Robin’s Newsletter #157 — 3rd Birthday Edition 🥳

20 June 2021. Volume 4, Issue 25
Suspected Cl0p members arrested. Ransomware is an 'urgent' threat to U.K. Balancing cyber supply and demand. And, Dear Intern...
Join hundreds of subscribers who get this first, every Sunday. Subscribe

It’s the third birthday of Robin’s Newsletter!

To celebrate I’m looking to help you better protect yourselves online with help from F-Secure and Cydea who together are giving away over £15,000 of cyber security products and services!

The folks at F-Secure have given me 20 VIP codes for their F-Secure TOTAL suite that bundles protection against viruses and ransomware, safe online shopping, banking and advanced parental controls, a VPN to encrypt your communication and hide your IP address and a password manager with built-in breach notifications.

Cydea is chipping in 10 YubiKey 5C NFC security keys that can be used for hardware multi-factor authentication with password managers and popular websites and social networks.

And to help you better understand your organisation’s security posture, Cydea will also be offering up to five Cyber Scorecard assessments for just £1,200 (70% off!)

More details on how to enter will be sent out to subscribers next week!

Thank you so much for subscribing and reading my musings, weekly news, interesting stats and more every week. If there’s someone who you think would benefit from subscribing, then please share this with them.

— Robin

This week

Suspected members of Cl0p ransomware gang arrested in Ukraine

Law enforcement agents from the cyber division of the Ukraine National Police were joined by counterparts from South Korea in a series of 21 raids across Kyiv this week, with six individuals being arrested.

The operation was targeted at suspected members of the Cl0p ransomware gang. The group targeted larger enterprises for high-value demands, operating on a double-extortion basis: one ransom for unlocking files, the other for not releasing stolen files to the public.

Victims have included oil-giant Shell, security firm Qualys, and Stanford University. Many were due to a vulnerability in the Accellion file transfer appliance that was exploited by the gang to gain access to corporate networks.

As well as the arrests property including luxury Lexus, Mercedes and Tesla cars, and cash totalling 5m Ukrainian hryvnias (~$185,000) was seized. If convicted the suspects face eight years in prison.

In a statement, law enforcement said they had also “managed to shut down the infrastructure from which the virus spreads and block channels for legalizing criminally acquired cryptocurrencies.”

Lily Hay Newman over at Wired makes the point that, until Russia starts pursuing criminals within its borders, the threat from ransomware isn’t going away. Their report also links the arrests to the side of the operation involved with laundering and cashing out money from the criminal enterprise. The core operation is still operating within the Russian Federation, according to intelligence firm Intel 471.

Interesting stats

80% of organisations that paid up during a ransom attack go on to experience a second ransomware incident, sometimes within weeks, and 46% believe the second attack to be perpetrated by the same attackers, according to a survey of 1,263 security professionals by Cybereason

Estimated ransomware recovery costs (image credit: Baltimore County Public Schools)

$8,115,414 estimated ransomware costs from Baltimore County Public Schools following the attack by Ryuk last November,  <25% is recoverable from insurance

16.5% of authentication attempts during the first three months of 2021 were linked to credential stuffing attacks, with a  40% peak at the end of March, according to Auth0. Wow. The benefits of customers self-serving via online accounts are regularly sought by businesses while the costs associated with monitoring and protecting their accounts are often not considered. These data from Auth0 show that 1/6 of login attempts to your website may be fraudulent.

Other newsy bits

NCSC on ransomware threat at RUSI lecture

Hot off the heels of the G7, where ransomware was discussed by world leaders, The chief exec of the U.K’s National Cyber Security Centre (NCSC) gave a speech at the defence think-tank RUSI’s Annual Security Lecture. In it, Lindy Cameron reiterated the ongoing threat from hostile nations seeking political advantage by high-tech means, but also that the threat from ransomware gang was the most urgent faced by the U.K.

“For the vast majority of UK citizens and businesses, and indeed for the vast majority of critical national infrastructure providers and government service providers, the primary key threat is not state actors but cybercriminals,” — Lindy Cameron, CEO, NCSC

She concluded that a ‘whole-of-nation’ approach is needed, with efforts from government, academia, industry and cyber insurers, in particular, getting a callout.

Long reads

The actual cyber workforce challenge

Phil Venables reminds us that the ‘millions’ of open cyber vacancies is just one side of the cyber security resourcing problem. While we do need more folks, especially from a diverse background to bring in new experiences and perspectives, we can also reduce the gap by working hard on reducing the demand, as well as increasing supply. Fernando Montenegro’s quote is a great example: “it’s as if CFOs decided the needed ‘x million financial professionals’ to allow every business travel expense instead of having corporate travel cards+policies.” Work smart, not hard!

