Cybercrime

US authorities disrupt Russian AI-powered disinformation campaign

Authorities from multiple countries have issued warnings about a sophisticated disinformation campaign backed by Russia that leverages AI-powered software to spread false information both in the US and internationally. The operation, known as Meliorator, is reportedly being carried out by affiliates of RT (formerly Russia Today), a Russian state-sponsored media outlet, to create fake online personas and disseminate misleading content. Since at least 2022, Meliorator has been employed to spread disinformation targeting the US, Poland, Germany, the Netherlands, Spain, Ukraine, and Israel, as detailed in a joint advisory released by US, Canadian, and Dutch security services.

Meliorator is designed to create fake social media profiles that appear to be real individuals, primarily from the US. These bots can generate original posts, follow users, like, comment, repost, and gain followers. They are capable of mirroring and amplifying existing Russian disinformation narratives. The identities of these bots are crafted based on specific parameters like location, political ideologies, and biographical data. Meliorator can also group bots with similar ideologies to enhance their personas.

Moreover, most bot accounts had over 100,000 followers to avoid detection and followed genuine accounts aligned with their fabricated political leanings. As of June 2024, Meliorator was only operational on X, but there are indications that its functionality might have expanded to other social media networks.

The US Justice Department (DOJ) announced the seizure of two domain names and the search of nearly a thousand social media accounts used by Russian actors to establish an AI-enhanced bot farm with Meliorator’s assistance. The bot farm operators registered fictitious social media accounts using private email servers linked to the seized domain names. The FBI took control of these domains, while social media platform X (formerly Twitter) voluntarily suspended the remaining identified bot accounts for violating terms of service.

FBI Director Christopher Wray emphasised that this marks a significant step in disrupting a Russian-sponsored AI-enhanced disinformation bot farm. The goal of the bot farm was to use AI to scale disinformation efforts, undermining partners in Ukraine and influencing geopolitical narratives favouring the Russian government. These accounts commonly posted pro-Kremlin content, including videos of President Vladimir Putin and criticism of the Ukrainian government.

US authorities have linked the development of Meliorator to a former deputy editor-in-chief at RT in early 2022. RT viewed this bot farm as an alternative means of distributing information beyond its television broadcasts, especially after going off the air in the US in early 2022. The Kremlin approved and financed the bot farm, with Russia’s Federal Security Service (FSB) having access to the software to advance its goals.

The DOJ highlighted that the use of US-based domain names by the FSB violates the International Emergency Economic Powers Act, and the associated payments breach US money laundering laws. Deputy Attorney General Lisa Monaco stated that the DOJ and its partners will not tolerate the use of AI by Russian government actors to spread disinformation and sow division among Americans.

Why does it matter?

The disruption of the Russian operation comes just four months before the US presidential election, a period during which security experts anticipate heightened hacking and covert social media influence attempts by foreign adversaries. Attorney General Merrick Garland noted that this is the first public accusation against a foreign government for using generative AI in a foreign influence operation.

Australia accuses China-backed APT40 of cyberattacks on national networks

Australia’s government cybersecurity agency has pointed fingers at a China-backed hacker group, APT40, for pilfering passwords and usernames from two undisclosed Australian networks back in 2022. The Australian Cyber Security Centre, in collaboration with leading cybersecurity agencies from the US, Britain, Canada, New Zealand, Japan, South Korea, and Germany, released a joint report attributing these malicious cyber operations to China’s Ministry of State Security, the primary agency overseeing foreign intelligence. Despite these claims, China’s embassy in Australia refrained from immediate comments on the matter, dismissing the hacking allegations as ‘political manoeuvring’.

The accusations against APT40 come in the wake of previous allegations by US and British officials in March, implicating Beijing in a large-scale cyberespionage campaign that targeted a wide range of individuals and entities, including lawmakers, academics, journalists, and defence contractors.  Moreover, New Zealand also reported on APT40’s targeting of its parliamentary services and parliamentary counsel office in 2021, which resulted in unauthorised access to critical information.

