Robin’s Newsletter #174

17 October 2021. Volume 4, Issue 42
White House ransomware summit attended by over 30 countries. Client-side scanning (such as for CSAM) may undermine democracy. Don't view-source on Missouri state websites

This week

30 countries discuss ransomware threat in White House-organised virtual meetings

The White House convened a summit of over 30 countries this week to discuss how to tackle the threat of ransomware. Over a series of virtual meetings spanning two days, participants agreed that ransomware is an “escalating global security threat with serious economic and security consequences.”

No formal treaty resulted from the meetings, though the UK, Australia, India and Germany will lead working groups to better co-ordinate and tighten the international response to ransomware. Action will be taken to “inhibit, trace, and interdict ransomware payment flows, consistent with national laws and regulations,” in the hope of disrupting cybercriminals’ ability to profit from their activities.

The ransomware problem has increasingly been likened to modern-day piracy: efforts are needed to ensure that ‘safe harbours’ are not available for ransomware gangs to operate from. Part of that will involve a coordinated diplomatic response “to states whenever they do not address the activities of cybercriminals,” according to a statement released after the summit.

This kind of global cooperation and coordination is a welcome step towards a consistent response to, and disruption of, cyber criminals. The problem needs to be tackled at the highest levels rather than left to individual businesses alone.

The meetings involved representatives from Australia, Brazil, Bulgaria, Canada, Czech Republic, Dominican Republic, Estonia, France, Germany, India, Ireland, Israel, Italy, Japan, Kenya, Lithuania, Mexico, the Netherlands, New Zealand, Nigeria, Poland, the Republic of Korea, Romania, Singapore, South Africa, Sweden, Switzerland, Ukraine, the United Arab Emirates and the United Kingdom. The European Union was also represented.

Russia and China were notably absent from proceedings.

Interesting stats

2.4Tbps distributed denial-of-service attack mitigated in August, stemming from a 70,000 strong botnet, mainly based in the Asia-Pacific region, according to Microsoft

1 in 15 SolarWinds users are still running a version that is being actively exploited, according to Randori

95% of ransomware targets Windows, according to an analysis of samples uploaded to VirusTotal over the last eighteen months

518% increase in ransom demands in the first six months of 2021, compared to 2020, $5.3M average demand, with $570,000 the average payment, according to Palo Alto

Meanwhile… $5.2B of Bitcoin transactions have been tied to ransomware payments by the US Treasury, from over 2,000 Suspicious Activity Reports (SARs) filed over the last 10 years

Other newsy bits

Bugs In Our Pockets: Client-side content scanning violates data privacy and is a form of mass surveillance, say experts

A group of leading experts has warned against the adoption of ‘client-side scanning’ (CSS), such as Apple’s controversial proposed child sexual abuse material (CSAM) detection functionality (vol. 4, iss. 32).

The ‘who’s who’ of cryptographers, including Hal Abelson, Ross Anderson, Steven M. Bellovin, Josh Benaloh, Matt Blaze, Jon Callas, Whitfield Diffie, Susan Landau, Peter G. Neumann, Ronald L. Rivest, Jeffrey I. Schiller, Bruce Schneier, Vanessa Teague, and Carmela Troncoso, argue that “CSS neither guarantees efficacious crime prevention nor prevents surveillance.”

Of particular note is the historic inability of private companies, such as Apple, to resist the pressures and legal requirements of governments in the countries where they operate. The storage of Chinese citizens’ data within China and the removal of the ‘Navalny’ app in Russia are the two examples cited.

“[Device scanning] makes what was formerly private on a user’s device potentially available to law enforcement and intelligence agencies, even in the absence of a warrant,” — Whitfield Diffie

The paper identifies technical ways in which CSS can fail and be evaded and expands on the ways in which it may be abused by authorities to be repurposed as a mass surveillance tool.

Ultimately the paper concludes that CSS is far more privacy-invasive than earlier proposals to weaken encryption, which would at least have required the use of targeted warrants.

El Reg’s write-up and the executive summary of the paper are well worth a read.

In brief

Attacks, incidents & breaches

  • Four-hour outage of NHS vaccine passport system left travellers stuck in airports
  • Axosoft’s GitKraken service generated duplicate SSH key pairs: GitHub, Bitbucket, GitLab and Microsoft have all revoked the insecure keys
  • A 26-year-old allegedly stole credentials and used them to delete and alter maintenance records at a Florida flight school, marking planes as ‘airworthy’, in an apparent attempt to get back at a former employer
  • Olympus takes network offline for the second incident in as many months (vol. 4, iss. 38)
  • OVH, the third-largest hosting provider in the world, experienced downtime after a router misconfiguration during planned maintenance (echoes of Facebook’s recent outage here)
  • Misconfigured ElasticSearch server leaked 1.75 billion sensitive files of Brazilian e-commerce platform Hariexpress
  • Taiwanese electronics company Acer has suffered an ‘isolated attack’ resulting in a breach of after-sales service systems in India, with 60GB of data being stolen, including details of 10,000 customers and 3,000 distributors and retailers
  • Verizon-owned mobile operator Visible confirms widespread credential stuffing attack against its users
  • Thingiverse, a 3D printing site, breached and details of 228,000 users compromised

Threat intel

  • Cybersecurity and Infrastructure Security Agency (CISA) alert on the threat to US water and sewerage systems
  • Fox-IT report on the ‘SnapMC’ group, which exploits a vulnerability in the Telerik ASP.NET framework and conducts a 30-minute smash-and-grab on data before demanding a ransom not to release the files
  • ‘FontOnLake’ malware targeting Linux systems, according to ESET
  • Romance scams are targeting users on dating sites, then encouraging them to install fake crypto investment apps that steal their money and personal data
  • Imperva claims an ad-blocking Chrome extension did block ads, then injected its own ads instead
  • Clipboard hijacking malware ‘MyKings’ alters cryptocurrency addresses to siphon off funds and has netted almost $25M, according to Avast
  • A campaign dubbed MirrorBlast is targeting financial services firms with macro-laden Excel files, according to Morphisec
  • Twitter suspends accounts tied to North Korean attempts to catfish security researchers

Vulnerabilities

  • LibreOffice and OpenOffice vulnerability patched that allowed document signatures to be forged
  • 71 vulnerabilities, including four zero-days, fixed in Microsoft’s October Patch Tuesday
  • New side-channel attacks found against AMD CPUs that are similar to the Meltdown vulnerabilities from 2018 (vol. 2, iss. 20)

Privacy

  • Potential $42M fine heading Facebook’s way for GDPR violations, but a rights group accuses the Irish Data Protection Commission (DPC) of allowing Facebook a “consent bypass” by accepting that its agreement with users is a contract, rather than consent, under GDPR
  • 7-Eleven breached Australian data privacy laws by collecting and retaining faceprints of respondents during market research survey, finds Office of the Australian Information Commissioner (OAIC)

Public policy

  • US federal agencies were ordered to give CISA access within 90 days to endpoint detection platforms to improve security efforts across government. CISA is also to produce a maturity model for agencies to baseline and implement improvements against
  • Sticking with the US government, the White House plans to shift agencies from SMS and app-based multi-factor authentication to hardware keys in efforts to prevent phishing
  • Australian government to introduce new legislation and stand-alone offences for cyber extortion, targeting critical infrastructure, stealing data, dealing with stolen data, and buying/selling malware


  • LinkedIn to pull their main app from China, due to ‘challenging’ regulatory environment

Mergers, acquisitions and investments

  • Cambridge University calls off £400M deal with the United Arab Emirates citing concerns over Pegasus spyware
  • Evolution Equity Partners closes new $400M fund focussed on cyber security

Partnerships, rather than M&A, but Google has been striking deals:

  • Announced a Cybersecurity Action Team, with involvement from CrowdStrike and Palo Alto Networks, to provide blueprints for business customers looking to secure their environments
  • Partnered with Cybereason on an initiative to improve cloud XDR (Extended Detection and Response)

And finally

YoU WouLdn’T ViEW soURcE a WEbsItE

Missouri governor, Mike Parson, united the infosec community this week with an absurd statement that a journalist was a ‘hacker’ worthy of prosecution for reporting that social security numbers of teachers had been leaked in the HTML source code of a state website.

Apparently right-clicking, view source (sorry, a “multi-stage process”) to look at the data (sorry, “decode the HTML”) transmitted by a web server to your browser is a computer crime.

Smashing F12 aside, I noticed a couple of interesting things from Governor Parson’s tweet:

  1. The Missouri Highway Patrol has a digital forensic unit
  2. They are best placed to investigate this type of computer crime in Missouri

Glad we cleared that up. SwiftOnSecurity won the internet with their response.
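The check that should have run before the page went live, as an added example (mine, not the newsletter’s, and nothing to do with Missouri’s actual site): a scan of the served HTML for SSN-shaped strings, run here against a constructed sample page. It makes the point above concrete: a `display:none` div, an HTML comment and a hidden form field never appear on screen, but they are in the response bytes, so a parser sees them exactly as view-source does. The element names, sample values and `staff_ref` field are all invented for the example.

```python
from __future__ import annotations

import re
from html.parser import HTMLParser

# Constructed sample of a server response, written for this example. It is not
# Missouri's site, but it has the same shape: data that the page never renders
# still arrives in the HTML and so is visible to anyone who presses F12.
SAMPLE_HTML = """<html><body>
<h1>Educator certificate lookup</h1>
<p>Order #000123456 is not an SSN, nor is the phone number 555-123-4567.</p>
<table><tr><td>Jane Doe</td><td>Certified</td></tr></table>
<!-- TODO remove before launch: test record 456789012 -->
<div id="raw" style="display:none">Jane Doe,123-45-6789,Certified</div>
<input type="hidden" name="staff_ref" value="ssn:321-54-9876">
</body></html>"""

# Nine digits, optionally in the NNN-NN-NNNN grouping. \b stops it matching
# inside longer digit runs, so a 10-digit phone number never matches.
SSN_RE = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")

# Elements that never get a closing tag, so they must not stay on the element stack.
VOID_TAGS = {"input", "br", "img", "meta", "link", "hr"}


def looks_like_ssn(candidate: str) -> bool:
    """Structural check only: rejects area/group/serial values the SSA never issues."""
    digits = candidate.replace("-", "")
    area, group, serial = digits[:3], digits[3:5], digits[5:]
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


class ResponseScanner(HTMLParser):
    """Collects every string in the response (text, comments, attribute values)
    together with where it sits, ignoring whether CSS would ever display it."""

    def __init__(self) -> None:
        super().__init__()
        self.chunks: list[tuple[str, str]] = []
        self._stack: list[str] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value:
                self.chunks.append((f"attribute {name} on <{tag}>", value))
        if tag not in VOID_TAGS:
            self._stack.append(tag)

    def handle_endtag(self, tag):
        if tag in self._stack:
            while self._stack.pop() != tag:
                pass

    def handle_data(self, data):
        if data.strip():
            parent = self._stack[-1] if self._stack else "document"
            self.chunks.append((f"text in <{parent}>", data))

    def handle_comment(self, data):
        self.chunks.append(("comment", data))


def find_ssns(html: str) -> list[tuple[str, str]]:
    """Return (location, value) for every SSN-shaped string in the served HTML."""
    scanner = ResponseScanner()
    scanner.feed(html)
    scanner.close()
    return [
        (location, match.group())
        for location, text in scanner.chunks
        for match in SSN_RE.finditer(text)
        if looks_like_ssn(match.group())
    ]


if __name__ == "__main__":
    for location, value in find_ssns(SAMPLE_HTML):
        print(f"{location}: {value}")
```

Run against the sample it reports three hits (the comment, the hidden div and the hidden input) and correctly ignores the nine-digit order number and the phone number. The matching is structural, so expect false positives on real pages; the value is in running it against the rendered response your server actually sends, not against the template, since that is the only artefact the browser, and anyone with it, ever sees.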