Inside the market for cookies…

Joseph Cox from Vice Motherboard has a look at the invite-only Genesis Marketplace where cybercriminals are trading cookies and browser fingerprints to steal access and avoid multi-factor authentication.

In brief

Attacks, incidents & breaches

  • U.K. plc Eggfree Cake Box suffered a MageCart attack over a year ago, finally decides to come clean to customers
  • REvil launches ransomware strike against U.S. nuclear weapons contractor Sol Oriens
  • AmeriGas, a large U.S. propane distributor, suffers an “8-second breach” of 123 employee’s data at subcontractor (It looks like their MSSP notified them and must have a SOAR platform that reset user and MFA creds.)
  • One billion data points scraped from Alibaba’s Chinese shopping site Taobao by an affiliate marketer over eight months
  • CCTV vendor’s windows software backdoor by Darkside ransomware gang affiliate

Threat intel

  • Source code for ‘entry-level’ ransomware-as-a-service, Paradise, used to target consumers and small businesses leaked online
  • A ransomware gang has turned to revenge porn (presumably found in data exfiltrated from victims) to amp up pressure to pay
  • NFT creators targeted with malware-laden ‘commissions’ for them to consider that steal cryptocurrency wallet info
  • Malware being distributed on pirated software sites blocks access to these sites, like The Pirate Bay, and phones home to tell the malware’s author your IP address and software that was downloaded


  • iOS 12.5.4 released to older, out-of-support iPhone and iPad devices to fix two vulnerabilities in the web browser engine, WebKit, used by Safari and other apps to Redner web pages

Security engineering

  • Google adding self-managed, client-side encryption of documents to Workspace (formerly G Suite)
  • Also Google announced a framework dubbed Supply chain Levels for Software Artifacts, os SLSA (pronounced “salsa”) setting out security control levels expected to secure software development
  • And even more from Mountain View, Google has open-sourced a fully homomorphic encryption (FHE) toolkit. Homomorphic encryption allows for computations to be performed on data without decrypting it first. (IBM released a similar toolkit last year (vol. 3, iss. 23))
  • Microsoft Defender APT will now report if iOS devices have been jailbroken

Internet of Things

  • Security expectations of high-end devices are high: Peloton Bike+ vulnerability allows remote access to the microphone and camera, after flashing via a USB port (more of a consideration for public/shared devices)


  • Mobile health apps are a minefield. Research shows that 88% of free apps on the Google Play store, for tracking conditions, menstrual cycles, counting calories, etc can access and potential share personal data

Public policy

  • President Biden says he is ‘open to exchange’ of cybercriminals with President Putin
  • U.S. Senate considering draft legislation requiring critical infrastructure providers to notify Homeland Security within 24 hours of cyber-attack
  • Roskomnadzor, Russia’s telco regulator, has classified Opera VPN and VyprVPN as ‘threats’ and banned their use within the Russian Federation


  • SEC settles First American leak of 800M document images (including social security and banking info) for a ‘farcical’ penalty of $487,616. The fine was, in part, due to inadequate management reporting from the infosec team to senior management, leaving them “completely unaware of this vulnerability and the company’s failure to remediate it,” said the SEC cyber enforcement unit’s Kristina Littman
  • Papa John’s customers in the U.K. that phoned-in to place orders were not given the opportunity to opt-out of marketing messages, resulting in a £10K penalty this week under Privacy and Electronic Communications (PECR) regulations

Mergers, acquisitions and investments

  • Congrats James Hadley & Co!: U.K. headquartered training firm Immersive Labs closed $75M series C: human intelligence deserves to reclaim its place alongside Artificial Intelligence in cybersecurity,” said Hadley
  • Aussie identity verification startup OCR Labs raises $15M Series A for European expansion
  • Second time in as many weeks… Deloitte has acquired Terbium Labs and will integrate digital risk protection capabilities into the firms Detect & Respond offering

And finally

Dear Intern…

Props to HBO Max for sticking by their intern this week, after they accidentally sent an ‘integration test’ email to a portion of their customer mailing list. These sorts of incidents often highlight incorrect assumptions in a process or controls and should be used as an opportunity to fix the underlying issue. It’s sparked loads of ‘Dear Intern’ responses on Twitter, where folks admit to their previous snafus. Mashable has a collection of some of them within which perhaps Monica Lewinsky wins with her reply: “dear intern: it gets better ♥️”.


  Robin's Newsletter - Volume 4

  Cl0p Cybercrime Ransomware Ukraine South Korea Law enforcement National Cyber Security Centre (NCSC)