Russia (still) trying to weaponize Facebook for spying, Ukraine-war disinfo

Plus: More financially motivated miscreants try to monetize invasion


Facebook is fighting a surge in cyber-espionage attempts and misinformation campaigns related to the Russian invasion of Ukraine, according to a new report by parent group Meta.

Since the start of the war, Meta security teams have been busy disrupting threats and taking down fake news and accounts on its social media platforms, according to the company's quarterly adversarial threat report.

This includes Kremlin-backed operations looking to spy on and influence specific Ukrainian industries, including defense, energy, and telecoms, as well as journalists and activists in Ukraine, Russia and abroad. 

In one example, Meta says it removed fake-news posts linked to the Belarusian KGB. This account began posting misinformation in Polish and English about Ukrainian troops surrendering without a fight and the nation's leaders fleeing the country on February 24 when Russia began its "special military operation" against the neighboring state. 

Additionally, the social media giant tracked a growing number of misdeeds from the Ghostwriter criminal group since the war began. This gang, which threat intel firm Mandiant has linked to Belarus and/or Russia, typically starts with email compromise, and then uses that to gain access to social media accounts. 

In a February 27 security update, Meta documented increased targeting of Ukrainians, including military and public figures, by Ghostwriter. This included an attempt to trick people on Facebook into posting a fake YouTube video purporting to show Ukrainian soldiers emerging from a forest waving white flags.  

Since then, Ghostwriter has tried to hack into "dozens" of Ukrainian military personnel's Facebook accounts, according to Meta's new threat report. "In a handful of cases, they posted videos calling on the Army to surrender as if these posts were coming from the legitimate account owners," it said. "We blocked these videos from being shared."

Additionally, Meta shut down further attempts by the Russian Internet Research Agency (IRA), posing as a civil rights NGO, to create Facebook accounts. Back in December 2020, Facebook removed individuals associated with the IRA from the platform. The network tried unsuccessfully to create new accounts in late 2021 and January 2022, Meta reports. 

Since the Russian invasion, the group's website has posted fake news articles blaming Russia's attack on NATO and the West, Meta reported.

More financially motivated miscreants

In addition to the state-sponsored attempts at espionage and spreading misinformation about the war in Ukraine, Meta also noted an uptick in cybercriminals using the crisis to scam Facebook users for their own monetary gain. 

This isn't unusual. Miscreants are always quick to turn natural and man-made disasters into money-making opportunities. Still, the sheer number of scammers using others' misfortune for personal profit is shocking.

Since the war began, Meta claims it removed "tens of thousands" of accounts, pages and groups that used both automated and manual systems. "We've seen spammers from around the world use inauthentic behavior tactics including streaming live-gaming videos and reposting popular content including other people's videos from Ukraine as a way to pose as sharing live updates," according to the threat report.

Some of the lowlifes repeatedly switched names to trick others into following them in attempts to make money by either selling merch on the social media platforms, or sending traffic to off-platform websites.

Additionally, Meta shut down "multiple clusters of long-abandoned compromised accounts" that are now operating out of Russia. "Many of them shared identical pro-separatist videos and amplified accounts in their own clusters, likely as part of paid inauthentic engagement," the report noted. ®


Other stories you might like

  • Consultant plays Metaverse MythBuster. Here's why they're wrong
    Holograms, brands, NFTs, and a 1,000-consumer survey

    Opinion Consulting giant McKinsey & Company has been playing a round of MythBusters: Metaverse Edition.

    Though its origins lie in the 1992 sci-fi novel Snow Crash, the metaverse has been heavily talked about in business circles as if it's a real thing over the last year or so, peaking with Facebook's Earth-shattering rebrand to Meta in October 2021.

    The metaverse, in all but name, is already here and has been for some time in the realm of online video games. However, Meta CEO Mark Zuckerberg's vision of it is not.

    Continue reading
  • Cisco warns of security holes in its security appliances
    Bugs potentially useful for rogue insiders, admin account hijackers

    Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

    The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

    This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

    Continue reading
  • International operation takes down Russian RSOCKS botnet
    $200 a day buys you 90,000 victims

    A Russian operated botnet known as RSOCKS has been shut down by the US Department of Justice acting with law enforcement partners in Germany, the Netherlands and the UK. It is believed to have compromised millions of computers and other devices around the globe.

    The RSOCKS botnet functioned as an IP proxy service, but instead of offering legitimate IP addresses leased from internet service providers, it was providing criminals with access to the IP addresses of devices that had been compromised by malware, according to a statement from the US Attorney’s Office in the Southern District of California.

    It seems that RSOCKS initially targeted a variety of Internet of Things (IoT) devices, such as industrial control systems, routers, audio/video streaming devices and various internet connected appliances, before expanding into other endpoints such as Android devices and computer systems.

    Continue reading
  • Inside the RSAC expo: Buzzword bingo and the bear in the room
    We mingle with the vendors so you don't have to

    RSA Conference Your humble vulture never liked conference expos – even before finding myself on the show floor during a global pandemic. Expo halls are a necessary evil that are predominatly visited to find gifts to bring home to the kids. 

    Do organizations really choose security vendors based on a booth? The whole expo hall idea seems like an outdated business model – for the vendors, anyway. Although the same argument could be made for conferences in general.

    For the most part, all of the executives and security researchers set up shop offsite – either in swanky hotels and shared office space (for the big-wigs) or at charming outdoor chess tables in Yerba Buena Gardens. Many of them said they avoided the expo altogether.

    Continue reading

Biting the hand that feeds IT © 1998–2022