Iranian Threat Group Is Scoping Out Influence Ops Ahead of US Elections, Microsoft

Sponsor message

In today's digital landscape, protecting your software supply chain from rising threats is essential. This free whitepaper offers five key strategies for enhancing container security, one of the main attack surfaces in dynamic software development practices. Learn about using SBOMs for transparency, shifting vulnerability detection left, and automating policy enforcement, all for a superior developer experience and securing third-party code. 

Interested in reaching the elite audience of cybersecurity decision-makers, public policy professionals, and journalists who read Metacurity? Send an email to info [at] Metacurity.com with the subject line "Sponsorship."

Researchers at Microsoft report that an Iranian hacking group called Cotton Sandstorm is actively scouting US election-related websites and American media outlets as Election Day nears, with activity suggesting preparations for more "direct influence operation."

Microsoft said the hackers, linked to Iran's Islamic Revolutionary Guard Corps, performed reconnaissance and limited probing of multiple "election-related websites" in several unnamed battleground states. In May, they also scanned an unidentified US news outlet to understand its vulnerabilities.

"Cotton Sandstorm will increase its activity as the election nears given the group's operational tempo and history of election interference," the researchers wrote.

In 2020, Cotton Sandstorm launched a different cyber-enabled influence operation shortly before the last presidential election, according to US officials. Posing as the right-wing "Proud Boys," the hackers sent thousands of emails to Florida residents, threatening them to "vote for Trump or else!"

The group also released a video on social media purporting to come from activist hackers, showing them probing an election system. While that operation never affected individual voting systems, senior US officials said at the time that the goal was to cause chaos, confusion, and doubt. Following the 2020 election, Cotton Sandstorm also ran a separate operation that encouraged violence against US election officials who had denied claims of widespread voter fraud, Microsoft said.

More broadly speaking, Microsoft Threat Analysis Center (MTAC) warned that malicious foreign influence operations launched by Russia, China, and Iran against the US presidential election are continuing to evolve and should not be ignored even though they have come to feel inevitable.

MTAC says it is all but certain that these actors will attempt to stoke division and mistrust in vote security on Election Day and in its immediate aftermath. (Christopher Bing and A.J. Vicens / Reuters and Lily Hay Newman / Wired)

Related: Microsoft, ET CISO, CNN, Politico, PBS, Wired, Recorded Future, New York Times, The Verge, CBS News, Associated Press, The Hill, CNN, Wall Street Journal, US News, NDTV, Associated Press, Politico, Times Of India on YouTube, Semafor, Benzinga, India Today, Nextgov/FCW, Newsweek, Bloomberg

According to Russian documents obtained by a European intelligence service, John Mark Dougan, a former deputy Palm Beach County sheriff who fled to Moscow and became one of the Kremlin’s most prolific propagandists, is working directly with Russian military intelligence to pump out deepfakes and circulate misinformation that targets Vice President Kamala Harris’s campaign.

The documents show that Dougan, who also served in the US Marines and has long claimed to be working independently of the Russian government, was provided funding by an officer from the GRU, Russia’s military intelligence service. Some of the payments were made after fake news sites he created began to have difficulty accessing Western artificial intelligence systems this spring, and he needed an AI generator.

Dougan’s liaison at the GRU is a senior figure in Russian military intelligence working under the cover name Yury Khoroshevsky, the documents show. The officer’s real name is Yury Khoroshenky, though he is referred to only as Khoroshevsky in the documents. He serves in the GRU’s Unit 29155, which oversees sabotage, political interference operations, and cyber warfare targeting the West, according to two European security officials who spoke anonymously to discuss sensitive intelligence.

Disinformation researchers say Dougan’s network was probably behind a recent viral fake video smearing Democratic vice-presidential nominee Tim Walz. US intelligence officials said Tuesday that Russia created the video, which received nearly 5 million views on X in less than 24 hours, Microsoft said.

McKenzie Sadeghi, who has closely followed Dougan’s sites and is a researcher at NewsGuard, a company that tracks disinformation online, said that since September 2023, posts, articles, and videos generated by Dougan and some of the Russians who work with him have garnered 64 million views.

The documents show that Dougan is also subsidized and directed by a Moscow institute founded by Alexander Dugin, a far-right imperialist ideologue sometimes referred to as “Putin’s brain” because of his influence on the Russian president's revanchist thinking; Dugin’s ideas became a driving force behind Russia’s invasion of Ukraine. One 2022 document shows Dugin’s Eurasia movement, which promotes his theories of a Russian empire, “actively cooperates with the Russian Defense Ministry.”

Dougan’s contact at the Moscow institute, the Center for Geopolitical Expertise, is its head, Valery Korovin. According to Korovin’s social media page on the Russian version of Facebook, President Vladimir Putin awarded him a medal in 2023 for “services to the Fatherland” for “carrying out special tasks.” The documents show that Korovin also works closely with Khoroshenky, who, under his cover name, serves as the institute’s deputy director.

According to documents and disinformation researchers, Dougan is responsible for content on dozens of fake news sites, including DC Weekly, Chicago Chronicle, and Atlanta Observer.

