
XML External Entity (XXE) Attack

In this article I will write about the XML External Entity (XXE) attack. For this attack to be possible, the application must contain logic that parses XML input.

The injection works when the XML parser is weakly configured. In a successful attack the attacker is able to view files on the application server and interact with backend systems. The same XXE vulnerability can be used to perform server-side request forgery (SSRF), denial of service (the Billion Laughs attack), and more.

What are XXE types?

There is no strict classification of XXE attacks, but we can divide them into two types: in-band and out-of-band (blind).

· In-band attacks are more common than out-of-band ones. In this case the attacker receives an immediate response to the XXE payload.

· Out-of-band, or so-called blind, XXE gives no immediate response. This type involves creating an external Document Type Definition, and the XML parser has to make an additional request to an attacker-controlled server.

When can an attacker execute this injection?

· In old applications where the SOAP version is lower than 1.2

· In applications where users are logged in based on SAML sessions (SAML is the single sign-on (SSO) login standard). The chances of this attack are very high here because SAML uses XML for identity assertions

· Where XML input, or XML uploads that are added into XML documents, can come from untrusted data and are then parsed by an XML processor

· Any application where Document Type Definitions (DTDs) are enabled carries a high risk

When would an application parse XML?

XML is often used in both frontend and backend web development.

Examples:

The frontend of an application can, for example, request an XML file from an API and build and present a UI form from the data in that XML. The form may then offer an option to add a new field, and when the user saves the changes the new input is added into the XML document.

On the backend, XML is parsed when it is used to transfer data in a standard format. In mobile development, Android applications also use it to define layouts and store configuration.

On the OWASP site you can find more examples of XXE attacks. PortSwigger has a nicely explained example of this attack:

For example, suppose a shopping application checks for the stock level of a product by submitting the following XML to the server:

The application performs no particular defenses against XXE attacks, so you can exploit the XXE vulnerability to retrieve the /etc/passwd file by submitting the following XXE payload:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<stockCheck><productId>&xxe;</productId></stockCheck>

This XXE payload defines an external entity &xxe; whose value is the contents of the /etc/passwd file and uses the entity within the productId value. This causes the application’s response to include the contents of the file:

Invalid product ID:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
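To make concrete what "no particular defenses" means in the example above, here is an added example in C# (my own code, not part of the article and not PortSwigger's material; C# is used because the validation code later in this article is C#). It reads the stockCheck document with a System.Xml reader that prohibits DTDs and has no resolver, so the quoted payload is rejected at the DOCTYPE before the entity is ever declared, and it shows beside that the weak settings that would make the payload work. The StockCheckParser class, the function names and the benign request are constructed for the example.

```csharp
using System;
using System.IO;
using System.Xml;

static class StockCheckParser
{
    // Hardened reader: a DOCTYPE is an error (DtdProcessing.Prohibit) and there is no resolver,
    // so nothing can be fetched from disk or the network even if another setting is loosened later.
    public static readonly XmlReaderSettings Hardened = new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Prohibit,
        XmlResolver = null
    };

    // The weak configuration that makes the payload above work: DTD parsing on, and a resolver
    // that opens file:// and http:// URIs. Kept here only for contrast; never use it on untrusted input.
    public static readonly XmlReaderSettings Weak = new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Parse,
        XmlResolver = new XmlUrlResolver()
    };

    // Reads <stockCheck><productId>...</productId></stockCheck> and returns the productId text.
    public static string ReadProductId(string xml, XmlReaderSettings settings)
    {
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
        {
            if (!reader.ReadToFollowing("productId"))
                throw new FormatException("no productId element in request");
            return reader.ReadElementContentAsString();
        }
    }

    static void Main()
    {
        // The PortSwigger payload quoted in the article, and a benign request (constructed) for comparison.
        const string payload =
            "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
            "<!DOCTYPE foo [ <!ENTITY xxe SYSTEM \"file:///etc/passwd\"> ]>\n" +
            "<stockCheck><productId>&xxe;</productId></stockCheck>";
        const string benign = "<stockCheck><productId>381</productId></stockCheck>";

        Console.WriteLine("benign request -> productId " + ReadProductId(benign, Hardened));
        try
        {
            ReadProductId(payload, Hardened);
        }
        catch (XmlException e)
        {
            // Thrown at the DOCTYPE, before the entity declaration is even parsed.
            Console.WriteLine("payload rejected: " + e.Message);
        }
    }
}
```

DtdProcessing.Ignore would also stop the entity from being expanded, but it drops the DOCTYPE silently and the request then fails later on the undefined &xxe; reference; Prohibit is the better choice for untrusted input because the rejection is explicit and happens at the first suspicious byte. XmlDocument and XmlSchemaSet have their own XmlResolver properties, which should be set to null for the same reason.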

List of preventions for XXE

  • Use JSON instead of XML and avoid serialization of sensitive data
  • As I mentioned before, this attack can happen easily when the application uses SOAP < 1.2, so upgrade to a later version
  • Implement XSD validation ("XML Schemas") in your application for all XML file inputs
  • Patch or upgrade all XML libraries
  • Use SAST tools to check whether there are XXE vulnerabilities.

How to prevent XXE if you are using SAML?

SAML is used to construct authorization statements whose authenticity is protected by an XML digital signature applied over the statements.

Many attacks happen because of wrong assumptions made by developers, for example that the token is always properly formed XML compliant with the SAML schema.

Developers may assume that a SAML document has just one Assertion tag (a properly formed SAML document does). Relying on that, they validate only the first element they get when searching the XML document for elements by tag name.

To get the list of nodes, the DOM getElementsByTagName method can be used (the snippets below use the Java DOM API):

NodeList xmlNodes = doc.getElementsByTagName("saml:Assertion");

xmlNodes is assigned the list of elements in the document whose tag name is "saml:Assertion".

Because developers assume this is a properly formed SAML document with one Assertion tag, they take the first element and validate it afterwards:

Element firstElement = (Element) xmlNodes.item(0);

*As you can guess, this is not the proper way to validate the tag, because the attacker can also assume that developers used this approach for the validation. The attacker can then place a malicious assertion before the original one: the first element is the one that gets validated, and the substitution is never detected.

By the same logic, some developers use getElementsByTagNameNS, but the result is the same: malicious content can easily be inserted as the first element.

Proper prevention would be:

· Parse the XML document and validate its structure against the supplied schema. Never allow automatic download of schemas from third parties; use local trusted copies instead. Where possible, inspect the schemas and harden them, which can be used to disable wildcard types or relaxed processing statements.

· Validate the digital signature, which verifies the authenticity and integrity of the assertion embedded in the SAML document. This prevents forgery.

**The most important thing when writing a schema is to describe the intended document structure precisely.
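The lookup half of the prevention above can be shown in code. The following is an added example in C# (my own code; it is not from the article, whose snippets are Java, and it is not any SAML library's code): it parses the response with DTDs prohibited, looks up Assertion elements by namespace and local name rather than by the qualified name "saml:Assertion", and refuses the document unless exactly one is present. The SAML 2.0 assertion namespace URI is the standard value; the SamlAssertionLookup class and the three trimmed sample responses are constructed for the example.

```csharp
using System;
using System.IO;
using System.Xml;

static class SamlAssertionLookup
{
    // SAML 2.0 assertion namespace URI: a standard value, not something the article shows.
    const string SamlNs = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Parses the response with DTDs prohibited and no resolver, then insists on exactly one
    // Assertion element in the SAML namespace. Any other count is treated as tampering rather
    // than silently taking the first match.
    public static XmlElement FindSingleAssertion(string samlXml)
    {
        var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };
        // PreserveWhitespace keeps the exact bytes that a later signature check is computed over.
        var doc = new XmlDocument { XmlResolver = null, PreserveWhitespace = true };
        using (var reader = XmlReader.Create(new StringReader(samlXml), settings))
            doc.Load(reader);

        // Namespace + local name, so a different prefix can neither hide nor add an assertion.
        XmlNodeList assertions = doc.GetElementsByTagName("Assertion", SamlNs);
        if (assertions.Count != 1)
            throw new InvalidOperationException(
                "expected exactly one Assertion, found " + assertions.Count);
        return (XmlElement)assertions[0];
    }

    static void Main()
    {
        const string ns = "xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" xmlns:saml=\"" + SamlNs + "\"";
        // Constructed, heavily trimmed responses; real ones also carry Issuer, Conditions, a Signature, etc.
        string genuine =
            "<samlp:Response " + ns + "><saml:Assertion ID=\"_a1\">" +
            "<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>";
        // A second Assertion inserted ahead of the genuine one, the situation the article describes.
        string twoAssertions =
            "<samlp:Response " + ns + "><saml:Assertion ID=\"_x\"><saml:Subject><saml:NameID>admin</saml:NameID>" +
            "</saml:Subject></saml:Assertion><saml:Assertion ID=\"_a1\"><saml:Subject><saml:NameID>alice" +
            "</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>";
        // The same assertion under another prefix: a qualified-name lookup for "saml:Assertion" misses it.
        string otherPrefix =
            "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\">" +
            "<a:Assertion xmlns:a=\"" + SamlNs + "\" ID=\"_a1\"><a:Subject><a:NameID>alice</a:NameID></a:Subject>" +
            "</a:Assertion></samlp:Response>";

        Console.WriteLine("genuine: " + FindSingleAssertion(genuine).GetAttribute("ID"));
        Console.WriteLine("other prefix: " + FindSingleAssertion(otherPrefix).GetAttribute("ID"));
        try
        {
            FindSingleAssertion(twoAssertions);
        }
        catch (InvalidOperationException e)
        {
            Console.WriteLine("two assertions: rejected, " + e.Message);
        }
    }
}
```

The element this returns is the one whose XML digital signature you then verify (the second prevention point); the value of the count check is that the element you verify and the element you read the subject from are guaranteed to be the same one, so nothing can be slipped in front of the signed assertion. Signature verification itself is not shown here.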

How to prevent XXE using XSD validation?

I will explain how to create a C# solution to validate XML data.

The most important reason to use XSD (XML Schema Definition) validation is that we want the sender and receiver to have the same "expectations" about the content. Using a schema, we describe the data exactly, so both parties are clear about it.

Steps:

· Add an XML file to the project

When you add the XML file, you will see only the xml declaration:

<?xml version="1.0" encoding="utf-8" ?>

I will add a User object with the properties FirstName, LastName and Address, so the XML file would look like this:

· Create an XML schema for this file

You will get an XML schema structure like this:

· Modify the XSD

Now you can modify the file and add validations for FirstName and Address. Here I only show how to add validations for these fields; they will of course not prevent the attack by themselves, they just validate the length and the type of the mentioned fields.

· Validate the XML using the XSD

What am I doing in the code?

  • Getting the local path of the assembly so I can append the XML file name and the XSD file name to get their full paths
  • Creating the schema using XmlSchemaSet and XmlSeverityType, which come from System.Xml.Schema
  • Using XmlReader from System.Xml so I can create an XDocument, imported from System.Xml.Linq
  • Once the document is created, I call its Validate method, passing the schema to validate against and the ValidationEventHandler method (that is my name for it), which throws an exception if the severity type is Error. All validation logic should go in this method.

This is just an example of how to create an XSD for an XML file and which libraries you can use for the validation.
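As an added example (my own code, not the article's solution, whose XSD and C# source are not reproduced on this page), here is a complete, self-contained version of the four steps above. It keeps the XSD as an inline string instead of a file beside the assembly, and the schema itself, with a length and pattern restriction on FirstName and a length restriction on Address, is constructed here because the article's user.xsd is not shown. The reader settings also prohibit DTDs and disable resolvers, so the XSD validation is not itself a way in for the XXE payload.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Xml;
using System.Xml.Linq;
using System.Xml.Schema;

static class UserXsdValidation
{
    // Constructed schema for the User document the article describes: FirstName and Address carry
    // the length and type restrictions the article mentions; the real user.xsd is not shown there.
    const string UserSchema =
@"<xs:schema xmlns:xs=""http://www.w3.org/2001/XMLSchema"" elementFormDefault=""qualified"">
  <xs:element name=""User"">
    <xs:complexType>
      <xs:sequence>
        <xs:element name=""FirstName"">
          <xs:simpleType>
            <xs:restriction base=""xs:string"">
              <xs:minLength value=""1""/>
              <xs:maxLength value=""50""/>
              <xs:pattern value=""[A-Za-z' \-]+""/>
            </xs:restriction>
          </xs:simpleType>
        </xs:element>
        <xs:element name=""LastName"" type=""xs:string""/>
        <xs:element name=""Address"">
          <xs:simpleType>
            <xs:restriction base=""xs:string"">
              <xs:maxLength value=""200""/>
            </xs:restriction>
          </xs:simpleType>
        </xs:element>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
</xs:schema>";

    // Reader settings used for both the schema and the instance documents: no DTD, no resolver.
    static XmlReaderSettings SecureSettings() =>
        new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };

    // Builds the XmlSchemaSet once. XmlResolver = null stops the set from following xs:import or
    // xs:include to remote locations; any included schema has to be added here explicitly.
    public static XmlSchemaSet BuildSchemaSet()
    {
        var schemas = new XmlSchemaSet { XmlResolver = null };
        using (var reader = XmlReader.Create(new StringReader(UserSchema), SecureSettings()))
            schemas.Add(null, reader);   // null: take the target namespace from the schema itself
        schemas.Compile();
        return schemas;
    }

    // Loads the document through the secure reader and validates it. Returns every error the
    // ValidationEventHandler reported; an empty list means the document matches the schema.
    public static List<string> Validate(string xml, XmlSchemaSet schemas)
    {
        var errors = new List<string>();
        XDocument doc;
        using (var reader = XmlReader.Create(new StringReader(xml), SecureSettings()))
            doc = XDocument.Load(reader);
        doc.Validate(schemas, (sender, e) =>
        {
            if (e.Severity == XmlSeverityType.Error) errors.Add(e.Message);
        });
        return errors;
    }

    static void Main()
    {
        var schemas = BuildSchemaSet();
        // Constructed inputs: one conforming user, one whose FirstName violates the pattern restriction.
        const string good =
            "<User><FirstName>Ada</FirstName><LastName>Lovelace</LastName><Address>1 Main St</Address></User>";
        const string bad =
            "<User><FirstName>Ada123</FirstName><LastName>Lovelace</LastName><Address>1 Main St</Address></User>";

        Console.WriteLine("good: " + (Validate(good, schemas).Count == 0 ? "valid" : "rejected"));
        foreach (var error in Validate(bad, schemas))
            Console.WriteLine("bad: " + error);
    }
}
```

Collecting the errors instead of throwing from the handler (the article's approach) lets you log every violation in one pass; either way the document must be treated as rejected as soon as the list is non-empty. The schema set is built once and reused because compiling it is the expensive step.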

How to prevent XXE by implementing a DTD?

We can also validate an XML file using a DTD. Some differences between XSD and DTD are described on this site.

In this example I validate an XML file against a DTD file using DtdProcessing.

Steps:

  • Set the validation settings using XmlReaderSettings
  • Create the XmlReader object so I can parse the file using its Read() method
  • Create the ValidationEventHandler method, which throws an exception if the severity type is Error. All validation logic should go in this method.
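The DTD route comes with a caveat: DtdProcessing.Parse, which ValidationType.DTD requires, switches back on exactly the DTD processing flagged earlier as a high risk. The added example below (my own C# code, not the article's) follows the three steps while keeping that risk contained: a custom XmlResolver that can only hand back one in-memory DTD standing in for the article's user.dtd and refuses every other external reference, a cap on the characters produced by entity expansion, and a ValidationEventHandler that throws on errors. The LocalDtdResolver and UserDtdValidation classes, the DTD text and the three sample documents are constructed for the example.

```csharp
using System;
using System.IO;
using System.Text;
using System.Xml;
using System.Xml.Schema;

// Resolver that can only ever return one in-memory DTD; every other external reference is refused.
sealed class LocalDtdResolver : XmlResolver
{
    const string AllowedName = "user.dtd";
    readonly byte[] _dtd;

    public LocalDtdResolver(string dtdText) { _dtd = Encoding.UTF8.GetBytes(dtdText); }

    // Called for the DOCTYPE system id and for every external entity: only the known DTD name passes,
    // and it is mapped to a private URI so the file system and network are never consulted.
    public override Uri ResolveUri(Uri baseUri, string relativeUri)
    {
        if (relativeUri != AllowedName)
            throw new XmlException("refusing to resolve external resource: " + relativeUri);
        return new Uri("local:///" + AllowedName);
    }

    public override object GetEntity(Uri absoluteUri, string role, Type ofObjectToReturn)
    {
        if (absoluteUri.ToString() != "local:///" + AllowedName)
            throw new XmlException("refusing to resolve external resource: " + absoluteUri);
        return new MemoryStream(_dtd);
    }
}

static class UserDtdValidation
{
    // Constructed DTD standing in for the article's user.dtd file.
    const string UserDtd =
        "<!ELEMENT User (FirstName, LastName, Address)>\n" +
        "<!ELEMENT FirstName (#PCDATA)>\n" +
        "<!ELEMENT LastName (#PCDATA)>\n" +
        "<!ELEMENT Address (#PCDATA)>\n";

    // Step 1: validation settings. Parse is unavoidable for DTD validation, so the resolver
    // allow-list and the entity cap are what keep external and recursive entities under control.
    static XmlReaderSettings Settings()
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Parse,
            ValidationType = ValidationType.DTD,
            XmlResolver = new LocalDtdResolver(UserDtd),
            MaxCharactersFromEntities = 1024
        };
        // Step 3: the handler throws on errors; warnings are ignored.
        settings.ValidationEventHandler += (sender, e) =>
        {
            if (e.Severity == XmlSeverityType.Error) throw e.Exception;
        };
        return settings;
    }

    // Step 2: read the whole document through the validating reader.
    // Returns "valid" or "rejected: <reason>"; never throws for bad input.
    public static string CheckUser(string xml)
    {
        try
        {
            using (var reader = XmlReader.Create(new StringReader(xml), Settings()))
                while (reader.Read()) { }
            return "valid";
        }
        catch (XmlSchemaException e) { return "rejected: " + e.Message; }  // DTD validation error
        catch (XmlException e) { return "rejected: " + e.Message; }        // malformed, refused resource, entity cap
    }

    static void Main()
    {
        // Constructed inputs: conforming, wrong element structure, and one that declares an external entity.
        const string good =
            "<!DOCTYPE User SYSTEM \"user.dtd\">\n" +
            "<User><FirstName>Ada</FirstName><LastName>Lovelace</LastName><Address>1 Main St</Address></User>";
        const string wrongShape =
            "<!DOCTYPE User SYSTEM \"user.dtd\">\n" +
            "<User><FirstName>Ada</FirstName><Address>1 Main St</Address></User>";
        const string externalEntity =
            "<!DOCTYPE User SYSTEM \"user.dtd\" [ <!ENTITY ext SYSTEM \"file:///etc/passwd\"> ]>\n" +
            "<User><FirstName>&ext;</FirstName><LastName>L</LastName><Address>A</Address></User>";

        Console.WriteLine("good: " + CheckUser(good));
        Console.WriteLine("wrong shape: " + CheckUser(wrongShape));
        Console.WriteLine("external entity: " + CheckUser(externalEntity));
    }
}
```

The first document passes, the second fails in the handler because User is missing LastName, and the third is refused by the resolver the moment the parser tries to expand the external entity. If the DTD in your project really lives in a file, load its bytes into the resolver at start-up rather than letting the reader open paths taken from the document.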

List of SAST testing tools

SAST tools help you with static application security testing.

SAST tools can be free, commercial, or open source.

Some of the most popular SAST tools currently are:

  • Veracode
  • LGTM
  • Checkmarx
  • Klocwork
  • Reshift
  • SpectralOps
  • HCL AppScan
  • Codacy
  • Insider CLI
  • Argon


Why is SOAP < 1.2 vulnerable to XXE attacks, and why should you use later versions?

Before version 1.2, external entities were allowed within SOAP messages.

Since version 1.2, changes have been introduced to the envelope and encoding schemas. Both schemas were updated to comply with the XML Schema Recommendation.

The recommendations that were applied are:

· http://www.w3.org/TR/2001/REC-xmlschema-1-20010502/

· http://www.w3.org/TR/2001/REC-xmlschema-2-20010502/

· http://www.w3.org/TR/1999/REC-xml-names-19990114

· http://www.w3.org/TR/2000/REC-xml-20001006

· http://www.w3.org/TR/2000/PR-xlink-20001220/

Further changes in this version affected the names of datatypes in the XML Schema specification, and some datatypes were removed. If you want to see all the changes that were made, go to this site.

Conclusion

This article presented some prevention steps that could help you defend your application from XXE attacks.

The OWASP team, which is constantly working to discover new ways attackers can exploit your application and carry out their malicious actions, is always updating its Prevention Cheat Sheet.

The best way to secure your application is to always stay up to date with the new prevention methods: the best libraries to use, the best detection tools, and so on.

In the end, secure code is the cheapest code!

Cover photo by Joshua Woroniecki

#XXE_attack #XSD #DTD #SAML #vicarius_blog

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About VRX
VRX is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.

CISAnalysis 22 July 2022

On 19 July 2020, CISA released an Industrial Control Systems (ICS) Advisory (ICSA-22-200-01) regarding the MiCODUS MV720 GPS tracker, a tracker designed to be hidden that is wired directly to a vehicle's power and oil pump. This device allows the interested party to remotely track a vehicle's location and cut off the oil pump, disabling the vehicle. It can be installed and hidden in approximately two and a half minutes according to a video available on MiCODUS' website.

BitSight, a cybersecurity ratings company, uncovered the critical vulnerabilities that led to CISA’s advisory. They also determined that these trackers are in use across 169 countries “by individual consumers, government agencies, militaries, law enforcement, and corporations.”

Out of the six vulnerabilities discovered, two have been deemed critical:

  • Hardcoded Password – CVE-2022-2107: Although the API server has an authentication mechanism, devices use a hardcoded master password allowing an attacker to log into the web server, impersonate the user, and directly send SMS commands to the GPS tracker as if they were coming from the GPS owner’s mobile number.
  • Broken Authentication – CVE-2022-2141: The API server provides a way to directly send SMS commands to the GPS tracking device as if those messages were coming from the administrator’s mobile device.

There are a number of troubling effects that could occur due to a successful exploitation of the found vulnerabilities. According to BitSight, individuals could be tracked unlawfully, vehicles could be disabled remotely, national militaries using the GPS tracker could themselves be monitored, and supply chains disrupted.

Because there is no fix available and MiCODUS has disregarded repeated attempts by BitSight and CISA to share information, all users are advised to immediately discontinue or disable any MiCODUS MV720 GPS trackers.

According to MiCODUS, approximately 1.5 million of its GPS trackers are in current use.

Given the exponential expansion of IoT, we can expect more vulnerabilities to be uncovered.

Sources:

Critical Vulnerabilities Discovered in Popular Automotive GPS Tracking Device (MiCODUS MV720)

BitSight Discovers Critical Vulnerabilities in Widely Used Vehicle GPS Tracker


Understanding Coordinated Inauthentic Behavior (CIB): What it is and How it Impacts the General Public

The term Coordinated Inauthentic Behavior (CIB) is used frequently in the news to describe the propagation of misinformation, misrepresentation, and other types of negative online influence operations. As seen in the news as of late, reports of CIB have recently led to the large-scale removal of accounts and pages on social media platforms. An example of CIB could be a political news site purportedly headquartered in America but operates from Macedonia or a Russian-created social media account. The said account might use a fictitious name as well as random images as a way to feign American perspectives blogging about US politics. 

It can take the following two forms:

  1. Coordinated inauthentic behavior (CIB) regarding domestic non-government campaigns
  2. Coordinated inauthentic behavior in the case of a foreign or government actor, termed as Foreign or Government Interference (FGI)

The objectives of both variants are the same. They are a part of larger coordinated campaigns that seek to influence public perspectives across social media platforms to further their agendas, both politically and socially.

What is Coordinated Inauthentic Behavior (CIB)?

Any domestic, non-government initiatives/campaigns that comprise groups of accounts and pages on the internet, especially social media, aiming to deceive people regarding who they are and what they do is often regarded as Coordinated Inauthentic Behavior (CIB). Whether they are accounts, pages, or groups, such behavior occurs when numerous bogus identities/personas collaborate to promote a specific idea/item or media subject with an ulterior intent. It comprises influence operations aimed at manipulating public opinion for a strategic purpose. Their objective could be financial or political. For instance, during the Covid-19 outbreak, a network of web pages was active in spreading coronavirus misinformation.

What Impact Does CIB Have on the Regular Public?

Coordinated Inauthentic Behavior intends to manipulate public debate, push users towards political and social extremes, and inevitably lead to inter-community and inter-religious opinion clashes. The goal of CIB is to sway public opinion or coerce users with financial scams (if the objective is financial exploitation).

The potential for misinformation to impact international politics and public opinion is large, and has proven time and time again. CIB goes a step further, intentionally targeting and misleading individuals instead of merely propagating false news. A large problem with CIB lies in its ability to shift public opinion in such a short period of time, therefore making the removal of said account almost useless in the long term as its original goal has been accomplished. 

Identifying CIB on Facebook and Other Social Media Platforms

In recent years, the global increase of trolls and bots that manipulate public discussions on social media has caused significant challenges for political elections, natural disaster communication systems, and global health emergencies such as the Covid-19 pandemic. However, progress has been made in using standard supervised learning to combat adversaries.

If you know where to look, coordinated inauthentic behavior by people and organizations on social media is simple to spot. Different indications on Facebook pages and groups, like those mentioned below, can help users better comprehend the data they’re viewing and the intentions of those behind it.

  1. The Section on ‘Page Transparency’

Every Facebook page features a “Page Transparency” feature that allows viewers to see countries from which the page admins upload information. The section is available on both mobile and desktop views. However, this option does not apply to Facebook groups.

  2. Posts with Multiple ‘Like and Share’ Requests Might Signal a Problem

It might indicate organized inauthentic conduct if a page is overloaded with photographs and memes urging users to like and share the content. According to Snopes’ study, though it does not always point towards questionable activity, an overload of this type of media is frequently associated with inauthentic pages trying to gain more traction.

  3. ‘Blue Ticked’ Verified Pages

Blue badges appear next to the group or profile name on verified pages. Be it on Facebook, Twitter, or Instagram, the blue tick next to the user’s profile name represents an authenticated account. If you see one of these, it implies that the page or profile belongs to an authorized individual or organization. An unverified page, i.e., one without the blue badge representing your favorite celebrity asking for money for some social cause, is unlikely to be genuine. Being more cautious about what accounts are acting as certain organizations or people is an important part of staying safe online. 

  4. Check the ‘Page Creation Date’

Check the date the page/group/profile was created, especially for politically focused forums involving serious debates. For instance, it is a red flag if a page regarding some hot-button American political issue was created merely a week ago and shows that the real page managers are people from another nation. It takes time for outsiders to get involved in a country’s debate on a serious domestic issue. You can click the “Page Transparency” link on a page or the “About” tab in a group to determine the creation date.

  5. Examine the Administrators and Moderators of a Facebook Community

Since the Facebook groups (but not pages) disclose their administrators, moderators, and members, you may check the “Members” section on a group to check who is operating it and whether the admins appear to be authenticated individuals.

Examples/Case Studies of CIB

The following are a few well-known campaigns involving CIB that occurred in recent times. 

  1. #SaveTheChildren Campaign

The #SaveTheChildren campaign purposefully propagated the notion that a “cabal” of celebrities and political figures participated in satanic, ritual sexual assault of children worldwide.

In 2020, a conspiracy protest movement known as #SaveTheChildren surged throughout the United States, Canada, the United Kingdom, and Europe, sparking hundreds of in-person marches and protests. The #SaveTheChildren campaign’s claimed purpose was to raise awareness about the atrocities of “child sex trafficking.” 

The main inspiration behind the campaign was the QAnon conspiracy movement, which started in October 2017 by an anonymous 4chan website user later known as “Q.” They had claimed to be privy to top-secret government intel suggesting that Hillary Clinton was wanted by the Federal government and was about to be arrested, among other fraudulent theories.

  2. Ebola and the United States Border

Brian Kolfage, a Trump supporter and anti-immigrant activist, raised millions of dollars in internet donations to build a wall at the US-Mexico border. After two days, when the US government ordered the work to be stopped, he tweeted that an “insider” had notified him that there were nine migrants with “proven” Ebola cases at the Texas border due to which construction had been stopped. This assertion was false, but the Ebola hoax quickly spread across the country on social media and in right-wing organizations. 

He used disinformation to promote panic as a way to exploit the issue of immigration and gather support for his political aim of curbing immigration—a long-standing pledge of then-US President Donald Trump. 

  3. The Milk Tea Alliance

It is an online multinational network of young people manipulating the media under the hashtag #MilkTeaAlliance. Youngsters from Thailand, Hong Kong, Taiwan, and Myanmar are among its supporters. The alliance uses the hashtag #MilkTeaAlliance to combat what they see as authoritarianism, either directed at the CCP (Chinese Communist Party) or their governments.

It surfaced in April 2020, following the commencement of an online campaign by pro-Chinese Communist Party (CCP) accounts to harass a Thai celebrity and his fans. A loosely organized group of young, largely Southeast Asian, pro-democracy netizens banded together, culminating in a meme war between the two sides on Twitter.

  4. The Antifa Fires Rumor

During the Oregon wildfires in September 2020, allegations circulated locally and globally that left-wing activists were to blame. The evidence alleging “anti-fa” involvement was based on a series of misinterpretations made by public authorities. The rumor was boosted by far-right political influencers, bogus Antifa Twitter accounts, and various anonymous trolling communities on the 4chan website.

  5. “Hammer” and “Scorecard”

The 2020 US presidential election was disturbed by unfounded accusations of widespread voting fraud, promoted by former President Donald Trump, whose allegations came to be known as “the big lie.” The idea that prompted this coordinated behavior is said to have included two aspects, Hammer and Scorecard, where an alleged government-run supercomputer called “Hammer,” and the system software, the “Scorecard” worked in tandem… The allegation was that the “Hammer and Scorecard” operation influenced real votes across the country in favor of President Joe Biden.

Final Words

With the ever increasing accessibility and widespread popularity of the internet and social media, influence operations and new deceptive behaviors will continue to emerge and spread despite pertinent regulations. Social media networks must continue to work to identify and stop Coordinated Inauthentic Behavior or CIB campaigns and any other kind of large-scale misinformation campaigns. However, as previously noted, users must also stay educated and cautious about the phenomenon. It will help them recognize CIB activity and take precautions to avoid falling into traps.

References

  1. Aziz, Z. (2020, November 2). What is Coordinated Inauthentic Behavior? Nisos. https://www.nisos.com/blog/what-is-coordinated-inauthentic-behavior/
  2. Meta. (2018, December 6). Coordinated inauthentic behavior. https://about.fb.com/news/tag/coordinated-inauthentic-behavior/
  3. Graham, T. (2020, May 29). Detecting and analyzing coordinated inauthentic behavior on social media. QUT Centre for Data Science. https://research.qut.edu.au/qutcds/events/detecting-and-analysing-coordinated-inauthentic-behaviour-on-social-media/
  4. Gleicher, N. (2018, December 6). Coordinated inauthentic behavior explained. Meta. https://about.fb.com/news/2018/12/inside-feed-coordinated-inauthentic-behavior/
  5. Johnson, S. (2021, December 21). How to spot ‘coordinated inauthentic behavior’ on Facebook, according to Snopes. Lifehacker. https://lifehacker.com/how-to-spot-coordinated-inauthentic-behavior-on-faceb-1848253059
  6. McGregor, S. (2020, September 17). What even is ‘coordinated inauthentic behavior’ on platforms? Wired. https://www.wired.com/story/what-even-is-coordinated-inauthentic-behavior-on-platforms/

#CIB #Facebook #vicarius_blog


CISAnalysis 18 July 2022

CVE-2022-22047, an actively exploited zero-day affecting a range of Microsoft Windows and Windows Server versions, was added to CISA’s Known Exploited Vulnerabilities list with an order to all US agencies to patch by the 2nd of August.

Understandably, there’s a dearth of information regarding this new vulnerability’s scope and use cases, but Microsoft released a patch along with 83 others in their July 2022 Patch Tuesday update.

What we do know is that CVE-2022-22047 is an elevation of privilege bug in Windows’ Client/Server Runtime Subsystem (CSRSS). It was given a CVSSv3 score of 7.8 and a rating of Important. If exploited, the vulnerability gives SYSTEM privileges, allowing an attacker full control of a Microsoft endpoint.

Given the potential repercussions of this exploit, one might wonder why it hasn’t been deemed critical. According to Mike Walters of Action1, it can only be executed locally. But he also adds that “vulnerabilities of this type are great for taking control over a workstation or server when they are paired with phishing attacks that use Office documents with macros. This vulnerability can likely be paired with Follina to gain full control over a Windows endpoint.”

On 11 July 2022, Microsoft also released an article stating that VBA macros from the internet will be blocked by default.

#cisa_analysis #vicarius_blog


A Summary of Adversarial Threat Reports – 2022

Sharing authentic information is critical in today’s world of the internet. It becomes more significant if the information shared benefits everyone, including the individual who uses the internet for leisure or the organization dependent on the internet for their operations. The Adversarial Threat Reports are vital bits of information that keep the community aware of the significant cyber threats that appear from time to time. Generally, security agencies and digital establishments issue adversarial threat reports quarterly, highlighting the significant challenges that emerge during the specific quarter. This article summarizes the findings of various such threat reports published in 2022. 

What Are Adversarial Threats?

Adversarial threats generally denote enterprise disruptions or losses caused by the deliberate actions of malicious third parties interacting with their information systems. Any threat associated with accidental human error or environmental or structural failure is not considered an adversarial threat. The deliberate and malicious intention is critical for the threat to qualify as one.

Examples of Adversarial Threats

Adversarial threats are of various types and characteristic features. Ransomware, phishing, and cyber espionage attacks are a few of them. For example, Ukraine’s invasion by Russia has greatly impacted the phishing threat landscape. Since its initiation, phishing has seen a 10-percentage point increase over the previous year. The increase in the number and types of phishing attacks has been seen as a common concern across security service providers.

(Source: Cofense 2022 Annual State of Phishing Report)

Sophos 2022 Adversarial Threat Report states that ransomware constituted 79% of cyber threats, followed by Cobalt Strike at 6% and Web shells at 4%. Other hazards include data exfiltration and miscellaneous malware. Even the Global Threat Report 2022 by Crowdstrike indicates that ransomware is an ever-increasing threat today, growing 82% between 2020 and 2021.

What Do the Adversarial Threat Reports Signify?

The significance of adversarial threat reports is that they highlight the latest threats the internet communities face from various malicious sources. For instance, the Meta Adversarial Threat Report Q1-2022 focuses on state actors, especially in the backdrop of the Russian Ukrainian War. Thus, it discusses cyber warfare, an ominous large-scale threat in today’s circumstances.

The Meta Adversarial Threat Report aims to highlight coordinated inauthentic behavior (CIB), cyber espionage efforts by Iran, and malicious mass reporting attempts from Russia. Besides reporting inauthentic behavior, such reports also examine the efforts put in by the security community to counter these activities.

The Purpose Behind the Adversarial Threat Reports

The primary reason behind the compilation of these adversarial threat reports is to share information on malicious threats capable of causing significant global damage to enterprise network systems. A glance through these reports can help educate security teams concerning the latest threats in the internet environment, even if all of them might not pose immediate cybersecurity risks.

Below are the findings of the Meta Adversarial Threat Report for the first quarter of 2022.

  • Cyber Espionage Operations Linked to Iran and Azerbaijan

Cyber espionage targets individuals in order to gather intelligence, manipulate them into sharing sensitive information, and compromise their devices and accounts. The Meta Adversarial Threat Report for Q1 2022 describes three cyber espionage operations: two linked to Iran and one to Azerbaijan.

  1. An Iranian group tracked as UNC788 targeted people across the Middle East, including Saudi military personnel, Iranian and Israeli dissidents, and US politicians and journalists. The operators used phishing to steal credentials and to distribute links to attacker-controlled websites hosting malware. Their tradecraft combined social engineering, credential phishing, and malware delivery.
  2. A second, previously unreported Iranian group used spoofed websites to target organizations across several industries: energy companies in Russia, Italy, Canada, and Saudi Arabia; IT firms in the UAE and India; maritime logistics companies in the US, Israel, the UAE, Norway, and Iceland; telecommunications providers in the UAE and Saudi Arabia; and semiconductor companies in the US, Germany, and Israel. Its methods included social engineering with interactive, hands-on targeting, spoofing of corporate websites, and malware delivery.
  3. The report also identified a group in Azerbaijan engaged in both CIB and cyber espionage against Azerbaijani democracy activists, opposition party leaders, journalists, and government critics. The group kept a low profile and concentrated on news sites and social media platforms such as Twitter, Facebook, and LinkedIn, and its activity resembled that of the Ukraine-focused threat actor known as Ghostwriter. Its tradecraft included compromising and spoofing websites, delivering malware, credential phishing, and CIB.
  • Security Updates on Ukraine

The risk that the hostilities between Russia and Ukraine escalate into full-scale cyber war is ever-present, so almost every adversarial threat report now carries a section on Ukraine. The Meta report identifies government-linked Russian and Belarusian actors conducting cyber espionage and covert influence operations. For instance, it detected CIB activity linked to the Belarusian KGB that was spreading false claims of a Ukrainian troop withdrawal even before Russia's attack began.

The report notes a spike in Ghostwriter's attempts to compromise targets' email accounts and use the stolen information to take over their social media accounts. The group also attempted to compromise the Facebook accounts of Ukrainian military personnel and, where it succeeded, posted videos of people calling on the Army to surrender. Meta detected and removed several networks run by politically aligned actors for violating its inauthentic behavior policy by mass-reporting their political opponents and spreading hate speech.

To help protect users, Meta also encouraged people in Ukraine and Russia to harden their online accounts, email, and social media. Its advice included using a VPN (Virtual Private Network) app, enabling MFA (multi-factor authentication), not reusing passwords, and following other basic online safety practices.

  • Continuous CIB Enforcement

CIB means running fake social media accounts in coordination with others to mislead users and manipulate public debate toward a strategic goal. The Meta report describes many such networks around the world that the company has removed, and Meta continues to monitor removed operators to ensure they do not resurface under new identities.

In Brazil, Meta removed 14 Facebook accounts, nine Pages, and 39 Instagram accounts for violating its CIB policy. The operators began by spreading misleading content about Covid-19 in 2020 and in 2021 shifted their focus to Amazon deforestation.

Similarly, Meta removed 233 Facebook accounts, 84 Pages, and 27 Instagram accounts in Costa Rica and El Salvador that used fake accounts to post misinformation targeting both sides of the political spectrum. The report also describes fake Russian and Ukrainian accounts spreading misinformation about the war; of these, Meta identified and removed 27 Facebook accounts and four Instagram accounts.

  • Mass Reporting Network in Russia

Meta identified a network of nearly 200 accounts in Russia that coordinated to abuse its reporting tools: the accounts filed large volumes of false abuse reports against people in Ukraine and Russia, and also against users in the US, Poland, and Israel, in an effort to have their posts and accounts removed. By silencing opposing voices and flooding the platform with false reports about the war, the network aimed to sow distrust in government and local news.

  • Removing Coordinated Violating Networks in the Philippines

Meta also discovered a network of nearly 400 accounts and groups in the Philippines involved in DDoS attacks and website compromises within the country. The network boasted of taking down news websites while at the same time offering "cybersecurity services" to defend against the very attacks it launched. It eventually began openly recruiting new members to carry out DDoS attacks.

What Constitutes Inauthentic Behavior?

Inauthentic behavior (IB) centers on amplifying and distributing false content to manipulate public debate toward a strategic goal; the primary objective is to mislead people. When the same behavior is financially motivated, it is classed as spam or scam activity.

IB operators favor quantity over quality. They need large numbers of fake accounts to push their content in front of the widest possible audience, and they typically monetize that attention by driving users to off-platform websites filled with ads.

The Deceptive Strategies Used by IB Operators

Here are some deceptive strategies IB operators use to boost their engagement artificially.

  • Context Switching

IB operators often build an audience by claiming to be dedicated to one subject and then switch to an unrelated one once the account or post goes viral. They read the mood of their audience and use sensationalism to lure people into clicking links to their websites.

  • Posing as Authentic Communities

IB operators also pose as members of a country or community they do not belong to. This supports context switching: they post about political crises or natural disasters in the community they are impersonating to attract an audience, then monetize its attention.

  • Mass Posting, Sharing, and Liking of Content to Popularize it

IB operators typically use fake accounts to mass-post content, after which the rest of the network likes and shares it to manufacture apparent popularity. Genuine engagement is minimal because almost nobody outside the operators' own circle of accounts interacts with the content.

While CIB has drawn the most attention, particularly against the backdrop of the war in Ukraine, other adversarial threats cannot be ignored. The BlackBerry 2022 Threat Report lists several that can disrupt the daily operations of businesses worldwide:

  • Ransomware was the most damaging adversarial threat of 2021, and current trends indicate it will top the list again this year. 2021 saw a series of major ransomware incidents: DarkSide crippling Colonial Pipeline, the Russian-speaking REvil group hitting Acer and JBS Foods, and the Avaddon group compromising the insurer AXA. In a 2022 survey by ransomware.org, 80% of respondents said their organization was more likely to be targeted by ransomware in 2022 than in 2021.

(Source: ransomware.org)

  • Zero-day vulnerabilities remain a potent threat, as the HAFNIUM group's exploitation of zero-day flaws in Microsoft Exchange Server showed: once the patch was released, other threat actors reverse-engineered it and targeted unpatched organizations worldwide. Organizations can narrow their exposure by applying patches promptly once they are available and by adopting compensating approaches such as a Zero Trust architecture and XDR (Extended Detection and Response).
  • Supply chain attacks came to prominence in 2020 with the SolarWinds compromise, which made international headlines, and returned in 2021 with the compromise of Kaseya's VSA software, which affected over 1,000 businesses. Because these attacks exploit the trust between service providers and their customers, there is a pressing need for companies to adopt a Zero Trust approach.

Threat actors were highly active in 2021, and many mimicked private-sector business models by leveraging criminal service offerings such as IaaS (Infrastructure-as-a-Service), RaaS (Ransomware-as-a-Service), and MaaS (Malware-as-a-Service) to launch their attacks.

Final Words

Cyber threats and the actors behind them will persist for as long as the internet does. Since no organization can eliminate every threat at every level, the realistic goal is to coexist with them with the greatest possible awareness and security. Adversarial threat reports make people aware of the latest threats on the horizon before those threats reach unsuspecting networks.

Although phishing is one of the oldest cyber threats, it remains central today because most other attacks rely on phishing, or a variant of it, to gain initial access to a network. Anti-malware solutions are therefore necessary to neutralize payloads, but security awareness is what blunts the initial stage of an attack and prevents larger incidents. Adversarial threat reports are a useful resource for exactly that purpose.

Every cybersecurity professional should read these reports to build a reliable picture of the current threat landscape and the tradecraft malicious actors use. In short, adversarial threat reports are essential reading for every industry.

References

  1. Meta. (2022, April). Quarterly Adversarial Threat Report, Q1 2022. https://about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf
  2. CrowdStrike. (2022). 2022 Global Threat Report. https://go.crowdstrike.com/global-threat-report-2022.html
  3. BlackBerry. (2022). BlackBerry 2022 Threat Report. https://www.blackberry.com/us/en/forms/enterprise/report-bb-2022-threat-report-aem?
  4. Borges, R. Meta Quarterly Adversarial Threat Report Q1 2022 (Scribd copy). https://www.scribd.com/document/568491724/Meta-Quarterly-Adversarial-Threat-Report-Q1-2022
  5. Sophos. (2022). Sophos 2022 Threat Report: Interrelated threats target an interdependent world. https://assets.sophos.com/X24WTUEQ/at/b739xqx5jg5w9w7p2bpzxg/sophos-2022-threat-report.pdf
  6. National Cyber Security Centre. (2022, June 10). Threat Report 10th June 2022 (PDF). https://www.ncsc.gov.uk/pdfs/report/threat-report-10th-june-2022.pdf
  7. Shier, J. (2022, June 7). The Active Adversary Playbook 2022. Sophos News. https://news.sophos.com/en-us/2022/06/07/active-adversary-playbook-2022/
  8. National Cyber Security Centre. (2022, June 10). Threat Report 10th June 2022. https://www.ncsc.gov.uk/report/threat-report-10th-june-2022
  9. Trellix. (2022, January). Trellix Advanced Threat Research Report: January 2022. https://www.trellix.com/en-us/threat-center/threat-reports/jan-2022.html
  10. Cofense. (2022, April 12). Three highlights from the Cofense 2022 Annual State of Phishing Report. https://cofense.com/blog/three-highlights-from-cofense-2022-annual-state-of-phishing-report

#threatreport #cybersecurity #Russia #ransomware #phishing #espionage #Meta #Ukraine #vicarius_blog

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About VRX
VRX is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.
