Headline
Now’s not the time to take our foot off the gas when it comes to fighting disinformation online
YouTube released a statement that “we will stop removing content that advances false claims that widespread fraud, errors, or glitches occurred in the 2020 and other past US Presidential elections.”
Thursday, June 8, 2023 14:06
Welcome to this week’s edition of the Threat Source newsletter.
In the wake of the 2016 and 2020 presidential elections, it seemed like big tech companies were taking the fight against disinformation seriously. Social media outlets set up new fact-checking procedures and got more aggressive about banning or blocking pages and profiles that spread disinformation around elections.
Now I’m worried we’re already moving backward with another presidential election just around the corner (somehow).
In November, Twitter laid off a huge swath of its staff that heavily affected the teams tasked with keeping misinformation and fake news off the platform. Google reportedly laid off several experts on the matter at YouTube, leaving only one person solely in charge of the platform’s misinformation policy worldwide.
Then last week, YouTube announced it was changing its policy on removing videos that spread misinformation about the results of the 2020 election. Politicians and online personalities have repeatedly tried to spread lies that the presidential election that year was rigged in favor of U.S. President Joe Biden, despite there not being any concrete evidence of voter fraud. The former administration was also doing plenty to sow distrust around mail-in ballots prior to the election.
YouTube’s misinformation policies states that it reserves the right to remove any content from the platform that is “Content advancing false claims that widespread fraud, errors, or glitches occurred in certain past elections to determine heads of government.”
It specifically lists the 2021 German federal election and the 2014, 2018, and 2022 Brazilian Presidential elections as examples of where they are looking for this type of content. Weirdly, the U.S. presidential elections aren’t named anywhere, and instead, YouTube released a statement that “we will stop removing content that advances false claims that widespread fraud, errors, or glitches occurred in the 2020 and other past US Presidential elections.”
The company said that “In the current environment, we find that while removing this content does curb some misinformation, it could also have the unintended effect of curtailing political speech without meaningfully reducing the risk of violence or other real-world harm.”
These types of reversals are likely the result of a few things — companies are currently cutting the sizes of their workforce after staffing up during the COVID-19 pandemic, and these misinformation-fighting teams seem like an easy line item to cut now that we’re three years removed from the 2020 election. It also seems like these false claims around the election have largely “blown over” among the general public, so there is not nearly as much pressure on these outlets to enforce these rules as there may have been in the immediate aftermath of the attempted insurrection on the U.S. Capitol in January 2021.
This sets up history to repeat itself during the 2024 election cycle. People start spreading lies and sowing doubt about the outcome of the election before any ballots are even cast, we all get upset and pressure these companies into doing something, and then a few years later when no one is looking, they can make cuts in these areas.
As Talos has written about previously, there are several facets to disinformation campaigns. There is no one-size-fits-all solution that will just make our fake news problem go away. But giving up on many of those solutions just a few years into trying them is not the answer, either.
The one big thing
Cisco Talos Incident Response is reporting increased attacks utilizing stolen vendor or other third-party account credentials. These are accounts created for third-party workforce members – employees of external partner organizations that maintain physical or virtual access to an organization’s environment. Attackers are stealing these login credentials to carry out software supply chain attacks and quietly sitting on targeted networks, which can often be overlooked when major supply chain attacks involving phony updates dominate the headlines.
Why do I care?
These accounts are frequently leveraged for initial access and then used to move laterally through the organization’s network, especially when the victim hasn’t deployed multi-factor authentication (MFA). Since VCAs are usually given elevated permissions, theft of these credentials will often result in widespread damage to victim assets and could even be used to move along the initial victim’s supply chain. Any organization that works with an outside third party for things from software to support is at risk of falling victim to this type of threat.
So now what?
Talos’ blog outlines several steps organizations can take to protect against the worst-case scenario. One of the easiest steps an IT or infosec team can take to protect their VCAs is to disable them when they’re not needed. Or adopt the principle of least privilege across the network for all accounts, whether they’re a vendor or not.
