image of breaking badness
Breaking Badness
Breaking Badness

134. OSINTillating Conversation

Coming up this week on Breaking Badness. Today we discuss: Checkmarx The Spot, The Disinformation Superhighway, and Two Truths and a Lie.

Here are a few highlights from each article we discussed:

Checkmarx The Spot

  • A number of notable software supply chain cyber incidents have been linked to ‘LofyGang,’ an attack group that has been operating for over a year, according to a new analysis by Checkmarx.
  • You know what’s not in short supply? Supply chain attacks. But we digress
  • Just to get the major players introduced, Checkmarx is a software security company out of Atlanta, Georgia 
    • In their latest research, they set out to map LofyGang’s operation and further understand their goals and impact
    • LofyGang is a cybercrime group that appears to not try to hide themselves – they have YouTube videos, hold Discord giveaways, and promote their hacking tools on their GitHub page – not exactly a subtle crowd
      • Their bread and butter is offering fake Instagram followers as-a-service to their community
        • Some of those accounts have links to malicious package profiles
      • They aim to obtain credit card information, Discord “Nitro” upgrades, and credentials to streaming services including Disney+, Minecraft accounts and others
      • Speaking of Discord, the group created their Discord server almost a year ago on October 31, 2021. It appears to be their preferred channel for communication
      • They’re very active in the underground hacking community as DyPolarLofy, leaking the aforementioned streaming credentials
      • Based on their sock puppet accounts using some keywords in Portuguese (specifically Brazilian Portuguese), Checkmarx guesses they originate from Brazil 
  • So what did Checkmarx find?
    • Back in the summer, Checkmarx found several malicious packages traced back to LofyGang
    • Using retro-hunting tools, Checkmarx was able to review the indicators of compromise (IOCs), and find more connections to other packages
    • While looking into this cybercrime group, Checkmarx created their own tools to collect open source-related information. It helps them connect the dots between historical evidence that was deleted and inspect samples that begin to paint a picture over time

The Disinformation Superhighway

  • The Federal Bureau of Investigation (FBI) warns of foreign influence operations that might spread disinformation to affect the results of this year’s midterm elections.
  • The article states that “foreign actors intensify their efforts to influence outcomes,” but where are we seeing that?
    • Social media is ground zero of this stuff and has been for several election cycles and it’s no different this time. While the advisory from the FBI and CISA mentions “publicly available and dark web media channels, online journals, messaging applications, spoofed websites, emails, [and] text messages” as some of the methods, social media is still where it’s really happening 
    • We don’t mean to downplay the significance of, for example, spoofed websites. But these disinformation campaigns are trying to reach as many individuals as possible, and overwhelmingly, the major social media platforms are the vehicles they use to do that
  • What steps should likely targets for disinformation take as we gear up for the election?
    • There is definitely an echo-chamber aspect to all of this and it is significant. For example, within Tim’s Twittersphere, which is heavily infosec-oriented, he tends not to see a lot of content that is clearly trying to push false narratives, except when it is quote-tweeted by others who are pointing out examples of this stuff
    • On the other hand, people who occupy certain social spheres, especially those who are 2020 election deniers or those who already think that there are major examples of election fraud, are more likely to receive this kind of disinformation, further reinforcing views they already held
    • So in an odd way, the “targets” here are people who are already inclined to accept the false narratives, and the objective by the foreign actors is just to stoke those flames ever more
  • What’s a citizen to do when the article urges Americans to “use trusted sources only” and those sources become compromised? 
    • There are two kinds of targeting that we could think of, and mixing the two up could make this a bit more confusing
      • From a disinformation campaign, a targeted news source could be one of the major newspapers like the New York Times or Washington Post; or it could be the websites or social media profiles of government agencies or officials
        • Targeting those outlets in this sense means creating false narratives about them, or impersonating them and then spreading false information
      • The other kind of targeting would be actually hacking them – attempting to disrupt, deface, or otherwise compromise the actual news outlets or agencies
        • That second kind of targeting could make it a catch-22 for folks—if they want to find out what a state secretary of state has to say about voting security, and then it turns out that that secretary’s website has been pwned, then the citizen is in a tough spot
      • On the other hand, if the citizen reads a Facebook story claiming that there is incontrovertible evidence that the state election official is in fact a reptilian from Antares B, then that citizen would do well to cross-check that information against some more traditional news sources or official government agencies
  • Just so we’re clear, there’s no evidence that cyber activity actually changed the outcome of an election

Two Truths and a Lie

Introducing our newest segment on Breaking Badness. We are going to play a game you are all likely familiar with called two truths and a lie, with a fun twist. Each week, one us with come prepared with three article titles, two of which are real, and one is, you guessed it, A LIE.

You’ll have to tune in to find out!

Current Scoreboard

This Week’s Hoodie/Goodie Scale

Checkmarx The Spot

[Taylor]: 4/10 Hoodies
[Tim]: 4.5/10 Hoodies

The Disinformation Superhighway

[Taylor]: .5/10 Hoodies
[Tim]: 9/10 Hoodies

That’s about all we have for this week, you can find us on Twitter @domaintools, all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!