In the months that followed his reboot with the new GRU-facilitated server and AI generator, the sites and fake news videos spread by Dougan and his associates have produced some of the most viral Russian disinformation targeting Harris, according to Microsoft and NewsGuard, including a deepfake audio in August that purported to show Barack Obama implying that the Democrats had ordered the July assassination attempt against Donald Trump. (Catherine Belton / The Washington Post)

As first reported by WSB-TV in Atlanta, Georgia’s secretary of state warded off a most likely foreign country DDoS attack this month that targeted its website voters can use to request absentee ballots.

The secretary of state’s office thwarted a sudden rise in users trying to access the site on Oct. 14.

“We saw a spike of around 420,000 individual entities attempting to access the absentee ballot portal,” Gabe Sterling, an official in the secretary of state’s office, told WSB-TV. “We identified it and attempted to mitigate it immediately, and you see it start to drop back down.”

Sterling also said the attack may have come from a foreign country, although details were unclear. (Simon J. Levien / New York Times)

Related: WSB-TV, TechNadu, CBS News, Reuters, CNN, 11Alive

According to spokeswoman Maria Zakharova, the Russian Foreign Ministry was targeted by a severe DDoS attack, coinciding with the major BRICS summit in the country.

She noted that the ministry regularly encounters similar attacks, but today's attack was "unprecedented in scale."

The BRICS summit, which aims to demonstrate Moscow's global standing despite Western sanctions, is scheduled to run from Oct. 22 to 24. (Maxim Rodionov / Reuters)

Related: Databreaches.net, Cyber Daily, Agenzia Nova

A new lawsuit in a likely constitutional battle over a New Jersey privacy law shows that anyone can now access digital tracking capability thanks to a proliferation of commercial services that collect the digital exhaust emitted by widely-used mobile apps and websites.

Delaware-based Atlas Data Privacy Corp. helps its users remove their personal information from the clutches of consumer data brokers and people-search services online. Backed by millions of dollars in litigation financing, Atlas has sued 151 consumer data brokers this year on behalf of a class with more than 20,000 New Jersey law enforcement officers signed up for Atlas services.

Atlas alleges all of these data brokers have ignored repeated warnings that they are violating Daniel’s Law, a New Jersey statute allowing law enforcement, government personnel, judges, and their families to have their information completely removed from commercial data brokers. Daniel’s Law was passed in 2020 after the death of 20-year-old Daniel Anderl, who was killed in a violent attack targeting a federal judge and his mother.

Last week, Atlas invoked Daniel’s Law in a lawsuit (PDF) against Babel Street, a little-known technology company incorporated in Reston, Va. Babel Street’s core product allows customers to draw a digital polygon around nearly any location on a map of the world, and view a slightly dated (by a few days) time-lapse history of the mobile devices seen coming in and out of the specified area.

Atlas found that for the right price (typically $10-50k a year), brokers can access tens of billions of data points covering large swaths of the US population and the rest of the world.

Based on the data sets Atlas acquired, they estimate they could locate roughly 80 percent of Android-based devices and about 25 percent of Apple phones. (Brian Krebs / Krebs on Security)

Related: The Verge

Researchers at Kaspersky Labs report that North Korea’s Lazarus Group created a blockchain game called DeTankZone or DeTankWar to exploit a vulnerability in Google’s Chrome browser, install spyware, and steal crypto wallet credentials and other user data. 

They say hackers in the Lazarus Group used the game to coax users to a malicious website and infect computers with its malware Manuscript, which it has been using since at least 2013.

The code allowed the hackers to corrupt Chrome’s memory, eventually giving them access to users’ cookies, authentication tokens, saved passwords, browsing history, and everything they needed to steal user funds.

An issue with the Javascript security mechanism V8 sandbox allowed Lazarus to access PCs to investigate whether continuing a cyber attack was worthwhile.

The game was a fully playable play-to-earn multiplayer online battle arena game with non-fungible tokens (NFT) tanks. Players could battle each other in online competition. It had a website and promotional images generated using artificial intelligence.

Microsoft Security also flagged the game in a May post on X, noting that the malicious game DeTankWar was delivering new custom ransomware that Microsoft dubbed FakePenny.

Two days after Google became aware of the exploit, it released an updated patch to solve the issue. (Steve Katte / Cryptopolitan)

Related: Securelist, Cointrust, Coinmarketcap, TechNadu, Binance

Researchers at Palo Alto Networks Unit 42 report that a new jailbreak method for large language models (LLMs) called “Deceptive Delight” has an average success rate of 65% in just three interactions.

Unit 42 developed and evaluated the method, which tested the multi-turn technique on 8,000 cases across eight different models. The jailbreak technique requires just two interactions, although an optional third step significantly increases the success rate.

In the first step of the jailbreak, the attacker asks the LLM to produce a narrative that logically connects two benign topics and one unsafe topic, such as connecting a family reunion and the birth of a child to the creation of a Molotov cocktail. The second step asks the LLM to elaborate on each topic in the narrative.

While this second step often leads the model to produce harmful content related to the unsafe topic, a third turn, which asks the model to expand further on the unsafe topic specifically, increases the success rate to an average of 65% and increases the harmfulness and quality of the unsafe content by 21% and 33% on average, respectively.

