
Robin’s Newsletter #108

 Vol. 3  Iss. 28  12/07/2020, last updated 19/07/2020   Robin Oldham  ~5 Minutes

This week

Hong Kong national security law increases security risk for region

China opened a national security office in Hong Kong as part of new legislation for the special administrative region (BBC). It changes the web dramatically for Hong Kong’s citizens and essentially brings them inside the ‘Great Firewall.’ Hong Kong police can now censor content, track citizens online and require sites to take content down.

On Monday Facebook, Twitter, Google, Microsoft, Zoom, and WhatsApp all pledged to refuse requests coming from Hong Kong authorities.

It will prove troublesome for the tech companies though, as they can be fined, and their employees arrested and jailed, for failing to hand over data to Chinese authorities.

Wholesale Internet surveillance hasn’t been widely reported on, with the more immediate concern focused on Hong Kong’s citizens. However, Hong Kong is also a major Internet point of presence, with many trans-Pacific and Pacific-rim subsea cables landing in the region, so traffic that merely transits the territory is potentially exposed too.

The law is potentially also a big headache for financial services firms based in the Asian banking hub. The security law imposed by China on Hong Kong last week, combined with expected US sanctions, could force organisations to choose between doing business with the US, or China: Hong Kong’s national security law now makes it illegal to comply with US sanctions against Hong Kong and China (FT).

These developments are part of a macro-trend of ‘Internet Balkanisation’ as the world plays catch-up, applying historical norms of national jurisdiction to the rapid technological change brought by the Internet.

For organisations doing business in, or with, Hong Kong entities it’s likely that cyber risk is increasing as the opportunity and frequency of security events increases.

bbc.co.uk, technologyreview.com, ft.com, wired.com, techcrunch.com

Interesting stats

£12 average price for user credentials, £56 average (up to £395 for ‘quality’) price for bank account credentials, £2,487 average price for domain admin account credentials (£395-£95,000(!)), according to research by Digital Shadows theregister.com

51% rise globally in the use of ‘stalkerware’ apps since lockdown, 83% rise in the UK, according to Avast ft.com. (Google announced it will ban ads for spyware and stalkerware from August bleepingcomputer.com.)

Other newsy bits

Art heists: hack the money, leave the painting

The write-up of a £3 million ‘business email compromise’ (BEC) scam against a museum in the Netherlands is really accessible. Lawyers, solicitors and conveyancers are being targeted by cybercriminals because of their access to high-value transactions. The scams involve changing the recipient’s bank details at the last minute to redirect, and make off with, the funds. As the Bloomberg story points out, this can lead to arguments over blame and property ownership where the buyer has paid the money, but to the wrong place because the seller was compromised. bloomberg.com

Cosmic Lynx is a synergistic value accelerative opportunity: Russian gang gets in on BEC

Sticking with BEC, researchers at Agari published a report this week looking at a Russian criminal gang they have dubbed Cosmic Lynx. The cyber-criminals have allegedly targeted ‘Fortune 500’ type companies in 46 countries since mid-2019.

The group spoof the email addresses of CEOs and top management while asking the employee to work with ‘outside legal counsel’ on a merger or acquisition. The gang control the spoofed messages and those of the ‘lawyer.’

Setting this group apart is the language used: gone are dodgy spelling or grammar; in is a penchant for exuberant buzzwords. One example talks of “value accretive opportunities,” acquiring “synergistic assets” and “pounc[ing] on the economic rebound.”

Organisations can protect themselves by publishing a ‘DMARC’ policy for their domains to prevent spoofing. Domain-based Message Authentication, Reporting and Conformance builds on SPF and DKIM: it checks that the domain those mechanisms authenticate lines up with the domain in the visible From: header, and lets administrators tell receiving mail servers what to do with messages that fail (e.g. quarantine, reject). Agari says only 15% of the Fortune 500 have implemented such protections. tripwire.com
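To make the DMARC point concrete, here is an added example (mine, not code from the newsletter or from Agari) that parses a DMARC TXT record and works out what a receiver would do with a spoofed CEO email of the kind Cosmic Lynx sends. The domains, the two records and the message scenarios are constructed; `example.com` is the hypothetical victim organisation and `attacker.net` the hypothetical sending infrastructure. The organisational-domain logic is simplified to the last two labels (a real implementation uses the Public Suffix List). The weak record (`p=none`) is the common monitor-only setting, which reports spoofing but stops none of it; the strong record rejects.

```python
"""DMARC policy evaluator (added example, not from the newsletter or Agari).

DMARC ties SPF and DKIM results to the visible From: domain ("alignment")
and tells receivers what to do when neither aligned check passes.
All records and domains below are constructed for illustration.
"""

# Monitor-only: spoofs are reported to rua= but still delivered.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
# Enforcing: strict alignment, subdomains covered, 100% of mail sampled.
STRONG_RECORD = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                 "pct=100; rua=mailto:dmarc@example.com")


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict, filling RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= tag")
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to p=
    tags.setdefault("adkim", "r")      # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")       # relaxed SPF alignment by default
    tags.setdefault("pct", "100")      # apply policy to all failing mail
    return tags


def org_domain(domain):
    """Organisational domain. Simplified: last two labels, no Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') needs the same org domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate(record_txt, from_domain, spf_result, spf_domain,
             dkim_result, dkim_domain, sample=100):
    """Return ('pass', 'none') or ('fail', disposition).

    spf_domain is the envelope (RFC5321.MailFrom) domain SPF was checked on;
    dkim_domain is the d= of a verified signature. `sample` (1-100) stands in
    for the receiver's random draw against the pct= tag. The record is assumed
    to have been published at the organisational domain of from_domain.
    """
    rec = parse_dmarc(record_txt)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, rec["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, rec["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "none")
    # sp= applies when the From: domain is a subdomain of the policy domain.
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    disposition = rec["sp"] if is_subdomain else rec["p"]
    # Messages outside the pct= sample get the next weaker action.
    if sample > int(rec["pct"]):
        disposition = {"reject": "quarantine", "quarantine": "none", "none": "none"}[disposition]
    return ("fail", disposition)


if __name__ == "__main__":
    # Spoofed CEO mail: attacker's own domain passes SPF but is not aligned, no DKIM.
    spoof = ("example.com", "pass", "attacker.net", "none", "")
    print("p=none   :", evaluate(WEAK_RECORD, *spoof))     # ('fail', 'none')   -> delivered
    print("p=reject :", evaluate(STRONG_RECORD, *spoof))   # ('fail', 'reject') -> dropped
    # Legitimate mail from the company's own servers.
    legit = ("example.com", "pass", "example.com", "pass", "example.com")
    print("legit    :", evaluate(STRONG_RECORD, *legit))   # ('pass', 'none')
```

The two `spoof` results are the whole argument: with `p=none` the forged message reaches the finance employee and only a report goes to the `rua=` mailbox, whereas `p=reject` has the receiver discard it. Moving from monitor-only to enforcement is what counts as “implemented” here, and it needs SPF and DKIM to actually be in place for every legitimate sender (including third-party mailers), otherwise real mail is rejected along with the spoofs.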

In brief

Threat intel

  • Cyber-criminals are creating apps that request OAuth permissions to access their mark’s inbox and files arstechnica.com
  • Flaws remain in EMV payment cards, allowing them to be cloned in the same way as older ‘magstripe’ cards (presumably the economics don’t make it worth banks fixing them?) zdnet.com
  • Hard-coded creds and Internet-facing legacy Telnet servers found in ‘fibre-to-the-home’ kit manufactured and white-labelled by C-Data zdnet.com

Security engineering

  • It didn’t take very long for examples of pub employees potentially mis-using contact tracing data to appear @roselyddon
  • Privacy-for-profit: services emerge that unsubscribe you and keep an eye out for class-action lawsuits wired.com

Public policy

  • ‘Violating software terms of service does not violate the law:’ EFF to U.S. Supreme Court ahead of upcoming review of Computer Fraud and Abuse Act (CFAA) eff.org

Law enforcement

  • SpyCloud is selling access to breach data to police forces, allowing them to find leads, such as username + IP address connections, that would usually require a warrant vice.com
  • Nigerian scammer with 2.6M Instagram followers picked up by FBI arstechnica.com BONUS: cyber-criminals with poor OSINT showing off their proceeds of crime @jeffstone500
  • Yevgeni Nikulin found guilty over the LinkedIn and Formspring breaches cyberscoop.com

Mergers, acquisitions and investments

  • 17 companies in LORCA’s fifth cohort named lorca.co.uk

And finally

TrickBot malware accidentally warns victims that they have been infected

An update to a module in the TrickBot malware has alerted victims that they have been compromised. The new version of a password ‘grabber’ module, part of the TrickBot malware-as-a-service platform, interrupted web browsing and advised them “it is the time to start be [sic] worrying” and to contact their ‘system administrator.’ Presumably the malware developers left a development-time test message in by mistake. Such misfortune! bleepingcomputer.com, f-secure.com (What is TrickBot?)