPhones of Researchers (youtube.com), 29 December, 2023