Robin’s Newsletter #176

31 October 2021. Volume 4, Issue 44
FCC revokes China Telecom license; Creating minimum viable secure products; ENISA threat landscape report.

This week

FCC revokes China Telecom license

The US Federal Communications Commission (FCC) voted unanimously to revoke China Telecom Americas’ license to operate this week. It’s the culmination of a request from the Department of Justice from April 2020 (vol. 3, iss. 15). The firm has 60 days to wind up its US operations and shut up shop.

The decision is driven by national security concerns, with the FCC review finding China Telecom “is subject to exploitation, influence, and control by the Chinese government and is highly likely to be forced to comply with Chinese government requests without sufficient legal procedures subject to independent judicial oversight”.

Those national security concerns are driven by classified briefings from intelligence agencies that allege the state-owned telco can ‘access, store and disrupt’ US communications as part of espionage activities. BGP hijacking is also a concern (vol. 1), and back in 2019 China Telecom mis-advertised BGP routes that redirected European traffic through China.

China Telecom Americas’ customers are primarily the Chinese diaspora living in the US; however, the company also provides fixed-line services to Chinese government facilities, such as embassies, in the US.

Interesting stats

1,000 US schools disrupted by 70 ransomware attacks so far in 2021, according to Emsisoft and Recorded Future

Other newsy bits

Minimum viable secure product

Google and Salesforce have released an open-source ‘minimum viable secure product’ standard. Building on the companies’ own work, and with backing from Okta, Slack and others, it aims to ‘establish minimum acceptable security baselines’.

The standard will be useful for software-as-a-service (SaaS) startups and businesses looking to make sure they have a decent set of baseline security controls in place, and is also intended to streamline procurement security conversations at businesses looking to buy such software.

Some good work here, check it out.

Long reads

ENISA Threat Landscape report

ENISA, the EU cyber security agency, has released its ninth threat landscape report that covers the period from April 2020 to July 2021. The report indicates that cyber threats are (unsurprisingly) on the rise, with ransomware ranking as the prime threat for this reporting period.

“In general, cybersecurity threats are on the rise. Spurred by an ever-growing online presence, the transitioning of traditional infrastructures to online and cloud-based solutions, advanced interconnectivity and the exploitation of new features of emerging technologies such as Artificial Intelligence (AI), the cybersecurity landscape has grown in terms of sophistication of attacks, their complexity and their impact.”

The Key Trends section is well worth a read, highlighting, amongst others:

  • Compromise through phishing e-mails, and brute-forcing on Remote Desktop Services (RDP) remain the two most common ransomware infection vectors.
  • Malware targeting container environments has become much more prevalent, with novel evolutions like fileless malware being executed from memory.
  • Business E-mail Compromise (BEC) has increased, has grown in sophistication and become more targeted.

In brief

Attacks, incidents & breaches

  • Disruption for fuel at 4,000 petrol stations in Iran following a suspected cyber attack against payment infrastructure that prevented the sale of fuel
  • Grief ransomware gang (linked to the sanctioned group EvilCorp) claims breach of US National Rifle Association (NRA) and lists them on leak site
  • A ‘cyber event’ at dairy company Schreiber Foods took plants and distribution centres offline over last weekend; the company will not comment on an alleged $2.5M ransom demand
  • EU investigating an apparent leak of the private key used to generate digital Covid passports
  • UK website Guntrader aims to avoid data breach lawsuits (vol. 4, iss. 30) as it calls in liquidators and director launches ‘Guntrader 2’ business

Threat intel

  • Microsoft says the Russian Nobelium (aka Cozy Bear) group has compromised 14 tech resellers, SaaS vendors and managed service providers in attempts to piggyback into customer networks, much like it did with the 2020 SolarWinds breach
  • Conti ransomware group is advertising network access - unclear if that’s a step towards ‘closing down’, a move into becoming a network access broker, or something else. It’d be odd to advertise access to named companies as that would allow them to be alerted
  • An increasing number of QR codes are being used in phishing emails to redirect users to malicious sites, according to Abnormal. This is interesting as the codes are likely to be scanned using a mobile device, restricting visibility of corporate endpoint telemetry
  • UK telco sector industry groups warn of on-going DDoS extortion campaigns against voice-over-IP (VOIP) phone providers
  • Chaos ransomware being distributed as Minecraft ‘alt lists’


  • Critical vulnerability in web comments service Discourse in versions before 2.7.8 could lead to remote code execution
  • High severity issues in the API of the OptinMonster plugin for WordPress leak server info and API keys and allow the inclusion of malicious JavaScript code
  • Shrootless vulnerability in macOS Big Sur and Monterey patched that would give elevated privileges to attackers during software installation

Security engineering

  • Free decryptors released for AtomSilo, Babuk and LockFile ransomware

A couple of things on the NPM front this week…

  • NPM package ua-parser-js, used to extract web browser information, compromised and used to deploy data-stealing and crypto-mining malware to unsuspecting software developers
  • Copycat typo-squatting NPM packages for Roblox include password stealer and ransomware

Internet of Things

  • Industrial goods and services firms most heavily targeted by ransomware groups, says Digital Shadows


  • Useful info in FBI document shows how law enforcement goes about obtaining geolocation data from telcos and how long they retain different types of customer data

Public policy

  • Release the hounds: GCHQ may use UK’s new National Cyber Force to “go after” ransomware gangs, says head Sir Jeremy Fleming


  • Cyberspace Administration of China (CAC) issues draft guidelines on new rules requiring ‘Measure for Data Export Security Assessments’ from companies with more than 1 million Chinese users, dropping to 100,000 users for personal data, and 10,000 users where sensitive information is involved

Law enforcement

  • German law enforcement identify core REvil gang member posing as a crypto-currency investor
  • Russian national Vladimir Dunaev, extradited from South Korea, appeared in federal court facing fraud, money laundering and identity theft charges for his alleged role in the TrickBot malware
  • Europol announced the arrest of 12 people believed to be behind LockerGoga, MegaCortex and Dharma ransomware attacks that claimed 1,800 victims including Norsk Hydro

Mergers, acquisitions and investments

  • UK-based supply chain security start-up Risk Ledger has closed a £2.1M seed round. Massive congratulations to Haydn and the RL Team!
  • Industrial cyber security firm Dragos raises $200M Series D on $1.7B valuation
  • Singtel sells off SecureTrust (the PCI part of security business Trustwave) to Sysnet Global Solutions for $80M as ‘first step’ in a strategic review of the Trustwave cyber business that will focus on managed detection and response

And finally

Smart meter security

A smart meter display showing a butchered ‘qwerty’ keyboard to input a wifi password (source: @cabe_bedlam)

Thanks, @cabe_bedlam
