Robin’s Newsletter #151

9 May 2021. Volume 4, Issue 19
Responsible cyber power. Colonial Pipeline shut down due to ransomware. Injecting malware C2 into legitimate traffic. Authentication using a severed thumb.

This week

On being a responsible cyber power

Top spot this week to a really interesting panel discussion on geopolitical cyber security and diversity, organised by the think tank RUSI.

It’s a stellar lineup from government agencies and the defence sector that know their stuff: the Head of the Australian Cyber Security Centre, the CEO of U.K. National Cyber Security Centre, an executive director from the National Security Agency, chief of Canada’s Communications Security Establishment, CISO of the U.K. Ministry of Defence, chaired by BAE Systems’ CISO. All of whom are women ✊

There’s a discussion of the cyber threat and national perspectives on that, the role of government in helping to safeguard society, as well as fostering a diverse range of cyber security talent.

You can read a summary blog from Mary Haigh (BAE’s CISO) on the RUSI website, and check out the full conversation between Shelly Bruce, Christine Maxwell, Lindy Cameron, Wendy Noble, and Abigail Bradshaw, hosted by Mary, on YouTube.

Interesting stats

96% of users opt out of app tracking following the prompt introduced in iOS 14.5

36 days median time taken to conduct a forensic investigation of a security incident, costing $55,960 on average, according to BakerHostetler, whose clients faced litigation 3.7% of the time following notice (20/543 times)

Other newsy bits

Colonial Pipeline, supplying 45% of fuel along the U.S. East Coast, shut down due to ransomware

Good write-up and commentary in the Washington Post on this developing story: on Friday, Colonial Pipeline became the victim of a ransomware attack, believed to be perpetrated by the DarkSide gang. The attack was against the company’s business IT, and the pipeline was shut down safely as a precautionary measure and to help limit exposure. The Colonial Pipeline runs for 5,500 miles connecting Texas to New Jersey and supplies 45% of petrol, diesel and jet fuel along the U.S. East Coast.

Anecdotally, incidents at critical infrastructure may be more common than you think, and often don’t get reported to regulators or picked up in the media. Regulation of critical infrastructure varies by sector, scale and geography. Reporting requirements can differ (or be nonexistent), incident reporting thresholds may vary or the infrastructure operator may not realise the full scale or consequences of an incident.

A lot of emphasis has been placed on nation-state actors’ interest in energy networks in recent years. This shows that cybercriminals, motivated by financial gain, are equally interested in the sector.

Critical infrastructure is, by its nature, heavily relied on and therefore more susceptible to disruption. In theory that makes it more attractive if you’re in the business of disrupting business operations and extorting the victims. However, by the same criteria, critical infrastructure is more likely to invite government intervention and draw greater scrutiny from law enforcement.

For example, President Biden has been briefed on the Colonial Pipeline attack and it will surely feature in upcoming discussions at the United Nations about cyber norms.

Ghost in the network: hiding C2 in legitimate traffic

This stood out to me this week: the Moriya malware, part of a campaign dubbed TunnelSnake, looks for commands injected into legitimate network traffic. Many strains of malware are multi-purpose and able to download different modules for criminal activity: encrypting files, or stealing payment or banking information. In the world of espionage, sophisticated malware may have multiple ‘stages’ to download and install that may then lie dormant, waiting for a command, or provide remote control to human operators. All of this is relayed backwards and forwards between the operators and the victim via command and control (C2) servers.

Detecting and disrupting those communications is the backbone of a lot of threat intelligence and security operations. Indicators of compromise (IOCs) provide details of domain names, IP addresses and ports that are known to be bad. In the case of WannaCry, it was Marcus Hutchins’ act of registering a failsafe domain name that stopped the malware from encrypting many more machines.

In the Moriya case, it appears that the C2 is handled by injecting the commands into legitimate network traffic. That means the instructions could be embedded in any network traffic destined for the infected computer: web pages, emails, even background processes such as time synchronisation or software updates. You visiting the BBC News website, or your computer checking Windows Update, could be used to hide information that is picked up by malware using this technique. Security teams would only be able to detect it if they were conducting much more invasive and costly ‘deep packet inspection’, rather than simply looking at where the data had come from or was going to.
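To make the distinction between the two detection approaches concrete, here is an added example, not from the newsletter nor from any published Moriya/TunnelSnake analysis. It contrasts indicator-of-compromise matching on connection metadata (where the traffic is going) with inspection of the application data itself (what the traffic carries). The flow records, the indicator lists and the byte marker are all constructed for the demonstration; a real content signature would come from analysis of the implant, and nothing here is derived from one.

```python
"""
Added example: IOC matching on flow metadata versus payload inspection.
Every record, indicator and marker below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Flow:
    src: str
    dst: str        # destination IP address
    dport: int
    sni: str        # TLS SNI or HTTP Host, standing in for the remote service name
    payload: bytes  # application data seen by a DPI sensor, in either direction


# Constructed "known bad" indicators, in the shape a threat-intel feed supplies them.
IOC_DOMAINS = {"updates-check.example.net"}
IOC_IPS = {"203.0.113.45"}
IOC_PORTS = {4444}

# Hypothetical byte marker that a content signature would look for.
# This value is invented for the example and matches no real implant.
INJECTED_MARKER = b"\x00CONSTRUCTED-MARKER\x00"


def parse_flow(line: str) -> Flow:
    """Parse one constructed sensor record: space-separated key=value pairs,
    with the payload hex-encoded so it survives as a single token."""
    fields = dict(part.split("=", 1) for part in line.split())
    return Flow(
        src=fields["src"],
        dst=fields["dst"],
        dport=int(fields["dport"]),
        sni=fields.get("sni", ""),
        payload=bytes.fromhex(fields.get("payload", "")),
    )


def ioc_match(flow: Flow) -> bool:
    """Metadata-only check: flags traffic by where it goes, never by what it carries."""
    return flow.dst in IOC_IPS or flow.sni in IOC_DOMAINS or flow.dport in IOC_PORTS


def payload_match(flow: Flow) -> bool:
    """Content check: flags traffic carrying the marker, whatever the destination."""
    return INJECTED_MARKER in flow.payload


def triage(lines):
    """Return two lists of flow names (SNI if present, else destination IP):
    those flagged by IOC matching and those flagged by payload inspection."""
    flows = [parse_flow(line) for line in lines]
    by_ioc = [f.sni or f.dst for f in flows if ioc_match(f)]
    by_dpi = [f.sni or f.dst for f in flows if payload_match(f)]
    return by_ioc, by_dpi


# Constructed sensor log: ordinary browsing, a connection straight to a listed
# C2 address, and a legitimate service whose response carries the marker.
SAMPLE_LOG = [
    "src=10.0.0.5 dst=198.51.100.10 dport=443 sni=www.bbc.co.uk payload="
    + b"GET / HTTP/1.1".hex(),
    "src=10.0.0.5 dst=203.0.113.45 dport=4444 payload=" + b"hello".hex(),
    "src=10.0.0.5 dst=198.51.100.20 dport=80 sni=time.example.org payload="
    + (b"HTTP/1.1 200 OK\r\n\r\n" + INJECTED_MARKER + b"...").hex(),
]

if __name__ == "__main__":
    flagged_by_ioc, flagged_by_dpi = triage(SAMPLE_LOG)
    print("IOC match flagged:", flagged_by_ioc)   # only the listed C2 address
    print("DPI flagged:      ", flagged_by_dpi)   # the legitimate-looking flow
```

The third record is the interesting one: its destination, port and service name are all clean, so metadata-only detection has nothing to act on, while content inspection catches it. That is the cost the passage describes: catching this class of C2 means inspecting (and, for encrypted traffic, first terminating) every session, not just comparing addresses against a list.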

That’s likely the work of a sophisticated nation-state threat actor with access to telecommunications networks. The ‘great firewalls’ that some nations use to regulate which websites and services their citizens can access also provide an opportunity to siphon off and alter seemingly normal network traffic in this manner. It may also work in reverse, where users outside the country make a network connection to a server hosted within the country.

It comes the same week as Human Rights Watch raised concerns that the new United Nations proposal from Russia and China to tackle cybercrime “risks legitimising” censorship and may be more about restricting content than preventing cybercrime.

In brief

Attacks, incidents & breaches

  • Peloton’s API was open to world + dog to request private profile info and details of workouts

Threat intel

  • No links, no malware-laden attachments, just bogus invoices with booby-trapped websites or scam phone lines in the latest attempts to avoid spam filters
  • Magecart groups targeting third-party online ordering services used by restaurants as pandemic drives food takeaway and delivery
  • ‘Pingback’ malware uses ICMP for command and control to avoid detection
  • Malicious O365 and GSuite apps request permissions to emails, contacts, files and retain access across password resets until the app is uninstalled
  • VC money seemingly used to buy access to employee accounts and company information under guise of ‘salary benchmarking’ services to workers


  • Pulse Secure’s Pulse Connect Secure (PCS) VPN gateway gets fix for actively exploited zero-day
  • Patches for Cisco SD-WAN vManage Software and HyperFlex HX released to address issues that could let “unauthenticated, remote attacker to execute arbitrary code or gain access to sensitive information”
  • Apple releases iOS 14.5.1 to fix vulnerabilities in Webkit that ‘may have been actively exploited’
  • Privilege escalation bug in Dell firmware utility shipped with all the company’s devices since 2009
  • New Spectre style vulnerability in Intel, AMD chips exploits caching of ‘micro-ops’ but appears to be difficult to exploit

Security engineering

  • Choose Your Own Adventure security awareness training is a (well licensed! and) neat idea
  • What is XDR …and how does it relate to SIEM?
  • Microsoft, Google and IBM team up on Cloud Security Notification Framework (CSNF) working group to develop standard way for sharing security events and automating cloud governance
  • Google will start automatically enrolling all users who can into multi-factor authentication (presumably all those with the Gmail app installed)

Internet of Things

  • This was patched last year, but vulnerabilities in the ConnMan component allowed attackers to access the infotainment system of a Tesla (and therefore unlock doors, change AC and acceleration settings, etc) over wifi… from a drone
  • U.K. NCSC principles set out the need to understand, design and manage the security of smart cities


  • If you’re not paying for it, you’re the product reminder: many free fertility and pregnancy tracking apps aren’t GDPR compliant and perhaps should be categorised as ‘medical’ instead of ‘health’ apps
  • Google Play Store to get privacy notifications two years after Apple’s App Store

Public policy

  • U.S. CISA uses new subpoena power to request contact details from ISPs and notify vulnerable customers
  • U.S. and U.K. keep up pressure on Russian cyber operations with a third post in a month on evolving tactics

Law enforcement

  • Two Russian, one Lithuanian and one Estonian national plead guilty to operating a ‘bulletproof hosting’ operation for cybercriminals; each faces up to 20 years in prison

And finally

Can you use a severed finger to unlock your phone?

As fingerprint readers were taking off as authentication methods for smartphones, there were jokes about attackers chopping off your hand to gain access to devices or systems. (Foreshadowed by a headline in Back to the Future 2 about the antics of ‘thumb bandits’!) Now, following an accident with a crane, one reader of The Register has answered the question: can a severed finger be used to gain access to a Samsung phone? TL;DR: Yes, yes it can. More details, and slightly gory images, at the link below.

I’m currently suffering the opposite problem: after a week of DIY and home improvements, I can confirm that you can absolutely sand your fingerprints off such that Apple devices no longer recognise your digits!

