Robin’s Newsletter #175

24 October 2021. Volume 4, Issue 43
US bans sales of offensive cyber tools to authoritarian governments. REvil taken offline in multi-national operation. The MoD's economic warfare unit.

This week

US to require export licences for dual-use, offensive cyber tools to authoritarian governments

The US Department of Commerce has introduced new rules, subject to a 45-day consultation, that will limit the sale of offensive cyber tools to authoritarian governments, such as China and Russia.

Under the rules, companies that have a US presence will be required to seek an export licence for such technology, even if the company is headquartered elsewhere.

NSO Group, and their Pegasus spyware, have been cited by a lot of media coverage as an example of what will be covered by the new rules (though NSO Group has denied having a sales and marketing function in the US).

It’s the result of a long process: the original rules were published in 2015 and faced pushback from cyber security companies that said the rules would prohibit them from participating in threat intelligence and vulnerability disclosure activities.

The European Union published similar rules in November 2020 on so-called ‘dual use’ technologies that can be used in both civilian and military contexts. The US rules will bring them in line with these under the Wassenaar Arrangement, which covers voluntary export control policies on these dual-use technologies.

The Wassenaar Arrangement is an important step in an attempt to establish international norms on behaviour in cyberspace. It’s important because it is an agreement signed by both the US and Russia, who are usually on opposing sides of the development of cyber-norms.

Interesting stats

83% of 192 victims of ransomware say that they paid the ransom demand, according to ThycoticCentrify

$567,000 the average value of business email compromise (BEC) fraud attempts tracked by Palo Alto’s threat research group, Unit 42

25% of ~1,500 CobaltStrike samples uploaded to VirusTotal share the same public key, suggesting significant reuse of the penetration testing tool by cybercriminals sharing cracked copies of the software. The shared public, and therefore private, key should make it easier for defenders to spot the resulting traffic and potentially decrypt it.

Other newsy bits

REvil ransomware group taken offline

A multi-country operation has compromised the infrastructure of the ransomware group REvil and forced their websites offline.

The REvil group previously went offline and announced they were shutting up shop after significant law enforcement interest in their compromise of IT management vendor Kaseya earlier this year. The group resurfaced in September, without one of the prominent members, and it appears that the group spun back up their operations from backups.

In a delicious twist of irony, it seems that the operation was successful because the cybercriminals had restored their sites from backups, which included compromises from the FBI (and potentially other agencies). Restoring the sites also restored covert access.

Now the group has announced they are closing up shop again with one member, 0_neday, posting on an underground forum “Good luck, everyone; I’m off.”

As Recorded Future analyst Allan Liska points out: “no one brings old infrastructure that was literally being targeted by every law enforcement operation not named Russia in the world back online. That is just dumb.”

This cyber security awareness month, explain why your controls are important

This is an interesting anecdote of a ransomware attack against an organisation that had implemented device-based multi-factor authentication. The attackers were still able to get in because a senior member of staff received, and approved, MFA push alerts for access. They did so ‘because IT told me that is what I should do’. People are important to security. Make sure they understand the ‘why’ behind different policies and controls.

Creators beware: Google uncovers campaign targeting YouTubers with product reviews

Google has been investigating a series of compromises against high profile YouTube accounts over the last two years that managed to circumvent multi-factor authentication. The reason: attackers lured in creators by pretending to be sponsors seeking to promote things like VPN services. They would share copies of the software for review and, unbeknownst to the victims, the software would install malware that stole account information and cookies.

Long reads

The UK Ministry of Defence’s economic warfare unit helped to disrupt Isis

“Why let them go as far as the battlefield, if you can denude them of resources before they get there?” — Air Marshal Edward Stringer

This is an interesting read into how the MoD realised and sought to fight Isis as the terrorist group began trading and operating as a ‘proto-state’. The unit is staffed by reservists, rather than a standing capability, and it would be interesting to see how effective such novel approaches may be to combating cybercriminal enterprises.

Google’s guidance on risk governance in digital transformation

I confess to not having read all of this (yet!) but h/t to Mario for drawing it to my attention. It describes “the nature of a cloud-based digital transformation and the different considerations and approaches that will be required across the three lines of defense to enable such a transformation whilst keeping your organization secure and protected.” While pitched at Chief Risk Officers and internal audit heads, it’ll be of use to lots of governance, risk and compliance folks too. (PDF)

In brief

Attacks, incidents & breaches

  • Trick-or-treat? Ferrara Candy, who produce Nerds and Gobstoppers were hit by ransomware on 9th October, now running ‘near to capacity’ in preparation for Halloween demand
  • US television broadcaster Sinclair, who controls 294 stations in 89 different markets, suffers ransomware attack that takes some programmes off-air
  • Accenture says ‘proprietary information’ was lost in their breach earlier this year that has led to “breaches of systems and cloud-based services enabled by or provided by us”
  • National identity database of Argentina, Registro Nacional de las Personas (RENAPER), was compromised by an attacker who plans to sell off the data
  • A ‘stalkerware’ app is leaking call records, text messages and location data of thousands of people at risk - many of whom will not be aware they are victims
  • Crypto-miner malware found hidden inside three npm package repositories by Sonatype
  • Details of 50 million Moscow drivers have been stolen and are for sale for $800
  • UK supermarket Tesco website and app orders offline after “attempt to interfere with systems.” Tesco takes 1.3M orders/week and systems have been offline for approaching 48 hours.

Threat intel

  • FIN7 recruiting cyber specialists by fake front company ‘Bastion Secure’
  • Israel points finger at Chinese threat actors for ransomware attacks against healthcare organisations
  • TTPs of the BlackMatter ransomware group released by CISA
  • CrowdStrike says they believe LightBasin group is linked to the Chinese state and has compromised 13 telcos in pursuit of phone subscriber and call metadata for intelligence agencies
  • Interesting observation about the alignment between marketplaces and sellers/vendors: in this case two dark web markets where one single info stealer malware was the primary source of available PII
  • Evil Corp linked to ‘Macaw Locker’ ransomware variant in attempt to avoid US sanctions


  • Researchers from China, Singapore and Switzerland published a paper on ‘SmashEx’ - a vulnerability in Intel Software Guard eXtensions, or ‘secure enclave’

Internet of Things

  • Dutch government lab reverse engineers encryption on Tesla’s ‘black box’ driving data


  • FTC says US internet service providers are not clear to consumers on how they use, and monetise (rather than sell), their personal data and make it difficult to opt-out of such processing
  • Brave, the privacy-centric web browser, has replaced Google Search with its own search engine in the UK, Canada, USA, France and Germany


  • UK Competition and Markets Authority releases principles for auto-renewals on antivirus, making it easier for consumers to cancel and pricing more transparent

Law enforcement

  • Eight suspected romance scammers were arrested by South Africa police for stealing $6.85 million from victims
  • Pavel Stassi of Estonia and Aleksandr Skorodumov of Lithuania were sentenced to 24 and 48 months respectively for their roles in a ‘bulletproof’ hosting company that provided services to the Zeus malware operation

Mergers, acquisitions and investments

  • Valence announces $7m seed round to secure the ‘business application mesh’ of API connected SaaS and on-prem apps
  • SOC Prime completes $11M Series A with a novel model for collection and dissemination of cyber threat detection content

And finally

GPSd’s time machine

You may notice a few sites or services thinking it’s 2002 this Sunday. A bug in GPSd, a C library to allow time synchronisation with the Global Positioning System, will subtract 1024 from the ‘week rollover’ counter that should otherwise only reset once every 19.7 years. Versions from the end of 2019 through August this year are susceptible.
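To make the arithmetic behind this concrete, here is an added example (mine, not gpsd's code) of how a 10-bit GPS week counter is normally unwrapped against a reference date, what happens when one rollover period too many is subtracted, and the sanity check a consumer of GPS time can apply. The `buggy_unwrap_week` function is a simplified, hypothetical illustration of the symptom, not a reproduction of gpsd's actual logic; leap seconds are ignored.

```python
from datetime import datetime, timedelta, timezone

# Constructed example: GPS week arithmetic, not code from gpsd.
GPS_EPOCH = datetime(1980, 1, 6, tzinfo=timezone.utc)
WEEK_ROLLOVER = 1024   # a 10-bit week counter wraps every 1024 weeks (just under 20 years)


def gps_week_of(dt):
    """Full (unwrapped) GPS week number of a UTC datetime."""
    return (dt - GPS_EPOCH).days // 7


def gps_to_utc(full_week, tow_seconds=0):
    """Convert a full GPS week number plus time-of-week seconds to UTC."""
    return GPS_EPOCH + timedelta(weeks=full_week, seconds=tow_seconds)


def unwrap_week(week10, reference):
    """Resolve a 10-bit week (0..1023) to a full week number by assuming the
    fix cannot be earlier than `reference` (typically the software's build date)."""
    if not 0 <= week10 < WEEK_ROLLOVER:
        raise ValueError("10-bit week number out of range")
    ref_week = gps_week_of(reference)
    full = (ref_week // WEEK_ROLLOVER) * WEEK_ROLLOVER + week10
    if full < ref_week:          # counter has wrapped since the reference date
        full += WEEK_ROLLOVER
    return full


def buggy_unwrap_week(week10, reference):
    """Hypothetical faulty variant: subtracts one extra rollover period,
    sending the clock back 1024 weeks."""
    return unwrap_week(week10, reference) - WEEK_ROLLOVER


def plausible(full_week, reference):
    """Sanity check for consumers of GPS time: reject any fix that predates
    the software's own reference date, so a rollover error cannot rewind the clock."""
    return full_week >= gps_week_of(reference)


if __name__ == "__main__":
    build_date = datetime(2019, 12, 1, tzinfo=timezone.utc)   # constructed reference
    week10 = gps_week_of(datetime(2021, 10, 24, tzinfo=timezone.utc)) % WEEK_ROLLOVER
    good = unwrap_week(week10, build_date)
    bad = buggy_unwrap_week(week10, build_date)
    print("correct:", gps_to_utc(good).date(), "plausible:", plausible(good, build_date))
    print("buggy:  ", gps_to_utc(bad).date(), "plausible:", plausible(bad, build_date))
```

Run as-is it prints 2021-10-24 for the correct path and 2002-03-10 for the faulty one, with the plausibility check flagging the latter; a time daemon that refuses to step the system clock backwards past its own build date turns this class of bug into a logged error rather than a silently wrong date.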