Top security headlines of the week
Threat actors are actively exploiting a zero-day exploit in Progress Software’s MOVEit Transfer app to steal data from a wide range of companies and organizations, including the government of Nova Scotia and British Airways. Microsoft reported that the attacks can be attributed to the CLOP ransomware group, along with follow-on attacks that are the result of the attackers infiltrating Zellis, a U.K. payroll company. The MOVEit vulnerability, CVE-2023-34362, could allow an attacker to gain access to the software’s database, and then infer information about the structure of said database and execute SQL statements that could alter the database or delete information. Progress issued a patch for the vulnerability last week but said it had been exploited as early as May. Staff at the affected companies have been warned that personal data could be at risk, including U.K. national insurance numbers and bank account details. (Dark Reading, BBC)
Google released an emergency patch for its Chrome web browser to fix a high-severity zero-day vulnerability. As of Tuesday afternoon, only limited details about CVE-2023-3079 were available. Google says it’s a type confusion vulnerability in the V8 JavaScript engine that Chrome and other Chromium-based browsers like Microsoft Edge use. Google’s Threat Analysis Group said that a commercial spyware vendor has already leveraged the vulnerability. This is the third zero-day vulnerability Google has disclosed in Chrome this year. (SecurityWeek, PCMag)
Microsoft Outlook’s mobile app and web app experienced intermittent outages on Monday and Tuesday, with a hacktivist claiming responsibility for a distributed denial-of-service attack. Microsoft said the issue stemmed from technical errors in the product, but a group known as Anonymous Sudan says it was behind the disruptions, claiming responsibility while saying it was protesting the U.S.’s involvement in Sudanese affairs. The group said on its Telegram channel that it would “continue to target large US companies, government and infrastructure.” Anonymous Sudan was also behind recent DDoS attacks against Swedish airline SAS and nine hospitals in Denmark. (The Register, Bleeping Computer)
Can’t get enough Talos?
- Researcher Spotlight: How Joe Marshall helps defend everything from electrical grids to grain co-ops across multiple continents
- Cybersecurity for businesses of all sizes: A blueprint for protection
- Talos Takes Ep. #141: The Predator spyware and more “mercenary” groups
- Horabot campaign targeted businesses for more than two years before finally being discovered
- Horabot Campaign Targets Spanish-Speaking Users in the Americas
Upcoming events where you can find Talos
Discover Cyber Workshop for Women (June 8)
Doha, Qatar
REcon (June 9 - 11)
Montreal, Canada
Most prevalent malware files from Talos telemetry over the past week
SHA 256: a8a6d67140ac6cfec88b748b8057e958a825224fcc619ed95750acbd1d7a4848
MD5: 8cb26e5b687cafb66e65e4fc71ec4d63
Typical Filename: dattService.exe
Claimed Product: Datto Service Monito
Detection Name: W32.Auto:a8a6d6.in03.Talos
SHA 256: 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1
MD5: 3e10a74a7613d1cae4b9749d7ec93515
Typical Filename: IMG001.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Coinminer::1201
SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg
SHA 256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa
MD5: df11b3105df8d7c70e7b501e210e3cc3
Typical Filename: DOC001.exe
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201
SHA 256: 7c8e1dba5c1b84a08636d9e6f225e1e79bb346c176e0ee2ae1dfec18953a1ce2
MD5: 3e0fb82ed8ea6cd7d1f1bb9dca5f2bdc
Typical Filename: PDFShark.exe
Claimed Product: PDFShark
Detection Name: Win.Dropper.Razy::95.sbx.tg
SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c
MD5: a087b2e6ec57b08c0d0750c60f96a74c
Typical Filename: AAct.exe
Claimed Product: N/A
Detection Name: PUA.Win.Tool.Kmsauto::1201
Related news
The data leak was not actually due to a breach in Amazon's systems but rather that of a third-party vendor; the supply chain incident affected several other clients as well.
A coalition of dozens of countries, including France, the U.K., and the U.S., along with tech companies such as Google, MDSec, Meta, and Microsoft, have signed a joint agreement to curb the abuse of commercial spyware to commit human rights abuses. The initiative, dubbed the Pall Mall Process, aims to tackle the proliferation and irresponsible use of commercial cyber intrusion tools by
Gentoo Linux Security Advisory 202401-34 - Multiple vulnerabilities have been discovered in Chromium and its derivatives, the worst of which can lead to remote code execution. Versions greater than or equal to 120.0.6099.109 are affected.