In response to these cyber threats, Defence Minister Richard Marles emphasised the commitment of the Australian government to safeguard its organisations and citizens in the cyber sphere. The attribution of cyber attacks marks a significant step for Australia, signalling its proactive stance in addressing cybersecurity challenges. The timing of this report is noteworthy as Australia and China are in the process of repairing strained relations following tensions that peaked in 2020 over the origins of COVID-19, leading to retaliatory tariffs imposed by Beijing on Australian exports, most of which have now been lifted.

The identification of APT40’s cyber activities stresses the persistent threat posed by state-sponsored hacker groups and the critical importance of robust cybersecurity measures to protect sensitive information and national security. The incident serves as a reminder of the importance of joint attribution networks and international cooperation in combating cyber threats.

Thousands of event tickets leaked because of Ticketmaster hack

In an ongoing extortion scheme targeting Ticketmaster, nearly 39,000 print-at-home tickets for 150 upcoming concerts and events featuring artists like Pearl Jam, Phish, Tate McCrae, and Foo Fighters have been leaked by threat actors. The person responsible, known as ‘Sp1derHunters,’ is the same individual who sold data stolen from recent data breaches targeting Snowflake, a third-party cloud database provider.

The chain of events began in April when threat actors initiated the download of Snowflake databases from over 165 organisations using stolen credentials acquired through information-stealing malware. Subsequently, in May, a prominent threat actor named ShinyHunters started to sell the data of 560 million Ticketmaster customers, allegedly extracted from Ticketmaster’s Snowflake account. Ticketmaster later verified that their data had indeed been compromised through their Snowflake account.

Initially, the threat actors demanded a ransom of $500,000 from Ticketmaster to prevent the dissemination or sale of the data to other malicious actors. However, a recent development saw the same threat actors leaking 166,000 Taylor Swift ticket barcodes and increasing their demand to $2 million.
In response to the situation, Ticketmaster asserted that the leaked data was ineffective due to their anti-fraud measures with a system that continuously generates unique mobile barcodes. According to Ticketmaster, their SafeTix technology safeguards tickets by automatically refreshing barcodes every few seconds, making them impervious to theft or replication.

Contrary to Ticketmaster’s claims, Sp1d3rHunters refuted the assertion, stating that numerous print-at-home tickets with unalterable barcodes had been stolen. The threat actor emphasised that Ticketmaster’s ticket database has online and physical ticket types, such as Ticketfast, e-ticket, and mail, which are printed and cannot be automatically refreshed. Instead, they suggested that Ticketmaster must invalidate and reissue the tickets to affected customers.

The threat actors shared a link to a CSV file containing the barcode data for 38,745 TicketFast tickets, revealing ticket information for various events and concerts, including those featuring Aerosmith, Alanis Morissette, Billy Joel & Sting, Bruce Springsteen, Carrie Underwood, Cirque du Soleil, Dave Matthews Band, Foo Fighters, Metallica, Pearl Jam, Phish, P!NK, Red Hot Chili Peppers, Stevie Nicks, STING, Tate McRae, and $uicideboy$.

French study uncovers Russian disinformation tactics amid legislative campaign

Russian disinformation campaigns are targeting social media to destabilise France’s political scene during its legislative campaign, according to a study by the French National Centre for Scientific Research (CNRS). The study highlights Kremlin strategies such as normalising far-right ideologies and weakening the ‘Republican front’ that opposes the far-right Rassemblement National (RN).

Researchers noted that Russia’s influence tactics, including astroturfing and meme wars, have been used previously during the 2016 US presidential elections and the 2022 French presidential elections to support RN figurehead Marine Le Pen. The Kremlin’s current efforts aim to exploit ongoing global conflicts, such as the Israeli-Palestinian conflict, to influence French political dynamics.

Despite these findings, the actual impact of these disinformation campaigns remains uncertain. Some experts argue that while such interference may sway voter behaviour or amplify tensions, the overall effect is limited. The CNRS study focused on activity on X (formerly Twitter) and acknowledged that further research is needed to understand the broader implications of these digital disruptions.

Crypto thefts surge in 2024

The first half of 2024 saw a significant surge in cryptocurrency thefts, with over $1.38 billion stolen by 24 June, compared to $657 million during the same period in 2023, according to blockchain researchers TRM Labs. The increase in stolen crypto, driven by a few large-scale attacks and rising crypto prices, highlights the growing motivation among cybercriminals. Ari Redbord, global head of policy at TRM Labs, noted that while the security of the crypto ecosystem hasn’t fundamentally changed, the higher value of various tokens has made crypto services more attractive targets.

One of the year’s largest thefts involved $308 million worth of bitcoin stolen from Japanese exchange DMM Bitcoin. Large-scale losses remain relatively rare, although cryptocurrency companies face hacks and cyberattacks frequently. The theft increase comes as crypto prices rebound from the lows following the 2022 collapse of FTX, with bitcoin reaching an all-time high of $73,803.25 in March.

In 2022, around $900 million in cryptocurrency was stolen, partly due to a major $600 million theft from a blockchain network linked to the game Axie Infinity. The US has attributed that theft to North Korean hackers, who the UN has accused of using cyberattacks to fund its nuclear and missile programs. However, North Korea has denied involvement in hacking activities.

International law enforcement coalition dismantles illegal uses of penetration testing tool used in ransomware

An international coalition of law enforcement agencies has dismantled hundreds of illegal installations of Cobalt Strike, a penetration testing tool frequently abused by state-sponsored and criminal hackers in ransomware attacks. The operation, coordinated by Britain’s National Crime Agency (NCA), targeted 690 IP addresses hosting illegal versions of the software across 27 countries.

Cobalt Strike, now owned by Fortra, was developed in 2012 to simulate hacker attacks on networks. However, its effectiveness has led to widespread abuse by malicious actors using pirated versions. The crackdown is part of broader efforts to combat ransomware gangs by disrupting critical points in their operations, similar to the recent seizure of bulletproof hosting provider LolekHosted.

In addition to legitimate uses, Cobalt Strike has been exploited by hackers linked to Russia, China, and North Korea. The NCA highlighted that pirated versions of the software, available on illegal marketplaces and the dark web since the mid-2010s, have become a preferred tool for network intrusions and rapid ransomware deployment.

Typically, unlicensed versions of Cobalt Strike are used in spear phishing campaigns to install beacons on target devices, allowing attackers to profile and remotely access networks. Its multifunctional nature, including command and control management, makes it a ‘Swiss army knife’ for cybercriminals and nation-state actors, according to Don Smith, VP of threat research at Secureworks Counter Threats Unit.

Europol confirmed Fortra’s significant efforts to prevent software abuse and its partnership throughout the investigation. Nevertheless, older versions of Cobalt Strike have been cracked and used by criminals, linking the tool to numerous malware and ransomware cases, including those involving RYUK, Trickbot, and Conti.

Decade-old vulnerabilities patched addressing supply chain risks to numerous Apple devices

Researchers at cybersecurity firm EVA Information Security have uncovered three major vulnerabilities in CocoaPods, a widely used tool that simplifies the process of updating apps on iOS and macOS devices. These vulnerabilities, which went unnoticed for nearly a decade, posed significant risks as they could have allowed attackers to inject malware into apps utilizing CocoaPods. Given that CocoaPods is commonly used to integrate pre-written code into iOS and macOS apps, the vulnerabilities could have enabled attackers to modify app architectures with malicious code.

The vulnerabilities stem from a migration process in May 2014, which left thousands of CocoaPods packages ‘orphaned’ and potentially vulnerable. According to EVA researchers, CocoaPods is extensively used by iOS developers, including major companies like Google, GitHub, Amazon, Dropbox, and others, making the impact widespread across various projects and dependencies.

One of the most critical vulnerabilities, identified as CVE-2024-38368, could have been exploited by malicious actors to inject malware into apps using compromised packages, effectively bypassing security measures and compromising user data.

EVA responsibly disclosed these vulnerabilities to CocoaPods, which promptly patched them in October 2023 before publicly disclosing the findings. As of now, there are no known instances of these vulnerabilities being exploited by malicious actors. The proactive response from CocoaPods mitigated potential risks to app developers and users relying on the platform for their software development needs.

RockYou2024 password leak exposes nearly 10 billion unique passwords

The largest compilation of nearly ten billion unique passwords, titled RockYou2024, was leaked on a popular hacking forum, posing significant risks for users prone to reusing passwords. Discovered by Cybernews researchers, the file contains 9,948,575,739 plaintext passwords and was posted by a user named ObamaCare. The leak is believed to combine data from various old and new breaches, dramatically increasing the threat of credential-stuffing attacks.

Credential stuffing attacks exploit leaked passwords to gain unauthorised access to accounts, affecting users and businesses. The RockYou2024 leak significantly heightens this risk, as previous attacks on companies like Santander and Ticketmaster demonstrated. Cybernews highlighted the need for robust security measures, such as resetting compromised passwords, using strong, unique passwords, and enabling multi-factor authentication (MFA).

The RockYou2024 leak follows the 2021 release of a similar but smaller compilation, RockYou2021, which contained 8.4 billion passwords. The new dataset has grown by 15 percent, incorporating an additional 1.5 billion passwords. The compilation is believed to include information from over 4,000 databases collected over more than two decades, making it a potent tool for cybercriminals.

To protect against potential breaches, Cybernews advises users to reset exposed passwords, use MFA, and utilise password managers. The company will also integrate RockYou2024 data into its Leaked Password Checker, allowing individuals to verify if their credentials have been compromised. The leak follows another significant breach, the Mother of All Breaches (MOAB), which involved 12 terabytes of data and 26 billion records earlier this year.

Hacker steals AI design details from OpenAI

A hacker infiltrated OpenAI’s internal messaging systems last year, stealing details about the design of its AI technologies, according to Reuters’ sources familiar with the matter. The breach involved discussions on an online forum where employees exchanged information about the latest AI developments. Crucially, the hacker needed access to the systems where OpenAI builds and houses its AI.

OpenAI, backed by Microsoft, did not publicly disclose the breach, as no customer or partner information was compromised. Executives briefed employees and the board but did not involve federal law enforcement, believing the hacker had no ties to foreign governments.

In a separate incident, OpenAI reported disrupting five covert operations that aimed to misuse its AI models for deceptive activities online. The issue raised safety concerns and prompted discussions about safeguarding advanced AI technology. The Biden administration plans to implement measures to protect US AI advancements from foreign adversaries. At the same time, 16 AI companies have pledged to develop the technology responsibly amid rapid innovation and emerging risks.

UN ITU condemns Russia for alleged satellite system interference in European countries

The UN’s International Telecommunication Union (ITU) condemned Russia for allegedly interfering with the satellite systems of several European countries, including Ukraine, France, Sweden, the Netherlands, and Luxembourg. These incidents, reported over recent months, have disrupted GPS signals and jeopardised air traffic control.

ITU’s review indicated that the interference originated from earth stations near Moscow, Kaliningrad, and Pavlovka. The organisation called the interference ‘extremely worrisome and unacceptable’ and urged Russia to cease these actions immediately and investigate the incidents. It also proposed a meeting between the affected countries and Russia to resolve the issue.

Swedish authorities blamed Russia for harmful interference shortly after Sweden joined NATO, while France reported significant disruptions to its Eutelsat satellites. Additionally, Lithuania and Estonia raised alarms about navigation signal interference impacting flights. Earlier in the year, a jet carrying UK Defence Secretary Grant Shapps experienced GPS jamming over Kaliningrad.

Russia denied any wrongdoing and complained about alleged interference by NATO countries, which ITU did not address. Russia’s presidential press secretary, Dmitry Peskov, expressed unawareness of the UN agency attributing interference to Russia and questioned the UN’s authority to discuss the matter.