Robin’s Newsletter #161

18 July 2021. Volume 4, Issue 29
ICO raids two properties in Hancock CCTV investigation. Another Windows printer vuln. REvil's sites offline. Identity verification isn't the answer to online abuse.

This week

ICO Raids two properties in Hancock CCTV leak

Two properties in Southern England were raided as part of an investigation into the leaked CCTV images of the former U.K. Health Secretary Matt Hancock. The images, published by tabloid newspaper The Sun, showed Hancock having an affair with an aide and breaking social distancing rules, prompting him to resign.

Many questioned at the time how CCTV images from within a government minister’s office came to be in the possession of the press, and perhaps more fundamentally why there was a need for such invasive surveillance in the first place.

The CCTV is operated by a company called Emcor, on behalf of the Department of Health and Social Care, and was installed prior to DHSC taking up residence in the building. Following the leak of the images, Emcor filed a breach notice with the Information Commissioner.

“In these circumstances, the ICO aims to react swiftly and effectively to investigate where there is a risk that other people may have unlawfully obtained personal data. We have an ongoing investigation into criminal matters and will not be commenting further until it is concluded,” said Steve Eckersley, Director of Investigations.

A spokesperson for prime minister Boris Johnson (who reportedly called Hancock ‘f**king hopeless’) said that the release of the footage was in the public interest.

Interesting stats

311,000 domains estimated to be blocked by the ‘Great Firewall’ of China, with 41,000 estimated to be swept up by mistake by over-zealous regular expressions

$92,531,490.24 ransomware payments (at the time of writing) according to a new tool, Ransomwhere, that aims to track cryptocurrency payments to ransomware crews

33% increase in online fraud in 2020, to more than 410,000 victims, losing £2.3BN in cases reported to the police, according to Which?

Other newsy bits

It’s Groundhog Day! PrintNightmare continues as another vulnerability in print spooler discovered

Another privilege escalation bug in the Microsoft Windows print spooler subsystem was reported this week. Microsoft is ‘developing a security update.’ It’s a different one to PrintNightmare, which was itself confused with another print spooler vulnerability (vol. 4, iss. 27). Glad we cleared that one up. Keep that print spooler service disabled if you don’t need it.

In related news… Microsoft Defender for Identity now detects PrintNightmare attacks. So keep an eye out for those if it’s included in your Microsoft licence.

REvil’s dark web sites are offline

REvil’s dark web sites are offline, with uncorroborated reports from competing gangs that the cybercrime group was subject to a police subpoena, and REvil’s account on crime forums has been banned (per forum policy for accounts suspected of being under police control). That could well just be trash-talking the competition, and the group lying low following some high-profile attacks. Speculation circled online as U.S. president Biden has recently been in contact with Russia’s president Putin, urging action on groups operating from within the Russian Federation. The truth is, we just don’t know, and it could be as simple as them wanting to take a break and go on vacation.

Long reads

Online anonymity and holding people accountable

The U.K. has a system where the public can submit petitions to the legislature. At 10,000 signatures the government will respond; at 100,000 it will be considered for a wider debate in Parliament. This week, in the wake of racist abuse targeted at members of the England football team, a petition has been circulating demanding that identity verification be required for all social media. Obviously ‘holding people to account’ for crimes is important, though requiring real names doesn’t hold people to higher standards — check your Facebook feed — and the result would be to inflict actual harm for dubious benefit.

Paul Bernal, a lecturer from the University of East Anglia, has a good write-up on why real names are the wrong tool for the wrong problem.

“People imagine that trolls are ashamed of their trolling, so would no longer do it if they were forced to do it using their real names. For some trolls, this may be the case – but for others exactly the opposite is the case… [Often] they’re instigated not by anonymous trolls, but by exactly the opposite. By the big names, the ‘blue ticks’, the mainstream media, the mainstream politicians”

Stock markets and cyber security

A couple of new research papers linked to by Kelly Shortridge in this blog post. Her TL;DR: While “the infosec industry shills the harrowing narrative of how damaging data breaches are to businesses… There is no evidence to support this propaganda.”

Some of the stock price data I’ve seen did show a marginal underperformance to the market for companies that experienced data breaches, though what was interesting to me was that under-performance exists prior to the breach: perhaps the breach being an effect of poor governance rather than a consequence. That’s one for some further study though.

The allure of remote management tools to attackers

IT Administration tools — remote management and monitoring, and mobile device management — present an ‘alluring’ target to attackers. Get the keys to those and you can do anything an IT admin can. Andy Greenberg takes a look at this in Wired. It’s a vector I’ve been saying is overlooked for years now. So, if you run these tools, go check you’ve patched, are using unique admin accounts, and have enabled MFA. Go check now, we’ll wait for you!

In brief

Attacks, incidents & breaches

  • U.S. Insurance technology provider BackNine left 711,000 files, dating back to 2015, in an unsecured AWS bucket providing full details of life and disability insurance cover
  • Ecuadorian state-run telco, CNT, has become the victim of a ransomware attack affecting website and online payments
  • Fashion retailer Guess suffered a data breach back in February and is notifying victims. It will only confirm that ‘no customer payment details’ were compromised, while breach letters suggest Social Security numbers, driver’s license numbers, passport numbers, and financial account numbers were obtained by criminals. It sounds like employee, rather than customer, data to me
  • Attackers begin releasing Electronic Arts intellectual property as they try to amp up the pressure for the games company to pay up

Threat intel

  • SonicWall warns customers of an ‘imminent ransomware campaign using stolen credentials’ targeting the firm’s Secure Mobile Access (SMA) and Secure Remote Access (SRA) product lines running the end-of-life 8.x firmware
  • New version of VNC coming to TrickBot malware, according to BitDefender
  • Linux variant of HelloKitty ransomware is targeting VMware ESXi instances
  • iOS zero-day used by SolarWinds attackers, delivered via LinkedIn messages (the vulnerability was patched in March)
  • More than 100 individuals were targeted with spyware from Israeli vendor Candiru, according to Citizen Lab and Microsoft


  • Pre-auth remote code execution vulnerability in ForgeRock’s OpenAM platform is being exploited in the wild, according to Australian Cyber Security Centre (ACSC)
  • Remote code execution in SolarWinds Serv-U file transfer application
  • SQL injection vulnerability in Automattic’s WooCommerce plugin for WordPress, used on 5 million websites

Security engineering

  • One for the graphers amongst you: Deciduous lets you generate security decision trees
  • Google adds support for ‘BIMI’ to Gmail: organisations with DMARC, DKIM and SPF on their domains can enable verified logos for their email addresses. That means you can have your company logo appear on the circle next to a message, rather than initials. It would be great if more organisations did some of these email basics, so perhaps this will give folks the nudge they need.
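Before a logo will show, mail providers check that the sending domain’s DMARC policy is actually enforcing. As an added example (not from Google or the newsletter), this Python snippet parses constructed DMARC and BIMI TXT records and reports why a domain would or wouldn’t be BIMI-ready; the requirements encoded (p=quarantine or reject, pct=100 with quarantine, an HTTPS SVG logo, and a VMC for Gmail) follow the BIMI spec and Gmail’s published prerequisites, and the domain and records are made up.

```python
# Constructed sample DNS TXT records for a hypothetical domain (no real lookups).
SAMPLE_TXT = {
    "_dmarc.example.test": "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@example.test",
    "default._bimi.example.test": "v=BIMI1; l=https://example.test/brand.svg; a=https://example.test/vmc.pem",
}


def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT record into a dict with lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def bimi_readiness(txt, domain, selector="default"):
    """Return (ready, reasons); txt stands in for a DNS resolver (name -> TXT string)."""
    reasons = []
    dmarc = parse_tags(txt.get(f"_dmarc.{domain}", ""))
    if dmarc.get("v") != "DMARC1":
        reasons.append("no DMARC record")
    else:
        policy = dmarc.get("p", "none").lower()
        pct = int(dmarc.get("pct", "100"))  # pct defaults to 100 when absent
        if policy not in ("quarantine", "reject"):
            reasons.append(f"DMARC policy is p={policy}; BIMI needs quarantine or reject")
        elif policy == "quarantine" and pct != 100:
            reasons.append(f"DMARC pct={pct}; BIMI needs pct=100 with p=quarantine")
    bimi = parse_tags(txt.get(f"{selector}._bimi.{domain}", ""))
    if bimi.get("v") != "BIMI1":
        reasons.append("no BIMI record")
    else:
        logo = bimi.get("l", "")
        if not logo.startswith("https://") or not logo.lower().endswith(".svg"):
            reasons.append("BIMI logo (l=) must be an HTTPS URL to an SVG")
        if not bimi.get("a"):
            reasons.append("no VMC (a=) in BIMI record; Gmail requires one")
    return (not reasons, reasons)


if __name__ == "__main__":
    ready, why = bimi_readiness(SAMPLE_TXT, "example.test")
    print("ready" if ready else "not ready", why)
```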

Internet of Things

  • Remote code execution (a lot of those, this week!) in Schneider Electric’s Modicon programmable logic controller (PLC). You need to be on the same network to exploit, though industrial control networks, such as those building management systems where these PLCs are often used, are rarely as segregated as staff might believe
  • Ring has rolled out multi-factor authentication and end-to-end encrypted video… but it’s opt-in for all users. That they are not secure defaults flies in the face of their CTO’s blog post saying “our customers should control who sees their videos”
  • U.S. Cybersecurity and Infrastructure Agency (CISA) and ISA Global Cybersecurity Alliance announce ‘first responder’ credentialing programme for industrial control incident response


  • Amnesty International is suing the New York Police Department (NYPD) for refusing to disclose records over facial recognition

Public policy

  • ACSC updates ‘Essential Eight’ guidance, now all mandatory
  • China has mandated that all network hardware and software vendors notify Beijing of vulnerabilities in their products within 2 days and keep public details under wraps until a patch is developed (in a ‘timely manner’)

Law enforcement

  • Interpol chief Jürgen Stock says ransomware “demands united global action” while calling for a new strategy and international collaboration

Mergers, acquisitions and investments

AKA, the TechCrunch section, this week:

  • Microsoft is buying RiskIQ for a reported $500M, according to Bloomberg
  • Financial crime investigations firm Quantexa raises $153M Series D to build out AI investigations tooling
  • MDR provider Arctic Wolf closes $150M Series F, claims 3,000 customers and has hired over 400 staff in the last 12 months, while…
  • Cybereason closes $275M Series F, adds Steve Mnuchin to the board, in bid to fuel “hypergrowth driven by strong market demand”
  • AttackIQ close $44M Series C to fuel expansion of attack simulation platform
  • Avast and NortonLifeLock are in ‘advanced discussions’ over a potential merger

And finally

Security Checkup feature coming to Instagram

Facebook’s Security Checkup feature is finally making its way to Instagram in a bid to help users secure their (compromised) accounts. Instagram accounts have been targeted by attackers seeking to extort influencers and content creators or to sell ‘OG’ usernames, so this will be welcome to many.
