Robin’s Newsletter #172

3 October 2021. Volume 4, Issue 40
Azure AD wasn't logging all failed SSO requests. Ransomware crew gets pissy. 'Monoculture' cyber risk.

This week

Azure AD wasn’t logging failed Seamless SSO login requests

A ‘flaw’ in the design of Azure Active Directory allows repeated, unlogged, single-factor authentication attempts without a lockout, according to research from Secureworks. This would allow attackers to brute force passwords of user accounts without any knowledge of the target organisation.

The issue, which exists in the Seamless Single Sign-On (SSO) process, was reported to Microsoft in June, who responded to the submission in July saying that the operation was “by design.” Now Secureworks have posted their research and a proof of concept that exploits the flaw is available on GitHub.

Azure AD’s Smart Lockout feature can be used to prevent abuse and Microsoft also now appears to be rolling out changes to ensure that the requests are logged (and available via graph API).

In a statement to Ars Technica, Microsoft says “All such requests for access tokens are then protected by Conditional Access, Azure AD Multi-Factor Authentication, Azure AD Identity Protection and surfaced in sign-in logs.”

Quality of design choice aside, the previous lack of logging is not behaviour many admins would expect. As systems develop in complexity, maintaining a common set of services can become challenging, though consolidating (rather than reproducing) similar functionality across multiple APIs helps. (POC)

JVCKenwood ransomware attack and Conti get pissy

Electronics manufacturer JVCKenwood group, known for car stereos and speaker systems, has suffered a ransomware attack. The Conti ransomware gang compromised servers of the group’s European operations and made off with 1.5TB of data before demanding a $7 million ransom.

What’s interesting though is that, following the attack, screenshots of conversations between JVCKenwood and Conti surfaced online and the cybercriminals are not happy about it.

Publishing a ‘press release’, the group said that media coverage was to blame for failed negotiations and threatened that if any victims publish copies of chat logs or upload files to VirusTotal (where security researchers can pull out information needed to access these chat sites) they will release the data they have stolen.

It’s an attempt to intimidate victims, and journalists, and stifle coverage of their criminal activity as Conti, and other ransomware gangs, try to balance higher ransom demands with keeping off the radar of law enforcement and other authorities.

‘Monoculture’ cyber risk

An interesting read from Paul Rosenzweig on the putting-all-your-eggs-in-one-basket, or market-concentration, risk of tech monopolies in enterprise and government, questioning whether this needs to be addressed in the interests of national security.

Interesting stats

59% of people are able to avoid financial impacts of identity theft, however only 47% of black people, indigenous people and people of colour (BIPOC) are, and they also experience $200 worse consequences, on average, according to Malwarebytes, Digitunity and the Cybercrime Support Network

9/10 websites are now served over HTTPS, so EFF is deprecating the HTTPS Everywhere plugin because “HTTPS is actually everywhere.”

96% of third-party containerised apps contain known vulnerabilities, and 63% of code used to build cloud infrastructure contains misconfiguration, according to Palo Alto Networks

£1.09 per month is the average amount a user would be willing to pay to Facebook or Google for a guarantee to receive generic, rather than targeted, adverts according to a survey of 4,000 UK consumers carried out by Which (there are roughly 50M Facebook accounts in the UK; that would net ~£650M, however, the social network currently generates over £1B in revenue from targeted ads)

In brief

Attacks, incidents & breaches

  • Details of 3.1M customer cards of retailer Neiman Marcus Group were breached in May 2020 and it’s taken 17 months for them to notice
  • Freelancer and contractor services firm Giant Group has ’shut down its whole network’ following a “sophisticated” cyber-attack, affecting 8,000 people who use it as an umbrella company and get paid from clients
  • Google has removed 200 apps, installed by over 10 million people, from the Google Play Store that engaged in premium SMS fraud for eleven months
  • Ransomware attack against trucking firm Forward Air in December 2020 resulted in employee data, according to a new filing with the SEC
  • Cryptocurrency was stolen from 6,000 Coinbase customers after attackers were able to bypass the platform’s SMS-based multi-factor authentication controls, … while…
  • Competitor Compound accidentally paid out $90M following a system upgrade, with the founder threatening to dox customers that don’t repay the cryptocurrency

Threat intel

  • Criminals are posing as Amnesty International and advertising ‘anti pegasus’ apps that actually steal passwords
  • Microsoft publishes details on ‘FoggyWeb’ backdoor that intercepts SAML requests to Active Directory Federation Services (AD FS) portal and exfiltrates signing certificates 
  • BodyStealer malware includes features to steal accounts for gaming platforms including Steam, Epic Games Store and EA Origin
  • FinSpy/FinFisher has been updated to support UEFI bootkits, says Kaspersky
  • One-time password ‘interception’ services popping up on Telegram, says Intel 471, that place fake fraud prevention calls that require a victim to enter their multi-factor authentication code
  • Password brute-forcing against RDP servers doubled when comparing May to August with January to April, says ESET


  • Researchers from the University of Birmingham and University of Surrey demonstrate flaws in the Apple Pay ‘express transit’ mode of Visa cards to bypass Lock Screen and contact limits and make payments
  • Apple AirTags can be used in cross-site scripting attacks (XSS) against good samaritans that identify lost belongings

Security engineering

  • Cloudflare gets into email security, offers mailbox protection and ‘Security DNS Wizard’ to make SPF and DKIM easier for small businesses to enable
  • 1Password, partnering with Fastmail, announces ‘Masked Email’ a service similar to Apple’s ‘Hide My Email’ feature
  • NSA/CISA release guidance on ‘Selecting and Hardening Remote Access VPNs’
  • CISA releases insider risk self-assessment tool to help owners and operators of critical infrastructure understand their vulnerability to insiders
  • Facebook open sources Mariana Trench tool used internally to find and fix bugs in Android apps


  • IKEA hid security cameras above toilet cubicles in its warehouse in the UK, as far back as 2015(!), for health and safety purposes

Public policy

  • The ‘quad’ group of USA, India, Australia, and Japan, will launch “Senior Cyber Group” and collaborate on tech standards and rare metal supply chains
  • Rob Joyce, NSA cybersecurity director, says “almost every nation in the world now has a cyber exploitation program”
  • US to host a meeting of 30 countries to discuss cybercrime, ransomware threats


  • US Federal Communications Commission (FCC) has proposed rules that telcos must use ‘secure methods’ to authenticate customers to help prevent SIM-swapping and port-out fraud

Law enforcement

  • Ilya Sachkov, CEO of cyber company Group-IB, was arrested by Russian authorities on charges of high treason
  • FBI arrests 33 people tied to ‘Black Axe’ gang across Texas for roles in BEC and romance scams that netted $17M from over 100 victims

Mergers, acquisitions and investments

  • Cyber insurer Coalition closes $205M Series E round, claims tech-first approach to underwriting is more successful as customer base doubles in the last year to over 50,000
  • Microsoft announces partnership with insurer At-Bay, savings promised for implementing specific controls
  • Akamai acquires micro-segmentation startup Guardicore in $600M deal 
  • Arctic Wolf acquires training company Habitu8

And finally

It’s always DNS… unless it’s the certificate

The intermediary certificate used by popular certificate authority Let’s Encrypt expired this week, causing issues with some websites and security products and services. Vendors from Palo Alto, Bluecoat, Cisco, Catchpoint, Fortinet to Auth0 were all caught out by the entirely predictable need to update their certificate chains with a replacement for ‘IdenTrust DST Root CA X3’. As more than 9-out-of-10 sites now use HTTPS (Interesting Stats above), this kind of thing will only become more common and older devices that no longer receive support updates may be particularly badly affected.

