Robin's Newsletter #100

17 May 2020. Volume 3, Issue 20
Pricing cyber risk from external data, attack on 'UK electricity system' and mining cryptocurrency with supercomputers

This week

Assessing cyber risk from external information

An interesting post on the LawFare blog on assessing cyber risk from external information. Particularly the idea of hedging cyber risk and market pricing.

In a similar vein, there is an interesting data set (vol. 1, iss. 13; vol. 3, iss. 2) that analyses the relative market performance of public companies that suffered a data breach.

The headline is that share prices fall an average of 7.27% and underperform markets by -4.18%. However, it was another subtle mention in that data that really caught my eye: “The companies underperformed the NASDAQ by -1.65% leading up to the breach”.

Correlation needn’t necessarily mean causation, though it is helpful enough on its own when trying to build these types of external models.

CyberHedge, the company mentioned in the LawFare post, have created an index they claim is “market-based proof that cyber governance impacts shareholder value”. Or more simply, that good cyber governance makes more money for shareholders.

It’s an interesting area of research that could lead to ‘credit rating’ style labels for a business's security or privacy trustworthiness, and some interesting comments to my post on,

Interesting stats

According to a survey of 5,000 IT managers by Sophos (PDF):

  • $761,106 average cost to remediate a ransomware attack ($506k for organisations with 100-1k employees; $981K for 1k-5k employees)
  • $1.448M (~2X) the cost to remediate when the ransom is paid
  • 27% of victims pay the ransom demands, and 94% of payments are covered by the victims' cyber insurance
  • 1/4 attacks were stopped before any data could be encrypted

Other newsy bits

Attack on ‘UK electricity system’ limited to administrative player

A participant in the UK’s electricity market is reported to have suffered a ransomware incident this week. Elexon help run the UK’s electricity market - that is, they monitor how much electricity is being generated by different providers versus what is required by the grid, and what each forecast. Based on these measurements they then send out invoices so everyone gets paid the right amounts for their contributions. They’re not involved in the actual generation, transmission or distribution of electricity. Electricity grids make for good headlines, though in this case… potential for accounting headaches… yes, power outages… not so much.

Google omits Firebase databases from its search index

Research from website Comparitech has found thousands of apps that have failed to secure access to their backend databases hosted using Google’s Firebase cloud service. Access rules need to be configured and, apparently, these can often be circumvented by adding ‘.json’ to the end of the request. It’s similar to leaving an Amazon AWS S3 bucket unprotected, like so many ‘passive’ breaches of the last couple of years. However, the thing that stuck out to me was that Google is omitting the data from their search index (where they would readily index and cache S3 data). It will show up in other search engines like Bing or DuckDuckGo.
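To make the misconfiguration concrete, here is an added example (not from the article or Comparitech's research) of Firebase Realtime Database security rules: the first rule set grants anonymous read and write to the whole database, which is what leaves it readable via unauthenticated REST requests, while the second denies by default and scopes access to the authenticated owner. The `users`/`$uid` layout is an assumed, hypothetical schema.

```json
// Added example: Firebase Realtime Database security rules (the rules editor accepts comments).
// WEAK: every path is readable and writable by anyone, including unauthenticated
// REST calls such as GET https://<your-db>.firebaseio.com/.json
{
  "rules": {
    ".read": true,
    ".write": true
  }
}

// CORRECTED: deny at the root, then grant each signed-in user access only to
// their own record under /users/<uid> ("users" is an assumed, hypothetical path).
{
  "rules": {
    ".read": false,
    ".write": false,
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid"
      }
    }
  }
}
```

Rules cascade downwards: a `".read": true` at the root cannot be tightened by a child rule, so the fix has to start at the top of the tree.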

Supercomputers across Europe hijacked to mine cryptocurrency

Earlier this week the UK’s ARCHER supercomputer was made inaccessible after administrators reported that SSH keys had been compromised on a login jump box. Then reports surfaced from Germany, Switzerland and Spain that other high-performance computers (HPCs) had suffered similar security incidents. The processing power appears to have been commandeered to mine the Monero cryptocurrency. It’s a reminder of the value some attackers see in different commodities. Your compute power, network connectivity, or storage capacity may make attractive targets in their own right.

Calm down about ThunderSpy

Some great research that’s led to the discovery of a vulnerability in Intel’s Thunderbolt interface. An attacker can prise the case open on a computer and connect to the chip directly, re-flashing it and removing security protections. It’s been given a trendy name - ThunderSpy - and picked up by the media, but as the folks on the Risky Business podcast pointed out: this is going to be far more useful to law enforcement getting access to powered-on, seized machines than it is a threat to many of us. The vulnerability does not affect Macs, either.

Analysing malware as images

Cool use of machine learning by Microsoft and Intel here: converting malware code into images for analysis. It makes it easy to identify structural patterns and similarities, apparently with over 99% accuracy. Hopefully not coming to a captcha system near you soon! Select all the images that contain ransomware ;-)

Fraudsters using NHSX contact tracing app lure to steal data

Scammers are sending ‘smishing’ (SMS phishing) messages pretending to be related to the NHSX contact tracing app, but that redirect users to spoofed websites trying to steal personal and financial information.

In brief

Attacks, incidents & breaches

  • HR system of outsourcer Interserve breached, 100,000 employee records stolen
  • ATM manufacturer Diebold Nixdorf ransomwared by ProLock; claims ‘limited to corporate IT network’; rolls out “takes the security of our systems and customer service very seriously” boilerplate
  • Norwegian state-owned investment fund, Norfund, victim of $10M business email compromise fraud
  • Inboxes of 47 New South Wales government employees ‘illegally accessed’
  • Germany points finger at Russia’s Fancy Bear group for 2015 Bundestag breach
  • Sodinokibi/REvil ransomware crew doubles demand for GSM law (vol. 3, iss. 19) to $42M

Threat intel

  • Microsoft open-sources its Coronavirus (COVID-19) threat intelligence
  • Sodinokibi (REvil) ransomware now uses Windows Restart Manager API to encrypt locked files of databases, mail servers, etc
  • Ako strain of ransomware now demands two payments: one to unlock files, second to not release copies of data
  • Mandrake Android malware has done its best to remain undetected for four years (PDF)
  • New airgap-jumping malware toolkit Ramsay may be linked to South Korean DarkHotel group, according to ESET
  • US accuses China of stealing COVID-19 vaccine research - in reality all foreign intelligence services globally will be doing the same, trying to understand who knows what, where they are sourcing reagents and PPE, and what prices they’re paying for them. Spies gonna spy!
  • ‘Top 10’ most exploited vulnerabilities in the last four years, according to DHS, FBI
  • SAP release patches to address ‘contractual gaps’ (vol. 3, iss. 19) in range of their cloud software platforms
  • Zerodium drops price offered for Safari remote code vulnerabilities to $0
  • Amendment to revised US PATRIOT Act fails, allowing the FBI and other government agencies to access Americans’ web history without probable cause or a warrant
  • Privacy International’s damning teardown of the NHSX contact tracing app hints at the real reason for UK’s centralised approach: lack of testing
  • Legal challenge over Android’s ‘opt-out of ads personalisation’ not removing unique advertising ID

Public policy

  • Calls for greater Congressional oversight of how local law enforcement are using spyware in US

Law enforcement

  • Romanian police arrest four planning ransomware attacks on hospitals in protest of lockdown measures

Mergers, acquisitions and investments

  • VMware acquires Octarine, plans to integrate Kubernetes tech into Carbon Black Cloud

And finally

The ‘confessions’ of Marcus Hutchins

Marcus Hutchins - aka MalwareTech - the security researcher from Devon best known for ‘saving the Internet’ from WannaCry tells his story to Andy Greenberg in Wired this week. Hutchins was arrested a few months after WannaCry, while visiting the US, for his part in writing the Kronos banking trojan. It’s an interesting read about the descent, recovery and reckoning of a talented computer whiz struggling to make connections with those around him.
