Robin’s Newsletter #136

24 January 2021. Volume 4, Issue 4
Malwarebytes compromised in Solorigate; German company fined for video surveillance of staff; Intel publish financial results early due to leaked info

This week

Continuing Solorigate fallout: Microsoft deep-dive into second stage implant; MalwareBytes also compromised

Microsoft takes a deep dive this week into the steps taken by the Solorigate attackers to segregate their initial access (via the compromised SolarWinds component) from the persistence they achieved using repackaged Cobalt Strike tooling.

The blog post has a timeline (see below) showing how the attack unfolded over many months. In February 2020 the SolarWinds component was altered, and it was then removed four months later in June, presumably once access to the intended targets had been achieved. Microsoft estimates that ‘hands on keyboard’ attacks against targets began during May 2020.

Timeline of Solorigate attack, by Microsoft (Source: Figure 1. Timeline of the protracted Solorigate attack, Microsoft)

Meanwhile, ArsTechnica reports that Malwarebytes was also compromised by the same group, joining FireEye, Microsoft and attempted intrusions at CrowdStrike, as the attackers tried to gain access to security companies. (Malwarebytes says it has reviewed its products and concluded they are not affected.) It’s clear this nation-state backed actor is drawn to cyber vendors in the same way that other groups and cyber-criminals are drawn to IT and network outsourcers.

Cyber security vendors often prize their proprietary threat intelligence; however, there may be only 2.5%-4.0% overlap in indicators of compromise between vendors (vol. 3, iss. 34), and their internal teams feel under-resourced, just like their customers. It’s clear that the information and access held by cyber security providers are especially attractive to the sophisticated attackers that those providers claim to track and protect against.

As is oft-recommended: collaboration and intelligence sharing are needed. The challenge ahead for the industry is how to balance commercial advantage against the greater good and the prevention of wider harm.

Interesting stats

113 U.S. state, federal and municipal organisations suffered ransomware attacks in 2020… 0% change from 2019, when there were also 113 ransomware attacks, however while… 1/60 H1 incidents involved the theft and release of data, that increased to… 23/53 in H2 incidents, according to Emsisoft

Other newsy bits

German laptop retailer fined for ‘intensive’ video surveillance

A German company has been fined €10.4 million (£9.3M; $12.5M) under GDPR for failing to provide a legal basis under which it kept staff under video surveillance. The retailer, NBB, installed CCTV in warehouses, salesrooms and other workspaces to prevent and investigate thefts. One aspect that the regulator took issue with jumped out to me: the company had not taken any preventative steps, such as random bag checks, before opting for “intensive video surveillance” that “[violates] the rights of their employees”. The continuous CCTV monitoring of behaviour was not considered warranted, and was deemed more impactful, because other, simpler, less invasive steps had not been taken first. Prevention before detection. Meanwhile, in the UK, the Labour Party has urged the ICO to review its employment practices guidance on workplace surveillance (The Register).

6,000 faces of individuals from Capitol Hill riots published using video data downloaded from Parler

A design flaw in the right-wing social media website Parler allowed all of its public messages, photos and videos to be downloaded by activists before the site was taken offline by Amazon last week. Now open-source facial recognition software has been put to work to identify 6,000 unique faces from the Capitol Hill riots, which have been published on a site called ‘Faces of the Riot’. A banner at the top of the site decries vigilantism, noting for example that some faces may belong to police officers, and encourages users to submit tips to the FBI instead. While there has been widespread condemnation of the attack on the Capitol, this shows how relatively easy it is to quickly parse and analyse significant volumes of publicly available information, which could just as easily be put to work for more unscrupulous purposes.

No, Biden’s Peloton bike probably isn’t really a security issue

In fact, as noted by The Guardian in their article, apparently Michelle Obama has one, with the camera and microphone removed. It’s probably pretty safe to assume that the bike won’t be in the Oval Office or White House Situation Room. This cyber risk is easy to manage. Perhaps more interesting is the potential insight that companies like Peloton have into the health of high profile individuals.

In brief

Attacks, incidents & breaches

  • Some laptops sent to schools by the U.K. Department for Education arrived infected with the Gamarue remote access worm, putting children, and other devices on their home networks, at risk
  • Scottish Environmental Protection Agency (SEPA) victim of Christmas Eve ransomware attack, 1.2GB of data stolen and allegedly being leaked by the Conti group
  • ShinyHunters posts details of 1.9 million accounts for free, web-based image editing software Pixlr, claims they were stolen from a company S3 bucket
  • ShinyHunters has also released extensive profile information and personal data of 2.28 million users of the MeetMindful dating site
  • Intel was forced to publish its earnings statement early after financial information was leaked from its PR website

Threat intel

  • FBI issues warning of vishing (voice phishing) where criminals call and impersonate IT teams to trick users into giving up credentials
  • FreakOut botnet targets Linux systems running unpatched apps built using the Zend PHP Framework
  • Symantec ties a fourth piece of malware, dubbed ‘Raindrop’, to the SolarWinds attackers, who used it on targets’ management systems
  • Underreported tactic of the SolarWinds attackers, SAML token manipulation, is likely to be copied by other groups in the months and years to come; FireEye has also released a tool for spotting and auditing unusual behaviour in Azure AD
  • Phishing campaign targeting energy and construction sectors discovered after it left stolen credentials on Google-indexed pages


  • Cisco SD-WAN products have multiple very high severity code injection vulnerabilities
  • DNSMasq vulnerabilities allow cache poisoning, remote code execution
  • SonicWall compromised by attackers using zero-day vulnerabilities in its own NetExtender VPN and Secure Mobile Access (SMA) products
  • New site MalVuln cataloguing vulnerabilities in malware

Security engineering

  • Microsoft Defender for Endpoint to shift to ‘full automation’ by default for containment or removal of malicious entities, starting next month
  • NCSC have published guidance on vulnerability scanning tools and services. I’d caveat that I think this is more useful for larger businesses with in-house IT teams: SMBs start by turning on (and selecting software that supports) auto-updates!


  • New York health insurance company Excellus to pay $5.1 million (£3.7M) penalty for a HIPAA-violating data breach that exposed 9 million people’s sensitive information from 2013 through mid-2015


  • ‘Strong oversight’ of third-party service providers by senior management is one part of new, tougher guidelines set out for Singapore’s financial institutions (PDF)

Law enforcement

  • Telesforo Aviles, a former employee of ADT, has pleaded guilty to adding his personal account to customers’ CCTV installs so he could spy on them (vol. 3, iss. 21)

And finally

Is it possible for a computer to get in touch with my computer in the middle of the night?

This old video clip made me chuckle. It is, of course, well out of context nowadays (computers off? modems unplugged? lines closed? data on cassettes?), though the critical thinking and risk management on display are equally applicable today. @RTO

