By Jon Munshaw.
Welcome to this week’s edition of the Threat Source newsletter.
I’m very excited about this video — it’s a project I’ve been working on with my team for a while now. Building off what I’ve written about in the past regarding fake news, this video examines what essentially equates to the propaganda being spread on social media during Russia’s invasion of Ukraine.
This includes everything from fake videos of soldiers dancing to Ukrainian laser cats and fairly convincing deepfake videos.
The Russia cybersecurity news doesn’t end there, either. State-sponsored actors have been busy over the past month, including the Killnet group, which recently targeted several U.S. local elections offices and major airports.
So far, these cyber attacks don’t seem to have had any major effects or disruptions so far, but I just think it’s worth noting that these groups are just as active as ever, which is what the U.S. government has been warning us about since the onset of Russia’s invasion.
While there are many Russian actors who are incredibly sophisticated and may want to carry out high-profile attacks, Killnet is a less “formal” group and more of a collection of an online angry mob looking to just wreak whatever havoc it can. This group does not have any formal goals in mind, per se, and don’t seem to be motivated by specific state interests or trying to generate millions of dollars of revenue. They just want to be disruptive and make life harder on its targets.
And in some ways, this is worse for defenders because it’s impossible to predict where this group is going to strike next. It’s not easy enough to say, “Well, it’s back-to-school season, so education sectors are more likely to be targeted.”
Groups like Killnet don’t seem to care about specific timing or trying to “strike while the iron’s hot.” After all, it’s not like last week was a particularly busy travel season in the U.S. so they really wanted to hit the aviation industry when it hurts the most.
It can be tiring to hear the same warnings repeatedly about how Russian state-sponsored actors are going to target Western entities. But even though they can become repetitive, these warnings are backed up with real-world examples and show that users and defenders from all industries need to be always on their toes.
The one big thing
A new attack and C2 framework called "Alchimist” is actively targeting Windows, Linux, and macOS systems in various cyber attacks. Alchimist offers a web-based interface using the Simplified Chinese language is very similar to Manjusaka, another new framework Talos recently discovered and is becoming increasingly popular among Chinese threat actors. Both frameworks have significant similarities, but there are enough technical differences that Talos believes they were likely written by different authors.
Top security headlines from the week
The Qakbot access-as-a-service group is active again after a few months of being relatively quiet, this time using several different second-stage payloads to allow other groups to execute follow-on attacks. Qakbot infected systems have seen the group use Brute Ratel, a simulation platform commonly used by penetration testers, the Emotet botnet and Cobalt Strike. Black Basta is one such group that’s been spotted acquiring access to targeted systems via Qakbot. In that group’s case, it uses Brute Ratel to move laterally to other systems on the network and execute various malicious payloads. (Dark Reading, Decipher)
Australia is becoming an increasingly popular target for threat actors, including several high-profile companies who’ve recently been hit with cyber attacks. A new study found there was an 81 percent increase in cybersecurity incidents in Australia between July 2021 and June 2022, with most of that jump coming in 2022. The Australian government is already looking at new cybersecurity standards and laws, including new rules forcing cyber attack targets to notify banks faster if there is a data breach, specifically highlighting a recent breach at Optus, one of the country’s largest telecommunications companies. Medibank, a massive health insurance company, was also hit with a cyber attack this week, although it said there is currently no evidence of sensitive information or customer data being affected. (Computer Weekly, Reuters, Bloomberg)
Social media and online advertising platforms have been slow to adopt new rules and regulations around fake news and disinformation related to birth control and abortion care. Several months removed from the Supreme Court’s ruling overturning Roe v. Wade, there are still massive amounts of misleading advertising, fake news links and incorrect information floating around on online platforms without any flags. Abortion rights advocate say that this issue has only gotten worse since the ruling. A new study from the Institute for Strategic Dialogue states that sites like TikTok, YouTube and Meta have allowed disinformation and misinformation about abortion care rights and laws to be monetized and spread. (Axios, Institute for Strategic Dialogue)
Can’t get enough Talos?
- Talos Takes Ep. #117: Tips for kickstarting your cybersecurity career
- The benefits of taking an intent-based approach to detecting Business Email Compromise
- Threat Roundup for Oct. 7 - 14
- Researchers detail new C2 attack framework targeting Windows, macOS and Linux
- Talos EMEA Threat Update (Oct. 2022): An overview of the current ransomware landscape
- Intent-based approach leverages neural networks to deliver targeted classifications to BECs
Upcoming events where you can find Talos
Conference On Applied Machine Learning For Information Security (Oct. 20 - 21)
Sands Capital Management, Arlington, Virginia
Click or Treat? How not to fall for a phishing attack this Halloween (Oct. 31)
BSides Lisbon (Nov. 10 - 11)
Cidade Universitária, Lisboa, Portugal