Welcome to this week’s edition of the Threat Source newsletter.
After asking ChatGPT to write the newsletter for me two weeks ago, I was tempted to have Google’s Bard do the same, but I resisted making this the newsletter’s new gimmick.
Instead, I wanted to write about another tech giant — Meta.
The company recently doubled down on a threat to remove news links and sharing from its Facebook and Instagram platforms if Canada passes its proposed Online News Act, or bill C-18. The proposed legislation would compel companies like Meta and Google to sign agreements with Canadian news organizations that would pay them each time a user clicks on a news link through one of their platforms (i.e., via a shared link on Facebook or a Google search result).
But as the great Tobey Maguire once said in the cinematic classic “Spider-Man:” “I fail to see how that’s my problem.”
If Facebook stops users from sharing news links on their pages, it could be a net positive. Facebook users are notoriously the biggest offenders for sharing fake news and misinformation. A May 2020 study published in Nature Human Behavior found that Facebook pointed users to fake news websites during the 2016 presidential election at a higher rate than any other social media platform.
A separate study from Harvard found that during the first few months of 2020, the rate of user engagement with fake news to mainstream news stories was 1:3.5, and the International Communications Association found via a study of social media users that, “sharing countermedia content on Facebook is positively associated with ideological extremity and negatively associated with trust in the mainstream news media.”
If Instagram, Facebook and other social media sites were to follow along with this with Canada (Google already started quietly removing news links from its search engine last month in protest of the Online News Act), I think it could go a long way toward fighting disinformation. If users can’t get their news through social media, they may be forced to seek out information independently rather than blindly clicking “share” on Great Aunt Betty’s post, which is just a bad parody from the Babylon Bee.
I also would be remiss to not discuss the benefits this legislation would possibly have on newsrooms in Canada. As a former journalist, and someone who was worried about being laid off 24/7 in my previous jobs, it’s a financial struggle out there right now for legitimate news organizations. Online advertising isn’t what it once was, so many outlets are being forced to pivot to hard paywalls or rely on clickbait articles that don’t deliver any news. If this presents a new way to fund legitimate journalism, especially if the only financial burden falls on the richest companies in the world, it could go a long way to sustaining newsrooms.
Just because something becomes legal in Canada doesn’t mean other countries are going to be adopting the same rules any time soon. But if news sharing does suddenly go away on Facebook in Canada, maybe it will force all of us to think about where we’re really consuming our news from and how we consumed news even just 15 years ago.
The one big thing
We’re still reminding people to update their Microsoft Outlook clients as soon as possible after the disclosure of CVE-2023-23397. Attackers have reportedly been exploiting this vulnerability since last year, though a fix is available now through Microsoft. Adversaries could manipulate a targeted system into supplying the user’s Net-NTLMv2 hash to the attacker, which can then be used in NTLM Relay attacks against other systems.
Why do I care?
Multiple sources, including Microsoft itself, have confirmed that this vulnerability is being used in the wild. Plus, users don’t even have to open the email or any malicious attachments to trigger this vulnerability, the specially crafted email just has to hit the target’s Outlook inbox. This is a high-severity, low-complexity vulnerability everyone should be patching for if they haven’t already.
So now what?
Microsoft has released a patch that should be applied, but Talos also has several layers of detection and protection available. If, for some reason, your organization cannot apply this patch, Microsoft also provided a few mitigation options, including adding users to the Protected Users Security Group to prevent the use of NTLM as an authentication mechanism as well as blocking port TCP/445 outbound from your network to block the NTLM messages from leaving the network.
Top security headlines of the week
The popular dark web site BreachForums shut down this week after the FBI arrested its main admin. This is the latest in a string of law enforcement wins against cybercrime groups, who also brought down the Hive ransomware gang in January and RaidForums, BreachForums’ predecessor, last year. The site’s administrator, who goes by the username “Pompompurin,” also claimed responsibility for a data breach of the FBI’s email system in November 2021. Cyber criminals commonly used BreachForums to buy and sell stolen databases of information and had been at the center of recent high-profile data breaches, including this month's attack on DC Health Link that led to the theft of sensitive information belonging to several Congressional representatives. (Krebs on Security, Axios)
Google’s security research team discovered several zero-day vulnerabilities in certain Samsung chips that leave many Google smartphones and other wearable devices vulnerable. There are four critical flaws that could compromise affected devices “silently and remotely” over the cellular network, according to Google Project Zero’s blog post on the matter. An attacker could exploit those vulnerabilities to “remotely compromise a phone at the baseband level with no user interaction and require only that the attacker know the victim’s phone number.” Google says it was forced to disclose the vulnerabilities without a patch for many of the affected devices because Samsung did not adhere to its 90-day deadline to issue a fix. (TechCrunch, Google Project Zero)
TikTok’s CEO was scheduled to appear before a U.S. Congressional committee Thursday to discuss the popular app’s data security and privacy policies as there are renewed calls among the federal government to block the app. Prepared statements from CEO Shou Zi Chew showed that he would tout TikTok’s $1.5 billion investment in storing U.S. users’ information on Oracle servers and allow outside monitors to inspect the company’s source code. U.S. regulators have reportedly threatened to ban TikTok unless the company’s Chinese owners sell their stake, though the actual mechanics of blocking and de-listing the app are more complicated than they seem on the surface. (ABC News, New York Times)
Can’t get enough Talos?
- New threat actor wages espionage campaigns across Central Asia and Eastern Europe
- Threat Roundup for March 10 - 17
- Vulnerability Spotlight: Netgear Orbi router vulnerable to arbitrary command execution
- Vulnerability Spotlight: WellinTech ICS platform vulnerable to information disclosure, buffer overflow vulnerabilities
- Talos Takes Ep. #131: Why does the Prometei botnet keep growing?
Upcoming events where you can find Talos
RSA (April 24 - 27)
San Francisco, CA
Cisco Live U.S. (June 4 - 8)
Las Vegas, NV
Most prevalent malware files from Talos telemetry over the past week
SHA 256: 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725
Typical Filename: mssqlsrv.exe
Claimed Product: N/A
Detection Name: Trojan.GenericKD.65065311
SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg
SHA 256: de3908adc431d1e66656199063acbb83f2b2bfc4d21f02076fe381bb97afc423
Typical Filename: teams15.exe
Claimed Product: teams15
Detection Name: Gen:Variant.MSILHeracles.59885
SHA 256: 280c8c4f08700f0fea08f0e3ca6e96eadccf49c414c56b6a855c945769678e66
Typical Filename: cd1f364e46c6367dd96f8469eb226981.scr
Claimed Product: N/A
Detection Name: Win.Dropper.Upatre::dk
SHA 256: 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1
Typical Filename: IMG001.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Coinminer::1201