The Good, the Bad and the Ugly in Cybersecurity – Week 35

The Good

This week, the Stanford Internet Observatory reported on its collaborative effort with the social media analytics firm Graphika to analyze a vast network of accounts removed from Facebook, Instagram, and Twitter. The removal was the result of an information operation said to have originated in the United States and to have targeted countries in Central Asia and the Middle East.

Between July and August 2022, Meta (Facebook and Instagram) and Twitter booted two related sets of accounts off their platforms for violating their terms of service. Violations included “platform manipulation and spam” and “coordinating inauthentic behavior”.

The joint investigation by Stanford and Graphika found that these accounts, together with related accounts on five other social media platforms, employed deceptive tactics to promote pro-Western (US and its allies) narratives to users in Central Asia and the Middle East while openly criticizing opposing nations including Russia, China, and Iran.

Cyber influence operations like this one showcase the substantial role private entities and a large range of actors play in active campaigns to affect and sway online audiences. In this particular case, the actors created fake personas using GAN-generated faces, impersonated independent media outlets, and launched digital petitions – all behaviors noted in other similar operations.

The uneasy fact is that we are living in the age of disinformation and it has become a cybersecurity threat. While many socio-psychological factors and social media fuel this trend, there is no shortage of bad actors that are all too eager to take advantage. Disinformation campaigns often make use of social media platforms to compromise information security, manipulate significant data, or cause reputational damage. With this in mind, it’s always good news when disinformation gets the takedown it deserves.

The Bad

Trying to wind down with some screen time? Well, things just got a little more complex. Reports this week detail a data breach at the widely used American streaming media service Plex. After unauthorized access to one of its databases, Plex sent out password reset notices to many of its users, including Troy Hunt, the Australian web security consultant known for creating the Have I Been Pwned website.

In an email sent to customers, Plex said that a third party had succeeded in accessing a limited subset of data including emails, usernames, and encrypted passwords. They underscored that all potentially accessed passwords were hashed, that no payment data was exposed in the incident, and that the method of breach has already been addressed, with additional reviews and hardening procedures under way. Both BleepingComputer and ZDNet have reached out to Plex for more details, as the impact of this breach is still developing.

Given how digitally connected we all are these days, cybercrimes both large and small affect everyone. Where there is sensitive information, there is security risk. Online streaming services have boomed in recent years, and bad actors continue to target these vendors to steal consumers' personal information, entice users into scams, or launch phishing campaigns.

Login credentials are always a hot commodity on the dark web, and we all need to make it more difficult for info-stealers by extending our cyber hygiene to our sources of entertainment: updating passwords regularly, refraining from credential recycling, and staying alert for phishing attempts.

The Ugly

On Saturday, Greece’s largest natural gas distributor, DESFA, confirmed that it had been hit with a ransomware attack and data breach. In its official statement, DESFA reported that bad actors were able to access sensitive files.

DESFA has deactivated many of its online services and is reported to be working on a gradual return to normal operations. The gas operator also assured consumers that natural gas supplies across the country would not be impacted and reiterated its firm stance against negotiating with the actors over a ransom payment. The data breach has since been attributed to the Ragnar Locker ransomware gang, who have already posted details on their leak site.

The Ragnar Locker gang has been prolific in its attacks for over two years now and seems to have set its main sights on critical infrastructure sectors. Just earlier this year, the FBI reported that the gang had breached the networks of at least 52 organizations across multiple US critical infrastructure sectors, including manufacturing, energy, finance, and government.

In the grip of the Russian invasion of Ukraine, an ongoing economic downturn, and continuing Covid-19 and monkeypox outbreaks, cybercriminals are digging their heels in hard during periods of global distress to have their ransoms met. The increased attacks on critical infrastructure are especially devastating as Europe grapples with an energy crisis. Prices for natural gas and electricity have soared 1000% higher than those seen in 2020 and 2021, with fears that this will result in the lowest valuation of the euro in 20 years and a hard winter ahead fraught with large-scale power outages.