Russia Is Using AI to Produce Doctored and Demeaning Video Clips of Kamala Harris

Telegram to field legal requests on criminal activity, Biden unveils ban on Chinese & Russian connected car tech, MSFT updates Secure Future Initiative, Kaspersky abruptly deletes AV software, Cyber attack hits Arkansas City water facility, 13M Binance users' data for sale on Telegram, much more




US intelligence officials say Russia, Iran, and China are using artificial intelligence tools as they increase their efforts to sway the American population ahead of the November election, with Moscow especially set on denigrating Vice President Kamala Harris.

Officials from the Office of the Director of National Intelligence and the FBI said Russia, the most aggressive and skilled of the three countries, is emphasizing stories and comments that demean the Democratic presidential candidate’s personal qualities or positions.

The ODNI also released a one-page summary of its assessment, the latest in a series on foreign influence during the campaign. An ODNI official said Russia has doctored clips of Harris’s speeches to replace some of her words and has used generative AI to create false text, photos, video, and audio.

Officials said they agreed with a determination by Microsoft researchers a week ago that Russia was behind a viral staged video in which an actress falsely claimed that Harris had injured her in a hit-and-run car accident, garnering millions of views. (Joseph Menn / Washington Post)

Related: Reuters, CNN, The Crypto Times, NPR, Benzinga, Cryptopolitan, ABC News, Washington Examiner, USA Today, ODNI, The Record, The Sacramento Bee, Cybernews, Cyberscoop

Telegram says it will now respond to valid legal requests from authorities about criminal activity on the platform, a move that comes less than a month after founder and CEO Pavel Durov's arrest in France, where he faces charges of alleged complicity in the spread of child sexual abuse material.

The move is a marked departure from Telegram's previous approach to government requests for data and from its reputation for lax moderation. The United Arab Emirates-based platform has been notoriously unresponsive to takedown requests from governments worldwide and has often ignored requests for information about suspected criminals.

Durov said the app, using artificial intelligence and a team of moderators, has now begun concealing problematic content from its search results to prevent misuse.

The move also follows years of users warning Durov of the need for less-freewheeling management of Telegram. For example, more than two dozen organizations wrote a letter to Durov in late 2021, asking him to implement transparent content rules and policies, develop ways for people to communicate with his company, and add an appeals process for frustrated parties. Durov didn’t respond, the organizations said. (Jeff Stone / Bloomberg and Georgia Wells / Wall Street Journal)

Related: 404 Media, Engadget, The Record, XDA Developers, Reclaim The Net, crypto.news, Tech Xplore, The Kyiv Independent, Radio Free Europe / Radio Liberty, Semafor, CCN.com, BBC News, The Guardian, Restore Privacy

The US Department of Commerce announced it is proposing a rule that would ban the sale or import of connected vehicles containing specific software and hardware produced by China or Russia or with a “sufficient nexus” to them.

According to the White House, the move aims to reduce the threat of adversaries breaking into connected cars, collecting sensitive data, including personal information and details about US critical infrastructure, and controlling vehicles as they travel on American roads.

The proposed rule, which would also prohibit the import of targeted component technologies, would focus on the hardware or software used in connected vehicle systems to enable their “external connectivity” and the technology that allows autonomous driving in some cars.

Commerce said the targeted technologies specifically include those that allow vehicles to communicate with the outside world via telematics control units, Bluetooth, cellular, satellite, and Wi-Fi modules. The technologies involved in autonomous vehicles allow them to move without a driver.

Chinese or Russian-made vehicles or components powering connected cars, trucks, and buses would be impacted, with the proposed rule only exempting vehicles not used on public roads, such as those driven on farms.

The White House focused on how connected vehicles could become a tool for Chinese and Russian hackers to learn about American critical infrastructure.

“Certain hardware and software in connected vehicles enable the capture of information about geographic areas or critical infrastructure and present opportunities for malicious actors to disrupt infrastructure operations or the vehicles themselves,” the White House said.

“These countries of concern could use critical technologies within our supply chains for surveillance and sabotage to undermine national security,” it added.

The software prohibitions would take effect with model year 2027, while the hardware prohibitions would take effect with model year 2030. New model-year cars typically go on sale in the summer preceding that model year.

Since most of the targeted car technologies are made in China rather than Russia, Russian suppliers are likely to be little affected in practice. (Suzanne Smalley / The Record)

Related: The White House, Federal Register, Financial Times, Reuters, Ars Technica, CyberScoop, The Verge, TechCrunch, Engadget, eeNews Europe, Gizmodo, PCMag, Light Reading, Dark Reading, CNN, ZeroHedge News, Benzinga, The Drive, UPI, SupplyChainBrain, The Daily Caller, New York Times, Washington Examiner, Nextgov/FCW, Quartz, Bloomberg, Washington Post, Wall Street Journal, Android Headlines, The Hill, Business Today, The Information, PYMNTS.com, Semafor, Bleeping Computer

Six months after Microsoft CEO Satya Nadella told the entire company that security should be prioritized above all else, the software giant provided a report on the progress of its Secure Future Initiative.

Microsoft first kicked off its Secure Future Initiative (SFI) in November 2023, just months before the US Cyber Safety Review Board concluded that “Microsoft’s security culture was inadequate and requires an overhaul.” That blistering review kicked Microsoft into gear, and the company is revealing today that it now has the equivalent of 34,000 full-time engineers working toward its SFI, making it the most significant cybersecurity engineering effort ever inside of Microsoft.

Last month, the company tied its security efforts to employee performance reviews, so every Microsoft employee is now judged on their security work. In recent months, Microsoft has also completed a series of improvements to its security processes due to the SFI.

Microsoft has updated its Entra ID and Microsoft Account (MSA) systems to generate, store, and automatically rotate the signing keys for access tokens in an Azure-managed hardware security module, so the private keys never leave the HSM. To reduce attack surface, 5.75 million inactive tenants have also been eliminated. Microsoft also now uses a new testing system with secure defaults to keep legacy systems from becoming security liabilities in the future.

Microsoft is tracking over 99 percent of its physical network in a central inventory system that helps with firmware compliance and logging. Microsoft has also improved its audit logs to retain logs for at least two years.

Engineering teams inside Microsoft now have personal access token lifetimes capped at seven days, SSH access disabled for all internal engineering repositories, and fewer groups with access to critical engineering systems.

Finally, Microsoft is implementing new standards using a “Start Right, Stay Right, and Get Right” approach. “Start Right” ensures projects adhere to security standards from the outset using templates, policies, and self-service tools; “Stay Right” covers ongoing project monitoring and enforcement of the relevant policies; and “Get Right” is designed to monitor Microsoft's compliance and bring existing systems up to standard.

The software giant has also created a new Cybersecurity Governance Council and appointed 13 deputy CISOs, four of whom are new Microsoft hires. (Tom Warren / The Verge)

Related: Microsoft, Dark Reading, The Register, Computer Weekly, The Cyber Express, Tech Target, Petri, Cyberscoop, GeekWire, Techzine, Axios, The Information, DeviceSecurity.io, Neowin, Bloomberg

Source: Microsoft.

The $OPENAI token promoted in the post does not exist, and the post, published from a compromised official OpenAI X account, linked to a phishing site designed to mimic the legitimate OpenAI website (apart from the conspicuously incorrect URL “token-openai.com”). A prominent “CLAIM $OPENAI” button on the fake site encouraged unsuspecting users to connect their cryptocurrency wallets, likely in an attempt to obtain the signatures or token approvals that would let the attackers drain those wallets.

Although the post seemingly stayed up for hours after press outlets reported the apparent compromise, it has since been removed from the X account. (Kyle Wiggers / TechCrunch)

Related: Cointelegraph, Newsbytes, Digit, The Crypto Times, Times of India, Mint, Web3IsGoingJustGreat
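The giveaway in this scam is the hostname: the brand name is present, but the registrable domain is not one OpenAI owns. The following is an added example (not code from OpenAI, TechCrunch, or any vendor) of the brand-lookalike check a mail or web gateway would apply to such a URL. LEGIT_DOMAINS and the constructed URLs in the demo are assumptions, and the registrable-domain rule (last two labels) is a deliberate simplification that ignores multi-label public suffixes such as co.uk.

```python
"""Brand-in-hostname lookalike check for phishing URLs such as token-openai.com.

Added example; not code from OpenAI, TechCrunch or any vendor. LEGIT_DOMAINS
and the demo URLs are constructed for illustration. registrable_domain() uses
the last two labels, a simplification that ignores suffixes like co.uk.
"""
from urllib.parse import urlparse

# Assumption: the only registrable domain the brand legitimately uses.
LEGIT_DOMAINS = {"openai.com"}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname (simplified; see module note)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_brand_lookalike(url: str, brand: str = "openai",
                       legit: set = LEGIT_DOMAINS) -> bool:
    """True when the brand name appears in the hostname (hyphens ignored, so
    open-ai.xyz also matches) but the registrable domain is not one the brand
    owns. Catches token-openai.com, openai-claim.net and openai.com.evil.net,
    and leaves openai.com and its real subdomains alone."""
    host = (urlparse(url).hostname or "").lower()
    if not host or brand.lower() not in host.replace("-", ""):
        return False  # brand string absent: not a lookalike of this brand
    return registrable_domain(host) not in legit


def triage(urls, brand: str = "openai") -> dict:
    """Map each URL to 'lookalike' or 'ok' for quick review of a batch."""
    return {u: ("lookalike" if is_brand_lookalike(u, brand) else "ok")
            for u in urls}


if __name__ == "__main__":
    demo = [
        "https://token-openai.com/claim",        # the URL from the scam post
        "https://openai.com/blog",
        "https://platform.openai.com/",
        "https://openai.com.login-verify.net/",  # constructed subdomain trick
        "https://open-ai.xyz/",                  # constructed hyphen trick
    ]
    for url, verdict in triage(demo).items():
        print(f"{verdict:9} {url}")
```

The check deliberately keys on the registrable domain rather than on string similarity: an attacker can put the brand anywhere in the left-hand labels, but cannot register under openai.com. In production, replace the two-label rule with a public-suffix-list lookup.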




Researchers at Google's Mandiant report that a cyber operation called UNC1860 housed within Iran’s Ministry of Intelligence and Security (MOIS) has become a sophisticated initial access broker for the country’s hackers, providing persistent entry to the systems of telecommunications and government organizations across the Middle East.

According to the researchers, hackers connected to the unit have developed an impressive collection of specialized tools and passive backdoors that continue to assist other Iranian hacking operations.

“These groups have also reportedly provided initial access for destructive and disruptive operations that targeted Israel in late October 2023 with BABYWIPER and Albania in 2022 using ROADSWEEP,” Mandiant said, noting that while they cannot independently confirm that UNC1860 was involved in both operations, they found tooling that was “likely designed to facilitate hand-off operations.”

Mandiant said a key feature of UNC1860 includes its “maintenance of this diverse collection of passive/listener-based utilities that support the group’s initial access and lateral movement goals.”

The tools are designed to evade antivirus software and provide covert, persistent access to systems that can then be used for a range of follow-on operations.

Mandiant called UNC1860 a “formidable threat actor” supporting “various objectives ranging from espionage to network attack operations.”

The security company found evidence of UNC1860’s tools being used by other MOIS-affiliated hacking groups, such as APT34, a prominent Iranian threat group responsible for intrusions into government systems in Jordan, Israel, and Saudi Arabia. Last week, researchers uncovered a wide-ranging APT34 operation targeting government officials in Iraq. (Jonathan Greig / The Record)

Related: Google Cloud, Dark Reading, Security Affairs, Cyber Express, Iran News Update, Cybernews

Source: Google Cloud.

Researchers at Google Mandiant report that they have been contacted by several major US companies recently who discovered that they unknowingly hired North Koreans using fake identities for remote IT roles.

They describe a common scheme orchestrated by the group Mandiant tracks as UNC5267, which has been active since 2018. In most cases, the IT workers “consist of individuals sent by the North Korean government to live primarily in China and Russia, with smaller numbers in Africa and Southeast Asia.”

The goal is for the workers to draw salaries at multiple companies, generate revenue for the North Korean government, and gain privileged access to US tech firms that can be used for further intrusions.

Mandiant found that remote workers “often gain elevated access to modify code and administer network systems,” warning of the downstream effects of allowing malicious actors into a company’s inner sanctum.

Charles Carmakal, Mandiant's CTO, said he has spoken to “dozens of Fortune 100 organizations that have accidentally hired North Korean IT workers.”

The actors are generally hired as remote contractors using stolen or fictitious identities. Mandiant has seen the workers hired in various complex roles across several sectors. Some workers are employed at multiple companies, bringing in several monthly salaries.

The tactic is facilitated by someone in the US who runs a laptop farm where workers’ laptops are sent. Remote technology is installed on the laptops, allowing the North Koreans to log in and conduct their work from China or Russia.

Workers typically asked for their work laptops to be sent to addresses other than those listed on their resumes, which raised companies' suspicions.

Mandiant said it found evidence that the laptops at these farms are connected to a “keyboard video mouse” (KVM) device that relays the laptop's console over the network, or are running multiple remote management tools, including LogMeIn, GoToMeeting, Chrome Remote Desktop, AnyDesk, TeamViewer, and others.

In several incident response engagements, Mandiant found the workers used the same resumes with links to fabricated software engineer profiles hosted on Netlify, a platform often used for quickly creating and deploying websites.

Many resumes and profiles included poor English and other clues indicating the actor was not US-based.

One characteristic that was repeatedly seen was the use of US-based addresses accompanied by education credentials from universities outside North America, frequently in Singapore, Japan, or Hong Kong. According to Mandiant, companies typically don't verify credentials from overseas universities. (Jonathan Greig / The Record)

Related: Google Cloud, Security Week, The Stack
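The indicators Mandiant lists above (laptop shipped to an address other than the one on file, several remote-control tools on one endpoint, a KVM device attached, a resume profile on a free static host, a US address paired with an unverified overseas degree) are easy to turn into a screening pass over HR and endpoint-inventory data. The following is an added example, not Mandiant's or any vendor's code. The record layout, field names, and the two SAMPLE_RECORDS are constructed; Netlify is the host named in the report, the rest of FREE_PROFILE_HOSTS is an assumption.

```python
"""Screening pass for the remote-IT-worker indicators described by Mandiant.

Added example, not Mandiant's or any vendor's code. The record layout, field
names and SAMPLE_RECORDS are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Remote-control tools named in the report. One may be legitimate on a
# corporate laptop; several at once is the laptop-farm pattern.
RMM_TOOLS = {"logmein", "gotomeeting", "chrome remote desktop",
             "anydesk", "teamviewer"}
# Netlify is named in the report; the second entry is an assumption.
FREE_PROFILE_HOSTS = {"netlify.app", "netlify.com"}
NORTH_AMERICA = {"US", "CA", "MX"}


def _norm_address(addr: str) -> str:
    """Lowercase, drop punctuation and collapse whitespace so 'Rd.' vs 'Rd'
    does not defeat the comparison."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", addr.lower()).split())


def _hostname(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def _is_hosted_on(host: str, suffixes: set) -> bool:
    return any(host == s or host.endswith("." + s) for s in suffixes)


def screen_hire(record: dict) -> dict:
    """Return the indicators that fire for one hire plus a simple count."""
    flags = []
    # 1. Laptop shipped somewhere other than the address on the application.
    if _norm_address(record["ship_to"]) != _norm_address(record["address_on_file"]):
        flags.append("laptop_ship_address_mismatch")
    # 2. Two or more remote-control tools on the same endpoint.
    installed = {s.lower() for s in record["installed_software"]}
    rmm = sorted(installed & RMM_TOOLS)
    if len(rmm) >= 2:
        flags.append("multiple_rmm_tools:" + ",".join(rmm))
    # 3. A KVM device attached (crude substring match on the USB inventory;
    #    a plain KVM switch would also match and needs manual review).
    if any("kvm" in d.lower() for d in record.get("usb_devices", [])):
        flags.append("kvm_device_attached")
    # 4. Resume links to a profile on a free static-hosting platform.
    if _is_hosted_on(_hostname(record.get("profile_url", "")), FREE_PROFILE_HOSTS):
        flags.append("profile_on_free_static_host")
    # 5. US address combined with a degree from outside North America, which
    #    the report says is rarely verified.
    if record["address_country"] == "US" and record["degree_country"] not in NORTH_AMERICA:
        flags.append("overseas_degree_needs_verification")
    return {"candidate": record["candidate"], "flags": flags, "score": len(flags)}


def screen_all(records) -> list:
    """Screen every record and return results, most suspicious first."""
    return sorted((screen_hire(r) for r in records),
                  key=lambda r: r["score"], reverse=True)


# Constructed sample data: one record matching every indicator, one clean.
SAMPLE_RECORDS = [
    {"candidate": "A", "address_on_file": "12 Elm St, Austin, TX 78701",
     "ship_to": "900 Pine Ave Apt 4, Nashville, TN 37203",
     "installed_software": ["AnyDesk", "TeamViewer", "Chrome Remote Desktop", "Slack"],
     "usb_devices": ["PiKVM v3 HDMI"],
     "profile_url": "https://dev-profile-example.netlify.app",
     "address_country": "US", "degree_country": "SG"},
    {"candidate": "B", "address_on_file": "44 Lake Rd, Denver, CO 80202",
     "ship_to": "44 Lake Rd., Denver, CO 80202",
     "installed_software": ["Slack", "Visual Studio Code", "TeamViewer"],
     "usb_devices": ["Logitech keyboard"],
     "profile_url": "https://www.linkedin.com/in/example",
     "address_country": "US", "degree_country": "US"},
]

if __name__ == "__main__":
    for result in screen_all(SAMPLE_RECORDS):
        print(result["candidate"], result["score"], result["flags"])
```

The score is a count, not a verdict: a single RMM tool or a Netlify portfolio is common among legitimate engineers, so the value of the pass is in surfacing hires where several indicators coincide for a human to check the shipping address and credentials.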

Russian cybersecurity company Kaspersky deleted its anti-malware software from customers' computers across the United States and automatically replaced it with UltraAV's antivirus solution.

This move follows Kaspersky's decision to shut down its US operations and lay off US-based employees after the US government in June added Kaspersky to the Entity List, a catalog of "foreign individuals, companies, and organizations deemed a national security concern."

In early September, Kaspersky also emailed customers, assuring them they would continue receiving "reliable cybersecurity protection" from UltraAV (owned by Pango Group) after Kaspersky stopped selling software and updates for US customers.

However, those emails failed to inform users that Kaspersky's products would be abruptly deleted from their computers and replaced with UltraAV without warning.

According to many online customer reports, UltraAV's software was installed on their computers without any prior notification, with many concerned that their devices had been infected with malware.

Some also found UltraVPN installed, likely because they had a Kaspersky VPN subscription.

Not much is known about UltraAV besides being part of Pango Group, which controls multiple VPN brands (e.g., Hotspot Shield, UltraVPN, and Betternet) and Comparitech (a VPN software review website).

Kaspersky said that it "partnered with antivirus provider UltraAV to ensure continued protection for US-based customers that will no longer have access to Kaspersky's protections."

"Kaspersky has additionally partnered with UltraAV to make the transition to their product as seamless as possible, which is why on 9/19, US Kaspersky antivirus customers received a software update facilitating the transition to UltraAV," it added. (Sergiu Gatlan / Bleeping Computer)

Related: Kaspersky Support Forum, TechCrunch, Cybernews.com, The Register, The Cyber Express, Dark Reading, MakeUseOf, Neowin, r/technology, r/nottheonion, Slashdot

Source: Bleeping Computer.

TikTok said it had removed accounts belonging to the Russian state media outlets RT and Sputnik for engaging in “covert influence operations.”

The social video app said on its website that it removed accounts associated with TV-Novosti and Rossiya Segodnya, the parent organizations of the RT television network and the Russian news agency Sputnik. TikTok said the accounts had violated its community guidelines, particularly its ban on deceptive behavior.

A TikTok spokesperson said that the associated accounts are now permanently banned.

TikTok said that, even before Monday, it had restricted the visibility of the accounts in the European Union and the United Kingdom and had already ruled their content ineligible for TikTok’s “For You” feed. (David Ingram / NBC News)

Related: TikTok, The Hill, LBC, Sky News

Researchers at Kaspersky discovered that a new version of the Necro malware loader for Android was installed on 11 million devices through Google Play in malicious SDK supply chain attacks.

This new version of the Necro Trojan was installed through malicious advertising software development kits (SDK) used by legitimate apps, Android game mods, and modified versions of popular software, such as Spotify, WhatsApp, and Minecraft.

Necro installs several payloads to infected devices and activates various malicious plugins, including adware that loads links through invisible WebView windows (Island plugin, Cube SDK), modules that download and execute arbitrary JavaScript and DEX files (Happy SDK, Jar SDK), tools specifically designed to facilitate subscription fraud (Web plugin, Happy SDK, Tap plugin) and mechanisms that use infected devices as proxies to route malicious traffic (NProxy plugin).

Kaspersky found the Necro loader in two Google Play apps with substantial user bases: Wuta Camera by 'Benqu,' a photo editing and beautification tool with over 10,000,000 downloads, and Max Browser by 'WA message recover-wamr,' which had 1 million downloads before it was removed following Kaspersky's report. (Bill Toulas / Bleeping Computer)

Related: Kaspersky, Securelist, Ars Technica, Android Police, Tom's Guide, PCMag, The Register, Forbes, How-To-Geek, Heise Online, Phone Arena, Silicon Angle

Source: Kaspersky.

The City of Arkansas City, Kansas, experienced a cybersecurity breach early Sunday morning affecting its water treatment facility.

City Manager Randy Frazer assured residents that the water supply remains entirely safe and unaffected by the incident. As a precaution, the Water Treatment Facility has temporarily transitioned to manual operations while cybersecurity experts work to resolve the issue.

One city employee said she found a note on a computer screen instructing the city to send payment, indicating a likely ransomware attack.

Frazer emphasized that residents can continue to rely on the safety of their drinking water. The city is operating under full control during this period, and no disruptions to water service are anticipated. (Derek Nester / Sunflower State Radio)

Related: KWCH, KAKE, CTNewsOnline

Background check firm MC2 Data experienced a massive data leak that exposed a wide range of records compiled from public sources, including criminal records, employment history, family data, and contact details, covering roughly one-third of the US population.

The company left a 2.2TB database of personal data exposed on the internet without password protection, accessible to anyone who found it.

What was likely a human error exposed 106,316,633 records containing private information about US citizens, raising serious concerns about privacy and safety. Estimates suggest that the leak affected at least 100 million individuals.

People and organizations that ordered background checks were also exposed: the data of 2,319,873 users who subscribed to MC2 Data services was leaked. (Paulina Okunytė / Cybernews)

Related: Daily Mail, SC Media, DataBreaches.net

A "cybersecurity issue" has shut down MoneyGram's systems and payment services since Friday, and the fintech leader has yet to update customers as to when it expects to have its global money transfer services back up and running.

The downed services reportedly include in-person payments as well as online transactions. After initially alerting customers via X/Twitter on Saturday and describing the problem as a "network outage impacting connectivity to a number of our systems," the financial technology firm disclosed on Monday that the outage was the result of an intrusion.

However, MoneyGram still has not characterized the intrusion as ransomware. MoneyGram said it had "identified a cybersecurity issue affecting certain of our systems." Following that detection, the payment processor says it "immediately launched an investigation and took protective steps to address it, including proactively taking systems offline, which impacted network connectivity." (Jessica Lyons / The Register)

Related: PVDN

A cybercriminal known as “Greavys” is reportedly selling the personal data of thirteen million users of the crypto exchange Binance, in blocks or in full, to buyers via Telegram.

The data includes names, email addresses, phone numbers, and residential information. “Greavys,” along with fellow cybercriminals “Wiz” and “Box,” has a history of phishing attacks.

In August 2024, these individuals carried out a $243 million social-engineering theft against a victim in Washington, D.C., posing as support staff from Google and Gemini to gain access to the victim's bitcoin holdings through remote-control software such as AnyDesk.

Binance has not yet confirmed the validity of the leaked data. (Andrés Torres / BeInCrypto)

Related: Crypto News Flash

Researchers at Sentinel Labs report that an affiliate of the Mallox ransomware operation, also known as TargetCompany, was spotted using a slightly modified version of the Kryptina ransomware to attack Linux systems.

This version is separate from other Linux-targeting variants of Mallox, such as the one described last June by Trend Micro researchers, highlighting the shifting tactics of the ransomware ecosystem.

This finding is another sign that Mallox, previously a Windows-only operation, is putting Linux and VMware ESXi systems in its crosshairs, a significant evolution for the group.

In late 2023, Kryptina was launched as a low-cost ($500-$800) ransomware-as-a-service (RaaS) platform for targeting Linux systems but failed to gain traction in the cybercrime community.

In February 2024, its purported administrator, using the alias "Corlys," leaked Kryptina's source code for free on hacking forums, where it was presumably picked up by other ransomware actors interested in a working Linux variant. (Bill Toulas / Bleeping Computer)

Related: SentinelOne, Infosecurity Exchange

UK Defense Secretary John Healey has unveiled a plan to fast-track tech-savvy recruits, including gamers and cyber experts, into the UK's military cyber forces to boost the country's defenses against Russia's rising threat.

The new "cyber track" recruitment scheme aims to remove bottlenecks and cut through red tape to integrate specialized talent swiftly into the UK's defense strategy.

Healey said, "As the world changes and threats evolve, we also need to ensure our recruitment is right for the 21st century. That's why we will remove unnecessary barriers and fast-track bright candidates into cyber defense to help face down [Vladimir] Putin's online aggression."

"If you are good at tech, if you have a passion for cyber, if you're good at gaming, then you may have the skills that the British military needs." (Dev Kundaliya / Computing)

Related: Daily Mail, The Independent, Forces News, The Sun

The Department of Homeland Security announced the availability of $279.9 million in grant funding for the Fiscal Year (FY) 2024 State and Local Cybersecurity Grant Program (SLCGP).

Now in its third year, this program funds state, local, and territorial (SLT) governments to help reduce cyber risk and build resilience against evolving cybersecurity threats.

Established by the State and Local Cybersecurity Improvement Act and part of the Bipartisan Infrastructure Law, the SLCGP provides approximately $1 billion in funding over four years to support SLT governments as they develop capabilities to detect, protect against, and respond to cyber threats. (Homeland Security Today)

Related: DHS

Cloudflare announced plans to launch a marketplace in the next year where website owners can sell access to scrape their site’s content to AI model providers.

The marketplace is the final step of Cloudflare CEO Matthew Prince’s larger plan to give publishers greater control over how and when AI bots scrape their websites.

“If you don’t compensate creators one way or another, then they stop creating, and that’s the bit which has to get solved,” Prince said.

As the first step in its new plan, Cloudflare launched free customer observability tools called AI Audit. Website owners will get a dashboard to view analytics on why, when, and how often AI models are crawling their sites for information.

Cloudflare will also let customers block AI bots from their sites with the click of a button. Website owners can block all web scrapers using AI Audit or let certain web scrapers through if they have deals or find their scraping beneficial. (Maxwell Zeff / TechCrunch)

Related: Cloudflare, Wired, The Cloudflare Blog, TechCrunch, Ars Technica, ExtremeTech, Fortune, ZDNET, Maginative, WinBuzzer, SiliconANGLE

Source: TechCrunch.

Best Thing of the Day: Using Math to Check AI Errors

The rigid discipline of mathematics looks promising for building AI technologies that don't hallucinate.

Worst Thing of the Day: Don't Give 'Em an Inch

A data deletion service called Optery recently updated its terms of service to say the company may transfer user data to OpenAI. Optery turned on the data transfer for users by default, but after a privacy forum flagged this practice, Optery backtracked and made the data transfer opt-in only.
