Cybersecurity Help: The flaw (CWE-284) exists due to an IDOR issue. A threat actor could send a specially crafted request with the post ID to delete arbitrary posts.
Facebook and Instagram suspended or removed 652 accounts linked to Iran and Russia over “inauthentic behavior”
Facebook and Instagram suspended or removed 652 accounts linked to Iran and Russia over “inauthentic behavior”, the organization announced. “Today we removed multiple Pages, groups and accounts for coordinated inauthentic behavior on Facebook and Instagram – the Facebook blog reports -. Some of this activity originated in Iran, and some originated in Russia. These were distinct campaigns and we have not identified any link or coordination between them. However, they used similar tactics by creating networks of accounts to mislead others about who they were and what they were doing. There is always a tension between taking down these bad actors quickly and improving our defenses over the long term. If we remove them too early, it’s harder to understand their playbook and the extent of their network. It also limits our ability to coordinate with law enforcement, who often have investigations of their own. It’s why we’ve investigated some of these campaigns for many months and why we will continue working to find out more.”
Nathaniel Gleicher, head of cyber security policy at Facebook, explained what happened and how the investigation, still ongoing, worked
Nathaniel Gleicher, head of cyber security policy at Facebook wrote that “we’ve removed 652 Pages, groups and accounts for coordinated inauthentic behavior that originated in Iran and targeted people across multiple internet services in the Middle East, Latin America, UK and US. FireEye, a cybersecurity firm, gave us a tip in July about ‘Liberty Front Press,’ a network of Facebook Pages as well as accounts on other online services. They’ve published an initial analysis and will release a full report of their findings soon. We wanted to take this opportunity to thank them for their work. Based on FireEye’s tip, we started an investigation into ‘Liberty Front Press’ and identified additional accounts and Pages from their network. We are able to link this network to Iranian state media through publicly available website registration information, as well as the use of related IP addresses and Facebook Pages sharing the same admins.”
The first phase of the Facebook cyber security experts on Iran’s Liberty Front Press
“The first ‘Liberty Front Press’ accounts we’ve found were created in 2013. – Gleicher continued -. Some of them attempted to conceal their location, and they primarily posted political content focused on the Middle East, as well as the UK, US, and Latin America. Beginning in 2017, they increased their focus on the UK and US. Accounts and Pages linked to ‘Liberty Front Press’ typically posed as news and civil society organizations sharing information in multiple countries without revealing their true identity”. The social networks cyber security experts found 74 Pages, 70 accounts, and 3 groups on Facebook, as well as 76 accounts on Instagram. About 155,000 accounts followed at least one of these Pages, 2,300 accounts joined at least one of these groups, and more than 48,000 accounts followed at least one of these Instagram accounts. More than $6,000 in spending for ads on Facebook and Instagram, paid for in US and Australian dollars. The first ad was run in Jan 2015, and the last was run in August 2018. Some ads have been blocked since the launch of our political ads transparency tools launched.”
The second part of the probe against the fake Facebook and Instagram accounts
“The second part of our investigation found links between ‘Liberty Front Press’ and another set of accounts and Pages, the first of which was created in 2016 – the cyber security expert explained -. They typically posed as news organizations and didn’t reveal their true identity. They also engaged in traditional cybersecurity attacks, including attempts to hack people’s accounts and spread malware, which we had seen before and disrupted”. The cyber investigators found 12 Pages and 66 accounts on Facebook, as well as 9 accounts on Instagram; about 15,000 accounts followed at least one of these Pages and more than 1,100 followed at least one of these Instagram accounts. But no advertising associated with these accounts or Pages.
The last step of the anti-propaganda and misinformation investigation
“The third part of our investigation – the Facebook head of cyber security wrote – uncovered another set of accounts and Pages, the first of which was created in 2011, that largely shared content about Middle East politics in Arabic and Farsi. They also shared content about politics in the UK and US in English. We first discovered this set in August 2017 and expanded our investigation in July 2018 as we stepped up our efforts ahead of the US midterm elections”. The experts found 168 Pages and 140 accounts on Facebook, as well as 31 accounts on Instagram; about 813,000 accounts followed at least one of these Pages and more than 10,000 followed at least one of these Instagram accounts, and more than $6,000 in spending for ads on Facebook and Instagram, paid for in US dollars, Turkish lira, and Indian rupees. The first ad was run in July 2012, and the last was run in April 2018.
Finally, Facebook and Instagram removed the pages, groups and account lined to the Russian military intelligence services
Finally, “we’ve removed Pages, groups and accounts that can be linked to sources the US government has previously identified as Russian military intelligence services.” – Facebook expert concluded – “This is unrelated to the activities we found in Iran. While these are some of the same bad actors we removed for cyber security attacks before the 2016 US election, this more recent activity focused on politics in Syria and Ukraine. For example, they are associated with Inside Syria Media Center, which the Atlantic Council and other organizations have identified for covertly spreading pro-Russian and pro-Assad content. To date, we have not found activity by these accounts targeting the US”.