Robin’s Newsletter #163

1 August 2021. Volume 4, Issue 31
Biden's 'real shooting war' comments. Amazon's €746M GDPR fine. Iran's fake social media profiles. Phantom flotillas.
Join hundreds of subscribers who get this first, every Sunday. Subscribe

This week

President Biden: cyber-attacks can lead to ‘real shooting war’

Comments from a speech given by President Biden at the Office for the Director of National Intelligence this week made for a raft of coverage.

“If we end up in a war, a real shooting war with a major power, it’s going to be as a consequence of a cyber breach,” — President Biden

They shouldn’t come as much of a surprise: it would be incredibly unlikely for any leader to rule out retaliatory action and strategically limit their response options, especially when not knowing the nature of an attack. (Therein lies the premise of a nuclear deterrent, too.)

Meanwhile, the US Department of Justice announced the Russian Solarwinds attackers gained access to 27 atones offices, including 80% of the email accounts at the four districts of New York that investigate financial and white-collar crimes, including those of former President Trump.

And RiskIQ released details of 30 servers they say are being used by APT29, believed to be Russia’s SVR foreign intelligence agency. Used in the command and control of the WellMess malware, previously used to steal intellectual property, including COVID-19 research.
 Closer to home, President Biden issued a memo requiring CISA and NIST to develop cyber security performance measures and goals for critical infrastructure owners and operators.

Interesting stats

287 days to detect and contain a data breach in 2021, +7 days on 2020, according to IBM in a new report that estimates  $4.24 million average cost of a data breach, based on reports from 500 organisations analysed by Ponemon Institute

43% of phishing and social engineering attacks impersonate Microsoft, and there are 57 targeted attacks against the average CEO each year, according to Barracuda

Are ransomware gangs losing interest in ‘double extortion’ data leak sites?

521 victims posts to leak sites in December 2020, down to  129 in June 2021 following a steady decline, according to Recorded Future

Bar chart showing the number of victims advertised on ransomware leak sites (source: The Record)

Other newsy bits

Amazon hit with €746 million GDPR penalty

Quietly disclosed in a Security and Exchange Commission (SEC) filing on Friday came the news that Luxembourg’s data protection commissioner has proposed a €746M ($887M) penalty for misusing customer data for targeted advertising.

Luxembourg’s National Commission for Data Protection (CNPD) is involved because, under GDPR, it is the regulator in the country where the entity is headquartered that performs an investigation.

The penalty comes from a complaint made by a French privacy rights group representing 10,000 European citizens that also targets Apple, Facebook, Google and LinkedIn. The complaint alleges Amazon manipulates its customers for commercial means.

That sounds quite a lot like, well, “advertising” (though I confess to not having read the full complaint as it’s in French.)

Amazon disagrees with the fine and has said it will “vigorously” defend itself through the appeals process.

Defence workers targeted by fake fitness persona

This is a great example of the lengths that state-sponsored attackers will go to conducting intelligence operations in cyberspace. What is believed to be an Iranian group, operating a fake fitness instructor account on social media targeted military and defence staff over 18 months. “Marcella Flores” profile said that they lived in Liverpool, UK, and ultimately would share a link to malware that would steal usernames and passwords for onwards attacks against the target’s organisations. (H/T Tim O)

Google is updating how shared links for documents and files work, adding a ‘resource key’ so that you can’t just guess the URL of a shared file. That means previously generated links, such as those which you may have made public, will cease to work after 13th September 2021. 

The wording of the update to users is really poor and fails to articulate what’s changing. (I ended up speaking to a poor Google support rep over chat who had been inundated with enquires and lamented the poor product update comms). This Ars write up provides a much better description of the problem and change.

If you use Google Drive check it out, and how to explain the change to your colleagues and users. You can view a list of affected files by going to


Camille Stewart and Lauren Zabierek started the #ShareTheMicInCyber movement to tackle issues stemming from systemic racism and highlight the experiences of Black practitioners. Diversity of thought and experience is important in better defending organisations, and indeed society-at-large. Follow the hashtag and check out the website for more info.

Long reads

Phantom warships: integrity in maritime tracking 

A pattern in fake ‘AIS’ data signals, used by ships to advertise their location, heading and speed, has been discovered. It suggests that over 100 warships from 16 countries, including the UK, US and Russia, have been spoofed since August 2020, though for what means is unclear. It’s not always small changes either: on one occasion the Royal Navy’s newest carrier HMS Queen Elizabeth and an escort of five other vessels from three navies was spoofed.

