Newsletters

Meta's numbers are eye-opening for anyone today thinking social media influence operations don't work. They obviously do; otherwise, they wouldn't have been around after five years and certainly not exploded like they did this past year.

But Meta says that we all have a skewed view of what influence operations really are and what they're used for.

While back in 2017, when Meta began tracking CIB networks, these operations would target foreign audiences, this has quickly turned, and for the past few years, the vast majority of CIB networks target internal audiences—which explains why we see influence ops in places like Uganda, Finland, or Zimbabwe.

Risky Business publishes sponsored product demos to YouTube. They're a great way for you to save the time and hassle of trying to actually get useful information out of security vendors. You can subscribe to our product demo page on YouTube here.

In our latest demo, Brett Winterford and Harish Chakravarthy demonstrate to host Patrick Grey how Okta can be used for passwordless authentication. These phishing resistant authentication flows — even if they are not rolled out to all users — can also be used as a high-quality signal of phishing attempts that can be used to trigger automated follow-on actions.

People are already examining how ChatGPT, which describes itself as "the most advanced artificial intelligence on the market" and claims to "deliver stunningly accurate responses to your every question and comment" can be used maliciously.

Twitter’s failed attempt to block bot farms: After Elon Musk, Twitter's controversial CEO, bragged on social media that he had a surprise for all the bot farms, Twitter managed to spectacularly shoot itself in the foot on Monday when the company blocked entire IP address blocks for around 30 mobile carriers across Asia. According to Platformer, this included the primary telecom providers in India and Russia, as well as the second-largest telecom in Indonesia. However, the block was short-lived, as Twitter had to revert its decision a few hours later after telcos and users complained all over Asia about not being able to access the service—go figure! The social network also officially dissolved its Trust and Safety Board as well on Monday, as, let's face it, it was getting in the way of Musk's attempts to influence US politics at this point.

Manipulated academic imagery: Dr. Neal Krawetz has an interesting write-up on the practice of forging and editing images in academic studies and how these can be spotted.

Vivaldi gets Mastodon support: Vivaldi browser version 5.6, released last week, now comes with a Mastodon widget.

Rackspace faces three CALs: Cloud hosting provider Rackspace will have to defend at least three different class-action lawsuits related to a ransomware attack that hit a part of its server infrastructure and has left countless companies without access to their email servers. In an interview last week, Rackspace suggested they might not be able to recover all their customers' data, which they referred to as "legacy data." The company also appears to have given up on hosting Exchange email servers in its cloud and said it was migrating all its existing customers to Microsoft 365. Migrating its Exchange customers to a rival will cost the company $30 million, according to documents Rackspace filed with the SEC.

Lodestar Finance crypto-heist: A threat actor has abused an exploit in the smart contract of the Lodestar Finance DeFi platform and has stolen more than $5.8 million worth of cryptocurrency. The platform said it already recovered $2.4 million of the stolen funds and is still working to secure the rest. Just like most cryptocurrency platforms that get popped these days, Lodestar has offered to let the hacker keep some of the stolen funds and hide the intrusion under a "white-hat agreement."

Edge support on Windows 7/8: Microsoft plans to end support for its Edge web browser on Windows 7 and Windows 8/8.1 versions next year, on January 10, 2023. This is the same date when both Windows 7 and Windows 8/8.1 will reach End-Of-Life (EOL) after their extended support periods expire. Google also announced earlier this fall that Chrome version 110 would be the last to support both Windows 7 and Windows 8/8.1. Chrome 110 is scheduled for release in February 2023.

Finally, the third and most positively welcomed feature is Advanced Data Protection for iCloud, which lets users encrypt their iCloud data, including iCloud Backup, Photos, Notes, and others. According to an Apple documentation page, 23 different iCloud data categories can be encrypted.

The feature is also opt-in, so users will have to manually enable it.

Furthermore, Advanced Data Protection for iCloud uses an end-to-end encryption (E2EE) scheme, meaning there's a chance that if you lose access to your devices, you may lose all your encrypted backups and their respective data.

