China Is Increasingly Using AI to Target Voters With Disinformation

Czech minister says Russia is trying to sabotage European railways, Japanese lens maker Hoya halts production after unauthorized access, Chinese-made devices on US corporate networks continue to grow, Winnti evades detection with UNAPIMON malware, German state ditches Microsoft Office, much more

According to US officials and new research from Microsoft, online actors linked to the Chinese government are increasingly leveraging artificial intelligence to target voters in the US, Taiwan, and elsewhere with disinformation.

Chinese-linked campaigns laundered false information through fake accounts on social media platforms, seeking to identify divisive domestic political issues and potentially influence elections.

The tactics are among the first uncovered that directly tie the use of generative AI tools to a covert state-sponsored online influence operation against foreign voters. They also demonstrate more advanced methods than previously seen.

Accounts on X, some of which were more than a decade old, began posting last year about topics including American drug use, immigration policies, and racial tensions, and in some cases, asked followers to share opinions about presidential candidates, potentially to glean insights about US voters’ political opinions. In some cases, these posts relied on relatively rudimentary generative AI for their imagery, Microsoft said.

Tom Burt, Microsoft’s head of customer security and trust, said China’s disinformation operations have become much more active in the past six months, mirroring rising activity of cyberattacks linked to Beijing.

Separately, Microsoft detected a surge of more sophisticated AI tools in the January presidential election in Taiwan, including an AI-created fake audio clip of a former presidential candidate endorsing one of the remaining candidates. That marked the first time the technology giant’s researchers on threats had seen a nation-state actor using AI to attempt to influence a foreign election.

The posts have so far failed to achieve much traction, Microsoft said, but they offer a preview of state-backed election-influence operations to come. Western intelligence officials have expressed growing concerns about how AI tools could flood elections this year with misleading videos or other content, including in the 2024 US presidential contest. (Dustin Volz / Wall Street Journal)

Source: Microsoft.

Czech Transport Minister Martin Kupka told the Financial Times (FT) that Russia is actively trying to sabotage European railways by hacking into their signaling systems.

Russia has engaged in a variety of disruptive behavior toward Europe, often using its cyber capabilities to target civilian infrastructure. Estonia and other countries have accused Russia of being responsible for a recent uptick in GPS jamming emanating from the Russian exclave of Kaliningrad.

Kupka said that Russia has made "thousands of attempts to weaken our (railway) systems" since the beginning of the full-scale war.

"It's definitely a difficult point ... (but) I'm really very satisfied because we are able to defend all systems (from) a successful attack," Kupka added. (Nate Ostiller and The Kyiv Independent news desk / The Kyiv Independent)

Japanese lens maker Hoya said the production of several of its products has stopped after a system failure, which was "most likely caused by unauthorized access" to its servers.

Hoya said the company discovered a system discrepancy in one of its overseas offices on Saturday and confirmed the disruption despite its efforts to isolate affected servers.

The company is investigating whether its confidential or personal data has been compromised and is cooperating with authorities to resume production as soon as possible.

The company apologized on its website that it had stopped taking lens orders due to a group-wide system failure.

According to its latest annual report, Hoya is the world's second-largest eyeglass lens maker, with about 90% of its sales coming from outside Japan. (Kantaro Komiya / Reuters)

Researchers at Forescout report that the number of Chinese-manufactured internet-connected devices on US corporate networks continues to grow despite Washington's attempts to curb their presence.

Forescout says the number of internet-connected devices made by Chinese companies on US enterprise networks grew 41% in the last year. As of February, close to 300,000 devices from 473 Chinese manufacturers were operating on US networks, up from the 185,000 devices researchers spotted in February 2023, and they accounted for 3.8% of all internet-connected devices.

Nearly 60% of the internet-connected devices Forescout identified are computers or mobile devices, like smartphones and tablets. Surveillance equipment accounted for 4% of the devices, video conferencing tools comprised 4%, and internet networking equipment was 2%.

Forescout's analysis identified 21,842 such devices on networks tied to government organizations. About 2,500 of those devices, or 11.5%, were cameras and surveillance equipment made in China for international conglomerate Honeywell. (Sam Sabin / Axios)

Source: Forescout.

Researchers at Trend Micro discovered that the Chinese Winnti hacking group was using previously undocumented malware called UNAPIMON to let malicious processes run without detection.

The researchers document previously unseen custom malware used in an operation they have been monitoring closely, attributing the cyberespionage attack to a cluster they named Earth Freybug.

The attack begins with code injected into the legitimate VMware Tools process vmtoolsd.exe, which creates a remote scheduled task to run a batch file that collects system information, including network configuration and user details.

Next, a second batch file (cc.bat) leverages DLL side-loading (TSMSISrv.dll) involving the SessionEnv service to load UNAPIMON in memory, injecting it into a cmd.exe process.

UNAPIMON is C++ malware delivered as a DLL (_{random}.dll). It uses Microsoft Detours to hook the CreateProcessW API function, which lets it unhook critical API functions in the child processes it creates.

Because many security tools employ API hooking to track malicious activity, UNAPIMON's mechanism allows it to unhook those APIs from a malicious child process to evade detection.

Trend Micro explains that most malware employs hooking to intercept calls, capture sensitive data, and alter software behavior. UNAPIMON's approach to unhooking for evasion is, therefore, unusual. (Bill Toulas / Bleeping Computer)
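The evasion described above only works if nobody checks whether the hooks are still in place. The following Python, added here as an illustration and not code from Trend Micro or from UNAPIMON itself, shows the hook-integrity check a security product can run against a freshly created child process: it knows where it wrote its 5-byte Detours-style JMP hooks, reads the bytes back, and tells an intact hook apart from one whose original prologue has been restored (the UNAPIMON case) or redirected elsewhere. The function names, addresses and stub bytes are constructed sample data, not real ntdll offsets.

```python
import struct

JMP_REL32 = 0xE9  # opcode of the 5-byte relative JMP that Detours-style inline hooks plant at a function entry


def make_jmp_hook(at, target):
    """Build the 5 bytes an inline hook writes at address `at` to divert execution to `target`."""
    rel = target - (at + 5)  # rel32 is relative to the end of the JMP instruction
    if not -2**31 <= rel < 2**31:
        raise ValueError("target out of rel32 range; a longer absolute jump sequence would be needed")
    return bytes([JMP_REL32]) + struct.pack("<i", rel)


def decode_jmp_target(code, at):
    """If `code` (bytes read at address `at`) starts with an E9 rel32 JMP, return its absolute target."""
    if len(code) < 5 or code[0] != JMP_REL32:
        return None
    (rel,) = struct.unpack("<i", code[1:5])
    return at + 5 + rel


def verify_hooks(hooks, memory):
    """Hook-integrity check a security product would run against a child process.

    hooks:  name -> (address, original_prologue_bytes, hook_target)   what the product installed
    memory: name -> bytes currently readable at that address in the target process
    Returns name -> (status, detail) where status is
      'intact'     the product's JMP is still in place
      'restored'   the original prologue is back (the hook was removed, as UNAPIMON does)
      'redirected' some other JMP is there (detail = its target)
      'corrupted'  none of the above (detail = hex of the bytes)
    """
    report = {}
    for name, (addr, original, target) in hooks.items():
        now = memory[name][:len(original)]
        if now[:5] == make_jmp_hook(addr, target):
            report[name] = ("intact", target)
        elif now == original:
            report[name] = ("restored", None)
        else:
            other = decode_jmp_target(now, addr)
            report[name] = ("redirected", other) if other is not None else ("corrupted", now.hex())
    return report


# Constructed sample data: illustrative x64 syscall-stub prologues and a hypothetical EDR module base.
# Addresses and stub bytes are made up for this example, not taken from any real ntdll.dll build.
EDR_BASE = 0x7FF7F0000000
HOOKS = {
    "NtAllocateVirtualMemory": (0x7FF800001000, bytes.fromhex("4c8bd1b818000000f604250803fe7f01"), EDR_BASE + 0x1000),
    "NtWriteVirtualMemory":    (0x7FF800001200, bytes.fromhex("4c8bd1b83a000000f604250803fe7f01"), EDR_BASE + 0x1100),
    "NtProtectVirtualMemory":  (0x7FF800001400, bytes.fromhex("4c8bd1b850000000f604250803fe7f01"), EDR_BASE + 0x1200),
}


def sample_child_memory():
    """Constructed snapshot of what the product reads back from the child after an UNAPIMON-style run."""
    a_addr, a_orig, a_target = HOOKS["NtAllocateVirtualMemory"]
    p_addr, p_orig, _ = HOOKS["NtProtectVirtualMemory"]
    return {
        # hook left alone: JMP to the EDR, remaining prologue bytes untouched
        "NtAllocateVirtualMemory": make_jmp_hook(a_addr, a_target) + a_orig[5:],
        # original bytes copied back from a clean image: the EDR no longer sees these calls
        "NtWriteVirtualMemory": HOOKS["NtWriteVirtualMemory"][1],
        # hook overwritten with a JMP into an unknown region (hypothetical address)
        "NtProtectVirtualMemory": make_jmp_hook(p_addr, 0x7FF810000000) + p_orig[5:],
    }


if __name__ == "__main__":
    for name, (status, detail) in verify_hooks(HOOKS, sample_child_memory()).items():
        shown = hex(detail) if isinstance(detail, int) else detail
        print(f"{name:24} {status:10} {shown}")
```

A restored prologue is the signal to act on: a hook present in the parent that is gone in the child was removed by something inside the process. The same comparison run the other way, in-memory bytes against the DLL's .text section on disk, is how a product finds hooks it did not plant.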

Source: Trend Micro.

Officials are warning residents to be alert after INC Ransom, the group behind a March cyberattack on Leicester City Council in the UK, posted 25 documents on its leak site and claimed to have much more to publish.

Officials said they did not know if the claims were valid, but they would contact anyone whose details were confirmed to have been taken.

The group has claimed to have taken 3 TB of data, roughly equivalent to 1 million smartphone photographs. (Jeremy Ball / BBC News)

Minister-President Daniel Gunther of Schleswig-Holstein, Germany's northernmost state, announced his government is starting to switch from Microsoft Office to LibreOffice and is planning to move from Windows to Linux on the 30,000 PCs it uses for local government functions.

"Independent, sustainable, secure: Schleswig-Holstein will be a digital pioneer region and the first state to introduce a digitally sovereign IT workplace in its state administration," said Gunther. "[T]he government has given the starting signal for the first step towards complete digital sovereignty for the country, with further steps to follow."

Concerns over data security are also front and center in the Minister-President's statement, especially data that may make its way to other countries. In 2021, when the transition plans were first drawn up, the hardware requirements for Windows 11 were also mentioned as a reason to move away from Microsoft.

Switching to an open-source office software suite and operating system isn't the only component of Schleswig-Holstein's open-source strategy. The switch to LibreOffice and later to Linux and the effort to operate them in tandem are just three of six pillars Gunther lays out in his announcement. The state's email servers, directory, and telephony software will also be going open source, making for three additional pillars (or at least that's the plan). (Matthew Connatser / The Register)

Hackers broke into the computer network of the Florida Department of Juvenile Justice in Tallahassee, which runs the state's juvenile detention centers and programs to steer troubled kids away from crime, leading to a continuing shutdown of the digital backbone the agency uses to manage cases statewide.

The department took some of its computer systems offline as early as March 29 due to what spokeswoman Amanda Slama described as an unspecified security concern.

A department employee said hackers were seeking a ransom to restore the agency’s systems. This person said the break-in happened last week when an employee opened an infected email.

State and local government agencies in Florida are prohibited under a 2022 state law that Gov. Ron DeSantis signed from paying ransoms to hackers. (Vivienne Serret / Tallahassee Democrat)

The University of Winnipeg in Canada says personal data from potentially thousands of students and staff was stolen in a cyberattack late last month, potentially going back twenty years.

The names, social insurance numbers, birth dates, and addresses of former and current students and school employees have likely been exposed to the attackers. The bank account information of anyone employed by the university since 2015 is also part of the potential exposure.

The university said the leak potentially affects all graduate and undergraduate students enrolled since the fall of 2018, those enrolled in professional, applied, and continued education and English-language programs since September 2019, and students who were issued T4A forms by the U of W since 2016.

All current employees and all former employees since 2003 are also likely affected. (Arturo Chang / CBC News)

Researchers at Check Point report that more than 11,000 Australian companies were targeted in recent cyberattacks that rely on an aging but still dangerous malware strain dubbed Agent Tesla.

Agent Tesla is a remote access Trojan (RAT) that first surfaced in 2014. The malware is widely distributed and frequently used by various threat actors, including cybercriminals and spies.

Prospective victims were bombarded by booby-trapped emails with lures about purchasing goods and order delivery inquiries, which came with malicious attachments. Victims tricked into opening the attachments exposed their Windows PCs to Agent Tesla infections.

Check Point said a threat actor, Bignosa, first installed Plesk (for hosting) and Roundcube (webmail) on a hosted server. The attackers then disguised the Agent Tesla payload using a package called Cassandra Protector that hid the malicious code and controlled its delivery.

Cassandra Protector bundles various options that allow cybercriminals to configure sleep time before execution. Among other functions, it controls the text in the fake dialogue box that appears when victims open a malicious file.

The threat actors behind the Agent Tesla malware campaign were primarily targeting Australian businesses, as shown by a mailing list file named "AU B2B Lead.txt" on their machines. (John Leyden / Dark Reading)

Source: Check Point.

Researchers at Proofpoint and Team Cymru believe Latrodectus, a relatively new malware loader used in malicious email campaigns since November 2023, is an evolution of the IcedID loader.

IcedID is a malware family first identified in 2017 that was initially classified as a modular banking trojan designed to steal financial information from infected computers. Over time, it became more sophisticated, adding evasion and command execution capabilities.

Starting in 2022, several IcedID campaigns demonstrated diversified delivery tactics, but the primary distribution method remained malicious emails. In late 2022, new variants of the malware were used in attacks, which experimented with various evasion tricks and new attack sets.

In February 2024, one of the leaders behind the IcedID operation pleaded guilty in the United States and faces up to 40 years in prison.

The researchers now believe that the developers of IcedID created Latrodectus, based on shared infrastructure and operational overlaps between the two.

Whether Latrodectus will ultimately replace IcedID is too soon to tell. However, the researchers say that initial access brokers (TA577 and TA578) who previously distributed IcedID have now begun to increasingly distribute Latrodectus in phishing campaigns. (Bill Toulas / Bleeping Computer)

Source: Proofpoint.

Credit card giant Visa's Payment Fraud Disruption unit warned about a spike in detections for a new version of the JSOutProx malware targeting financial institutions and their customers.

First encountered in December 2019, JSOutProx is a remote access trojan (RAT) and highly obfuscated JavaScript backdoor that allows its operators to run shell commands, download additional payloads, execute files, capture screenshots, establish persistence on the infected device, and control the keyboard and mouse.

Visa says it became aware of a new phishing campaign distributing the remote access trojan on March 27, 2024. This campaign targeted financial institutions in South and Southeast Asia, the Middle East, and Africa.

The alert provides indicators of compromise (IoCs) related to the latest campaign and recommends several mitigation actions, including raising awareness about phishing risks, enabling EMV and secure acceptance technologies, securing remote access, and monitoring suspicious transactions.

A related report by Resecurity dives deeper into the details of the JSOutProx phishing operation, explaining that the latest version of the malware has evolved for better evasion and now uses GitLab to host its payloads.

In the observed attacks against banking customers, Resecurity saw fabricated financial notifications sent to targets via emails that impersonate legitimate institutions, presenting them with fake SWIFT or MoneyGram payment notifications.

Attached to the emails are ZIP archives containing .js files that, when executed, download the malicious JSOutProx payloads from a GitLab repository. (Bill Toulas / Bleeping Computer)

GitLab repositories containing malicious payloads. Source: Resecurity.
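A mail-gateway check for the lure described above, added here as an example and not taken from Visa's alert or the Resecurity report: it opens an attachment in memory, lists members whose final extension Windows would hand to a script host (so a name like `notification.pdf.js` is caught despite the decoy `.pdf`), follows nested archives a bounded number of levels deep, and refuses to inflate oversized inner files. The sample attachment is constructed inline with placeholder text, and the extension list is an assumption to be tuned per environment.

```python
import io
import zipfile

# Extensions Windows hands to a script host or shell on double-click (assumed list, not exhaustive)
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1", ".bat", ".cmd", ".lnk"}
ARCHIVE_EXTENSIONS = {".zip"}
MAX_DEPTH = 3                       # how far to follow nested archives
MAX_INNER_BYTES = 8 * 1024 * 1024   # refuse to inflate anything larger (decompression-bomb guard)


def suffix_of(name):
    """Lower-cased final extension of a member path, or '' if it has none."""
    base = name.rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""


def script_members(zip_bytes, depth=0):
    """Return member paths that are scripts, descending into nested zips.

    Only the final suffix counts, which is exactly why 'notification.pdf.js' is flagged:
    Explorer hides known extensions and wscript.exe runs it regardless of the '.pdf' in the name.
    Members inside nested archives are reported as 'outer.zip!inner_member'.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = suffix_of(info.filename)
            if ext in SCRIPT_EXTENSIONS:
                found.append(info.filename)
            elif ext in ARCHIVE_EXTENSIONS and depth < MAX_DEPTH:
                if info.file_size > MAX_INNER_BYTES:
                    found.append(info.filename + "!<too large to inspect>")
                    continue
                for inner in script_members(zf.read(info), depth + 1):
                    found.append(info.filename + "!" + inner)
    return found


def build_sample_lure():
    """Constructed attachment in the style described above: placeholder text only, no real payload."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("receipt.wsf", "<job><script language='JScript'>/* placeholder */</script></job>")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", "benign text")
        z.writestr("SWIFT_notification.pdf.js", "// placeholder: a real sample would fetch the next stage here")
        z.writestr("MoneyGram_receipt.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for hit in script_members(build_sample_lure()):
        print("quarantine:", hit)
```

Password-protected archives defeat this check by design; the practical rule is to quarantine any encrypted attachment rather than let it through unscanned.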

Meta is resisting the US Federal Trade Commission’s bid to amend its 2020 privacy settlement, saying that the company voluntarily disclosed two flaws in its kids chat app to the agency and received no complaints from parents.

Meta said it discovered a bug in its Messenger Kids app in June 2019 that allowed some children to chat with users their parents had not approved. Fewer than 2,000 kids were affected, and the company fixed the bug within 24 hours, Meta said in the filing.

While fixing the bug related to chats, Meta employees discovered a similar bug that let users add unapproved contacts to video calls, the company said. The bug only existed for three months on Apple devices and a few days on Android ones before it was fixed, according to an FTC filing from Meta.

The Facebook parent, under an FTC order for more than a decade, said it has taken agency requirements to improve its privacy protections seriously and has spent $5.5 billion on the effort since 2019.

Last year, the FTC said Meta had repeatedly violated its privacy promises and opened an internal proceeding to modify a 2020 settlement. The agency said it would seek to change the earlier settlement to ban Meta from using facial recognition tools or monetizing children’s data. (Leah Nylen / Bloomberg)

Related: FTC, Reuters, WION

Researcher Bartek Nowotarski discovered a class of HTTP/2 implementation vulnerabilities dubbed CONTINUATION Flood that can lead to denial of service (DoS) and, in some implementations, crash web servers over a single TCP connection.

HTTP/2 is an update to the HTTP protocol standardized in 2015. It is designed to improve web performance by introducing binary framing for efficient data transmission, multiplexing to allow multiple requests and responses over a single connection, and header compression to reduce overhead.

Nowotarski said the vulnerabilities relate to using HTTP/2 CONTINUATION frames, which are not properly limited or checked in many protocol implementations.

HTTP/2 messages include header and trailer sections serialized into header blocks. A block can be fragmented across multiple frames for transmission: a HEADERS frame carries the first fragment, and CONTINUATION frames on the same stream carry the rest until one of them sets the END_HEADERS flag.

Because many implementations neither cap the number of CONTINUATION frames nor the size of the block being reassembled, an attacker can send an effectively endless stream of them simply by never setting END_HEADERS. The server buffers fragments it cannot yet decode, leading to out-of-memory crashes or CPU exhaustion as the frames are processed.

The researcher warned that out-of-memory conditions could lead to server crashes using a single HTTP/2 TCP connection in some implementations. (Bill Toulas / Bleeping Computer)
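To make the failure mode concrete, the following Python is an added example, not Nowotarski's research code or any server's implementation. It builds HTTP/2 frames by hand per the RFC 7540 layout, reassembles a header block from HEADERS plus CONTINUATION frames, and contrasts an assembler with no limit, which keeps buffering a constructed flood, with one that caps the compressed header block before any HPACK decoding and drops the connection. The cap value and frame count are assumptions chosen for the demonstration.

```python
import struct

# RFC 7540 frame types and flags used here
HEADERS = 0x1
CONTINUATION = 0x9
END_HEADERS = 0x4
FRAME_HEADER_LEN = 9


def build_frame(ftype, flags, stream_id, payload):
    """Serialize one frame: 24-bit length, 8-bit type, 8-bit flags, reserved bit + 31-bit stream id."""
    return (struct.pack("!I", len(payload))[1:] + bytes([ftype, flags])
            + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload)


def parse_frame(buf, offset):
    """Parse the frame at buf[offset:]; return (type, flags, stream_id, payload, next_offset)."""
    if len(buf) - offset < FRAME_HEADER_LEN:
        raise ValueError("truncated frame header")
    length = int.from_bytes(buf[offset:offset + 3], "big")
    ftype, flags = buf[offset + 3], buf[offset + 4]
    stream_id = struct.unpack("!I", buf[offset + 5:offset + 9])[0] & 0x7FFFFFFF
    start = offset + FRAME_HEADER_LEN
    payload = buf[start:start + length]
    if len(payload) != length:
        raise ValueError("truncated frame payload")
    return ftype, flags, stream_id, payload, start + length


class HeaderBlockAssembler:
    """Reassembles a header block from a HEADERS frame and its CONTINUATION frames.

    With max_block_size=None it behaves like the vulnerable implementations described above:
    fragments are buffered until END_HEADERS arrives, so memory grows without bound.
    With a limit it aborts the connection as soon as the buffered, still-compressed fragments
    exceed it, before any HPACK decoding happens. (PADDED/PRIORITY flags on HEADERS are ignored
    here for brevity; a real parser strips them before buffering.)
    """

    def __init__(self, max_block_size=None):
        self.max_block_size = max_block_size
        self._reset()

    def _reset(self):
        self.stream_id = None
        self.fragments = []
        self.total = 0
        self.frames_seen = 0

    def feed(self, ftype, flags, stream_id, payload):
        """Return the complete header block, or None while more CONTINUATION frames are expected."""
        if self.stream_id is None:
            if ftype != HEADERS:
                raise ValueError("CONTINUATION without a preceding HEADERS")
            self.stream_id = stream_id
        elif ftype != CONTINUATION or stream_id != self.stream_id:
            # RFC 7540 section 6.10: anything but a CONTINUATION on the same stream is a PROTOCOL_ERROR
            raise ValueError("expected CONTINUATION on stream %d" % self.stream_id)
        self.fragments.append(payload)
        self.total += len(payload)
        self.frames_seen += 1
        if self.max_block_size is not None and self.total > self.max_block_size:
            raise MemoryError("header block exceeds %d bytes after %d frames; closing connection"
                              % (self.max_block_size, self.frames_seen))
        if flags & END_HEADERS:
            block = b"".join(self.fragments)
            self._reset()
            return block
        return None


def continuation_flood(frames, fragment_size=16384):
    """Constructed attack stream: HEADERS followed by CONTINUATION frames, none carrying END_HEADERS."""
    frag = b"\x00" * fragment_size  # opaque bytes the server must buffer before it can decode anything
    out = build_frame(HEADERS, 0, 1, frag)
    for _ in range(frames):
        out += build_frame(CONTINUATION, 0, 1, frag)
    return out


def serve(stream, max_block_size=None):
    """Feed a byte stream to the assembler and report what a server would do with it."""
    asm = HeaderBlockAssembler(max_block_size)
    offset = 0
    try:
        while offset < len(stream):
            ftype, flags, sid, payload, offset = parse_frame(stream, offset)
            block = asm.feed(ftype, flags, sid, payload)
            if block is not None:
                return ("complete", len(block))
    except MemoryError:
        return ("rejected", asm.frames_seen)
    except ValueError:
        return ("protocol_error", asm.frames_seen)
    return ("pending", asm.total)  # still buffering with nothing to decode: the vulnerable outcome


if __name__ == "__main__":
    attack = continuation_flood(100, 1024)
    print("no limit:   ", serve(attack))          # buffer keeps growing
    print("8 KiB limit:", serve(attack, 8192))    # connection dropped after the 9th frame
```

The check has to apply to compressed bytes as they arrive: SETTINGS_MAX_HEADER_LIST_SIZE bounds the decoded header list, which an implementation that buffers first and decodes only after END_HEADERS never reaches during the flood.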

The United Kingdom Maritime Trade Operations (UKMTO) office reported an “electronic interference” incident involving a merchant ship in the Persian Gulf.

The incident is the first the agency has reported since it warned shipping of the threat in November 2023.

“UKMTO has received a report of a vessel experiencing disruption to electronic navigation systems (GPS/AIS) between [April 2 and April 3], 95NM east of Las Al Zour, Saudi Arabia,” UKMTO’s advisory said.

The US Maritime Administration issued a global Maritime Security Communications with Industry (MSCI) advisory to shipping in October, informing mariners of significant GPS interference and AIS “spoofing” incidents globally. However, that advisory expired on March 30, 2024. (Mike Schuler / gCaptain)

Related: TradeWinds

Best Thing of the Day: Boosting AI Safety and Governance

The European Union and the United States issued a joint statement affirming a desire to increase cooperation over artificial intelligence covering AI safety and governance, but also an intent to collaborate across a number of other tech issues, such as developing digital identity standards and applying pressure on platforms to defend human rights.

Worst Thing of the Day: Fake DMCA Take-Down Requests From Fake Lawyers

A fake law firm, Commonwealth Legal, with a website replete with images of fake lawyers, has been threatening websites with fake DMCA take-downs in SEO backlink scams.
