Robin's Newsletter #103

7 June 2020. Volume 3, Issue 23
REvil launches an auction site, while Maze and LockBit team up to pool resources and know-how. Plus inside a BEC scam and DROP DATABASE tickets.

You will, no doubt, have seen some of the horrific coverage of violence used against protesters this week that is indicative of what is suffered by many every week. You may feel detached or removed from events; however, the issues are systemic and pervasive even in a ‘modern’ field like cyber security. Whitelists/blacklists. Master/slave. The language we use is a powerful thing and it is an area where you can make a change. Use allow lists and block lists (instead of whitelists and blacklists), and primary and secondary (instead of master/slave). Be the change you want to see in the world. #BlackLivesMatter.

This week

REvil launches auction site for ransomware files

The Maze ransomware group started releasing copies of files that their ransomware had encrypted at the end of 2019. That effectively turned ransomware attacks, which previously only impacted integrity and availability, into data breaches impacting confidentiality too. Thirteen groups have now adopted the tactic, designed to put pressure on organisations to pay up.

This week the REvil (aka Sodinokibi) group took things a step further and added eBay-like auction functionality to their site on the dark web. Previously the site had hosted samples and snippets of data to allow victims to confirm the authenticity of the request. If they didn’t pay, then copies of the data were released in full for anyone to download.

Now, rather than giving the information away for free if the victim doesn’t pay, the group are monetising the data and letting people bid on it.

Listings have a start price - in the case of a Canadian agricultural firm $50,000 - and a ‘Blitz,’ or buy it now, price double the starting price. To make a bid you must deposit 10% of the starting price in an apparent move to discourage time-wasters.

Ransomware has seen a shift over the last 12 months from automated ‘worm’-like infections that self-propagate, to manual operations that make use of compromised credentials and use the organisation’s own IT administration tools to deploy the malware.

Meanwhile, the Maze group has joined forces with ‘LockBit’ and another party to form an ‘extortion cartel’ pooling resources and infrastructure. The group are quoted in BleepingComputer as saying that “this cooperation [will lead the way] to mutual beneficial outcome, for both actor groups.”

Both developments indicate how bullish cybercriminals are feeling, while many businesses are struggling with the impact of the global Coronavirus pandemic. Making sure that multi-factor authentication is enabled on external accounts, and patching remote access products, are two steps organisations can take to make themselves a more challenging target.

Interesting stats

67% of users did not change their passwords after receiving a breach notification; of those who changed it… 42% changed it to a stronger password, according to Bhagavatula et al. (PDF)

37% increase in mobile phishing attacks between the end of 2019 and the start of 2020, according to Lookout. Smartphones and mobile device management solutions (vol. 3, iss. 18) are increasingly being targeted for onward access into organisations.

The best defense is a good offense, the old adage goes… “[Homeland Security’s] NCCIC, which is supposed to be the ‘Nation’s flagship cyber defense, incident response, and operational integration center,’ gets just one dollar for every 10 that goes to military offensive and defensive operations.”

“[DoD’s] cyber operations budget is higher than the budgets for the CISA, the FBI and the Department of Justice’s National Security Division combined ($3.7 billion compared to $2.21 billion)”

59% think that cyber risk assessment is more useful than cyber maturity assessment, according to respondents of my poll on

Other newsy bits

Inside a business email compromise scam

A plea agreement in the case of a fraudster is a good read into how scammers carry out Business Email Compromise (BEC), or ‘CEO impersonation’, frauds. Details of how a construction firm and electrical appliance manufacturer Electrolux were tricked out of $500,000 also cover the ‘back office’ work of establishing bank accounts to receive funds, and attempts to cash out the proceeds of crime. Over 50% of cyber losses reported to the FBI’s Internet Crime Complaint Center in 2019 stemmed from BEC schemes (vol. 3, iss. 7). These losses are typically 33x higher than data breaches and 17x higher than ransomware. Professional service firms that advise on or process large financial transactions have been targeted in the past: a scheme last year targeted property conveyancers in Australia, and a breach this week at the Chartered Professional Accountants of Canada (CPA) could provide useful details to embellish frauds in Canada.

Cyber attacks between Israel and Iran

An attack to increase the chlorine levels in water supplies and another to disrupt a major port are cited in this report in the FT. They are the latest tit-for-tat hostilities between Israel and Iran that have been going on for over forty years. The idea of a military cyber attack can still seem far-fetched, and this stuck out for me as a reminder of how they are already a firmly established part of military and diplomatic action. Work at the United Nations continues on establishing international ‘cyber-norms’, though it is split between proposals from Russia and the U.S. Ominously, the piece quotes the head of Israel’s National Cyber Directorate as saying ‘cyber winter is coming.’

Penny for your thoughts…

Checking finances can be a daunting task, but for 8,000 customers of Australia’s Commonwealth Bank it was made worse by receiving disturbing messages in their transaction descriptions. The investigation spanned three months and found multiple low-value deposits using the 18 characters as a messaging service. Some were lighthearted jokes, whilst others were ‘clear references to domestic violence.’ It’s important to consider how platforms can be abused to cause harm when creating digital services.

In brief

Attacks, incidents & breaches

  • Public-sector office supplier Commercial Services Group (CSG) ransomwared
  • Fitness Depot suffers apparent MageCart attack, confusingly blames ISP for ‘failing to activate antivirus’
  • Another IT outsourcer hit, this time Conduent by Maze ransomware, as customers worry about onward risk to their networks

Threat intel

  • COVID-19 contact-tracer spoofing is already happening, questions asked over how tracers will identify and authenticate themselves to the public
  • ‘Stealthworker’ malware is targeting WordPress, Drupal and other content management systems to co-opt servers into botnet
  • How meta: fake ransomware decryptors are a thing, and they contain ransomware to double-lock your files
  • New ‘Tycoon’ ransomware variant uncovered by Blackberry, KPMG
  • More warnings of foreign intelligence espionage against health labs, pharmaceutical companies, this time from GCHQ
  • Iran and China targeting both Trump, Biden presidential campaigns
  • Office 365 phishing emails masquerading as corporate VPN profile update request
  • 74% increase in phishing emails reported to HMRC since January


  • Bug in Cisco’s Nexus switches can allow attacker to reroute traffic, aid Person-in-the-Middle attacks
  • $100,000 paid out by Apple for vulnerability in ‘Sign in with Apple’ feature

Security engineering

  • New open source project from Apple aims to improve recommendations from password managers by cataloguing different websites’ requirements
  • IBM release toolkit allowing access to data while keeping it encrypted (homomorphic encryption is pretty cool!)

Internet of Things

  • New ransomware campaign targets QNAP network attached storage (NAS) devices
  • £400K government grant for British companies to establish ‘kitemark’ scheme to assure Internet of Things (IoT) devices


  • $5 billion lawsuit brought against Google for tracking users while using ‘private’ mode
  • UK gov publishes contracts for tech firms access to COVID-19 data, raises concerns over commercialisation of public health data

Public policy

  • Hey, Cyber Command! Nice programme to reduce data silos and improve your cyber data! Why on Earth don’t you have a strategy for securing it?

Mergers, acquisitions and investments

  • VMware acquiring sandbox firm Lastline, plans to axe 40% of staff

And finally

Breach report email wipes IT ticket system

The logo for the popular data breach notification site Have I Been Pwned? features some SQL injection characters, as a nod to early ways in which databases are often tricked into giving up customer account details. A bug in the GLPi ticket system caused the string to be rendered and executed, wiping the contents of tickets for one company after they received a breach notification from the HIBP service. Turns out the issue had already been fixed and is another lesson in why it’s important to keep your software up to date :-)