Microsoft continues to position itself as a bulwark against digital authoritarianism, but keeps pushing its rhetoric beyond the available evidence. This is consequential stuff, and we're disappointed that Microsoft seems more interested in hyping threats as opposed to seeking to help people understand them.

A few recent examples:

On Saturday, Microsoft released an article on "Preparing for a Russian cyber offensive against Ukraine this winter". In this article, Microsoft promotes the view that Russia is launching coordinated cyber and conventional attacks:

Amnesty International hack: A Chinese APT group has breached the network of the Canadian branch of Amnesty International, the organization said on Monday. The breach was discovered in early October and was investigated and confirmed with the help of cybersecurity firm Secureworks. Speaking to reporters, Amnesty International said the hackers searched for information on China, Hong Kong, and prominent Chinese activists. The organization said there found no evidence to suggest that Chinese hackers stole information on its donors and members. In August, threat intelligence firm Recorded Future warned that a Chinese APT named RedAlpha was registering lookalike domain names impersonating various human rights organizations, including Amnesty International.

It was ransomware: Rackspace has confirmed that the major outage of its Exchange email server infrastructure that took place over the weekend was caused by ransomware.

Mercury IT ransomware incident: The New Zealand government said that a ransomware attack on Mercury IT, a major local MSP, has impacted the services of several private and public institutions. The attack took place last week on November 30. According to the NZ Herald, the incident has impacted and compromised the data of the Ministry of Justice, the Ministry of Health, the NZ National Nurses Association, health insurer Accuro, and private industry group BusinessNZ.

Rackspace security incident: Cloud hosting platform Rackspace took down its hosted Microsoft Exchange email server infrastructure following what the company described as a "security incident." The incident took place on Friday, December 2, and Rackspace was still working on restoring affected services at the time of this newsletter on Monday morning. No confirmation yet that this is a ransomware attack. British security researcher Kevin Beaumont believes Rackspace's Exchange servers were most likely hacked using the ProxyNotShell vulnerability.

Accuro hack: New Zealand health insurer Accuro said that hackers gained access to its systems in a security incident last week. The company said that while it has no evidence that customer data was accessed, it can't rule out this possibility and urged users to be vigilant of possible fraud.

Ankr crypto-heist: Cryptocurrency platform Binance said it paused its integration with the Ankr DeFi protocol after an attacker used a leaked Ankr platform developer key and minted Binance BNB coins worth more than $4 billion in fiat currency. The attacker is believed to have stolen roughly $5 million worth of cryptocurrency before Binance stopped in to cut off their access, although it appears that Binance did manage to freeze $3 million of this.

LastPass discloses second breach this year: Password management utility LastPass says that a threat actor has breached one of its cloud storage servers using information the company believes was initially stolen during a previous security incident that took place in August 2022. LastPass says the intruder gained access to "certain elements of our customers' information," but that account master passwords remain safely encrypted. The company says it is working with Mandiant and law enforcement to investigate the incident. The incident also impacted the infrastructure of GoTo, a sister company part of the LogMeIn group.

Guatemala ransomware attack: The Guatemala government says it is investigating a ransomware attack that impacted the IT network of the Ministry of Foreign Affairs. The Ministry's data was added to the leak site of the Onyx ransomware group on September 27 and was added again on November 21, according to a report from The Record.

Full Medibank dump: The REvil ransomware gang has released the entire data set the group has stolen from Australian healthcare insurer Medibank. The data was published after the Australian company refused to pay the gang's extortion demand following a security breach in mid-October. Medibank has officially confirmed the leak of its entire data, which includes the personal and medical information of 9.7 million current and former customers.

In the US, the Federal Communications Commission (FCC) has banned Chinese telecommunications and video surveillance equipment from Huawei, ZTE, Hikvision and Dahua from sale in the United States. In the UK, the government banned Chinese surveillance camera manufacturers from installation at its "sensitive sites".

The UK government statement specifically mentioned the PRC's National Intelligence Law as the driver behind the ban. We don't think this is an overreaction. Article 7 of the law states:

It's clear: if the PRC government asks, companies must help.