
Robin’s Newsletter #137

Law enforcement's Emotet takedown and NetWalker leak site seized. Got root? Sudo vuln will get you there. North Korea goes after security researchers for 0-day.

 Vol. 4  Iss. 5  31/01/2021, last updated 01/02/2021   Robin Oldham  ~7 Minutes


First up, a heads up for UK readers: there is an active phishing campaign pretending to be from the NHS and asking you to ‘accept or decline’ your invitation to receive a vaccination. The email links to a website that steals personal information. Please keep an eye out, and check in on elderly friends, relatives and neighbours to make sure they are not unwittingly falling for it. Example screenshots here

The NHS will never ask you for your bank or payment card details (the COVID-19 vaccine is free of charge on the NHS). Nor do you need to provide copies of your passport, driving licence, bills or payslips. More info on the official NHS website: nhs.uk

This week

The ‘distracted boyfriend’ meme, where a man in a blue shirt, labelled “Infosec” is distracted by a woman in a red dress labelled “Gamestop” while his partner scowls at him, labelled “sudo, emotet, Netwalker, DPRK”

Try and stop refreshing the Gamestop stock price for a moment!

Law enforcement takes down notorious Emotet botnet

“We are very satisfied,” Fernando Ruiz, head of operations at Europol’s European Cybercrime Centre (EC3), told ZDNet. He’s right to feel chuffed. Operation Ladybird is the culmination of a two-year investigation involving European police forces, the U.S. FBI and the U.K. National Crime Agency, and has resulted in law enforcement taking control of the infrastructure running the Emotet botnet.

The Emotet malware started life in mid-2014 as a banking trojan that infects victims’ computers and then waits to capture their online banking details. Over the following six-and-a-half years it evolved into a ‘dropper’ - malware used to infect devices and then ‘drop’ other strains of malicious software - used by cybercriminals to mount further attacks against individuals and companies alike.

Cybercrime and botnets can seem nebulous. To put this operation into context: Europol estimates that Emotet is involved in 30% of malware attacks. Ukrainian police, also involved in the operation, put the damages from Emotet activity at $2.5 billion (they also posted a video of their raid on YouTube, see below). Cyberspace is a safer place than it was last week.

Operation Ladybird involved identifying and gaining access to every ‘command and control’ (C2) server the malware uses to receive its instructions. Dutch police said two of the three primary servers were located in the Netherlands, while seventeen servers were seized in Germany.

After seizing all of the C2 servers simultaneously, law enforcement used them to push an update to infected machines that stops them communicating with the botnet and will uninstall the malware on 25th April, essentially rendering the infections inert.

This gives security teams a short window in which to identify any infected machines on their networks. Bear in mind that the law enforcement update only deals with Emotet itself: because Emotet is a dropper, those machines may also have been infected with other malware that will need to be found and removed separately.

Operation Ladybird was a joint operation between the Dutch National Police, Germany’s Federal Criminal Police, France’s National Police, the Lithuanian Criminal Police Bureau, the Royal Canadian Mounted Police, the US Federal Bureau of Investigation, the UK’s National Crime Agency, and the National Police of Ukraine.

bbc.co.uk, theregister.com, wired.com, youtube.com

Interesting stats

30% of Solorigate victims didn’t run SolarWinds software: password spraying and privilege escalation techniques were used against them instead arstechnica.com

25 bitcoin addresses received over… 46% of all Bitcoin payments made to accounts associated with ransomware gangs, pointing to fewer culprits than you might expect cyberscoop.com, chainalysis.com

$2.275M settlement by Citrix with employees over its May 2019 data breach. There are, however, 24,300 claimants in the class action, which equates to… $93.62 per claimant, which can be put towards identity protection services or damages of up to $15,000 zdnet.com

8,000,000,000,000 (8 trillion) signals ingested by Microsoft’s security services every 24 hours, as Redmond’s cyber revenues surpassed $10 billion in the last 12 months (a 40% year-on-year growth) microsoft.com

Other newsy bits

NetWalker leak site seized

Sticking with law enforcement action… This week U.S. and Bulgarian authorities took action against the NetWalker ransomware group, seizing the associated ‘leak site’ (used to dump stolen data and pressure victims into paying). NetWalker operates an as-a-service model in which ‘affiliates’ focus on finding and infecting victims while the operator maintains the malware and runs the platforms used to interact with victims and take payments. Blockchain monitoring company Chainalysis has traced over $46 million in cryptocurrency transactions to the NetWalker group since August 2019. krebsonsecurity.com, bleepingcomputer.com

Decade-old vulnerability in Linux ‘sudo’ app

Details of a heap-based buffer overflow in sudo, the system utility used on practically every Linux distribution to grant normal users temporary administrator privileges, were published this week. The bug, introduced in July 2011, lies in the way sudo handles command-line arguments when invoked as sudoedit with the -s or -i option, and means that any local user, whether or not they are listed in the sudoers file, can elevate their privileges and run commands as root. The issue is tracked as CVE-2021-3156 and is fixed in sudo version 1.9.5p2; the affected releases are 1.8.2 through 1.9.5p1, but note that distributions backport fixes without changing the upstream version number, so check your vendor’s advisory rather than relying on the version string alone. theregister.com, bleepingcomputer.com
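As an added example (not from the newsletter and not the sudo project’s own code), here is a POSIX shell script that performs the two checks a practitioner would want at this point: comparing a sudo version string against the affected range 1.8.2 to 1.9.5p1, and classifying the output of the `sudoedit -s /` probe that was published alongside the fix. The function names, the script name and the sample version strings are my own; the version boundaries and the probe’s two responses are those from the published advisory.

```shell
#!/bin/sh
# check_sudo.sh (added example, not from the newsletter or the sudo project)
# Two checks for CVE-2021-3156:
#  1. sudo_version_affected: is an upstream sudo version inside the affected
#     range, 1.8.2 (the July 2011 release that introduced the bug) up to but
#     excluding 1.9.5p2 (the fix)? Fine for triaging an inventory, but
#     distributions backport fixes without bumping the upstream version, so a
#     hit here is only a candidate.
#  2. sudoedit_probe_verdict: classifies what "sudoedit -s /" printed. A
#     vulnerable build reaches the broken argument handling and complains that
#     / is not a regular file; a patched build rejects -s in edit mode and
#     prints its usage text. No root needed; the probe never escalates.

# Turn "1.8.31p2", "1.9.5" or "1.8.31-1ubuntu1.2" into one sortable integer:
# major*10^7 + minor*10^5 + patch*100 + p-level.
sudo_version_key() {
    ver=${1%%-*}             # drop a distribution suffix: "1.8.31-1ubuntu1.2" -> "1.8.31"
    base=${ver%%p*}          # "1.8.31p2" -> "1.8.31"
    plevel=${ver#"$base"}    # -> "p2" or ""
    plevel=${plevel#p}       # -> "2" or ""
    [ -n "$plevel" ] || plevel=0
    major=${base%%.*}        # "1"
    rest=${base#*.}          # "8.31"
    minor=${rest%%.*}        # "8"
    patch=${rest#*.}         # "31"
    [ "$patch" != "$rest" ] || patch=0   # "1.9" has no patch component
    echo $(( major * 10000000 + minor * 100000 + patch * 100 + plevel ))
}

# Exit 0 (true) when the version lies in [1.8.2, 1.9.5p2).
sudo_version_affected() {
    key=$(sudo_version_key "$1")
    [ "$key" -ge "$(sudo_version_key 1.8.2)" ] && [ "$key" -lt "$(sudo_version_key 1.9.5p2)" ]
}

# Map the output of "sudoedit -s /" to a verdict.
sudoedit_probe_verdict() {
    case $1 in
        sudoedit:*"not a regular file"*) echo vulnerable ;;
        usage:*)                         echo patched ;;
        *)                               echo unknown ;;
    esac
}

# Run both checks against the local host. Only invoked with --check, so that
# sourcing this file for its functions has no side effects.
check_local_sudo() {
    if command -v sudo >/dev/null 2>&1; then
        # first line of "sudo --version" is "Sudo version X.Y.Zpn"
        ver=$(sudo --version 2>/dev/null | sed -n '1s/^Sudo version //p')
        if [ -z "$ver" ]; then
            echo "could not parse sudo --version"
        elif sudo_version_affected "$ver"; then
            echo "sudo $ver: version in affected range (confirm with the probe; distros backport fixes)"
        else
            echo "sudo $ver: version outside affected range"
        fi
    fi
    if command -v sudoedit >/dev/null 2>&1; then
        out=$(sudoedit -s / 2>&1 </dev/null) || true
        echo "sudoedit -s / probe: $(sudoedit_probe_verdict "$out")"
    else
        echo "sudoedit not installed"
    fi
}

case ${1:-} in
    --check) check_local_sudo ;;
esac
```

Run it as `sh check_sudo.sh --check` on the host you want to assess. Treat the probe as the authoritative answer and the version comparison as a hint: an Ubuntu or Red Hat build reporting 1.8.31 or 1.8.29 may well be patched, and a build that prints its usage text for `sudoedit -s /` is not vulnerable regardless of what the version string says.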

North Korea targeting security researchers (is broadly nothing new)

Security researchers are being targeted by suspected DPRK operatives inviting them to ‘collaborate on vulnerability research’. The notorious nation-state has been using fake social media accounts and a fake research blog as a way of conducting vulnerability research on the cheap. The blog website also served malware as a way of gaining access to researchers’ devices. The story has had quite a lot of pick up and ‘be careful’ posts within infosec circles, though this isn’t really anything new: FIN7 and other cybercrime groups are reported to have commissioned ‘penetration tests’ of their victims as a way of scaling their operations. So do be careful, but do so because you realise that you are not invulnerable to manipulation. blog.google, vice.com, theregister.com

Intel ‘hacked’ earnings were on guessable URL

Intel has confirmed that the ‘hacked’ earnings, which forced early publication of its financial results (vol. 4, iss. 4), were the result of someone guessing the URL of the files on its website. While the files had not been linked from the publicly visible website, they had been uploaded (‘staged’) to the web server ahead of the announcement, and the file name followed the same format each quarter (e.g. “financial_report_2021_Q1/Q2/Q3/etc”), so the next one was trivially predictable. An unlinked URL on a public web server is not access control: if something must not be public yet, it should not be on the public server at all. It’s a pretty rookie error, but props for coming clean on how it happened. ft.com

In brief

Attacks, incidents & breaches

  • Australian financial regulator’s file transfer server breached bleepingcomputer.com
  • Tesla employee transferred ‘thousands’ of company files to a personal Dropbox within three days of starting employment zdnet.com
  • Two Dutch contact tracers arrested for selling Dutch COVID-19 patient data online after posting screenshots of the data on social media zdnet.com

Threat intel

  • Mimecast, Palo Alto Networks, Qualys and Fidelis have all confirmed that they were targeted, alongside SolarWinds, by the group behind the supply chain attack against prominent U.S. federal and state agencies zdnet.com
  • DreamBus targets enterprise Linux servers to add to crypto-currency mining botnet zscaler.com
  • New phishing toolkit LogoKit builds phishing pages in real-time riskiq.com

Vulnerabilities

  • Apple releases iOS 14.4, addresses three ‘actively exploited’ vulnerabilities (patch now!) techcrunch.com

Privacy

  • Norwegian data protection regulator proposes €10M (£8.6M; $12M) fine for Grindr after ‘improper sharing’ of users’ data with third parties cyberscoop.com
  • Apple and Facebook continue to spar over upcoming iOS ‘do not track’ changes coming “early in Spring” arstechnica.com

Public policy

  • Insurers ‘funding organised crime’ by paying ransomware claims - interview with Ciaran Martin theguardian.com… The Association of British Insurers (ABI) have defended cover for ransom payments bbc.co.uk

Mergers, acquisitions and investments

  • SpiderSilk - the firm behind the scanner that discovered the Clearview AI and other breaches - raises $2.25M pre-Series A round techcrunch.com

And finally

Railways and tax returns: Flash just won’t die

Adobe Flash, which went ‘end of life’ on 31st December 2020 and was officially disabled earlier this month, has cropped up in a few interesting places. Organisations built enterprise apps on the technology, notorious for its security bugs, and seemingly have not been on top of their migration plans, despite Adobe announcing the end of life back in July 2017.

The South African Revenue Service (SARS; no, not the respiratory disease) has released their own custom web browser, locked to the SARS website, for people to file their tax returns.

Meanwhile, in China, the railroad system in Dalian was affected for over 20 hours when operators couldn’t define schedules and shunting plans. Services were resumed after… checks notes a pirated version of Flash was installed at 4:30am.

H/T Doc and Rob K! zdnet.com, appledaily.com