Google has rolled out security updates for the Chrome web browser to address a high-severity zero-day flaw that it said has been exploited in the wild. The vulnerability, assigned the CVE identifier CVE-2023-7024, has been described as a heap-based buffer overflow bug in the WebRTC framework that could be exploited to result in program crashes or arbitrary code execution. Clément
Google has rolled out security updates to fix seven security issues in its Chrome browser, including a zero-day that has come under active exploitation in the wild. Tracked as CVE-2023-6345, the high-severity vulnerability has been described as an integer overflow bug in Skia, an open source 2D graphics library. Benoît Sevens and Clément Lecigne of Google's Threat Analysis Group (TAG) have been
Gentoo Linux Security Advisory 202311-11 - Multiple vulnerabilities have been discovered in QtWebEngine, the worst of which could lead to remote code execution. Versions greater than or equal to 5.15.10_p20230623 are affected.
Gotham Orbital-Simulator service prior to 0.692.0 was found to be vulnerable to a Path traversal issue allowing an unauthenticated user to read arbitrary files on the file system.
Google on Wednesday rolled out fixes to address a new actively exploited zero-day in the Chrome browser. Tracked as CVE-2023-5217, the high-severity vulnerability has been described as a heap-based buffer overflow in the VP8 compression format in libvpx, a free software video codec library from Google and the Alliance for Open Media (AOMedia). Exploitation of such buffer overflow flaws can
Google on Monday rolled out out-of-band security patches to address a critical security flaw in its Chrome web browser that it said has been exploited in the wild. Tracked as CVE-2023-4863, the issue has been described as a case of heap buffer overflow that resides in the WebP image format that could result in arbitrary code execution or a crash. Apple Security Engineering and Architecture (SEAR
The foundry campaigns service was found to be vulnerable to an unauthenticated information disclosure in a rest endpoint
A security defect was discovered in Foundry Issues that enabled users to create convincing phishing links by editing the request sent when creating an Issue. This defect was resolved in Frontend release 6.228.0 .
Ransomware was the second most-observed threat this quarter, accounting for 17 percent of engagements, a slight increase from last quarter’s 10 percent.
Categories: Threat Intelligence Following a three-month lull of activity, Cl0p returned with a vengeance in June and beat out LockBit as the month’s most active ransomware gang. (Read more...) The post Ransomware review: July 2023 appeared first on Malwarebytes Labs.
A security defect was identified in Foundry Comments that enabled a user to discover the contents of an attachment submitted to another comment if they knew the internal UUID of the target attachment. This defect was resolved with the release of Foundry Comments 2.267.0.
A security defect was discovered in Foundry Frontend which enabled users to perform Stored XSS attacks in Slate if Foundry's CSP were to be bypassed. This defect was resolved with the release of Foundry Frontend 6.229.0. The service was rolled out to all affected Foundry instances. No further intervention is required.
Progress Software has announced the discovery and patching of a critical SQL injection vulnerability in MOVEit Transfer, popular software used for secure file transfer. In addition, Progress Software has patched two other high-severity vulnerabilities. The identified SQL injection vulnerability, tagged as CVE-2023-36934, could potentially allow unauthenticated attackers to gain unauthorized
A security defect was identified in Foundry Issues. If a user was added to an issue on a resource that they did not have access to and consequently could not see, they could query Foundry's Notification API and receive metadata about the issue including the RID of the issue, severity, internal UUID of the author, and the user-defined title of the issue.
Hello everyone! This episode will be about Microsoft Patch Tuesday for June 2023, including vulnerabilities that were added between May and June Patch Tuesdays. As usual, I use my open source Vulristics project to analyse and prioritize vulnerabilities. I took the comments about the vulnerabilities from the Qualys, Tenable, Rapid7, ZDI Patch Tuesday reviews. This time there […]
This Metasploit module exploits an SQL injection vulnerability in the MOVEit Transfer web application that allows an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker can leverage an information leak be able to upload a .NET deserialization payload.
These clinics offers pro-bono cybersecurity services — like incident response, general advice and ransomware defense — to community organizations, non-profits and small businesses that normally couldn’t afford to pay a private company for these same services.
Gen Digital, the parent company of the security companies, is the latest victim in a rash of Cl0p attacks on the bug in the MOVEit transfer software, leading to employee data being revealed.
The Clop ransomware group has claimed responsibility for exploiting the vulnerability to deploy a previously unseen web shell, LemurLoot.
