Robin’s Newsletter #155

6 June 2021. Volume 4, Issue 23
The U.S. continues beef with Russian ransomware gangs. Colonial Pipeline was result of compromised creds. FireEye to divest name, products business.

Cydea is hiring! 🥳 We’re looking for someone with a couple of years of consulting experience to join us as a Cyber Risk Consultant. I’m biased, but think it’s a pretty sweet gig doing interesting things with some great clients. It pays £37K, you get six weeks holiday, plus extra for those odd days here or there you might need or want, 5% pension, bonus, pro-bono work for good causes, and some other stuff too. You can find out more about careers at Cydea, or apply on LinkedIn.

We’re also looking for more Virtual SMEs to join our associate network. If you work freelance and have a data, design or tech specialism you think is relevant to helping organisations identify, analyse and communicate their cyber risk, then register your interest.

Also, Dave Mareels and the SOC.OS team are looking for a Data Analyst. Connect with him on LinkedIn to request the job spec.

This week

Security mis-steak at meet processing firm JBS leaves door open for ransomware

Spare some thoughts for the IT and security teams at JBS this week who have been put through the grinder following an attempt to milk the company for a ransom payment.

JBS, the world’s largest meat processing company, temporarily suspended operations in America, Canada and Australia following the attack on 31st May, before ‘fully restoring’ operations on 4th June.

The company reported the quick response was in part due to backups being uncompromised during the attack. Notwithstanding, that’s an incredible effort to restore operations so quickly.

The shutdown prompted warnings about shortages of supply and the potential for price rises. JBS employs over 150,000 people worldwide and supplies the likes of McDonald’s. In the US, they produce more than 25% of beef and 20% of the nation’s pork.

The FBI has attributed the attack to the REvil (aka Sodinokibi) group while the White House added that President Biden will directly address the issue of Russian-based ransomware operators with Russian President Putin at a summit in Geneva on 16th June.

FBI Director Christopher Wray compared the 100 different types of ransomware they are investigating to the challenges following the September 11th terrorist attacks in 2001.

“There are a lot of parallels, there’s a lot of importance, and a lot of focus by us on disruption and prevention” — Christopher Wray, FBI

The U.K. National Cyber Security Centre (NCSC) has published guidance for board members, including ‘what they should be asking their technical experts’. (shuts operations), (restore operations), (attribution), (Biden), (‘9/11’ comparison), (board advice)

Interesting stats

79% of 1,320 respondents do not approve of companies profiting from their data, 46% thought they should be able to earn money instead of companies, according to Invisibly

$3.68M increase in interest cost of the average loan for companies that have experienced data breaches as banks and lenders price in information risk to terms of loans, Huang, Wang in The Accounting Review (PDF)

1.9x more fraud on Android than iOS devices, according to Feedzai

Other newsy bits

Mandiant says Colonial attack was result of leaked VPN password

The ransomware attack on Colonial Pipeline (vol. 4, iss. 19) stemmed from a compromised username and password, according to Mandiant, who helped the company respond to the attack. The account, which was no longer in use but remained active, was also not protected by multi-factor authentication.

Requiring multi-factor authentication on external services (such as Remote Desktop, VPN or other extranet access solutions) is a good control to help prevent credentials — that have been compromised in a phishing campaign or reused from another website that has been breached — from being successfully reused against your organisation in a tactic called credential stuffing.

Multi-factor authentication is only one layer though, and applying it in all cases may not be feasible. In those cases, other measures such as lower thresholds for account lockouts and IP or time-of-day restrictions help to reduce the frequency of such attempts.

That the account was no longer in use and remained active points to a poor ‘joiners, movers, leavers’ (JML) process. Accounts should be created for named individuals and granted the permissions they need to carry out their role for as long as is required. If the user moves role, old permissions should be removed or if they leave the organisation the account should be disabled.
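One way to catch both failings described above (a leaver's account left enabled, and an externally reachable account without MFA) is a periodic audit over an export of the identity directory. This is an added example, not code from the newsletter or from Mandiant's investigation; the account records and field names are constructed for illustration.

```python
from datetime import date, timedelta

# Constructed sample of a directory export (hypothetical accounts, not real data).
ACCOUNTS = [
    {"user": "a.smith",    "enabled": True,  "last_login": date(2021, 5, 30), "mfa": True,  "external": True},
    {"user": "legacy-vpn", "enabled": True,  "last_login": date(2020, 11, 2), "mfa": False, "external": True},
    {"user": "j.doe",      "enabled": False, "last_login": date(2020, 1, 15), "mfa": False, "external": True},
    {"user": "m.jones",    "enabled": True,  "last_login": date(2021, 6, 4),  "mfa": False, "external": True},
    {"user": "svc-backup", "enabled": True,  "last_login": date(2021, 6, 1),  "mfa": False, "external": False},
]


def dormant_enabled(accounts, today, max_idle_days=90):
    """Accounts still enabled but unused for longer than max_idle_days.
    These are the leavers/movers a JML process should already have disabled."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(a["user"] for a in accounts
                  if a["enabled"] and a["last_login"] < cutoff)


def external_without_mfa(accounts):
    """Enabled accounts that can reach external services (VPN, RDP, extranet)
    without a second factor, i.e. usable with a stolen or reused password alone."""
    return sorted(a["user"] for a in accounts
                  if a["enabled"] and a["external"] and not a["mfa"])


def audit(accounts, today, max_idle_days=90):
    """Map each flagged account to the list of findings against it."""
    findings = {}
    for user in dormant_enabled(accounts, today, max_idle_days):
        findings.setdefault(user, []).append("dormant-enabled")
    for user in external_without_mfa(accounts):
        findings.setdefault(user, []).append("external-no-mfa")
    return findings


if __name__ == "__main__":
    # Run against the constructed export as of the newsletter's date.
    for user, issues in audit(ACCOUNTS, date(2021, 6, 6)).items():
        print(f"{user}: {', '.join(issues)}")
```

An account appearing under both findings is the Colonial Pipeline pattern: disable it first, then fix the JML step that let it linger.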

Long reads

Inside the DarkSide ransomware group

The New York Times has a write up looking at the DarkSide ransomware operation, having gained access to an internal portal. In its communications, DarkSide tried to be polite, and the group expected the same of the hackers using its services. The group, after all, “very much treasures our reputation,” DarkSide said in one internal communication. “Offending or being rude to targets for no reason is prohibited,” DarkSide said. “We aim to make money through normal and calm dialogue.”

Catfishing for PUBG cheats

Go down the rabbit hole with Lorenzo Franceschi-Bicchierai as he recounts the rise of Catfish’s cheats for popular game PUBG (PlayerUnknown’s Battlegrounds) that have netted them $77M from the Chinese market, the attentions of the game’s publisher Tencent, and the Chinese Police.

In brief

Attacks, incidents & breaches

  • New York Pizza, a Netherlands pizza chain, reveals data breach affecting 3.9 million users that is, staggeringly, over 1/5 of the population
  • U.K. Army promotions excel file circulating on WhatsApp could be used to identify members of special forces
  • Ticketing for Massachusetts ferries disrupted as Steamship Authority suffers ransomware attack
  • U.K. retailer Furniture Village suffers ransomware incident, apparently no data taken, systems offline for over 6 days
  • Accellion File Transfer Appliance breaches (vol. 4, iss. 9) may have been limited if email notification system had… notified users of patches being available, says KPMG
  • Ireland’s Health Service Executive still working to bring systems back online following Conti ransomware attack

Threat intel

  • Fake versions of Android antivirus, audiobook and VLC apps are infecting users with TeaBot malware
  • TeamTNT cryptomining operation has compromised 50,000 systems in the last three months, says Trend Micro, by infecting Docker and Kubernetes clusters with exposed admin APIs
  • Check Point Research uncover new Chinese-linked backdoor dubbed “VictoryDll_x86.dll”
  • Cluster25 researchers publish details on ‘SkinnyBoy’ malware used by APT28, Russian-linked actors
  • Myanmar president’s website compromised, used to push backdoor malware


  • Comment on the European Parliament’s objection to the E.U. recognising the adequacy of the U.K’s data protection regime, particularly when it comes to immigration and surveillance
  • TikTok updates privacy policy, gives itself permission to collect biometric information including ‘faceprints and voiceprints’

Public policy

  • U.S. Supreme Court rules the misuse of user account by an authorised user does not fall under the remit of the Computer Fraud and Abuse Act (CFAA)
  • Chinese influence in Africa and the plans behind ‘splinternet’ based on blockchain technology
  • Department of Justice orders U.S. prosecutors to track ransomware investigations, and notify of new cases and plea deals

Law enforcement

  • Brazil revises cybercrime legislation, introduces new tougher measures and up to eight years in prison
  • Russian hacker, Pavel Sitnikov, arrested in Eastern Russia for sharing source code for Anubis banking trojan; his wife claims the arrest is for spreading a leak of Russian health data
  • Two members of the Carbanak crime gang sentenced to eight years in Kazakhstan prison for part in stealing $4.6M from Kazakhstan banks

Mergers, acquisitions and investments

  • FireEye to sell its network and email security products business to Symphony Technology Group (STG; who also own McAfee) in $1.2B cash deal, will retain ‘unlocked’ and ‘high-growth’ Mandiant incident response business
  • Exabeam raises $200M, valuing the company at $2.4B, and will replace CEO Nir Polak (who will stay on as Chairman) with Forescout chief exec Michael DeCesare
  • SOAR company [redacted] closes $35M series B round, to expand capabilities including private investigations
  • Microsoft acquires ReFirm Labs, authors of Binwalk firmware security tool, in second deal to bolster IoT security offering
  • SentinelOne eyes initial public offering on the NYSE

And finally

Antivirus mining cryptocurrency

Literally nobody:

NortonLifeLock: “As the crypto economy continues to become a more important part of our customers’ lives, we want to empower them to mine cryptocurrency with Norton, a brand they trust”
