Robin’s Newsletter #168

5 September 2021. Volume 4, Issue 36
Focus on proxyware, patch your confluence servers, the normalisation of surveillance, and interview with a ransomware negotiator.
Join hundreds of subscribers who get this first, every Sunday. Subscribe

The next couple of newsletters will be a slightly condensed affair as I’m on holiday.

This week

Focus on proxyware

Cisco Talos have a good write up on proxyware: tunnelling traffic to ‘share’ internet bandwidth with other users and make it appear to be coming from other networks - a bit like Tor - with those that install the software often being paid modest fees for running a node and participating in the network. It’s an interesting risk due to the range of sources, events and consequences involved.

Source-wise, the monetisation aspect has made it interesting to cybercriminals who seek to gain access to corporate networks, install the software and profiting while the organisation foots the bill for any bandwidth changes. But the subreddits for projects like Honeygain and Nanowire show ‘insiders’ looking to cash in on their employers and even family members installing it on their devices surreptitiously.

Because the internet bandwidth is being shared with unknown parties - who are by nature seeking anonymity for their browsing - there are potentially serious consequences to unwitting victims that have had the software installed. These range from access to popular websites being restricted due to suspicious browsing habits (which in itself may hamper business activities). At the other end of the spectrum, as requests will originate from the organisation’s IP address, any legal challenges resulting from illegal activity or abuse notifications will be tracked back and sent to the unsuspecting victim. 

Interesting stats

33% rise in earnings transcripts mentioning ‘cybersecurity’ in the first half of 2021, according to Global Data

10.7% of Google Firebase databases are ‘open and exposing data’ according to Avast

3/4 of organisations have cyber insurance, according to Risk Ledger, with £1M-£10M being the most common level of cover. The spread looks like: 1.3% £1,000 - £10,000,  7.6% £10,000 - £100,000,  19.1% £100,000 - £1,000,000,  62.3% £1,000,000 - £10,000,000,  8.8% £10,000,000 - £100,000,000,  0.6% £100,000,000 - £500,000,000

Other newsy bits

Patch your Confluence servers!

A vulnerability in Atlassian’s Confluence product allows attackers to bypass authentication and execute commands is being actively targeted by cybercriminals. CVE-2021-26084 scores 9.8/10.0 on the CVSS scale and a US Cyber Command warning says that “mass exploitation” of the vulnerability “is ongoing and expected to accelerate.” If you use Confluence, patch it now!

Normalising surveillance

This week Apple announced that it was going to push back and review its Child Sexual Abuse Material features announced a month ago (vol. 4, iss. 32).

Susan Landau has a considered post on normalizing surveillance over at Lawfare looking at the repercussions of Apple’s approach and the precedent it sets for other, less well-meaning forms of surveillance.

Interview with a ransomware negotiator

Dominic Connor at the Register has an interesting read with Nick Shah, formerly of the UK’s National Crime Agency (NCA) and now of Storm Guidance on his role negotiating with ransomware actors.

In brief

Attacks, incidents & breaches

  • Bangkok Airways confirms a 23rd August personal data breach that appears to be the result of the LockBit ransomware group. Stolen data includes names, nationalities, genders, phone numbers, emails, addresses, contact information, passport information, historical travel information, partial credit card information and special meal information for passengers (a list that looks suspiciously like the data for a frequent flyer programme)
  • Fujitsu tries to downplay 4GB of customer data apparently obtained from the out-sourcing giant, says it is being treated separately to the previous ProjectWEB breach in July (vol. 4, iss. 22)
  • Canada accepted 7,300 visa applications over their annual cap of 40,000 for students seeking a path to permanent residency due to a glitch in systems
  • Over one million records from Indonesia’s COVID-19 quarantine management app were available online

Lastly, two great scenarios for your to add to the list when you’re exercising your IR plans:

  • Coinbase accidentally told 125,000 that their account security details had changed… when they hadn’t
  • Disgruntled credit union employee deleted 20,000 files (21GB) after being fired, costing the organising over $10,000 to remediate

Threat intel

  • Proof of concept for sale on cybercrime forum hides malware in the RAM on graphics cards, away from the capabilities of current endpoint detection tools
  • US officials concerned that Hafnium exploit of Exchange servers may have been to train Chinese artificial intelligence systems
  • Rise in the number of native English speaker requests being advertised on crime forums as BEC scammers seek to improve the quality of their fraudulent emails
  • Dropper-as-a-Service, that can be tasked to install malware on thousands of victims computers, dissected by Sophos
  • VOIP service providers are being targeted by massive DDOS attacks and extortion demands that disrupt calls, while New Zealand ISP also knocked offline by large DDOS
  • Low-and-slow campaign gains access to victims inboxes and then periodically searches for gift cards
  • FBI warns farms and agriculture businesses of targeted ransomware attacks


  • ‘ProxyToken’ in Microsoft Exchange allows attackers to modify Exchange Server configuration without authentication, for example, they can add mail forwarding rules to users’ inboxes The issue was fixed in the July 2021 update and is tracked as CVE-2021-33766
  • 16 vulnerabilities in BlueTooth stacks, dubbed BrakTooth, released by Singaporean researchers
  • NPM package ‘pac-resolver’ fixes remote code execution vulnerability

Security engineering / blue team

  • Microsoft guidance on securing CosmosDB following vulnerability in Jupyter Notebook feature
  • The US Cybersecurity and Infrastructure Agency (CISA) have declared the use of single-factor authentication on internet-facing systems to be a bad practice that is ‘exceptionally risky’ to critical infrastructure, but also organisations at large.
  • … related: best practice can often be off-putting to organisations with limited budgets as costly, so the ‘anti-pattern’ of “bad practices” published by CISA will become a useful resource for the other side of the “OK, we can’t afford that, but we still need to not do this”
  • Microsoft will split Defender for Endpoint capabilities into two plans, allowing traditional anti-malware option for those on lower E3 licences
  • ‘Decisions and disruptions’ cyber response game looks pretty cool (H/T Phil)


  • Sky Broadband is allegedly monitoring customer’s connections to identify potentially pirated TV football streams and sharing this information with the UK’s Premier League
  • Ireland’s Data Protection Commission (DPC) fines WhatsApp €225M ($267M, £193M) for failing to comply with GDPR and not informing users of how parent company Facebook would use data. WhatsApp plans to appeal the decision
  • Bluetooth headsets don’t necessarily use address randomisation, allowing owners to be tracked finds Norwegian student


  • US Securities and Exchange Commission (SEC) fines three investment companies over compromises of email accounts. Cetera, Cambridge and KMS will pay $300K, $250K, $200K respectively for breaches of ‘safeguards’ rule 30(a) and exposing data of approximately 11,500 customers
  • Federal Trade Commission (FTC) bans spyware vendor SpyFone and CEO Scott Zuckerman from the surveillance industry, orders the deletion of ‘illegal’ acquired data and notify victims whose devices have been compromised by the firm’s software

And finally

Script floods Texas abortion whistleblower site with fabricated data

An activist opposed to Taxes’ “draconian” abortion law (passed this week) has released a script to flood whistleblower websites with fabricated data. The law bizarrely allows for citizens to sue other individuals they believe to have supported or enabled someone to get an abortion.


  Robin's Newsletter - Volume 4

  Proxyware Google Firebase Cyber insurance Atlassian Confluence Surveillance Apple Child Sexual Abuse Material (CSAM)