MOVEit has created a patch to fix the issue and urges customers to take action to protect their environments, as Cl0p attacks continue to mount, including on government targets.
Categories: Exploits and vulnerabilities Categories: News Categories: Ransomware Tags: Progress Tags: Moveit Tags: CVE-2023-34362 Tags: CVE-2023-35036 Tags: Cl0p Progress has released an advisory about yet another MOVEit Transfer vulnerability while new victims of the first one keep emerging. (Read more...) The post MOVEit discloses THIRD critical vulnerability appeared first on Malwarebytes Labs.
Progress Software on Thursday disclosed a third vulnerability impacting its MOVEit Transfer application, as the Cl0p cybercrime gang deployed extortion tactics against affected companies. The new flaw, which is yet to be assigned a CVE identifier, also concerns an SQL injection vulnerability that "could lead to escalated privileges and potential unauthorized access to the environment." The
The information leak threats are certainly new, but the education and messaging from security evangelists (and even just anyone trying to educate an older or less security-savvy family member) doesn’t change.
Microsoft has rolled out fixes for its Windows operating system and other software components to remediate major security shortcomings as part of Patch Tuesday updates for June 2023. Of the 73 flaws, six are rated Critical, 63 are rated Important, two are rated Moderated, and one is rated Low in severity. This also includes three issues the tech giant addressed in its Chromium-based Edge browser
By Waqas Ofcom, the UK communications regulator, is the latest victim of the infamous Cl0p extortion gang, who have been exploiting MOVEit vulnerabilities to target high-profile firms. This is a post from HackRead.com Read the original post: UK’s Ofcom confirms cyber attack as PoC exploit for MOVEit is released
Categories: Exploits and vulnerabilities Categories: News Categories: Ransomware Tags: MOVEit Tags: Progress Tags: Cl0p Tags: ransomware Tags: CVE-2023-34362 A security audit of the MOVEit code has revealed more SQL injection vulnerabilities, while victims of the first vulnerability are coming to the surface. (Read more...) The post More MOVEit vulnerabilities found while the first one still resonates appeared first on Malwarebytes Labs.
Progress Software, the company behind the MOVEit Transfer application, has released patches to address brand new SQL injection vulnerabilities affecting the file transfer solution that could enable the theft of sensitive information. "Multiple SQL injection vulnerabilities have been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain
Debian Linux Security Advisory 5420-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have published a joint advisory regarding the active exploitation of a recently disclosed critical flaw in Progress Software's MOVEit Transfer application to drop ransomware. "The Cl0p Ransomware Gang, also known as TA505, reportedly began exploiting a previously unknown SQL injection
Categories: Exploits and vulnerabilities Categories: News Tags: Google Tags: Chrome Tags: V8 Tags: heap corruption Tags: type confusion Tags: CVE-2023-3079 Google has released a Chrome update for a zero-day for which an exploit is actively being used in the wild. (Read more...) The post Update Chrome now! Google patches actively exploited zero-day appeared first on Malwarebytes Labs.
Google on Monday released security updates to patch a high-severity flaw in its Chrome web browser that it said is being actively exploited in the wild. Tracked as CVE-2023-3079, the vulnerability has been described as a type confusion bug in the V8 JavaScript engine. Clement Lecigne of Google's Threat Analysis Group (TAG) has been credited with reporting the issue on June 1, 2023. "Type
Categories: Exploits and vulnerabilities Categories: News Categories: Ransomware Tags: Progress Tags: MOVEit Tags: Transfer Tags: CVE-2023-34362 Tags: BBC Tags: Zellis Tags: BA The first victims of the ongoing attacks on vulnerable MOVEit Transfer instances are coming forward. The Cl0p ransomware gang claims it is behind the attacks. (Read more...) The post Cl0p ransomware gang claims first victims of the MOVEit vulnerability appeared first on Malwarebytes Labs.
Type confusion in V8 in Google Chrome prior to 114.0.5735.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Microsoft has officially linked the ongoing active exploitation of a critical flaw in the Progress Software MOVEit Transfer application to a threat actor it tracks as Lace Tempest. "Exploitation is often followed by deployment of a web shell with data exfiltration capabilities," the Microsoft Threat Intelligence team said in a series of tweets today. "CVE-2023-34362 allows attackers to
In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS.