Twitter Tailspins After Privacy and Security Executives Bolt, Fake Verified Accounts Soar
GRU adopts new cyberwarfare tactics in Ukraine, Oz cops say Russia is behind Medibank attack, One-third of Android apps downloaded by Uyghurs contain malware, much more
Metacurity is now on Mastodon! Please follow us there at @email@example.com
In what appears to be an accelerating death spiral for Twitter, several crucial top executives at the company responsible for the privacy and security features of the site quit as fake verified accounts ran rampant to the dismay of advertisers, attracting investigatory interest by the Federal Trade Commission and a possible probe by the Biden administration into Saudi Arabia’s investment in the ailing platform.
First, Twitter’s head of moderation and safety, Yoel Roth, quit following the resignation of Chief Information Security Officer Lea Kissner. Several other members of the site’s privacy and security unit also resigned, including chief privacy officer Damien Kieran and chief compliance officer Marianne Fogarty. Those left behind struggle to stop a tsunami of abuse in the company’s expanded paid service, Twitter Blue.
A company lawyer is encouraging employees to seek whistleblower protection, saying in a note they should do so “if you feel uncomfortable about anything you’re being asked to do.” The lawyer also said they “heard Alex Spiro (current head of Legal) say that Elon is willing to take on a huge amount of risk in relation to this company and its users, because ‘Elon puts rockets into space, he’s not afraid of the FTC.’”
The FTC reached a settlement with Twitter in May after the company was caught using personal user information to target ads. According to the lawyer's note, if Twitter doesn’t comply with that agreement, the FTC can issue fines reaching into the billions of dollars. Musk’s new legal department is now asking engineers to “self-certify” compliance with FTC rules and other privacy laws, according to the lawyer’s note.
An FTC spokesperson said the agency was “tracking recent developments at Twitter with deep concern. No CEO or company is above the law, and companies must follow our consent decrees. Our revised consent order gives us new tools to ensure compliance, and we are prepared to use them.”
Meanwhile, President Biden said he would support a U.S. government review of the foreign investors backing Elon Musk’s $44 billion Twitter purchase. Saudi Prince Alwaleed bin Talal and his Kingdom Holding Company have become the second largest investor in Twitter since Musk officially bought the platform in late October. Alwaleed has held a large share in the social media site since 2011 and chose to roll over his stake after Musk took over. Foreign investment in Twitter has led to a call from Sen. Chris Murphy (D-CT) for a government review over potential national security concerns.
In an email to employees, mercurial and overwhelmed Twitter owner Elon Musk said, “Without significant subscription revenue, there is a good chance Twitter will not survive the upcoming economic downturn. We need roughly half of our revenue to be subscription.” (Joseph Menn, Cat Zakrzewski, Faiz Siddiqui, Nitasha Tiku and Drew Harwell / The Washington Post, Casey Newton and Zoë Schiffer / The Platformer, Alex Heath / The Verge, Rebecca Kern / Politico)
Researchers at Mandiant say that at least one Russian intelligence agency seems to have settled into a new set of cyberwarfare tactics in Ukraine that allow for quicker intrusions, often breaching the same target multiple times within just months and sometimes even maintaining stealthy access to Ukrainian networks while destroying as many as possible of the computers within them.
According to Mandiant analysts Gabby Roncone and John Wolfram, who say their findings are based on months of Mandiant’s Ukrainian incident response cases, the GRU has shifted in particular to what they call “living on the edge.” Instead of the phishing attacks that GRU hackers typically used in the past to steal victims’ credentials or plant backdoors on unwitting users’ computers inside target organizations, they're now targeting “edge” devices like firewalls, routers, and email servers, often exploiting vulnerabilities in those machines that give them more immediate access.
The shift has allowed the Russian military hackers to have far faster, more immediate effects, sometimes penetrating a target network, spreading their access to other machines on the network, and deploying data-destroying wiper malware just weeks later, compared to months in earlier operations. In some cases, it's enabled the hackers to penetrate the same small group of Ukrainian targets multiple times in quick succession for both wiper attacks and cyber espionage. And because the edge devices that give the GRU their footholds inside these networks aren't necessarily wiped in the agency's cyberattacks, hacking them has sometimes allowed the GRU to keep their access to a victim network even after carrying out a data-destroying operation.
Roncone and Wolfram point to no fewer than 19 destructive cyberattacks Russia has carried out in Ukraine since the beginning of this year, with targets across the country's energy, media, telecom, and finance industries, as well as government agencies. Out of these, four examples of intrusions highlight how the GRU's focus on hacking edge devices has enabled its new tempo and tactics. (Andy Greenberg / Wired)
Australian Federal Police Commissioner Reece Kershaw said that cyber criminals in Russia are behind a ransomware attack on one of Australia’s largest private health insurers, Medibank, that’s seen sensitive personal data published to the dark web.
Kershaw told reporters investigators know the identity of the individuals responsible for the attack on health insurer Medibank, but he declined to name them. “The AFP is undertaking covert measures and working around the clock with our domestic agencies and international networks, including Interpol. This is important because we believe those responsible for the breach are in Russia,” he said.
The group has started releasing curated tranches of customer data onto the dark web in files with titles including good-list, naughty-list, abortions and boozy, which included those who sought help for alcohol dependency. (Hillary Whiteman / CNN)
Researchers at Lookout say that nearly a third of Uyghur-language Android apps shared on social media platforms or downloaded from third-party app stores since July are infected with spyware originating with likely Chinese attackers.
The apps are predominantly infected by two new malware strains that secretly enable hackers to access and transmit private photos, messages, and contacts. Because Google Play is blocked for Android users in China, many users download apps from “sketchy, unofficial app stores” or from links circulated on platforms such as Telegram, and those apps turn out to be infected.
Lookout researchers called the newest malware family BadBazaar. It was first identified in late 2021, but samples date back to 2018, and it is still found now, including this month in a popular prayer app named Quran Majeed. The other malware family, Moonshine, was first disclosed in 2019 by the University of Toronto’s Citizen Lab as being used in targeted phishing attacks of Tibetans sent over WhatsApp. The company shared its findings with Google, Apple, and others in advance of publication and also sent take-down requests to the servers that host malicious infrastructure. (Katrina Manson / Bloomberg)
Researchers at Microsoft said that an attack on transportation and logistics companies in Ukraine and Poland last month, dubbed Prestige, was the work of a notorious Russian military intelligence unit the company calls Iridium but is known more widely as Sandworm.
The attack attempted to cripple access to computers across the organizations it targeted. When successful, the attack effectively made it impossible for companies to access their computer systems. “The Prestige campaign may highlight a measured shift in IRIDIUM’s destructive attack calculus, signaling increased risk to organizations directly supplying or transporting humanitarian or military assistance to Ukraine,” the researchers said Thursday in an update. (AJ Vicens / Cyberscoop)
The FBI has warned that sextortion scammers have become increasingly ruthless, targeting families of teenage victims who took their own lives after sending nude images to highly organized cybercriminal gangs.
According to the agency’s previously unreported research, the gangs have demanded that parents or siblings pay to ensure that the sexualized photos of their deceased relatives are not publicly released. In a search warrant detailing an investigation into a sextortion campaign, the FBI said it had witnessed “a high rate of suicide in minor male victims of financially motivated sextortion schemes” and that victims “committed suicide within a relatively short period, sometimes within hours, of the sextortion occurring.”
The crimes were often tied to groups based out of Nigeria and Cote d’Ivoire, but similar activity amongst criminal organizations in the Philippines and Bangladesh was observed. (Thomas Brewster / Forbes)
Researcher David Schütz discovered that an “attacker with physical access [can] bypass the Pixel 7 lock screen protections (fingerprint, PIN, etc.) and gain complete access to the user’s device.”
Schütz, who was ultimately paid a bounty of $70,000 for this bug (CVE-2022-20465), reported it to Android’s Vulnerability Rewards Program in the middle of this year, but Google did not move on the Pixel lock screen issue until September. (Abner Li / 9to5Google)
Europol announced the arrest of Mikhail Vasiliev, a Russian national linked to LockBit ransomware attacks targeting critical infrastructure organizations and high-profile companies worldwide.
Europol arrested Vasiliev in Ontario, Canada, last month following an investigation led by the French National Gendarmerie with the help of Europol's European Cybercrime Centre (EC3), the FBI, and the Royal Canadian Mounted Police (RCMP). Law enforcement agents also seized eight computers, 32 external hard drives, two firearms, and €400,000 worth of cryptocurrency from the suspect's home.
Europol said that this LockBit operator "was one of Europol's high-value targets due to his involvement in numerous high-profile ransomware cases," and he is known for trying to extort victims with ransom demands of between €5 million and €70 million.
A separate press release from the Department of Justice says that LockBit has claimed at least 1,000 victims in the United States and has extracted tens of millions of dollars in actual ransom payments from their victims. (Sergiu Gatlan / Bleeping Computer)
A research project led by Karen Nershi, a researcher at the Stanford Internet Observatory and the Center for International Security and Cooperation, found a loose but visible alignment between Russian government priorities and activities and ransomware attacks in the run-up to elections in the six countries the project studied.
The project analyzed over 4,000 ransomware attacks perpetrated against victims in 102 countries between May 2019 and May 2022. It found a statistically significant increase in ransomware attacks from Russia-based gangs against organizations in the six victim countries ahead of their national elections. These nations suffered the most ransomware attacks per year in the data set, about three-quarters of all the attacks. (Lily Hay Newman / Wired)
Norwegian security company Promon says it discovered an “easily” exploitable vulnerability in a door entry security system used in government buildings and apartment complexes but warns that the vulnerability cannot be fixed.
The bug affects several Aiphone GT models that use NFC technology, often found in contactless credit cards. It allows bad actors to access sensitive facilities by brute-forcing the door entry system’s security code. (Zack Whittaker / TechCrunch)
The Massachusetts Law Reform Institute (MLRI), a nonprofit organization, is suing the state of Massachusetts on behalf of thousands of low-income families who were collectively robbed of more than $1 million in food assistance benefits by card skimming devices secretly installed at cash machines and grocery store checkout lanes across the state.
MLRI filed a class action lawsuit on behalf of low-income families whose Supplemental Nutrition and Assistance Program (SNAP) benefits were stolen from their accounts. The SNAP program serves over a million people in Massachusetts and 41 million nationally.
Deborah Harris, a staff attorney at the MLRI, said the lawsuit's goal is to force Massachusetts to reimburse SNAP skimming victims using state funds and to convince the U.S. Department of Agriculture (USDA), which funds the program that states draw from, to change its policies and allow states to replace stolen benefits with federal funds. (Brian Krebs / Krebs on Security)