Welcome to this week’s edition of the Threat Source newsletter.
In the wake of the 2016 and 2020 presidential elections, it seemed like big tech companies were taking the fight against disinformation seriously. Social media outlets set up new fact-checking procedures and got more aggressive about banning or blocking pages and profiles that spread disinformation around elections.
Now I’m worried we’re already moving backward with another presidential election just around the corner (somehow).
In November, Twitter laid off a huge swath of its staff that heavily affected the teams tasked with keeping misinformation and fake news off the platform. Google reportedly laid off several experts on the matter at YouTube, leaving only one person solely in charge of the platform’s misinformation policy worldwide.
Then last week, YouTube announced it was changing its policy on removing videos that spread misinformation about the results of the 2020 election. Politicians and online personalities have repeatedly tried to spread lies that the presidential election that year was rigged in favor of U.S. President Joe Biden, despite there not being any concrete evidence of voter fraud. The former administration was also doing plenty to sow distrust around mail-in ballots prior to the election.
YouTube’s misinformation policy states that it reserves the right to remove “Content advancing false claims that widespread fraud, errors, or glitches occurred in certain past elections to determine heads of government.”
It specifically lists the 2021 German federal election and the 2014, 2018, and 2022 Brazilian presidential elections as examples of the elections for which it looks for this type of content. Weirdly, the U.S. presidential elections aren’t named anywhere, and instead, YouTube released a statement that “we will stop removing content that advances false claims that widespread fraud, errors, or glitches occurred in the 2020 and other past US Presidential elections.”
The company said that “In the current environment, we find that while removing this content does curb some misinformation, it could also have the unintended effect of curtailing political speech without meaningfully reducing the risk of violence or other real-world harm.”
These types of reversals are likely the result of a few things. Companies are currently cutting the sizes of their workforces after staffing up during the COVID-19 pandemic, and these misinformation-fighting teams seem like an easy line item to cut now that we’re three years removed from the 2020 election. It also seems like these false claims around the election have largely “blown over” among the general public, so there is not nearly as much pressure on these outlets to enforce these rules as there may have been in the immediate aftermath of the attempted insurrection at the U.S. Capitol in January 2021.
This sets up history to repeat itself during the 2024 election cycle. People start spreading lies and sowing doubt about the outcome of the election before any ballots are even cast, we all get upset and pressure these companies into doing something, and then a few years later when no one is looking, they can make cuts in these areas.
As Talos has written about previously, there are several facets to disinformation campaigns. There is no one-size-fits-all solution that will just make our fake news problem go away. But giving up on many of those solutions just a few years into trying them is not the answer, either.
The one big thing
Cisco Talos Incident Response is reporting increased attacks utilizing stolen vendor or other third-party account credentials (VCAs). These are accounts created for third-party workforce members – employees of external partner organizations that maintain physical or virtual access to an organization’s environment. Attackers are stealing these login credentials to carry out software supply chain attacks and quietly sit on targeted networks, activity that is often overlooked when major supply chain attacks involving phony updates dominate the headlines.
Why do I care?
These accounts are frequently leveraged for initial access and then used to move laterally through the organization’s network, especially when the victim hasn’t deployed multi-factor authentication (MFA). Since VCAs are usually given elevated permissions, theft of these credentials will often result in widespread damage to victim assets and could even be used to move along the initial victim’s supply chain. Any organization that works with an outside third party for anything from software to support is at risk of falling victim to this type of threat.
So now what?
Talos’ blog outlines several steps organizations can take to protect against the worst-case scenario. One of the easiest steps an IT or infosec team can take to protect their VCAs is to disable them when they’re not needed, and to adopt the principle of least privilege across the network for all accounts, whether they belong to a vendor or not.
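The following is an added example, not code from Talos or the blog it links to: a small policy check that turns the advice above (disable idle or expired third-party accounts, require MFA, review elevated privilege) into findings over a constructed account inventory. The policy values, group names and account records are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Hypothetical policy values; tune to the organisation's own standards.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Server Operators"}
IDLE_LIMIT = timedelta(days=30)

@dataclass
class VendorAccount:
    name: str
    enabled: bool
    mfa_enrolled: bool
    groups: tuple
    last_login: Optional[datetime]
    engagement_end: datetime  # last day the third party is contracted for

def review_account(acct: VendorAccount, now: datetime) -> list:
    """Return the actions the policy demands for one third-party account."""
    findings = []
    if acct.enabled:
        # A VCA should exist only for the duration of the engagement.
        if now > acct.engagement_end:
            findings.append(f"disable: engagement ended {acct.engagement_end:%Y-%m-%d}")
        # An enabled account nobody uses is attack surface with no benefit.
        if acct.last_login is None:
            findings.append("disable: never logged in")
        elif now - acct.last_login > IDLE_LIMIT:
            findings.append(f"disable: no login in {(now - acct.last_login).days} days")
        # Stolen credentials are far less useful when MFA is enforced.
        if not acct.mfa_enrolled:
            findings.append("enforce MFA")
    # Least privilege applies to every account, vendor or not.
    priv = PRIVILEGED_GROUPS & set(acct.groups)
    if priv:
        findings.append("review privilege: " + ", ".join(sorted(priv)))
    return findings

def review_accounts(accounts, now):
    """Map account name -> findings, omitting accounts that pass the policy."""
    return {a.name: f for a in accounts if (f := review_account(a, now))}

# Constructed sample inventory (not real data) as of a fixed review date.
NOW = datetime(2023, 6, 7)
SAMPLE_ACCOUNTS = [
    VendorAccount("svc-backupvendor", True, True, ("Backup Operators",), NOW - timedelta(days=2), datetime(2023, 12, 31)),
    VendorAccount("ctr-hvac-remote", True, False, ("Remote Desktop Users",), NOW - timedelta(days=95), datetime(2023, 3, 31)),
    VendorAccount("vnd-msp-admin", True, True, ("Domain Admins",), NOW - timedelta(days=1), datetime(2024, 1, 31)),
    VendorAccount("vnd-old-printer", False, False, (), None, datetime(2022, 1, 1)),
]
```

Running `review_accounts(SAMPLE_ACCOUNTS, NOW)` flags the expired, idle, MFA-less contractor account and the vendor account sitting in Domain Admins, while the clean and already-disabled accounts produce no findings.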
Top security headlines of the week
Threat actors are actively exploiting a zero-day vulnerability in Progress Software's MOVEit Transfer app to steal data from a wide range of companies and organizations, including the government of Nova Scotia and British Airways. Microsoft reported that the attacks can be attributed to the CLOP ransomware group, along with follow-on attacks that are the result of the attackers infiltrating Zellis, a U.K. payroll company. The MOVEit vulnerability, CVE-2023-34362, could allow an attacker to gain access to the software’s database, infer information about the structure of that database, and execute SQL statements that could alter the database or delete information. Progress issued a patch for the vulnerability last week but said it had been exploited as early as May. Staff at the affected companies have been warned that personal data could be at risk, including U.K. national insurance numbers and bank account details. (Dark Reading, BBC)
Google released an emergency patch for its Chrome web browser to fix a high-severity zero-day vulnerability. As of Tuesday afternoon, only limited details about CVE-2023-3079 were available. Google says it’s a type confusion vulnerability in the V8 JavaScript engine that Chrome and other Chromium-based browsers like Microsoft Edge use. Google’s Threat Analysis Group said that a commercial spyware vendor has already leveraged the vulnerability. This is the third zero-day vulnerability Google has disclosed in Chrome this year. (SecurityWeek, PCMag)
Microsoft Outlook’s mobile app and web app experienced intermittent outages on Monday and Tuesday, with a hacktivist claiming responsibility for a distributed denial-of-service attack. Microsoft said the issue stemmed from technical errors in the product, but a group known as Anonymous Sudan says it was behind the disruptions, claiming responsibility while saying it was protesting the U.S.’s involvement in Sudanese affairs. The group said on its Telegram channel that it would “continue to target large US companies, government and infrastructure.” Anonymous Sudan was also behind recent DDoS attacks against Swedish airline SAS and nine hospitals in Denmark. (The Register, Bleeping Computer)
Can’t get enough Talos?
- Researcher Spotlight: How Joe Marshall helps defend everything from electrical grids to grain co-ops across multiple continents
- Cybersecurity for businesses of all sizes: A blueprint for protection
- Talos Takes Ep. #141: The Predator spyware and more "mercenary" groups
- Horabot campaign targeted businesses for more than two years before finally being discovered
- Horabot Campaign Targets Spanish-Speaking Users in the Americas
Upcoming events where you can find Talos
Discover Cyber Workshop for Women (June 8)
Doha, Qatar
REcon (June 9 - 11)
Montreal, Canada
Most prevalent malware files from Talos telemetry over the past week