Robin’s Newsletter #108

12 July 2020. Volume 3, Issue 28
Hong Kong's new national security law causes headaches for citizens, tech and finance companies. Steal the cash, not the painting. Cosmic Lynx and Russian cyber-criminals' 'synergistic value accelerative opportunity'
Join hundreds of subscribers who get this first, every Sunday. Subscribe

This week

Hong Kong national security law increases security risk for region

China opened a national security office in Hong Kong as part of new legislation for the special administrative region (BBC). It changes the web dramatically for Hong Kong’s citizens and essentially brings them inside the ‘Great Firewall.’ Hong Kong police can now censor content, track citizens online and require sites to take content down.

On Monday Facebook, Twitter, Google, Microsoft, Zoom, and WhatsApp all pledged to refuse requests coming from Hong Kong authorities.

It will prove troublesome for the tech companies though as they can be fined and their employees arrested and jailed for failing to hand over data to Chinese authorities.

Wholesale Internet surveillance hasn’t been something widely reported on, with more immediate concerns focus on Hong Kong citizens, however, Hong Kong is also a major internet point of presence, with many trans-pacific, and pacific rim subsea cables landing in the region.

The law is potentially also a big headache for financial services firms based in the Asian banking hub. The security law imposed by China on Hong Kong last week, combined with expected US sanctions, could force organisations to choose between doing business with the US, or China: Hong Kong’s national security law now makes it illegal to comply with US sanctions against Hong Kong and China (FT).

The results are part of a macro-trend of ‘Internet Balkanisation’ as the world plays catch-up, and applies historical norms, to the rapid technological developments brought by the Internet.

For organisations doing business in, or with, Hong Kong entities it’s likely that cyber risk is increasing as the opportunity and frequency of security events increases.,,,,

Interesting stats

£12 average price for user credentials, £56 average (up to £395 for ‘quality’) price for bank account credentials, £2,487 average price for domain admin account credentials (£395-£95,000(!)), according to research by Digital Shadows

51% rise globally in the use of ‘stalkerware’ apps since lockdown, 83% rise in the UK, according to Avast (Google announced it ill ban ads for spyware and stalkerware from August

Other newsy bits

Art heists: hack the money, leave the painting

The write-up of a £3 million ‘business email compromise’ (BEC) scam against a museum in the Netherlands is really accessible. Lawyers, solicitors and conveyancers are being targeted by cybercriminals because of their access to high-value transactions. The scams involve changing the recipient’s bank details at the last minute to redirect, and make off with, the funds. As the Bloomberg story points out, this can lead to arguments over blame and property ownership where the buyer has paid the money, but to the wrong place because the seller was compromised.

Cosmic Lynx is a synergistic value accelerative opportunity: Russian gang gets in on BEC

Sticking with BEC, researchers at Agari published a report this week looking at a Russian criminal gang they have dubbed Cosmic Lynx. The cyber-criminals have allegedly targeted ‘Fortune 500’ type companies in 46 countries since mid-2019.

The group spoof the email addresses of CEOs and top management while asking the employee to work with ‘outside legal counsel’ on a merger or acquisition. The gang control the spoofed messages and those of the ‘lawyer.’

Setting this group apart is the language used: gone are dodgy spelling or grammar; in is a penchant for exuberant buzzwords. One example talks of “value accretive opportunities,” acquiring “synergistic assets” and “pounc[ing] on the economic rebound.”

Organisations can protect themselves by configuring ‘DMARC’ settings to prevent spoofing. Domain-based Message Authentication, Reporting and Conformance allows administrators to specify where legitimate emails may originate from and what to do with them (e.g. quarantine, block) if they fail checks. Agari says only 15% of the Fortune 500 have implemented such protections.

In brief

Threat intel

  • Cyber-criminals are creating apps that request OAuth permissions to access their mark’s inbox and files


  • Floors remain in EMV payment cards, allowing them to be cloned as older the ‘magstripe’ type (presumably the economics aren’t worth banks fixing them?)
  • Hard-coded creds and Internet-facing legacy Telnet servers found in ‘fibre-to-the-home’ kit manufactured and white-labelled by C-Data

Security engineering


  • It didn’t take very long for examples of pub employees potentially mis-using contact tracing data to appear @roselyddon
  • Privacy-for-profit: services emerge that unsubscribe you and keep an eye out for class-action lawsuits

Public policy

  • ‘Violating software terms of service does not violate the law:’ EFF to U.S. Supreme Court ahead of upcoming review of Computer Fraud and Abuse Act (CFAA)

Law enforcement

  • SpyCloud is selling access to breach data to police forces, allowing them to find leads, such as username + IP address connections, that would usually require a warrant
  • Nigerian scammer with 2.6M Instagram followers picked up by FBI BONUS: cyber-criminals with poor OSINT showing off their proceeds of crime @jeffstone500
  • Yevgeni Nikulin found guilty for LinkedIn and Formspring breaches

Mergers, acquisitions and investments

  • 17 companies in LORCA’s fifth cohort named

And finally

TrickBot malware accidentally warns victims that they have been infected

An update to a module in the TrickBot malware has alerted victims that they have been compromised. The new version of a password ‘grabber’ module, part of the TrickBot malware-as-a-service platform, interrupted web browsing and advised them “it is the time to start be [sic] worrying” and to contact their ‘system administrator.’ Presumably, the warning was not removed following development by the malware developers. Such misfortune!, (What is TrickBot?)


  Robin's Newsletter - Volume 3

  Hong Kong China Hong Kong national security law Cyber-espionage Surveillance Great Firewall Internet Balkanisation Art Business Email Compromise Cosmic Lynx Russia OAuth TrickBot Computer Fraud and Abuse Act (CFAA)