Robin’s Newsletter #146

4 April 2021. Volume 4, Issue 14
The long-tail of ransomware recovery. PHP source code compromise. Exploiting 'safe' file formats. Risk margins and early risk management decisions.
Join hundreds of subscribers who get this first, every Sunday.

This week

Sepa, CompuCom ransomware attacks show the long tail of disruptive cyber-attacks

Interesting write-up of the impact of a ransomware attack on the Scottish Environment Protection Agency (Sepa) by BBC News. The environmental regulator was the victim of a double-extortion ransomware attack on Christmas Eve 2020. Their data was subsequently released online when they refused to pay the ransom.

“Over 70% of staff will be back online [by Easter]” according to Sepa chief exec Terry A’Hearn. That implies that 30% of staff are still not fully back online over three months later.

Freedom of information requests show that the incident has cost £790,000 so far, of which £458,000 was spent on ‘stabilising the IT platform’.

Sepa’s recovery is expected to continue through the rest of 2021.

Also this week, 8,000-employee CompuCom provided an update on its DarkSide ransomware attack from February.

The IT managed service provider expects $5M-$8M in lost revenue, with response and recovery costs expected to exceed $10 million in total.

The costs of establishing the extent of a systems breach and regaining confidence in the security of the organisation’s network can often be significant. In conducting this exercise many other issues are likely to be highlighted as well, ultimately resulting in a more secure organisation, but taking years to fully resolve.

Interesting stats

$10,000 per year paid by Chinese intelligence officials to a spy within NATO for marine secrets

1,200 double-extortion type attacks using 16 different ransomware strains conducted in 2020, with the median business targeted having revenue of £30M, according to a new report from think-tank RUSI and BAE Systems

[Image: proportional area chart showing the relative revenues of sectors targeted by ransomware gangs. Retail is the largest, followed closely by Industrial and Manufacturing. Image: FT, data: RUSI, BAE]

30 Docker Hub images downloaded 20M times contained cryptocurrency mining software earning $200,000, according to Palo Alto (Not sure if 1c per download is a good rate of return, or if Docker Hub downloads mainly go unused?)

Other newsy bits

PHP Source code compromise

Two malicious changes to the source code of PHP were made this week that would have allowed an attacker to execute commands on a server running the popular web programming language. The changelog attributed the changes to two prominent developers, though the project released a statement indicating it was the underlying git server itself that they believe was compromised. Fortunately, the commits never made it to a shipped version of the programming language. The PHP project is now managed on GitHub and all contributor accounts must have two-factor authentication enabled.

Ransomware operator refunds victims

Law enforcement crackdowns on ransomware operators appear to be working: the operator of Ziggy ransomware is refunding victims and returning payments for fear of being ‘got’ by police. Though it’s also worth remembering that the price of Bitcoin has soared recently, still offering a tidy ‘profit’ from holding those funds.

TXT files are safe, right?

Great write-up and interesting look at how ‘benign’ file formats, like plain text files, may be used to ultimately exfiltrate data from devices. In this example it’s macOS, TextEdit and automount that can be made to beacon out to the web. (The issue was fixed early in 2020.)

Risk margins

This is a great read from Andy Ellis on ‘risk margins’ and the process of making risk management decisions. I especially like the idea of committing to decisions up-front (almost analogous to pre-authorised incident response actions) that set the conditions needing to be met, rather than deciding in ‘real time’. That kind of preemptive risk decision is at odds with most risk analysis, which comes after the fact, when acceptance of the residual risk is being requested.

In brief

Attacks, incidents & breaches

  • Employees of Shell used as leverage in double-extortion ransomware attack by Clop gang as they release personal data from visa applications
  • Harris Foundation, that runs 50 schools across London and Essex, hit by fourth ransomware attack against UK education organisations in a month
  • Whistleblower says January breach at Ubiquiti (vol. 4, iss. 3) was much worse than the organisation painted, with the ‘third party’ that was compromised in fact being the company’s AWS infrastructure. Ubiquiti is sticking to its previous statement, encouraging customers to change their passwords and enable multi-factor authentication
  • Akamai says European gambling company was hit by 800Gbps DDoS attack in February
  • Details of 533M Facebook users, apparently from 2018 breach, posted on dark web site

Threat intel

  • Nation state actors will benefit from work of network access brokers and wider cyber-criminal workforce, according to FS-ISAC analysis
  • BazarCall malware uses call centre to direct users to download an Excel ‘cancellation form’ to infect victims
  • XtremeRAT bundled with software to help video gamers cheat, warns Cisco, along with…
  • Activision confirming that malware was bundled with cheats for its popular Call of Duty: Warzone game, plus Chinese arrests, below
  • Google says Turkey-based ‘SecureElite’ pen testing firm is a front for North Korean threat actors
  • FBI and CISA warn of attacks against Fortinet VPN devices

Vulnerabilities

  • Vulnerability in npm’s netmask package treats octal IP address input incorrectly
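Why octal handling matters for a package like netmask: the OS socket layer (inet_aton semantics) reads an octet with a leading zero as octal, so "0177.0.0.1" connects to 127.0.0.1, while a parser that reads every octet as decimal sees 177.0.0.1 and lets it through an allow/deny list. The example below is added here and is not netmask’s own code; the three parsers, the `allowedByFilter` helper and the crafted input are constructed for illustration.

```javascript
// Added example (not code from the netmask package): parser disagreement on
// leading-zero octets, and a strict parser that refuses the ambiguous forms.

// inet_aton-style parse: leading "0" means octal, "0x" means hex. This is what
// connect() effectively does with the string the application hands it.
function parseLegacy(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  const octets = [];
  for (const p of parts) {
    let v;
    if (/^0[xX][0-9a-fA-F]+$/.test(p)) v = parseInt(p.slice(2), 16);
    else if (/^0[0-7]+$/.test(p)) v = parseInt(p, 8);
    else if (/^(0|[1-9][0-9]*)$/.test(p)) v = parseInt(p, 10);
    else return null;
    if (v > 255) return null;
    octets.push(v);
  }
  return octets;
}

// Naive parse: every octet read as decimal, so "0177" becomes 177.
function parseNaive(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  const octets = parts.map(p => (/^[0-9]+$/.test(p) ? parseInt(p, 10) : NaN));
  if (octets.some(v => Number.isNaN(v) || v > 255)) return null;
  return octets;
}

// Strict parse: dotted-quad decimal only; no leading zeros, no hex, no
// shorthand. Anything the OS might interpret differently is rejected.
function parseStrict(ip) {
  const octet = '(0|[1-9][0-9]{0,2})';
  const m = new RegExp(`^${octet}\\.${octet}\\.${octet}\\.${octet}$`).exec(ip);
  if (!m) return null;
  const octets = m.slice(1, 5).map(Number);
  return octets.every(v => v <= 255) ? octets : null;
}

function isLoopback(octets) {
  return octets !== null && octets[0] === 127;
}

// Hypothetical SSRF-style filter: "allow anything that is not loopback",
// evaluated with whichever parser the application happens to use.
function allowedByFilter(ip, parser) {
  const o = parser(ip);
  return o !== null && !isLoopback(o);
}

function demo() {
  const crafted = '0177.0.0.1'; // constructed input: octal 0177 == 127
  return {
    naive: parseNaive(crafted),     // [177, 0, 0, 1]: passes the filter
    legacy: parseLegacy(crafted),   // [127, 0, 0, 1]: where the socket goes
    strict: parseStrict(crafted),   // null: rejected outright
    naivePasses: allowedByFilter(crafted, parseNaive),
    legacyPasses: allowedByFilter(crafted, parseLegacy),
  };
}

console.log(demo());
```

The fix is not to "support octal" in the filter but to reject every representation the filter and the OS could disagree on: strict dotted-quad decimal in, everything else out, and ideally resolve and compare the address once, on the same normalised form the connection will use.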

Security engineering

  • PagerDuty’s guide to DevSecOps is a pretty good resource for non-security engineers looking to adopt more secure practices (h/t Stu)

Internet of Things

  • Panasonic and McAfee team up to build vehicle SOC to monitor connected vehicles


  • €475K penalty for failing to notify the Netherlands Data Protection Authority of a breach in a timely manner

Law enforcement

  • Building on the gaming cheat TI above… Chinese police bust operation believed to have netted $76M (£55M) in subscriptions
  • Kansas man indicted for compromise of local water system in 2019

And finally

UK Cyber Council domain snafu

It’s a good idea to own the domain name you talk about in your press releases. Here’s to you, UK Cyber Council!

Kidnapping US Strategic Command’s Twitter was child’s play

Excellent puns in this one from Graham Cluley after a cryptic message saying “;l;;gmlxzssaw” appeared in a tweet from U.S. Strategic Command. Fortunately it isn’t a launch code, or account compromise, rather a young child and pandemic remote working.

