Robin’s Newsletter #170

19 September 2021. Volume 4, Issue 38
Azure Linux VMs being compromised. OWASP Top 10 draft updates. Microsoft goes passwordless. Learning from other professions.

This week

Vulns in Azure Linux VMs being actively exploited

Security researchers have found vulnerabilities in Microsoft’s Open Management Infrastructure (OMI) project that can be trivially exploited to remotely execute code on Linux virtual machines running in Microsoft’s Azure cloud.

If a request simply omitted the authentication token, the OMI agent on the VM skipped the authentication check altogether and ran the supplied commands as root. Oops.

The OMI agent is installed as a side effect of enabling other Azure monitoring and log management services. Some users may not realise it has been installed when selecting those options: VMs with port 5986, 5985 or 1270 externally exposed are vulnerable.

The four vulnerabilities carry CVSS scores ranging from 7.0 to 9.8 out of 10, and users need to update the OMI agent manually (version onwards is not vulnerable).
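A quick triage check for the exposure described above, written for this issue rather than taken from Microsoft or the researchers: it parses `ss -ltn` style output and flags any of the three OMI ports that are bound to something other than loopback. The sample output is constructed, not captured from a real VM.

```python
"""Flag OMI listeners bound beyond loopback, from `ss -ltn` style output."""
import ipaddress

# The three listener ports the newsletter says make an Azure VM vulnerable.
OMI_PORTS = {5985, 5986, 1270}

# Constructed sample resembling `ss -ltn` output (not from a real host).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:1270    0.0.0.0:*
LISTEN 0      128    0.0.0.0:5986      0.0.0.0:*
LISTEN 0      128    [::]:5985         [::]:*
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
"""


def parse_listeners(ss_output):
    """Yield (host, port) for each LISTEN line; handles IPv4, IPv6 and wildcard."""
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue  # skip the header and anything that is not a listener
        host, _, port = parts[3].rpartition(":")
        host = host.strip("[]")
        if host == "*":
            host = "::"  # ss prints '*' for the IPv6 wildcard on some versions
        yield host, int(port)


def is_loopback(host):
    """True only for 127.0.0.0/8 or ::1; unparsable hosts are treated as exposed."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def exposed_omi_listeners(ss_output):
    """Return sorted (host, port) pairs where an OMI port is not loopback-only."""
    return sorted(
        (host, port)
        for host, port in parse_listeners(ss_output)
        if port in OMI_PORTS and not is_loopback(host)
    )


if __name__ == "__main__":
    for host, port in exposed_omi_listeners(SAMPLE_SS_OUTPUT):
        print(f"OMI port {port} listening on {host}: check version and NSG rules")
```

A wildcard bind is only reachable if the network security group or host firewall lets the traffic in, so treat a hit as a prompt to check the agent version and the NSG, not as proof of exposure.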

It hasn’t taken cybercriminals long to pick up on the issue: since Thursday this week they have been using a public proof-of-concept to enlist compute and bandwidth into mining cryptocurrency and participating in DDoS attacks.

“Astonishingly” sloppy work from Microsoft, and one to check and patch immediately!

Interesting stats

Two-thirds of cloud environment breaches stem from improperly configured APIs, says IBM

One in four European cyber insurance claims between 2016 and 2020 were for ransomware, rising to 32% in 2020, according to Marsh

$133,400,000 reportedly lost in 1,800 romance scams in the first half of 2021, according to the FBI

Other newsy bits

OWASP Top 10 rankings updated

The Open Web Application Security Project (OWASP) has released a draft update to its ‘top 10’ list of vulnerabilities that developers introduce into software, the first since 2017. Injection (such as SQL injection or XSS) falls from the top spot to third, while Broken Access Control climbs five places to take the crown.

Changes in the OWASP Top 10 rankings (source: OWASP)

The list is a good reference for software engineering and security teams to use as a benchmark for things that really shouldn’t be getting through to production environments.

Microsoft goes passwordless

Microsoft announced this week that users will soon be able to go ‘passwordless’ on their accounts, relying on security keys, multi-factor codes and an authenticator app to log in instead of a string of letters, numbers and special characters.

In Redmond’s post, they highlighted that they believe there are 579 password attacks every second, or 18 billion annually, and that 15% of people use their pets’ names as inspiration for passwords.

For all their ubiquity, passwords are one of the major things that ‘security has got wrong’, especially given the huge number of accounts and services that form part of our modern lives. So expect the trend to continue as other large players begin to phase them out in favour of other authentication mechanisms.

Interesting thinking

  • “The parts don’t fit” and the importance of systems thinking: @HiredThought
  • Lessons to learn from the One Laptop Per Child project in EdTech (and other xTech sectors) @gauravsingh961

In brief

Attacks, incidents & breaches

  • Camera and scientific equipment manufacturer Olympus ransomwared by BlackMatter group
  • Travis CI (continuous integration) platform issue exposed users’ secrets and keys from build pipelines
  • Customer contact centre provider TTEC, used by Best Buy, Bank of America and Verizon, becomes a victim of apparent RagnarLocker ransomware attack

Threat intel

  • Cybercriminals have rewritten Cobalt Strike from scratch for Linux
  • Ransomware gangs don’t like negotiators, with Grief saying they will delete the decryption key if victims hire one
  • Malware developers starting to use Windows Subsystem for Linux as a new method to compromise devices and avoid detection
  • List of vulnerabilities commonly used by ransomware/initial access brokers @pancak3lullz

Internet of Things

  • MikroTik publishes guidance on remediating devices compromised by the Meris Botnet


  • France, Spain and Italy criticise Ireland for failing to act swiftly on data protection complaints against US tech companies
  • Google extends support for ‘Permission Auto-Reset’ for devices running older Android OS’ back to Android 6

Public policy

  • US, UK and Australia form Aukus alliance, promising to share nuclear and cyber know-how

Law enforcement

  • Three ex-US intelligence agents are charged with operating as mercenaries for the UAE and helping to compromise targets’ networks and devices
  • Man who bribed AT&T employees to install malware (vol. 2, iss. 32) sentenced to 12 years in prison
  • Illinois man found guilty of running two DDoS services used to launch more than 200,000 attacks faces up to 35 years in prison

Mergers, acquisitions and investments

  • BitSight receives $250M investment from Moody’s (making them the largest shareholder) and acquires VisibleRisk to improve financial cyber risk exposure calculations

And finally

If accounting were like cyber security

There is lots we can learn from other, more established professions, and this fun, sarcastic take highlights some of the bizarre things cyber does as a profession and the things we could learn from accountants. (Something I’ve come to know a lot more about, and agree with, as part of a non-exec director diploma I’m doing)