In brief

Attacks, incidents & breaches

  • Kaseya denies direct or indirect payments in obtaining a decryption tool to unlock affected computers, says it was acquired from a ’trusted third party’ while requiring customers to sign a non-disclosure agreement before being able to unlock their networks and get back to business
  • Seized servers of VPN service provider Windscribe weren’t encrypted and contained server certificates and a private key that allowed customer traffic to be decrypted
  • UC San Diego Health, part of the University of California, suffers data breach of staff and patient data after five-month intrusion from phishing email
  • Dutch fishing (not that kind) site Raven Hengelsport left 246K customers records and 18GB of company data online in unsecured Azure blob for months
  • Northern Ireland’s COVID certification site was temporarily taken offline after some users received data of other users
  • Chipotle mail server taken over, used to send spam and phishing messages

Threat intel

  • Malware authors using newer programming languages in attempts to bypass countermeasures and frustrate reverse-engineering attempts
  • New ransomware group, DarkMatter, with ties to Darkside and REvil, recruiting network access brokers
  • Babuk ransomware decryptor ‘faulty’ and files rendered inaccessible, according to McAfee. This is not a good look for a ransomware group: poor results lead to weakening stance in negotiations with victims
  • Attack on Iranian train system was ‘never-before-seen’ wiper, dubbed Meteor by SentinelOne
  • New Android banking malware, dubbed Vulture
  • Compromised PyPI packages that may have been downloaded 30,000 times by developers stole credit card data, login credentials and installed other malicious code
  • Crypto-mining malware LemonDuck disables anti-malware tools, removes other malware and even patches some vulnerabilities in attempts to remain the sole occupants of an infected machine
  • Full data compromised by attackers in Electronic Arts breach released by attackers


  • Anyone can use a remote print server to grant themselves admin privileges 
  • US CISA, UK NCSC, Australia’s ACSC provide details of what they say are the ‘top 30’ vulnerabilities being exploited by malicious cyber actors, including vendors Citrix, Pulse Secure, Fortinet, F5, and Microsoft
  • The Purge: Cyber risk firm Qomplex to (re)release PunkSpider tool that scans and fuzz-tests websites for vulnerabilities then makes them publicly available hopes the people realise “we’re trying to do the right thing”. It’s a questionable judgement: small chance of actually resulting in a significant proportion of the vulnerabilities being fixed, while a significant probability that many will result in harm, not to mention the potential violation of computer misuse legislation

Security engineering

  • Reminder about why forcing regular password expiry is not a good move
  • ‘Safe Links’ feature being rolled out to Microsoft Teams for ‘just in time’ scanning of URLs for malware and phishing attacks  - Google’s Play Protect anti-malware app for Android detected just over two-thirds of malware, comes last in a league table against competitors


  • Google unveils more details on ‘safety section’ of Google Play Store where apps will have to disclose ‘privacy label’ type information
  • The privacy battle Apple isn’t fighting looks at ‘do not track’ requests in browsers

Public policy

  • Some cyber companies, including Accenture, CrowdStrike and Contrast Security, are excluding candidates from Colorado in an apparent attempt to avoid new laws that require the disclosure of salary ranges in a bid to combat inequality
  • Growing support for mandatory breach notification amongst US government officials
  • …while the UK considers lowering the reporting thresholds for digital service providers (think Amazon, Google, Microsoft) in post-Brexit regulatory divergence
  • New US Senate bill would require digital signatures for court documents in an attempt to cut down on fraudulent orders being used for authorising surveillance, domain seizures and online content removal


  • Israeli Ministry of Defense personnel ‘visit’ offices of spyware vendor NSO Group after a recent investigation by Amnesty International

Law enforcement

  • Ex-CIA staffer Joshua Schulte will represent himself in the retrial of ‘Vault 7’ leaks
  • Ex-eBay security boss sentenced to 18 months, and $15,000 fine, for their part in harassment and cyber-stalking, including sending a severed pigs head, to a Massachusetts couple that wrote negative stories about eBay (vol. 3, iss. 25)
  • Capitol rioter ordered to unlock PC with his face after ‘forgetting his password’ to gain access to video footage on the device; doesn’t violate Fifth Amendment rights

Mergers, acquisitions and investments

  • 1Password raises $100M in Series B funding round, valued at $2BN with $120M in ARR
  • Continuous asset management and controls platform Noetic closes $15M Series A funding round

And finally

Goofy password blunder on live TV

Italian commentators at the Tokyo Olympics didn’t realise they were on-air when trying to find the password for their computer. Complaining that Goofy, Pluto or Mickey Mouse were all too difficult, eventually viewers found out it was ‘Booth.03’ and matched their commentary booth. “Next time they will even put a semicolon.”


  Robin's Newsletter - Volume 4

  President Biden Amazon General Data Protection Regulation (GDPR) Iran AIS Spoofing Passwords PrintNightmare