TikTok is rolling out in-app election centres across EU languages to curb misinformation and help users distinguish fact from fiction. The article also notes broader global misinformation trends and highlights ongoing cyber threats tied to misused cloud infrastructure, spyware, and espionage operations.
#Astaroth #Guildma #Mekotio #Ousaban #Pegasus #NSOGroup #Variston #VoltTyphoon #MMSFingerprint #GoogleCloudRun
Keypoints
- TikTok announces in-app election centres to combat misinformation in EU nations, using 27 language-specific apps.
- The misinformation issue is global and persists across platforms and countries, not just the U.S.
- Google Cloud Run is being abused in high-volume malware campaigns delivering banking trojans (Astaroth, Mekotio, Ousaban) via a shared storage bucket.
- Astaroth targets more than 300 institutions across 15 Latin American countries, with activity also observed in Europe and North America.
- Talos released ClamAV signatures and Snort rules and alerted Google to address Cloud Run abuse.
- Related security topics include Poland’s Pegasus spyware investigation, NSO Group’s MMS Fingerprint exploit, Variston’s reported shutdown, and Volt Typhoon exfiltrating OT data.
MITRE Techniques
- [T1566] Phishing – High-volume email campaigns delivering banking trojans via Google Cloud Run. ‘the volume of emails associated with these campaigns has significantly increased since September 2023’
- [T1583] Acquire Infrastructure – Use of a Google Cloud Run storage bucket to host and distribute malware campaigns (Astaroth, Mekotio, Ousaban). ‘delivered during the same timeframe from the same storage bucket within Google Cloud.’
- [T1496] Resource Hijacking – Coinminer malware distributed in the observed campaigns, as evidenced by ‘Detection Name: Win.Worm.Coinminer::1201’
- [T1041] Exfiltration – Volt Typhoon exfiltrating sensitive information on OT networks. ‘exfiltrating sensitive information on operational technology (OT) networks.’
- [T1203] Exploitation for Client Execution – MMS Fingerprint zero-click exploit enabling Pegasus device fingerprinting with no user interaction. ‘No user interaction, engagement, or message opening … to receive the device fingerprint.’
Indicators of Compromise
- [SHA256] file hashes – 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507, 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1 and 2 more hashes
- [MD5] hashes – 2915b3f8b703eb744fc54c81f4a9c67f, 36503fd339663027f5909793ea49ccbc
- [Typical Filename] VID001.exe, telivy_agent_2.3.1.exe
- [Detection Name] Win.Worm.Coinminer::1201, W32.File.MalParent
- [Detection Name] Win.Dropper.Coinminer::1201, Trojan.GenericKD.33515991
Read more: https://blog.talosintelligence.com/threat-source-newsletter-feb-22-2024/