Robin’s Newsletter #171

26 September 2021. Volume 4, Issue 39
'Releasing the hounds' on ransomware actors, though FBI involvement in Kaseya shows offensive operations may already be underway.

This week

America needs to ‘release the hounds’ on ransomware

“America Is Being Held for Ransom. It Needs to Fight Back,” says CrowdStrike co-founder Dmitri Alperovitch in a New York Times op-ed this week.

Citing a lack of evidence that diplomacy is yielding any results on ransomware, and previous successful campaigns disrupting and degrading the Islamic State’s ability to operate in cyber-space, Alperovitch suggests that “purely defensive strategies will fall short,” and that “the task is too big” to expect every hospital, school, and small business to be able to defend itself.

There is some evidence that, on the down-low, a more offensive stance may already be being taken. During the Kaseya ransomware attack there was speculation that the company may have paid the cyber-criminals to obtain a decryptor for customers, but this week The Washington Post reported that the key came from the FBI, which had infiltrated REvil’s operations and had been monitoring the group.

The process of weighing the benefit to victims against compromising the long-term FBI operation resulted in a delay of 19 days, sparking debate and prompting one victim to point out that complete restoration was already well underway by that point and that “the decryptor key would have been nice three weeks before we got it.”

Meanwhile, the BlackMatter attack on farming services provider New Cooperative - which may cause shortages of grain, pork and chicken - shows that ransomware groups have similar ‘equities’ decisions to make: the negotiations between BlackMatter and New Cooperative show differences of opinion on what constitutes ‘critical infrastructure’.

BlackMatter is demanding $5.9 million to provide a decryptor to New Cooperative, who say their software is used in the production of 40% of the US’s grain and to schedule the feeding of 11 million animals.

Interesting stats

One in three people have tried to guess someone else’s password, and of those three in four have succeeded, according to Beyond Identity (shout out Gary!)

Other newsy bits

Interview with NSA employee recruited to UAE intelligence programme

Kim Zetter has an interview with David Evenden, a former NSA employee recruited to conduct cyber operations by a United Arab Emirates intelligence service, hot on the heels of charges being brought by the DoJ last week against three other former US intelligence employees (vol. 4, iss. 38).

Headhunters offering high salaries played a part in attracting him to the role, though he acknowledges that he was naive about the intentions and that, in hindsight, some of the interview questions (concerned with compromising Windows environments rather than tracking terrorists, as originally described) were ‘red flags’.

As an industry, infosec has focused a lot on building technical skills and less on the ethical and responsible use of those skills. This has left many people in the same shoes as Evenden, whose talent lets them develop impressive technical capability in far less time than it takes to develop a rounded world view on what is being asked of them.

Are cynicism and arrogant naivety the same thing?

Nation-state pressure on technology companies

Apple and Google removed an app created by the opposition to Vladimir Putin’s United Russia party to coordinate ‘smart voting’, allegedly after threats to prosecute their Russian staff. It shows that concerns over how other technologies, such as Apple’s child sexual abuse material (CSAM) detection (vol. 4, iss. 32), could be subjected to the same kind of pressure are valid.

Ultimately, tech (and other) companies can either comply with local legislation (regardless of public perception of how legitimate or dubious the requests may be) or cease operations and pull out of a market altogether.

In brief

Attacks, incidents & breaches

  • A Chinese-linked threat actor has apparently compromised India’s Aadhaar biometric database and may now have fingerprints, retinal scans and photos of 89% of India’s population
  • NSO Group’s Pegasus malware found on a Hungarian investigative journalist’s phone, plus the phones of five French cabinet members
  • Man who bribed AT&T employees to install malware (vol. 2, iss. 32) so he could unlock iPhones caused $201,497,431 of lost revenue to AT&T
  • Epik’s data breach included data scraped from WHOIS records of a lot of non-customers (myself included)
  • Republican Governors Association breached in the Hafnium Microsoft Exchange campaign earlier in 2021
  • Data breach at Texas-based mental health and substance abuse centre affecting more than 24,000

Threat intel

  • Mainstream coverage of smishing (SMS phishing) is picking up; threat actors could be adapting to greater use of mobile devices, email protection controls could actually be working, or a bit of both?
  • ‘TinyTurla’ malware linked by Cisco Talos to a Russian APT group; it impersonates the Windows Time Service but checks in like clockwork every 5 seconds
  • Microsoft Exchange Autodiscover protocol blunder releases usernames and passwords from misconfigured client devices: having tried the user’s own domain and failed, the client ‘backs off’ and tries an autodiscover host on the parent domain, right up to the top-level domain itself (.com, or the relevant country-code TLD), which the organisation does not control
  • US Cybersecurity and Infrastructure Security Agency (CISA) alert on Conti ransomware
  • New APT group dubbed ‘FamousSparrow’ by ESET targeting hotels for intelligence purposes
  • Lithuanian National Cyber Security Centre (NCSC) publishes assessment of Huawei, Xiaomi and OnePlus handsets, finding components that leak and censor information and dodgy repackaging of common apps
  • No honour amongst thieves: REvil has been scamming affiliates out of ransom payments
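The TinyTurla item above (a fixed 5-second check-in) is the kind of behaviour a beacon detector catches from proxy or firewall logs. The block below is an added example, not code from the newsletter or from Cisco Talos: it groups constructed log lines by source/destination pair, measures inter-arrival times and flags flows whose coefficient of variation (standard deviation over mean) is low, i.e. a timer rather than a human. The log format, the hosts and the 0.2 jitter threshold are assumptions; real implants often add jitter, so tune `max_cv` against your own traffic.

```python
"""Flag flows that check in at a near-constant interval (beaconing)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines (not real TinyTurla traffic), one per
# connection: "<ISO timestamp> <src> -> <dst>".
SAMPLE_LOG = """\
2021-09-20T10:00:00 10.0.0.5 -> 203.0.113.7
2021-09-20T10:00:05 10.0.0.5 -> 203.0.113.7
2021-09-20T10:00:10 10.0.0.5 -> 203.0.113.7
2021-09-20T10:00:15 10.0.0.5 -> 203.0.113.7
2021-09-20T10:00:20 10.0.0.5 -> 203.0.113.7
2021-09-20T10:00:25 10.0.0.5 -> 203.0.113.7
2021-09-20T10:00:02 10.0.0.5 -> 198.51.100.9
2021-09-20T10:00:31 10.0.0.5 -> 198.51.100.9
2021-09-20T10:01:07 10.0.0.5 -> 198.51.100.9
2021-09-20T10:03:44 10.0.0.5 -> 198.51.100.9
2021-09-20T10:09:15 10.0.0.5 -> 198.51.100.9
2021-09-20T10:00:01 10.0.0.8 -> 203.0.113.7
2021-09-20T10:00:06 10.0.0.8 -> 203.0.113.7
2021-09-20T10:00:12 10.0.0.8 -> 203.0.113.7
2021-09-20T10:00:16 10.0.0.8 -> 203.0.113.7
2021-09-20T10:00:21 10.0.0.8 -> 203.0.113.7
2021-09-20T10:00:27 10.0.0.8 -> 203.0.113.7
"""


def parse_flows(log):
    """Group connection timestamps by (src, dst)."""
    flows = defaultdict(list)
    for line in log.splitlines():
        ts, src, _arrow, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def beacon_candidates(log, min_events=5, max_cv=0.2):
    """Return (src, dst, mean_interval_seconds) for flows whose
    inter-arrival times are nearly constant.

    cv = stddev / mean of the gaps.  Human-driven browsing gives a high
    cv; a dumb timer gives one close to zero.  Flows with fewer than
    min_events connections are ignored because a handful of gaps cannot
    support a periodicity claim (assumed threshold)."""
    hits = []
    for (src, dst), times in parse_flows(log).items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing periodic here
        if pstdev(gaps) / avg <= max_cv:
            hits.append((src, dst, round(avg, 1)))
    return hits


if __name__ == "__main__":
    for src, dst, interval in beacon_candidates(SAMPLE_LOG):
        print(f"possible beacon {src} -> {dst} every ~{interval}s")
```

Run on the constructed log, the clockwork 5-second flow and the slightly jittered one from 10.0.0.8 are reported; the irregular flow to 198.51.100.9 is not.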
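The Autodiscover back-off above is easier to reason about in code. The block below is an added example, not the newsletter's own code and not Microsoft's client logic: it models the back-off as dropping the left-most label of the user's mail domain until only the top-level domain remains (a simplifying assumption about the real sequence), then applies a label-by-label domain check to show which candidate hosts fall outside the organisation's own domain. The same check is what a mail client, or a proxy rule, should use; a plain string `endswith` test is not enough, as the `evilexample.com` case shows.

```python
"""Model of the Autodiscover 'back-off' and a correct domain-boundary check."""


def backoff_hosts(email):
    """Candidate autodiscover hosts for a mailbox, in the order a backing-off
    client would try them.  Simplified model (assumption): start with
    autodiscover.<mail domain> and keep stripping the left-most label."""
    domain = email.rsplit("@", 1)[1].lower().rstrip(".")
    labels = domain.split(".")
    return ["autodiscover." + ".".join(labels[i:]) for i in range(len(labels))]


def under_domain(host, domain):
    """True if host equals domain or is a subdomain of it.

    Compared label by label so that 'evilexample.com' is *not* treated as
    part of 'example.com', which a naive host.endswith(domain) would do."""
    h = host.lower().rstrip(".").split(".")
    d = domain.lower().rstrip(".").split(".")
    return len(h) >= len(d) and h[-len(d):] == d


def leaking_hosts(email):
    """Candidate hosts the mailbox owner's organisation does not control,
    i.e. where credentials would go to a third party."""
    domain = email.rsplit("@", 1)[1]
    return [h for h in backoff_hosts(email) if not under_domain(h, domain)]


if __name__ == "__main__":
    for addr in ("alice@example.co.uk", "bob@example.com"):
        print(addr, "->", leaking_hosts(addr))
```

For `alice@example.co.uk` the model yields `autodiscover.co.uk` and `autodiscover.uk` as hosts outside the organisation; for `bob@example.com` it yields `autodiscover.com`.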


  • Critical vulnerability in VMware vCenter Server 6.7 and 7.0 ‘can be used by anyone who can reach vCenter Server… regardless of the configuration settings’
  • SonicWall

It’s been a bad week for Apple:

  • Only partially fixing an RCE by blocking file://, but not File:// or other capitalised variants like fiLe://
  • Three zero-days released by a ‘frustrated’ bug bounty participant
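The file:// item is a textbook deny-list mistake: URL schemes are case-insensitive (RFC 3986), so a check that compares the raw string against `file://` misses `File://`. The block below is an added illustration in Python, not Apple's code and not from the newsletter; the page gives no detail of the actual fix. It puts the bypassable check next to one that parses the URL and normalises the scheme first, and adds the allow-list form that is usually the better design.

```python
"""Scheme deny-listing: the case-sensitive check beside the hardened one."""
from urllib.parse import urlsplit

BLOCKED_SCHEMES = {"file"}          # what the deny-list is meant to stop
ALLOWED_SCHEMES = {"http", "https"}  # allow-list alternative (assumed policy)

# Constructed probe URLs; the first is what the naive check was written for.
BYPASS_ATTEMPTS = [
    "file:///etc/passwd",
    "File:///etc/passwd",
    "fiLe:///etc/passwd",
    "FILE:///etc/passwd",
    " file:///etc/passwd",  # leading space some loaders tolerate
]


def is_blocked_naive(url):
    """The bypassable version: case-sensitive prefix match on the raw string."""
    return url.startswith("file://")


def is_blocked(url):
    """Hardened version: strip surrounding whitespace/control characters,
    parse, and compare the lower-cased scheme against the deny-list."""
    cleaned = url.strip(" \t\r\n")
    scheme = urlsplit(cleaned).scheme.lower()
    return scheme in BLOCKED_SCHEMES


def is_allowed(url):
    """Allow-list form: only named schemes pass, so an unforeseen scheme
    (or an odd spelling of a known one) is rejected by default."""
    cleaned = url.strip(" \t\r\n")
    scheme = urlsplit(cleaned).scheme.lower()
    return scheme in ALLOWED_SCHEMES


if __name__ == "__main__":
    for probe in BYPASS_ATTEMPTS:
        print(f"{probe!r:26} naive={is_blocked_naive(probe)!s:5} "
              f"hardened={is_blocked(probe)!s:5} allowed={is_allowed(probe)}")
```

On the probes, the naive check stops only the all-lowercase spelling; the parsed check and the allow-list reject every variant.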

Security engineering

  • The root certificate Let’s Encrypt has been chaining to (DST Root CA X3) expires on 30th September; HTTPS connections from older devices that haven’t received recent software updates may fail to establish

Internet of Things

  • Siemens launches security information and event management (SIEM) platform for Industrial IoT


  • Reminder that the Mozilla Foundation has a great set of privacy reviews of popular apps and gadgets

Public policy

  • CISA chief Jen Easterly and National Cyber Director Chris Inglis ‘wholeheartedly’ back mandatory breach notification legislation for US
  • China bans all cryptocurrency transactions


  • US Treasury imposes sanctions on SUEX cryptocurrency exchange that “facilitated illicit activities for [its] own illicit gains”

Law enforcement

  • Digital transformation of the Mafia: 106 members arrested by Italian and Spanish police and Europol over €10M/$11.7M worth of SIM swapping, phishing and BEC scams

Mergers, acquisitions and investments

  • F5 Networks acquires Boston-based cloud-security startup Threat Stack for $68M
  • LG acquires auto cyber risk assessment startup Cybellum

And finally

“Stick your ransomware in your ass”

Ransomware negotiations conducted in public can provide insights into the tactics of groups. One victim had very little left to give:

Ransomware negotiations on fire (source: @ddd1ms)


