Robin’s Newsletter #115

30 August 2020. Volume 3, Issue 35
Attempted $1M bribe of Tesla employee in ransomware campaign. NZX trading suspended for four days due to DDOS. Supply and demand in security budgets.

This week

Ransomware gang allegedly offered $1M to employee to install malware

Increasingly ‘professional’ operations are targeting Remote Desktop and VPN servers with weak or compromised passwords to gain access to the networks of large organisations. They are also, more and more often, taking copies of the data they encrypt and demanding two ransoms: one to unlock computer systems, the other to not leak the data they have stolen.

The advice continues to be ‘not to pay’ and that capitulating to demands does not guarantee the return of your systems or data. However, over a quarter of organisations pay some amount (vol. 3, iss. 20), despite it doubling response costs, with insurance policies footing the bill.

Ransomware is big business. One group is estimated by McAfee to be making an average of $5 million per month (vol. 3, iss. 32).

With those sorts of resources at their disposal, in hindsight, it should not come as a surprise that some actors may be trying ‘sneakernet’ approaches to getting their malware into organisations.

That’s allegedly what led to the recent arrest of a Russian national who was trying to convince a Tesla employee to install malware on the company’s network, bypassing the need to compromise the network defences, in return for $1 million.

The unsealed court documents indicate that the defendant, Egor Kriuchkov, claimed to have been organising these ‘special projects’ for ‘years’ and that in one case the victim paid ransom demands of over $4 million.

Fortunately for Tesla, the employee demonstrated substantial integrity, refusing the offer and co-operating with the FBI to gather evidence and catch the perpetrator.

It’s an interesting, headline-catching story and something I doubt is considered in many organisations’ threat models. Especially where organisations have staff in areas of the world with lower wages, it may require less than you think to buy access or insider information. When researching the future of cyber threats to financial services at BAE Systems we found offers on dark web forums to modify account details for as little as $3,000.

October is cyber security awareness month. You may want to consider how you’re going to focus on a culture where employees turn down $1M bribes to protect your business! ;-)

Interesting stats

39% of businesses have dismissed an employee for a cyber security policy breach since the COVID-19 lockdown began, according to a poll of 200 UK business decision-makers conducted for Centrify

15 percentage point increase (2019: 30%; 2020: 45%) in the ‘neutral middle ground’ of trust and confidence in organisations that hold personal information, while 46% of people rank custodial sentences in the ‘top 3’ things that would increase their trust and confidence in how companies use their personal information (after bans on sharing without permission and legal breach notification requirements), according to a survey of 2,150 adults representative of the UK’s population for the ICO (PDF)

1/4 of the top 10,000 websites use ‘browser fingerprinting’ scripts to identify and track users

Other newsy bits

New Zealand’s stock exchange offline for four days

New Zealand’s stock exchange was prevented from trading for four days this week by a repeated distributed denial of service (DDOS) attack. The attackers, who demanded a ransom in bitcoin to prevent further disruption, targeted the market disclosures platform rather than core trading systems. However, without the ability to distribute market and company information, trading was suspended so that buyers and sellers were not disadvantaged. Such attacks are not new, and often target businesses during time-critical moments, such as gambling sites during high-profile sporting events. The Government Communications Security Bureau (GCSB) intelligence agency has been tasked with helping to prevent further disruption from the attacks, which originate ‘offshore’.

2.4 Million reasons to check your ‘JML’ process

Cisco’s joiners-movers-leavers process left an ex-employee’s account active over five months after he left the company. Sudhish Ramesh has taken a plea agreement for the $2.4 million in costs incurred by Cisco following his decision to log back in and delete 456 virtual machines, disrupting 16,000 Webex Teams accounts for two weeks, back in 2018. The $2.4 million was split between additional employee time rectifying the damage ($1.4M) and refunds to affected customers ($1M). Regularly checking that staff have the correct privileges (the ‘least privilege’ principle) and disabling accounts when people leave the company are hygiene measures that organisations can take, and that regularly get forgotten.
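The two hygiene checks described above (disable leavers’ accounts promptly, review who still holds privileges) are the kind of thing that can be automated as a scheduled reconciliation between HR’s leaver list and an identity-provider export. The script below is an added example, not Cisco’s process or code from this newsletter; the account records, leave dates and role names are constructed for illustration, and the ‘grace’ and ‘dormant’ thresholds are assumptions you would tune to your own policy.

```python
"""Joiners-movers-leavers hygiene check (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    user: str
    enabled: bool
    last_login: Optional[date]
    roles: Tuple[str, ...] = ()


# Constructed data: HR's record of leave dates and an identity-provider export
# taken on TODAY. None of these are real people or real accounts.
TODAY = date(2020, 8, 30)
LEAVERS: Dict[str, date] = {"alice": date(2020, 3, 15), "dave": date(2020, 7, 1)}
ACCOUNTS: List[Account] = [
    Account("alice", True, date(2020, 8, 20), ("vm-admin",)),  # left in March, still enabled, logged in since
    Account("bob", True, date(2020, 4, 1)),                     # current staff, no login for months
    Account("carol", True, date(2020, 8, 28), ("helpdesk",)),   # healthy
    Account("dave", False, date(2020, 6, 30)),                  # left and correctly disabled
    Account("erin", True, date(2020, 8, 29), ("db-admin",)),    # current staff holding a privileged role
]


def find_hygiene_issues(accounts: List[Account], leavers: Dict[str, date], today: date,
                        grace_days: int = 1, dormant_days: int = 90) -> List[Tuple[str, str]]:
    """Return (user, issue) pairs in the order the accounts were supplied.

    grace_days: how long after the HR leave date an account may remain enabled
    dormant_days: how long without a login before a live account needs review
    (both are assumed policy values, not from the newsletter).
    """
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        leave_date = leavers.get(acct.user)
        if leave_date is not None:
            # Leaver: the account must be disabled promptly. A login after the leave
            # date is an incident to investigate, not merely a hygiene miss.
            if acct.enabled and (today - leave_date).days > grace_days:
                findings.append((acct.user, "leaver-still-enabled"))
            if acct.last_login is not None and acct.last_login > leave_date:
                findings.append((acct.user, "login-after-leaving"))
            continue
        # Current staff: flag dormant accounts, and privileged roles for a
        # least-privilege review by the account's manager.
        if acct.enabled and (acct.last_login is None
                             or (today - acct.last_login).days > dormant_days):
            findings.append((acct.user, "dormant"))
        if acct.enabled and any(role.endswith("admin") for role in acct.roles):
            findings.append((acct.user, "privileged-review"))
    return findings


if __name__ == "__main__":
    for user, issue in find_hygiene_issues(ACCOUNTS, LEAVERS, TODAY):
        print(f"{user:<8} {issue}")
```

In practice the two inputs come from an HR system export and the identity provider (or each directory and SaaS admin console that holds its own accounts), and the ‘login-after-leaving’ finding is the one worth routing to the incident response queue rather than to a monthly access review.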

Applying supply and demand to security budgets

An interesting read from Phil Venables on applying supply and demand principles to security budgeting. It’s a neat way of approaching the discussions that cyber security managers and CISOs have when negotiating the funding of programmes, and of framing requests (and trade-offs!). I especially liked the thinking around ‘accumulated liabilities’ (aka security debt) and the need to pay that down at some point. It rings true with a number of clients I have worked with on reducing their security, and tech, debt to improve their cyber risk posture.

In brief

Attacks, incidents & breaches

  • Southern Water customer portal allowed access to other customers’ data by changing URL parameters
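The Southern Water issue is the classic insecure direct object reference: the portal trusted the record identifier in the URL and never checked that the logged-in user owned that record. The snippet below is an added example, not Southern Water’s code or code from this newsletter; it shows the vulnerable lookup beside a hardened one that ties the record to the session user, returns the same ‘not found’ response for missing and forbidden records, and writes denied requests to an audit list so that a session enumerating many identifiers stands out. The customer records, URLs and the alert threshold are constructed.

```python
"""IDOR on a URL parameter: vulnerable vs hardened handler (added example)."""
from collections import Counter
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed customer store: id -> record. The owner is the portal login that
# is entitled to read the record.
CUSTOMERS: Dict[int, Dict[str, str]] = {
    1001: {"owner": "alice", "address": "1 Example Street"},
    1002: {"owner": "bob", "address": "2 Example Street"},
}

Response = Tuple[int, Optional[Dict[str, str]]]


def customer_id_from(url: str) -> Optional[int]:
    """Pull ?customer=<id> out of a request URL; None if absent or not an integer."""
    raw = parse_qs(urlparse(url).query).get("customer", [""])[0]
    try:
        return int(raw)
    except ValueError:
        return None


def handle_vulnerable(session_user: str, url: str) -> Response:
    """Looks the record up by the URL parameter alone: any logged-in user can
    read any customer's data simply by changing the number."""
    record = CUSTOMERS.get(customer_id_from(url))
    return (200, record) if record is not None else (404, None)


def handle_hardened(session_user: str, url: str, audit: List[Tuple[str, Optional[int]]]) -> Response:
    """Authorises the lookup against the session user. Missing and forbidden
    records get the identical 404 so the response does not reveal which ids
    exist; every denial is recorded with the requesting user for detection."""
    cid = customer_id_from(url)
    record = CUSTOMERS.get(cid)
    if record is None or record["owner"] != session_user:
        audit.append((session_user, cid))
        return (404, None)
    return (200, record)


def suspicious_sessions(audit: List[Tuple[str, Optional[int]]], threshold: int = 3) -> List[str]:
    """Users whose denied-lookup count reaches the (assumed) threshold: a normal
    customer asks for their own record, an enumerating one asks for many."""
    counts = Counter(user for user, _ in audit)
    return sorted(user for user, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    log: List[Tuple[str, Optional[int]]] = []
    print("vulnerable:", handle_vulnerable("alice", "/account?customer=1002"))
    print("hardened:  ", handle_hardened("alice", "/account?customer=1002", log))
    for cid in range(1003, 1006):
        handle_hardened("mallory", f"/account?customer={cid}", log)
    print("suspicious:", suspicious_sessions(log))
```

The ownership check belongs in the data-access layer rather than in each URL handler, so that a new endpoint cannot forget it; a per-user rate of 404s on object lookups is a cheap detection signal to wire into existing web logs even before the fix ships.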

Threat intel

  • Conti (aka Ryuk) ransomware operation becomes latest to move to ‘leak site’ model of stealing data before ransoming victims
  • RDP servers remain the primary mechanism by which ransomware gangs gain access to organisations
  • New peer-to-peer botnet, dubbed ‘FritzFrog’ by researchers, targets servers with weak SSH passwords
  • Crypto-mining worm now also steals AWS credentials (potentially to infect and use these resources at a later date)
  • ‘Hackers-for-hire’ deployed Autodesk malware in corporate espionage campaign against real estate developer bidding on billion-dollar projects. Large financial value transactions will likely raise the cyber risk profile of an organisation for this type of targeted espionage or IP theft


  • Vulnerability in Visa’s EMV standard allows researchers to bypass need for PIN during transactions
  • Another remote-code execution vulnerability in Pulse Secure VPN server (patch now!)
  • Bug in iOS web share API allows for attachment of local files to mail messages

Security engineering

  • US military study finds ‘breadth-first’ fuzzing of lots of software packages, to identify where to focus deeper technical analysis, more efficient than ‘depth-first’ efforts in which teams comprehensively review one package before moving on to the next


  • Court document shows Google’s engineers don’t understand their own privacy controls
  • Protest app Bridgefy, which uses peer-to-peer networks to allow messaging while mobile networks are down, is a ‘privacy disaster’ and potentially exposes protestors

Law enforcement

  • US Department of Justice is seeking control of 280 cryptocurrency wallets it says contain proceeds of cyber-attacks conducted by North Korea’s Lazarus group. F-Secure have technical details of a campaign they tie to Lazarus that targeted cryptocurrency exchanges (PDF)

Mergers, acquisitions and investments

  • Palo Alto acquires digital forensics and incident response firm The Crypsis Group for $265M to bolster breach response services with 150 consultants handling 1,300 incidents/year
  • Fastly to acquire app security outfit Signal Sciences for $775M
  • Berbix raise $9M for online identity verification service

And finally

Profile of an ‘identity theft kingpin’

Brian Krebs has an interesting, two-part read on Hieu Minh Ngo, who has recently been deported to Vietnam after serving seven years in prison for identity theft. Ngo’s activities were earning him over $125,000 a month before he was arrested. Sometimes he compromised organisations, other times he fraudulently gained access to credit agencies. part 1, part 2

