A flimsy influence campaign, trouble for Drizly and ransomware updates

Part of the Forbidden City complex in Beijing. zhang kaiyv

Welcome to Changelog for 10/30/22, published by Synack! It’s me, Blake, compiling this week’s top news with help from README senior editor Nathaniel Mott. Hope everyone is having an amazing Halloween weekend — I’m excited to greet some trick-or-treaters tomorrow in Washington, D.C. Extra candy for anyone dressed up as Goblin Panda.

The payload

The U.S. midterm elections are around the corner, posing another stress-test of America’s resilience to misinformation and disruptive cyberthreats.

While Russian “troll farms” and intelligence agencies have earned a reputation for being the most persistent troublemakers in U.S. elections, China has also entered the fray.

U.S. cybersecurity firm Mandiant — now a Google subsidiary — recently spotted the pro-PRC “Dragonbridge” influence campaign seeking to discourage American citizens from voting.

The campaign escalated its past attempts to “sow discord and dissatisfaction” in U.S. society, spreading videos that argue voting is a waste of time while playing up the potential for a “civil war,” Mandiant said in a blog post Wednesday.

While such findings are important to air publicly, campaigns like Dragonbridge don’t always find much purchase with U.S. audiences.

“DRAGONBRIDGE as always has lots of activity but little observed impact,” said Shane Huntley, who leads Google’s Threat Analysis Group. “We took down over 9,000 channels tied to this actor in Q3 2022, most of which had zero organic engagement.”

Even a more successful influence campaign couldn’t hold a candle to the alarming prospect of a cyberattack manipulating or disrupting the voting process. Luckily, there are no signs such a dire cyber scenario will play out on Nov. 8.

“Given the extensive safeguards in place and distributed nature of election infrastructure, the FBI and CISA continue to assess that attempts to manipulate votes at scale would be difficult to conduct undetected,” the two government agencies concluded in an alert earlier this month.

The week, compiled

The Federal Trade Commission announced last week it is taking actions against Drizly and its CEO James Cory Rellas over a data breach that exposed the email addresses, dates of birth and in some cases physical addresses of 2.5 million users of the Uber-owned alcohol delivery service in 2020.

Drizly is in hot water with regulators at the FTC.

“Drizly and Rellas were alerted to security problems two years prior to the breach yet failed to take steps to protect consumers’ data from hackers,” the FTC said, referring to a 2018 incident in which “a Drizly employee posted company cloud computing account login information” to GitHub.

The announcement — which comes shortly after former Uber CISO Joe Sullivan was convicted for covering up a 2016 data breach — suggests U.S. regulators are doubling down on efforts to hold executives more accountable for their companies’ security practices.

FTC chair Lina Khan and commissioner Alvaro Bedoya said that “today’s settlement sends a very clear message: protecting Americans’ data is not discretionary. It must be a priority for any chief executive. If anything, it only grows more important as a firm grows.”

Here are some other takeaways from the past week:

SecurityWeek: The U.S. Department of Justice revealed on Oct. 25 that it had filed charges against Ukrainian citizen Mark Sokolovsky, the alleged developer of the Raccoon Infostealer malware that was dismantled shortly after Russia invaded Ukraine. Sokolovsky is being held in the Netherlands and has appealed the Amsterdam District Court’s decision last month to extradite him to the U.S.

Sophos: A report titled “The State of Ransomware in Manufacturing and Production 2022” was published on Oct. 26 with information about how the sector faced more ransomware attacks this year, but is still a less common target than other industries, perhaps because it’s also the least likely to pay a ransom.

CyberScoop: The Cybersecurity and Infrastructure Security Agency rolled out voluntary cyber performance goals for all 16 critical infrastructure sectors aimed at helping organizations prioritize baseline security investments.

A message from Synack

There is a better way to pentest that meets compliance requirements, ensures vulnerabilities are remediated and augments existing security teams, allowing them to focus on other risk management projects. Learn how continuous pentesting achieves all that in a webinar featuring Adam Keown, global CISO of Eastman Chemical Company; David R. Hale of Brownstein Hyatt Farber Schreck LLP; and Synack co-founder and CEO Jay Kaplan. Learn more and view the webinar on-demand here.

Flash memory

Halloween conjures up silly costumes, spooky decorations and the confectionary affront to decency commonly referred to as candy corn. (I dispute The Atlantic’s claim that candy corn is something “you must respect.”)

Despite being the worst trick-or-treat haul this side of toothpaste and dental floss, candy corn doesn’t deserve to be held for ransom. The connection between Halloween and candy corn got spookier in 2021 with the revelation of a ransomware attack on the Chicago sweets maker Ferrara Candy, which is said to produce 85 percent of the nation’s candy corn. This led Gizmodo to declare that “The Candy Corn Has Been Hacked.”

Would you eat this?

Fortunately for candy corn aficionados, Ferrara said at the time that its “Halloween products are on shelves at retailers across the country ahead of the holiday” despite partially suspending operations while it investigated the ransomware attack.

Ransomware attacks, a global pandemic, good taste: is there nothing candy corn cannot survive?

Local files

GAO: The U.S. Government Accountability Office said the Department of Education and CISA could better prepare K-12 schools for the security challenges they face, including ransomware attacks, phishing attempts and other cyber-related risks. The watchdog agency issued four recommendations for DOE and CISA to implement as a result of its report.

BleepingComputer: Dutch police announced the arrest of a 19-year-old who allegedly compromised a portal called Carenzorgt, which is used by thousands of healthcare providers to manage appointments, patient communications and medical data in the Netherlands. The portal’s operator, Nedap, is still investigating the potential impact of the breach.

The Record: Australian health insurance company Medibank said on Oct. 26 that an attacker had access to “significant amounts of health claims data” and that it has “evidence that the criminal has removed some of this data and it is now likely that the criminal has stolen further personal and health claims data.” The company’s investigation is ongoing, however, so the full extent of the attack is unknown.

Off-script

Many U.S. readers may not realize it, but an American is competing in a world championship event today with a six-figure prize pool on the line.

Japanese-American chess grandmaster Hikaru Nakamura is vying against Russian prodigy Ian Nepomniachtchi for the title of Fischer Random world champion — and a $150,000 first-place prize.

What is “Fischer Random”? It’s a chess variant that scrambles the starting order of pieces on the back rank — upending centuries of chess opening theory and well-trodden lines of play from the very first move.

Tune in live here. I’ll be rooting for Hikaru!

Hikaru Nakamura squares off against classical chess world champion Magnus Carlsen in Day 1 of the Fischer Random World Championship this year. Photo: Maria Emelianova/Chess.com.

That’s all for now, folks — see you next Sunday! Send tips, feedback and pictures of your pets in cute Halloween outfits to bsobczak@synack.com or nmott@synack.com.