The harmfulness and quality of the generated content—i.e., how relevant and detailed the content is about the harmful topic—were scored on a one-to-five scale developed by Unit 42 and incorporated into a prompt for another LLM that was then used to evaluate each test run of the jailbreak. The jailbreak was successful if it scored at least a three for both harmfulness and quality. (Laura French / SC Media)

Related: Unit 42

Researchers at Trend Micro report that an eight-year-old modular botnet called Prometei is still kicking around, spreading a cryptojacker and Web shell on machines across multiple continents.

Trend Micro depicts Prometei as clunky in its initial infection but stealthy thereafter, capable of exploiting vulnerabilities in various services and systems, and focused on cryptojacking but capable of more.

It is noteworthy that Prometei does not touch victims in some former Soviet countries, and "Prometei" is a translation of "Prometheus" in various Slavic languages. (Nate Nelson / Dark Reading)

Related: Trend Micro

Researchers at Sentinel One report that NotLockBit, a new macOS malware family capable of encrypting files and pretending to be the LockBit ransomware, is making the rounds.

Written in Go and targeting both Windows and macOS systems, the threat employs the tactics typically observed in ransomware operations: it steals victim data for double extortion, encrypts files, and deletes shadow copies to prevent data recovery.

What makes the new malware family stand out is its impersonation of LockBit, the notorious ransomware disrupted by law enforcement in February and September 2024.

The malware is distributed as an x86_64 binary, which suggests it only works on Intel and Apple silicon macOS devices running the Rosetta emulation software.

The threat was seen harvesting system information upon execution and using a public key to encrypt a randomly generated master key used during the file encryption.

By relying on RSA asymmetric encryption, the threat actor behind NoLockBit ensures that the master key cannot be decrypted without the attacker-held private key.

According to SentinelOne, NotLockBit appears to be the first functional ransomware family targeting macOS systems, as previously observed attempts were mere proof-of-concept (PoC) samples. (Ionut Arghire / Security Week)

Related: Sentinel One, SC World

Researchers at ESET report that a recently formed and apparently well-resourced ransomware player is developing and testing tools to disable security defenses, including a method that exploits a vulnerability in drivers to bypass protection systems.

The malware is linked to the deployment of Embargo ransomware, which uses a custom loader and an endpoint detection killer. Embargo first surfaced in April amid an ongoing shakeup in the ransomware world propelled by law enforcement crackdowns and the unexpected exit of mainstay BlackCat.

The group claims ten victims on its dark web leak site, including an Australian non-bank lender, a South Carolina police department, and an Idaho community hospital. A June interview with a self-proclaimed Embargo representative said the group works on the ransomware-as-as-service model, with affiliates keeping up to 80% of any extortion payment.

The toolkit spotted by Eset comprises two primary components: MDeployer, a loader designed to deploy Embargo's ransomware and other payloads, and MS4Killer, an EDR killer that disables endpoint detection and response systems by exploiting vulnerable drivers.

Both MDeployer and MS4Killer are written in Rust. The language's memory safety features and low-level capabilities make it effective for creating efficient and resilient malware. Eset researchers said Rust allows Embargo to target both Windows and Linux systems. (Prajeet Nair / GovInfoSecurity)

Related: WeLiveSecurity

Fortinet finally disclosed a critical FortiManager API vulnerability, tracked as CVE-2024-47575, with a severity of 9.8 out of ten, that was exploited in zero-day attacks to steal sensitive files containing configurations, IP addresses, and credentials for managed devices.

The company privately warned FortiManager customers about the flaw starting October 13th in advanced notification emails that contained steps to mitigate the flaw until a security update was released.

However, customers on Reddit and cybersecurity researcher Kevin Beaumont on Mastodon began leaking news of the vulnerability throughout the week. Beaumont calls this flaw "FortiJump."

Fortinet device admins have also shared that this flaw has been exploited for a while, with a customer reporting being attacked weeks before the notifications were sent to customers. (Lawrence Abrams / Bleeping Computer)

Related: FortiGuard, The Register, TechTarget, Help Net Security, Google Cloud Blog, PaymentSecurity.io, The Record

Police surveillance startup Flock Safety announced that it had bought drone startup Aerodome, with sources saying the acquisition price was over $300 million.

Andreessen Horowitz backs both Flock Safety and Aerodome, which have raised over $680 million and $28 million, respectively. (Margaux MacColl / TechCrunch)

Related: DroneXL.co, DroneDJ, GovTech

Best Thing of the Day: Rectifying a Terrible Wrong

A Nigerian court has dropped all charges against Tigran Gambaryan, Binance’s head of financial crime compliance and a prominent former IRS investigator, who had been detained in Nigeria since February and who has been in poor health and needs urgent medical care.

Worst Thing of the Day: In No Real or Artificial World Should This Ever Happen Again

Fourteen-year-old Sewell Setzer III developed an emotional attachment to an AI chatbot made by Character.AI who posed as both a friend and a romantic partner and at the chatbot's urging, killed himself.

Closing Thought