Robin’s Newsletter #162

25 July 2021. Volume 4, Issue 30
China called out for state-sponsored cyber campaigns. NSO Group in the spotlight (again) for spyware. Questionable QA on Google Chrome OS update.

There are still places available for this summer’s CyberFirst Advanced Virtual Summer Course, certified by NCSC. It’s open to UK students in Year 12 and 13 and is taking place 16th-27th August. More info and registration at (H/T John M)

This week

“Oi, China, stop it,” says White House and allies

The US, NATO, the EU, the UK, Australia, Canada, New Zealand and Japan made coordinated statements this week naming and shaming Chinese state-backed actors as responsible for the ‘Hafnium’ attacks on Microsoft Exchange servers that affected over 30,000 organisations (vol. 4, iss. 10). Other groups, such as APT31 (aka Judgement Panda or Zirconium) and APT40 (aka Jumper or Leviathan), were also tied to the Ministry of State Security and to contractors of the Chinese state respectively.

The coordinated press releases coincided with the US Department of Justice charging four Chinese nationals, operating from a front company in Hainan Province, over the Exchange attacks.

While some tactics, techniques and procedures were released by the Cybersecurity and Infrastructure Security Agency (CISA), the main thrust of this action is strategic diplomacy rather than tactical cyber defence for organisations.

The US Secretary of State, Antony Blinken, called out irresponsible collaboration with cybercriminals and contractors:

“Responsible states do not indiscriminately compromise global network security nor knowingly harbour cyber criminals — let alone sponsor or collaborate with them,” — Antony Blinken

Much as with the NSO Group story this week (see below): spies gonna spy. It’s the wholesale exploitation of thousands of organisations, and the turning of a blind eye to criminal activity on the side, that is central to the allegations.

Promising action if China doesn’t curb its cyber activity, Dominic Raab, UK Foreign Secretary, said “the Chinese Government must end this systematic cyber sabotage and can expect to be held to account if it does not.”

Chinese diplomats dismissed the allegations as “groundless” and a “malicious smear” and urged the abandonment of “ideological prejudice”.

Many companies rely on Chinese manufacturing or trade, and that can weaken an individual country’s diplomatic position. Multilateral action makes it harder for China to play countries off against one another or to retaliate against any one of them.

Interesting stats

740 ransomware victims named in Q2 2021, a 47% increase over Q1, according to Digital Shadows

63% of Android apps have at least one vulnerability. Of the 3,137 unique vulnerabilities identified across 3,335 free and paid apps on the Google Play store in Q1 2021, 73% were first disclosed more than two years ago, according to data from the Synopsys Cybersecurity Research Center analysed by Atlas VPN

2.3% of active Twitter accounts have enabled multi-factor authentication, according to Twitter. If you’re a Twitterer you should turn it on.

$136,576 average ransomware payment in Q2 2021, according to Coveware

Other newsy bits

NSO Group’s Pegasus malware tied to attacks on ’50,000’ individuals, but it may not be that clear-cut

Amnesty International, French investigative-journalism outfit Forbidden Stories and 16 media partners made headlines this week with claims of widespread ‘cyber-surveillance weapon abuse’. The claims stem from an investigation into Israeli spyware company NSO Group and their ‘Pegasus’ malware that is sold to government actors around the world.

The reporting centres around three aspects of the investigation:

  1. A leak of 50,000 phone numbers that may have been targeted
  2. Details and analysis of infrastructure used to deliver Pegasus malware
  3. Forensic analysis of the malware obtained from over 30 infected iPhones

Details of, and confidence in, the latter two are strong and have been independently reviewed; however, there are questions over the scale of those that may have been targeted. NSO Group has denied the scale, pointed to targeting safeguards and suggested the list comes from ‘Home Location Register’ lookups (services from telcos to determine the network and country of registration for a given SIM card).

While that shouldn’t be taken solely at face value, the articles I’ve seen focus much more on the forensic analysis of the malware than on the source and provenance of the leaked phone numbers.

The Guardian’s reporting on the source of the phone numbers is brief, caveated with “believed to be” language, and describes them as “people of interest by clients of NSO”. It shouldn’t come as much of a surprise that NSO clients, primarily government intelligence agencies, would be interested in other world leaders, business executives, union officials, religious leaders and some journalists.

In a recent ‘transparency’ report, NSO Group claimed to have 45 Pegasus customers, each with an average of 112 targets annually. That works out at roughly 5,000 targets a year, about 10% of the ‘bombshell’ 50,000 figure that is driving a lot of headlines.

The vast majority of people need not worry: these tools require huge resources to develop, are expensive to purchase, and are unlikely to be used against you unless you are of interest to international actors or high-level law enforcement agencies.

That’s important context, though it shouldn’t detract from the worthwhile discussion about oversight and export control of for-profit spyware.

Mastercard banned from taking on new customers in India

In 2018 India introduced a rule barring payments companies from transferring customer data overseas. Now the country’s central bank, the Reserve Bank of India, has barred Mastercard from adding new customers for non-compliance.

Data sovereignty rules are becoming increasingly popular, often introduced alongside other data protection legislation and regulation. That’s creating a growing compliance headache for international businesses, and especially online/tech businesses: some rules apply ‘extraterritorially’, meaning the rights are afforded regardless of the jurisdiction in which the business is established.

Although often badged as ‘privacy’ regulations, the obligations are operational ones, and businesses operating internationally may wish to carefully consider the risk scenarios associated with hosting data in different jurisdictions.

Google bricked a load of Chrome OS devices because of a typo in update

Google bricked some Chrome OS devices after pushing out an update with a single-character typo that broke password validation. A simple unit test should have caught the error, and updates are meant to go through three test channels before being considered for prime-time. That nobody detected this suggests Google’s code review, quality assurance and release processes are, well, perhaps not consistently up to scratch. Mountain View suggests users ‘not reboot’ their devices. Wonderful.

Respect In Security initiative launches to stamp out harassment and abuse in the cyber industry

Out of a Cyber House Party panel discussion has come a movement to stamp out abuse and harassment in the cyber security profession. A survey of 302 cyber pros revealed that 32% of them have experienced harassment online, rising to 35% in person. The Respect In Security initiative stands against harassment both online and in the workplace.

Long reads

Showing effective risk management adds value

It can be difficult to prove the benefit of avoiding the negative consequences of risk events. All being well, you will have spent the capital and nothing bad will have happened. Would it have not happened without investing the resources? We’ll never know.

However, there is evidence that higher-performing organisations have more mature risk management processes. What’s more, large publicly traded companies that suffered data breaches and went on to ‘underperform the market’ (vol. 1, iss. 13) were typically under-performing before their breach. Correlation does not equal causation, though it seems logical that poor governance and risk management may lead to an increased probability of consequential cyber security incidents.

Risk consultancy Broadleaf collated a good summary of the empirical evidence of good enterprise risk management (cyber risk being a component of that) back in 2019. It’s a good read that concludes…

“There is clear evidence that companies with risk management processes generate better financial and business outcomes than those without. There is also clear evidence that companies with higher levels of risk management maturity perform better than those with lower levels of maturity.” (H/T Phil H)

Hiding malware in machine learning models

This is some cool research: it’s possible to hide malware inside machine learning models while still having them perform their intended task, which means tooling that treats model files as inert data is unlikely to notice. The study, EvilModel: Hiding Malware Inside of Neural Network Models by Zhi Wang, Chaoge Liu and Xiang Cui, shows that 36.9MB of malware can be embedded into a 178MB AlexNet model with under 1% accuracy loss. Model files still have to be fetched, parsed and then separately extracted and executed by something on the host, so it’s not something to run out and start worrying about, but it is an interesting example of steganography.
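To make the mechanism concrete, here is an added illustration of the underlying trick, written for this newsletter and not taken from the EvilModel paper or its authors’ code. It assumes a model’s parameters are IEEE-754 float32 values and overwrites only the lowest-order mantissa byte of each weight with one byte of payload (one byte per weight, with a 4-byte length prefix, is this example’s own layout, not the paper’s); the ‘weights’ and the ‘malware’ bytes are constructed stand-ins. Because the sign and exponent are untouched, each weight moves by less than one part in 30,000, which is why a model can keep working while carrying kilobytes of foreign data per thousand parameters.

```python
import random
import struct

# Byte 0 of a little-endian IEEE-754 single is the low 8 bits of the 23-bit
# mantissa, so overwriting it never touches the sign or exponent and perturbs
# the value by at most 255 / 2**23 (about 3e-5) relative.
# ASSUMPTION: one payload byte per weight is this example's layout, not the paper's.
LENGTH_HEADER = struct.Struct(">I")  # 4-byte big-endian payload length prefix


def make_weights(n, seed=0):
    """Constructed stand-in for a layer's float32 parameters (not real model weights)."""
    rng = random.Random(seed)
    # Round-trip through float32 so every carrier value is exactly representable.
    return [struct.unpack("<f", struct.pack("<f", rng.gauss(0.0, 0.05)))[0]
            for _ in range(n)]


def embed_payload(weights, payload):
    """Return a copy of `weights` whose low mantissa bytes carry len(payload) + payload."""
    framed = LENGTH_HEADER.pack(len(payload)) + payload
    if len(framed) > len(weights):
        raise ValueError(f"carrier holds {len(weights)} bytes, payload needs {len(framed)}")
    carrier = list(weights)
    for i, byte in enumerate(framed):
        raw = bytearray(struct.pack("<f", weights[i]))
        raw[0] = byte  # replace the least-significant mantissa byte only
        carrier[i] = struct.unpack("<f", bytes(raw))[0]
    return carrier


def extract_payload(weights):
    """Read the length prefix, then that many low bytes, from a carrier."""
    low_bytes = bytes(struct.pack("<f", w)[0] for w in weights)
    (length,) = LENGTH_HEADER.unpack(low_bytes[:LENGTH_HEADER.size])
    body = low_bytes[LENGTH_HEADER.size:LENGTH_HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated carrier")
    return body


def max_relative_change(original, modified):
    """Largest |delta| / |w| over all non-zero weights: how far the 'model' moved."""
    return max(abs(a - b) / abs(a) for a, b in zip(original, modified) if a != 0.0)


if __name__ == "__main__":
    weights = make_weights(1 << 16)                 # 64 Ki "weights" = 64 KiB of carrier
    payload = b"\x7fELF" + bytes(range(256)) * 4    # constructed stand-in for a binary
    stego = embed_payload(weights, payload)
    assert extract_payload(stego) == payload
    print(f"embedded {len(payload)} bytes; max relative weight change "
          f"{max_relative_change(weights, stego):.2e}")
```

The practical takeaway is about where you look, not the encoding: a signed model file with a pinned hash tells you it is the model you expected, while content inspection of the weights tells you almost nothing, because the low-order bytes of genuine weights are already close to uniformly random. Controls belong at provenance (who produced the file, over what channel) and at the loader (a model file should never be handed to anything that can execute bytes it extracts).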

In brief

Attacks, incidents & breaches

  • DNS outage at content delivery network Akamai takes down a large chunk of the internet
  • Attackers claim to have 1TB of oil company Saudi Aramco’s data, obtained through a contractor, and are demanding a $50M ransom to delete the stolen data
  • Swiss price comparison website Comparis suffers a data breach, then customers start receiving scam calls on ‘how to deal with the breach’
  • U.K. firearms website breached and 110,000 users’ data published online
  • Law firm Campbell Conroy & O’Neil, which provides services to large companies like Ford, Boeing and Dow Chemical, suffered a breach in February and is now fessing up to it
  • Florida headquartered cloud services provider Cloudstar hit by ransomware attack
  • UK rail operator Northern Rail’s ticket machines, provided by Flowbird, taken offline following ransomware outbreak
  • Kaseya obtains master decryptor to help affected partners restore their operations

Threat intel

  • Huawei’s 2018 promise to spend $2BN on improvements has fixed some historic problems while new issues have been uncovered, resulting in “no overall improvement” in software quality and cyber security over the last three years, according to the latest report from the UK’s Huawei Cyber Security Evaluation Centre (HCSEC), which is staffed by NCSC and Huawei
  • Bank of England urged to ‘get a grip’ on the concentration of U.K. financial services now dependent on the cloud services of just AWS, Microsoft and Google
  • New group using ads on search engines to drive victims to download malware
  • Password stealing malware Formbook has been ported to macOS, called XLoader
  • Misconfigured Argo Workflows provide an attack vector for crypto-mining malware against Kubernetes clusters

Vulnerabilities

  • Patch or workaround available for remote code vulnerability in Fortinet’s FortiManager and FortiAnalyzer
  • (Now fixed) vulnerability in Windows Hello face recognition allowed bypass of authentication using a specially prepared printed image of the user’s face, because IR camera inputs were subject to less rigorous validation than their RGB counterparts
  • iOS wifi bug that bricked devices could also be used for code execution
  • Bug in Linux’s systemd allows unprivileged users to cause a kernel panic and denial of service
  • Local privilege escalation found in the Linux kernel’s filesystem layer, affecting Ubuntu, Debian, Fedora and other distributions (CVE-2021-33909; though Qualys would like you to call it Sequoia), and, in similar news…
  • Windows ‘SAM’ files can be read by non-administrators through volume shadow copies, giving access to the NTLM hashes of privileged users that can then be used to escalate privileges (CVE-2021-36934 / SeriousSAM / HiveNightmare). A temporary mitigation is available from Microsoft
  • Critical remote code execution vulnerability in Atlassian’s Jira Data Center and Jira Service Management Data Center products

Security engineering

Internet of Things

  • DHS / TSA announcing new mandatory measures for owners and operators of critical U.S. pipelines
  • MITRE ATT&CK evaluations of five industrial control system detection solutions against the Triton malware

Privacy

  • Catholic priest quits after commercially available app location data was de-anonymised and used to allege his use of Grindr. You need a lot less data than you think to do this: in this case, location data, plus knowledge of his residence, workplace and holiday home, had all been matched to the same ‘anonymous’ identifier.
  • DuckDuckGo trialling email privacy service that will scrub incoming emails of tracking pixels before forwarding to your existing email address
  • Australian Privacy Commissioner orders Uber to comply with local regulations following covered-up 2016 data breach that affected 1.2 million Aussies

Public policy

  • Five new bills have been approved by the U.S. Congress to strengthen the Cybersecurity and Infrastructure Security Agency’s role across national response, industrial control systems, state and federal cyber security, and supply chain. The Record has a list of the bills.
  • European Union announced plans to extend regulation to cover digital currencies, a move that would ban anonymous cryptocurrency wallets

Law enforcement

  • Microsoft Digital Crimes Unit awarded control over 17 domains used by West African business email compromise gang. BEC still dwarfs ransomware for financial consequences.

Mergers, acquisitions and investments

  • Rapid7 to acquire deep web threat intel company IntSights for $335M
  • Microsoft acquires privileged access management (PAM) vendor CloudKnox Security to further zero trust strategy
  • Passwordless startup Magic raises $25M Series A for ‘plug and play’ authentication
  • BT invests in US-based Safe Security to improve the cyber risk management capabilities of the firm’s managed security services

And finally

Forums of Babuk ransomware gang spammed with porn GIFs

Someone is spamming the forums of the Babuk ransomware group with gay porn GIFs and demanding the group pay a $5,000 ransom. The cybercrime group has dug its heels in and refused to pay, with The Record reporting they have also had to reset their forums at least twice. Get your tiny violins out.


Tags: Cyber-norms, China, Hafnium, APT31, APT40, NSO Group, Data sovereignty, Risk management, Machine learning (ML)