Threat Intel Update
Cyber threat actors carry out attacks with the goals of profiting, stealing sensitive information, or swaying public opinion. This week, we examine how one company successfully disrupted the use of generative artificial intelligence in influence operations targeting the U.S.
The U.S. government is tackling the potential risks posed by Chinese-manufactured routers and is considering legislation to mandate a vulnerability disclosure program for all federal contractors. These efforts are part of the government’s ongoing strategy to enhance internet security by addressing hardware vulnerabilities and implementing policies to identify and mitigate threats.
Cybersecurity News
- OpenAI Disables Accounts Used by Iranian Influence Actors – The OpenAI accounts were leveraged to support influence operations by generating social media comments and articles. The content was posted across various websites, masquerading as content from both conservative and progressive platforms. OpenAI also discovered an Instagram account and several accounts on X (formerly Twitter) connected to the operation. The influence campaign generated commentary on topics like the U.S. presidential election, the Israel-Gaza conflict, and other geopolitical issues. However, OpenAI noted that the posts gained minimal traction, with limited shares and engagement. CyberScoop
- Members of Congress Urge Investigation into Threat from TP-Link Devices – Two members of Congress are urging the U.S. Department of Commerce to launch an investigation into routers produced by TP-Link Technologies, a company based in China. The lawmakers expressed concern that TP-Link, like other Chinese companies, is subject to laws requiring it to provide data to the Chinese government. They also pointed out that a Chinese state-sponsored cyber group has been linked to a malware implant targeting TP-Link routers. Security Week
- New Legislation Calls for Federal Contractors to Implement Vulnerability Disclosure Policy – The proposed legislation aims to help contractors identify and address vulnerabilities in their products. It would require contractors to implement a vulnerability disclosure policy that aligns with the standards set by the National Institute of Standards and Technology. Currently, federal agencies are already mandated to have such policies in place. Under the new policy, contractors would be responsible for accepting, assessing, and managing any vulnerability reports they receive. CyberScoop
- Issue with Amazon Web Services (AWS) Application Load Balancer (ALB) Could Be Exploited to Compromise Applications – The technique, known as “ALBeast,” enables a cyber threat actor to create an ALB instance to sign a token and alter the ALB configuration by generating a forged ALB-signed token with the victim’s identity. This could allow the threat actor to gain access to a target application, bypassing its authentication and authorization processes. Amazon became aware of the issue in April 2024 and has since updated the ALB code to validate the token signer, providing mitigation steps to AWS users. The Hacker News
- Microsoft Copilot Vulnerability Can Lead to Leak of Cloud Data – Researchers discovered a vulnerability in the Copilot Studio tool, which is used for creating chatbots. Exploiting the vulnerability allows external HTTP requests, which can lead to access to Microsoft’s Instance Metadata Service (IMDS) and Cosmos DB instances. Researchers were able to use the Copilot Studio tool to make HTTP requests with redirects and server-side request forgeries to access managed identity access tokens from the IMDS. Microsoft has addressed the issue, which does not require any action from users of Copilot Studio. Dark Reading
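
For the ALBeast item above, an added example (not from the original briefing or from AWS) of the signer check an application behind an ALB can run on the token it receives in the `x-amzn-oidc-data` header. It assumes the `signer` field that AWS documents in the token's JWT header; the ARN and function names are constructed for illustration, and the ES256 signature must still be verified afterwards.

```python
import base64
import json

# Constructed placeholder ARN; substitute the ARN of your own load balancer.
EXPECTED_SIGNER = ("arn:aws:elasticloadbalancing:us-east-1:111111111111:"
                   "loadbalancer/app/example-alb/0000000000000000")

def b64_decode(segment: str) -> bytes:
    # Accept either base64 alphabet, with or without '=' padding.
    segment = segment.rstrip("=").replace("-", "+").replace("_", "/")
    return base64.b64decode(segment + "=" * (-len(segment) % 4))

def check_alb_signer(token: str, expected_signer: str = EXPECTED_SIGNER) -> dict:
    """Return the decoded JWT header if it names the expected ALB, else raise ValueError.

    Pre-check only: the signature must still be verified against the public
    key for header["kid"] before any claim in the payload is trusted.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    try:
        header = json.loads(b64_decode(parts[0]))
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        raise ValueError("undecodable JWT header") from exc
    if not isinstance(header, dict):
        raise ValueError("JWT header is not an object")
    if header.get("alg") != "ES256":
        raise ValueError("unexpected alg")
    if header.get("signer") != expected_signer:
        raise ValueError("token signed by a different load balancer")
    return header

def make_sample_token(header: dict) -> str:
    # Builds a constructed, unsigned sample token for the demonstration.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode()
    return ".".join([enc(header), enc({"sub": "constructed-user"}), "c2ln"])

if __name__ == "__main__":
    foreign = EXPECTED_SIGNER.replace("111111111111", "222222222222")
    good = make_sample_token({"alg": "ES256", "kid": "constructed-kid", "signer": EXPECTED_SIGNER})
    bad = make_sample_token({"alg": "ES256", "kid": "constructed-kid", "signer": foreign})
    print("accepted:", check_alb_signer(good)["signer"])
    try:
        check_alb_signer(bad)
    except ValueError as exc:
        print("rejected:", exc)
```

The check complements, and does not replace, restricting the application's targets so that they accept traffic only from their own load balancer.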