Now’s not the time to take our foot off the gas when it comes to fighting disinformation online

Jonathan Munshaw, blog.talosintelligence.com
Jun 08, 2023, 6:00 p.m. (2023-06-08 18:00:35)

Vulnerability scores shown alongside this post:

CVSS3: 9.8 High
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality/Integrity/Availability Impact: HIGH/HIGH/HIGH

CVSS2: 7.5 High
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Access Vector: NETWORK; Access Complexity: LOW; Authentication: NONE; Confidentiality/Integrity/Availability Impact: PARTIAL/PARTIAL/PARTIAL

EPSS: 0.8 High (percentile 97.8%)


Welcome to this week's edition of the Threat Source newsletter.

In the wake of the 2016 and 2020 presidential elections, it seemed like big tech companies were taking the fight against disinformation seriously. Social media outlets set up new fact-checking procedures and got more aggressive about banning or blocking pages and profiles that spread disinformation around elections.

Now I'm worried we're already moving backward with another presidential election just around the corner (somehow).

In November, Twitter laid off a huge swath of its staff that heavily affected the teams tasked with keeping misinformation and fake news off the platform. Google reportedly laid off several experts on the matter at YouTube, leaving only one person solely in charge of the platform's misinformation policy worldwide.

Then last week, YouTube announced it was changing its policy on removing videos that spread misinformation about the results of the 2020 election. Politicians and online personalities have repeatedly tried to spread lies that the presidential election that year was rigged in favor of U.S. President Joe Biden, despite there not being any concrete evidence of voter fraud. The former administration was also doing plenty to sow distrust around mail-in ballots prior to the election.

YouTube's misinformation policy states that it reserves the right to remove "Content advancing false claims that widespread fraud, errors, or glitches occurred in certain past elections to determine heads of government."

It specifically lists the 2021 German federal election and the 2014, 2018, and 2022 Brazilian presidential elections as examples of where it is looking for this type of content. Weirdly, U.S. presidential elections aren't named anywhere; instead, YouTube released a separate statement that "we will stop removing content that advances false claims that widespread fraud, errors, or glitches occurred in the 2020 and other past US Presidential elections."

The company said that "In the current environment, we find that while removing this content does curb some misinformation, it could also have the unintended effect of curtailing political speech without meaningfully reducing the risk of violence or other real-world harm."

These types of reversals are likely the result of a few things – companies are currently cutting the sizes of their workforce after staffing up during the COVID-19 pandemic, and these misinformation-fighting teams seem like an easy line item to cut now that we're three years removed from the 2020 election. It also seems like these false claims around the election have largely "blown over" among the general public, so there is not nearly as much pressure on these outlets to enforce these rules as there may have been in the immediate aftermath of the attempted insurrection on the U.S. Capitol in January 2021.

This sets up history to repeat itself during the 2024 election cycle. People start spreading lies and sowing doubt about the outcome of the election before any ballots are even cast, we all get upset and pressure these companies into doing something, and then a few years later when no one is looking, they can make cuts in these areas.

As Talos has written about previously, there are several facets to disinformation campaigns. There is no one-size-fits-all solution that will just make our fake news problem go away. But giving up on many of those solutions just a few years into trying them is not the answer, either.

The one big thing

Cisco Talos Incident Response is reporting increased attacks utilizing stolen vendor or other third-party account credentials. These are accounts created for third-party workforce members - employees of external partner organizations that maintain physical or virtual access to an organization's environment. Attackers are stealing these login credentials to carry out software supply chain attacks and quietly sitting on targeted networks, which can often be overlooked when major supply chain attacks involving phony updates dominate the headlines.

Why do I care?

These vendor and contractor accounts (VCAs) are frequently leveraged for initial access and then used to move laterally through the organization's network, especially when the victim hasn't deployed multi-factor authentication (MFA). Since VCAs are usually given elevated permissions, theft of these credentials often results in widespread damage to victim assets and can even be used to move further along the initial victim's supply chain. Any organization that relies on an outside third party for anything from software to support is at risk of falling victim to this type of threat.

So now what?

Talos' blog outlines several steps organizations can take to protect against the worst-case scenario. One of the easiest steps an IT or infosec team can take to protect their VCAs is to disable them whenever they are not needed, and to apply the principle of least privilege to every account on the network, vendor or not.
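The audit below turns those three controls (disable idle or expired third-party accounts, require MFA, apply least privilege) into a check that runs over an identity export, and adds the one detection a blue team most wants from this post: a vendor account authenticating to hosts outside its agreed scope, which is what lateral movement with stolen VCA credentials looks like. This is an added example, not code from the Talos newsletter or the Talos IR blog it summarizes; the export field names, group names, hosts, accounts and thresholds are all assumptions or constructed sample data.

```python
"""Audit of vendor and contractor accounts (VCAs).

Added example, not code from the Talos post or the Talos IR blog it
summarizes. It assumes an identity export already flattened into the
dict shape used in SAMPLE_ACCOUNTS (the field names are assumptions)
and uses illustrative thresholds.
"""
from datetime import datetime, timedelta, timezone

# Groups whose membership warrants a least-privilege review (assumed set).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Fixed "now" so the constructed sample evaluates deterministically.
NOW = datetime(2023, 6, 8, 18, 0, tzinfo=timezone.utc)

# Constructed sample export (not real accounts or hosts).
SAMPLE_ACCOUNTS = [
    {   # active vendor service account: no MFA, domain admin, roaming off-scope
        "user": "svc-acme-support", "type": "vendor", "enabled": True,
        "mfa": False, "groups": ["Domain Admins"],
        "last_logon": "2023-06-07T22:14:00Z", "contract_end": "2023-12-31",
        "allowed_hosts": ["app-01"], "recent_hosts": ["app-01", "dc-01", "fs-02"],
    },
    {   # contractor account that has sat idle for months
        "user": "hvac-contractor", "type": "contractor", "enabled": True,
        "mfa": True, "groups": ["Remote Desktop Users"],
        "last_logon": "2023-02-14T10:00:00Z", "contract_end": "2023-12-31",
        "allowed_hosts": ["bms-01"], "recent_hosts": [],
    },
    {   # vendor still logging on after its engagement ended
        "user": "ext-audit-2022", "type": "vendor", "enabled": True,
        "mfa": True, "groups": [],
        "last_logon": "2023-06-01T08:30:00Z", "contract_end": "2022-12-31",
        "allowed_hosts": ["fin-01"], "recent_hosts": ["fin-01"],
    },
    {   # internal employee: out of scope for this audit
        "user": "jdoe", "type": "employee", "enabled": True,
        "mfa": False, "groups": ["Domain Admins"],
        "last_logon": "2023-06-08T09:00:00Z", "contract_end": "2099-01-01",
        "allowed_hosts": [], "recent_hosts": ["ws-17"],
    },
    {   # already-disabled vendor account with no logon history
        "user": "old-vendor", "type": "vendor", "enabled": False,
        "mfa": False, "groups": [],
        "last_logon": None, "contract_end": "2023-12-31",
        "allowed_hosts": [], "recent_hosts": [],
    },
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2023-06-01T08:30:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_day(value):
    """Parse a YYYY-MM-DD date as midnight UTC."""
    return datetime.strptime(value, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def audit_vcas(accounts, now, idle_days=30):
    """Return findings, keyed by action, for third-party accounts only.

    disable: enabled VCA idle longer than idle_days, never used, or past contract end
    enforce_mfa: enabled VCA without MFA
    review_privilege: VCA that is a member of a privileged group
    scope_violation: VCA seen authenticating to hosts outside its allowed set
    """
    findings = {"disable": [], "enforce_mfa": [],
                "review_privilege": [], "scope_violation": []}
    idle_cutoff = now - timedelta(days=idle_days)
    for acct in accounts:
        if acct["type"] not in ("vendor", "contractor"):
            continue  # employees are handled by a different policy
        name = acct["user"]
        last_logon = parse_ts(acct["last_logon"]) if acct["last_logon"] else None
        expired = now > parse_day(acct["contract_end"])
        if acct["enabled"]:
            if last_logon is None or last_logon < idle_cutoff or expired:
                findings["disable"].append(name)
            if not acct["mfa"]:
                findings["enforce_mfa"].append(name)
        if PRIVILEGED_GROUPS & set(acct["groups"]):
            findings["review_privilege"].append(name)
        off_scope = sorted(set(acct["recent_hosts"]) - set(acct["allowed_hosts"]))
        if off_scope:
            findings["scope_violation"].append((name, off_scope))
    return findings


if __name__ == "__main__":
    for action, hits in audit_vcas(SAMPLE_ACCOUNTS, NOW).items():
        print(f"{action}: {hits}")
```

On the constructed sample the active vendor service account is the one that matters: it is not idle, so a disable-only policy never touches it, yet it lacks MFA, holds Domain Admins, and has authenticated to a domain controller and a file server it was never scoped to. That last finding is the detection signal; the other three are the preventive fixes the post recommends, and the "disabled already" and "employee" records show the audit stays quiet where it should.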

Top security headlines of the week

Threat actors are actively exploiting a zero-day vulnerability in Progress Software's MOVEit Transfer app to steal data from a wide range of companies and organizations, including the government of Nova Scotia and British Airways. Microsoft attributed the attacks to the CLOP ransomware group, along with follow-on attacks that resulted from the attackers infiltrating Zellis, a U.K. payroll company. The MOVEit vulnerability, CVE-2023-34362, is a SQL injection flaw that could allow an unauthenticated attacker to gain access to the software's database, infer information about its structure, and execute SQL statements that alter or delete data. Progress issued a patch for the vulnerability last week but said it had been exploited as early as May. Staff at the affected companies have been warned that personal data could be at risk, including U.K. national insurance numbers and bank account details. (Dark Reading, BBC)

Google released an emergency patch for its Chrome web browser to fix a high-severity zero-day vulnerability. As of Tuesday afternoon, only limited details about CVE-2023-3079 were available. Google says it's a type confusion vulnerability in the V8 JavaScript engine that Chrome and other Chromium-based browsers like Microsoft Edge use. Google's Threat Analysis Group said that a commercial spyware vendor has already leveraged the vulnerability. This is the third zero-day vulnerability Google has disclosed in Chrome this year. (SecurityWeek, PCMag)

Microsoft Outlook's mobile app and web app experienced intermittent outages on Monday and Tuesday, with a hacktivist claiming responsibility for a distributed denial-of-service attack. Microsoft said the issue stemmed from technical errors in the product, but a group known as Anonymous Sudan says it was behind the disruptions, claiming responsibility while saying it was protesting the U.S.'s involvement in Sudanese affairs. The group said on its Telegram channel that it would "continue to target large US companies, government and infrastructure." Anonymous Sudan was also behind recent DDoS attacks against Swedish airline SAS and nine hospitals in Denmark. (The Register, Bleeping Computer)

Can't get enough Talos?

Upcoming events where you can find Talos

Discover Cyber Workshop for Women (June 8)

Doha, Qatar

REcon (June 9 - 11)

Montreal, Canada

Most prevalent malware files from Talos telemetry over the past week

SHA 256: a8a6d67140ac6cfec88b748b8057e958a825224fcc619ed95750acbd1d7a4848
MD5: 8cb26e5b687cafb66e65e4fc71ec4d63
Typical Filename: dattService.exe
Claimed Product: Datto Service Monito
Detection Name: W32.Auto:a8a6d6.in03.Talos

SHA 256: 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1
MD5: 3e10a74a7613d1cae4b9749d7ec93515
Typical Filename: IMG001.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Coinminer::1201

SHA 256: e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934
MD5: 93fefc3e88ffb78abb36365fa5cf857c
Typical Filename: Wextract
Claimed Product: Internet Explorer
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

SHA 256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa
MD5: df11b3105df8d7c70e7b501e210e3cc3
Typical Filename: DOC001.exe
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201

SHA 256: 7c8e1dba5c1b84a08636d9e6f225e1e79bb346c176e0ee2ae1dfec18953a1ce2
MD5: 3e0fb82ed8ea6cd7d1f1bb9dca5f2bdc
Typical Filename: PDFShark.exe
Claimed Product: PDFShark
Detection Name: Win.Dropper.Razy::95.sbx.tg

SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c
MD5: a087b2e6ec57b08c0d0750c60f96a74c
Typical Filename: AAct.exe
Claimed Product: N/A
Detection Name: PUA.Win.Tool.Kmsauto::1201
