Robin’s Newsletter #130

13 December 2020. Volume 3, Issue 50
FireEye breached by sophisticated actor; $1TN reportedly lost to cybercrime in 2020; Zodiac killer cipher cracker after 51 years.

This week

FireEye discloses security breach

The infosec community has been abuzz this week with news that industry giant FireEye, usually the firm called in to help government departments and large organisations unpick cyber attacks, had itself been breached.

In a blogpost CEO Kevin Mandia concluded, in the present tense, that the firm is “witnessing an attack by a nation with top-tier offensive capabilities”. Microsoft and the FBI have been helping investigate the breach.

The company’s ‘red team’ (penetration testing) tools were stolen by the attackers during their intrusion, though the primary objective is believed to be information relating to the cyber security of government customer networks. (Worth remembering that doesn’t automatically equate to the U.S. government!)

Such information would be valuable to those engaged in cyber-espionage and provide a ready-made report on the strengths and weaknesses of their targets. Beyond the reconnaissance value, the privileged access that FireEye’s endpoint detection and response platform has into customer networks is itself an attractive target for attackers.

Lots of focus has been given to the theft of the FireEye tools, which the company was quick to confirm did not contain any ‘zero-day’ exploits. While the FireEye toolset presents a way to short-cut development time for offensive tooling, many of the tools were based on open-source projects, and putting them to general use would still require training operatives in how to use them.

For me, it’s hard to imagine that an advanced adversary wouldn’t relish the opportunity of camouflaging their operations with the very same tooling a defender employs, making attribution murky. FireEye has released 300 countermeasures and detection content to help identify use of the tools.

On that front, it’s also interesting that FireEye’s own products have been updated to detect these tools. On the surface an obvious and excellent choice, but it also reveals that, before the breach, the company’s detection capabilities were not benefitting from the attack tools and techniques its own red team was developing. You could buy FireEye solutions to defend your business that FireEye itself would potentially have been able to trivially defeat.

That’s not to say that shade should be cast over FireEye. They are not our collective ‘enemy’. FireEye should be commended on a rapid response. (A significant PR risk for any incident response firm.) While details on the response are extensive, we will have to wait for further details on the intrusion itself, including basics such as when it was discovered.

Interesting stats

49% of CrowdStrike’s incident response engagements originated from outside legal counsel, rather than directly from end clients, signalling a shift to conducting IR under legal privilege

$1 trillion has been lost to cybercrime in 2020, according to the Center for Strategic and International Studies, a figure that would equate to just over 1% of global gross domestic product

Other newsy bits

… this week is just …

In brief

Attacks, incidents & breaches

  • Pfizer/BioNTech vaccine data ‘unlawfully accessed’ during attack on European Medicines Agency
  • Brazilian aerospace company Embraer has files leaked following ransomware attack
  • Foxconn confirms ransomware attack and data breach at Mexican facility over Thanksgiving weekend, apparently the work of the DoppelPaymer group, which is demanding ~$34M
  • Attacker opens over 2,700 package delivery lockers across Moscow
  • Subway U.K. email marketing platform popped, used to send messages to customers leading them to TrickBot malware

Threat intel

  • Kazakhstan government mandating the installation of root certificates for a ‘cyber exercise’ that will allow agencies to intercept encrypted HTTPS communications
  • NSA warning over VMware vulnerabilities being actively exploited
  • Norwegian police attribute attack on parliament in August to Russia’s Fancy Bear group, say access resulted from a brute-force attack on an email server
  • MageCart card skimming starting to be hidden inside CSS files
  • Qbot updates its persistence mechanism: it adds itself to autorun only as the machine shuts down, then removes the entry again on boot-up, so the persistence is absent whenever the running system is inspected
  • In an unusual move, Facebook outs Vietnamese IT company CyberOne Group as a front for APT32 aka OceanLotus


  • Kubernetes vulnerability allows users with existing permissions in multi-tenant setups to intercept and alter commands for other tenants
  • Radiology devices manufactured by GE Healthcare vulnerable due to hardcoded maintenance passwords
  • Second time lucky for Cisco patching wormable remote code execution bug in Windows Jabber client

Security engineering

  • Privacy-friendly ‘Oblivious DNS-over-HTTPS’ protocol, backed by Cloudflare and Apple, introduces a proxy so that no single party sees both who is asking and which domain name they are asking for
  • Adobe Flash Player will stop working on 12th January 2021

Internet of Things

  • Patch available for QNAP network attached storage (NAS) devices to prevent remote takeover
  • Forescout to publish details of 33 vulnerabilities in open source TCP/IP stacks used in many IoT and OT devices


  • Aussie information commissioner finds Flight Centre breached the privacy of ~7,000 customers by sharing data that hadn’t been properly anonymised at a hackathon in 2017

Public policy

  • A report finds that, rather than ‘going dark,’ mobile device forensic tools are providing ready access to info on encrypted handsets, questioning law enforcement’s need for encryption backdoors
  • National Defense Authorization Act moves a step closer, acts on 4/5 of the recommendations made by the Cyberspace Solarium Commission (vol. 3, iss. 11), strengthens the Cybersecurity and Infrastructure Security Agency (CISA), creates a White House national cyber director position, amongst wide-reaching U.S. legislative changes
  • The U.K. Ministry of Defence has launched a bug bounty programme for “benign, non-destructive, proof of concepts”

Law enforcement

  • Cryptocurrency founder sentenced to five years for role in laundering funds from ransomware campaigns, faces on-going extradition requests from U.S. and Russia

Mergers, acquisitions and investments

  • NortonLifeLock to acquire Avira, boosting European customer base, for $360M
  • Industrial security outfit Dragos raises $110M in series C funding round led by customers
  • Orca Security raises $55M series B to expand go to market for cloud security platform

And finally

Final Zodiac killer cipher solved

51 years after the Zodiac killer sent the ‘340 Cipher’ to the San Francisco Chronicle, the paper has published the solution, found by a trio of cryptographers from the U.S., Australia and Belgium. The Zodiac murdered five people in the San Francisco Bay Area in the late sixties. No one has ever been charged. The plaintext does not give away any identifying information and instead taunts police and claims an ‘easy life’ in “paradice death”.

USB ports and heroin: must be Giuliani’s latest nonsense voter fraud claims

‘Cybersecurity expert’ Rudy Giuliani accused Democrats of “surreptitiously passing around USB ports as if they are vials of heroin or cocaine” in a Zoom call with Georgia legislators. He went on to suggest that prosecutors search poll workers’ homes for “evidence of USB ports”, which would be a surefire sign that they were engaged in voter fraud.
