Robin’s Newsletter #148

18 April 2021. Volume 4, Issue 16
FBI gets a warrant to fix Hafnium web shells, becomes an MSSP. Sanctions for Russia over SolarWinds. Plus you cheddar believe there are some cheese puns.

This week

FBI gets warrant, modifies victims’ Exchange servers to remove web shells, becomes MSSP

This week the United States Federal Bureau of Investigation (FBI) cleaned up ‘hundreds’ of Microsoft Exchange servers that had been compromised by attackers exploiting the Hafnium vulnerabilities (vol. 4, iss. 10).

The FBI had obtained a court order allowing them to do so and only removed the attackers’ web shells (the servers will still be unpatched). Evidence was collected as part of the operation. It’s not what you typically think of when you think of a warrant. The action was taken without prior notification to the affected organisations, though the FBI is in the process of attempting to notify the victims.

It creates an interesting point around liability - with some arguing (rather facetiously) that it discourages organisations from taking cyber security seriously. In undertaking this action I am sure they will have had to be extremely confident in both the fix and the harm being avoided as a result. Follow-up (or indeed prior) notification to victims needs to be similarly robust so that the underlying issues can be addressed, to avoid attackers simply re-exploiting the same issues.

However, I suspect the focus on ‘victim support’ and proactive measures that law enforcement is starting to take to help the victims of cybercrime will be widely well-received by many organisations. Though the legal implications of such action, if it is to become commonplace, will need to be carefully weighed. On the surface, unauthorised access to systems breaks many computer misuse laws and IP geolocation can be notoriously unreliable (ask these farmers in Kansas).

Either way, with their unparalleled ability to execute and strong vision, the FBI has just clinched themselves a spot at the top of my 2021 Enchanted Boxywoxy of Managed Security Service Providers:

Enchanted Boxywoxy, a two-by-two matrix showing a series of dots against ‘vision’ and ‘execution’ with the FBI in the top-right, as favoured by many IT analysts

Enchanted Boxywoxy may or may not help your decision to run your MS Exchange server behind an American VPN provider.

Interesting stats

Ignorance is bliss, as 74% of respondents that failed every question in a security survey reported ‘feeling safe’; overall 61% failed basic security questions, with 18-24 year olds faring worst, and 25-34 year olds tying with those aged 55+, in a survey by TalentLMS with input from KennerSecurity

24 days was the average time for organisations to detect security incidents in 2020, a 57% decrease on 2019 (56 days) and a huge decrease from 416 days in 2011, according to FireEye. The drop is largely because the nature of attacks has changed: ransomware needs to be disruptive to be effective

Other newsy bits

SolarWinds attack was Russia, say US, UK; sanctions to follow

In a joint statement this week the U.S. and U.K. formally pointed the finger at Russia for the SolarWinds attack (vol. 3, iss. 51). 

The announcement came with the news that the Biden administration is to expel 10 Russian diplomats and introduce sanctions in response to the SolarWinds attack and disinformation campaigns. The sanctions will be against 32 individuals, as well as six Russian cyber security companies.

The sanctions themselves are not just for the SolarWinds incident though: of the cyber incidents cited, NotPetya and OlympicDestroyer are also referenced. In doing so, it may become difficult to draw a distinction between careful espionage - which the U.S. is equally engaged in - and more disruptive attacks. At the end of the day that comes down to an assessment of the scale and audacity of the SolarWinds campaign: at what point does run-of-the-mill cyber-espionage stop being acceptable?

Top 5 vulnerabilities used by SVR in nation state attacks

As well as naming-and-shaming Russia’s SVR for SolarWinds, the U.S. went on to disclose the primary vulnerabilities the intelligence agency uses in its campaigns. They include a lot of boundary devices, as you might expect, including Fortinet and PulseSecure VPN devices and the Citrix remote access gateway. Regularly applying patches, disabling unused functionality and disabling external remote administration are amongst the recommended protective measures to take.

In brief

Attacks, incidents & breaches

  • It’s always DNS unless it’s an expired certificate: American Express cards unlinked from Google Pay accounts
  • Developer tool Codecov backdoored and may have been exfiltrating the keys and secrets needed to access organisation’s cloud environments and source code repositories for three months
  • 500,000 Huawei devices downloaded apps infected with Joker malware from the official AppGallery store
  • ParkMobile compromised, licence/number plate data, email and bcrypt’d password hashes up for sale
  • GRC startup LogicGate discloses data breach to AWS platform that hosts its Risk Cloud solution
  • Gay dating site Manhunt was breached in February, reset some passwords in March but kept quiet about the incident
  • Book prize paid to scammers in BEC-style attack
  • Lessons learned: Capcom says 2020 ransomware incident started with exploitation of old VPN device

Threat intel

  • Threat actors are using ‘contact us’ forms on company websites to bypass email filtering, using links to Google Sites to appear legitimate and capture info or distribute malware
  • Ryuk ransomware operator using ‘KeeThief’ to steal passwords from KeePass password managers on compromised systems
  • Over 600 U.K. organisations running Fortinet VPN solutions have not patched against critical 2019 vulnerability, NCSC says you now must assume you have been compromised
  • Yep, cracked software may include more than you bargained for: hooky Office, Photoshop downloads bundled with malware to steal session cookies and mine cryptocurrency


  • NSA has been looking at Exchange, finds and discloses more critical vulnerabilities that are patched in the latest Microsoft update
  • Remote code execution vulnerability in Valve’s Source game engine still not properly addressed, two years after notification through the company’s bug-bounty programme, can ‘take over a PC with a game invite’

Security engineering

  • Microsoft Defender for Endpoint gains unmanaged device discovery capability in latest preview
  • Interesting angle to bug bounty / vulnerability disclosure programmes: ‘Prisoner’s dilemma’ may force less scrupulous researchers to provide details of issues faster

Internet of Things

  • One-in-four of the 1,500 electricity utilities supplying the grid and regulated by the North American Electric Reliability Corp (NERC) have reported that they use SolarWinds and installed the update compromised in the Solorigate espionage campaign.
  • Iran inaugurates new uranium enrichment plant… goes offline a day later due to “accident” with its electricity distribution network, theories spread of ‘Sibling of Student’ attack
  • Over 100M IoT devices running TCP/IP stacks with ‘Name:Wreck’ flaws, vendors may be unable or unwilling to patch


  • Australian Competition & Consumer Commission (ACCC) verdict says Google misled users over location data, showing the importance of reducing the complexity of, and clearly labelling, privacy controls


  • Insurance companies offering cyber cover and registered with the New York Dept. of Financial Services (NYDFS) need to follow a cyber insurance risk framework, which includes requirements to measure risk and systemic exposure, educate policyholders and require the insured to notify law enforcement

Law enforcement

  • FIN7 ‘tech guru’ given 10-year prison sentence and ordered to pay $2.5M restitution to victims

Mergers, acquisitions and investments

  • 1Password acquires SecretsHub to help manage API keys and certificates of developers of enterprise apps
  • Cloud forensics startup Cado Security announced $10M funding

And finally

Dutch cheese lovers feeling blue

Gouda heavens Gromit! A ransomware gang has caerphilly executed a cyber-attack against Bakker Logistiek, a refrigerated warehousing business. Customers are making a raclette because the firm can “no longer receive orders” and consumers camembert the lack of fromage on supermarket shelves.

PS, In queso emergency, you will need a cyber incident response plan. You can get a free, open source one from that makes getting started a brie-z!

