Robin’s Newsletter #190

6 February 2022. Volume 5, Issue 6
News Corp targeted in 'advanced persistent' attack. US launches Cyber Safety Review Board. One guy knocks North Korea off the 'net.

This week

News Corp says it was targeted by Chinese interests

In a Securities and Exchange Commission filing this week, News Corporation announced that it “[appears] to have been the target of persistent nation-state attack” that successfully compromised the organisation on 20th January this year. The ‘cloud systems’, provided by a third party and used to host journalists’ email and documents, were accessed for “a number of publications and business units including The Wall Street Journal and its parent Dow Jones; the New York Post; the company’s UK news operation; and News Corp headquarters.”

Personal and financial data of customers is not believed to have been compromised in the attack.

An investigation by incident response firm Mandiant for the company has suggested that the activity appears to be consistent with the aims of Chinese intelligence.

News Corp’s email is hosted by Google, whose Workspace suite also handles document management. So Google may be the ‘third-party supplier’, and the campaign is more likely persistent phishing than advanced 0-day vulnerabilities. Gaining access to a journalist’s Google Workspace account would give the attacker access to the victim’s email and files.

Journalists are known for being fiercely protective of sources who may give inside scoops into high-profile stories and, while ‘investigative journalists’ may appear as a threat source on many organisations’ security risk assessments, they are frequently targeted for what, and who, they know about world events. What’s more, many journalists are freelancers and may not have the backing and resources of a large media company.

In both cases, enabling multi-factor authentication, potentially using physical security keys for more targeted users, is a great place to start to prevent such attacks from happening in the future. (Though News Corp wouldn’t be alone in not having this enabled; see Interesting Stats below.)

Interesting stats

Only half of boards understand their organisation’s cyber risk, and 82% of respondents say they have felt pressure to downplay the severity of the risk being presented to the board, according to a Trend Micro survey of 5,321 ‘IT decision makers’.

80% of Ireland’s HSE IT systems were encrypted by Conti ransomware in 2021.

22% of all Azure Active Directory (AD) customers use multi-factor authentication (MFA) to secure their accounts, meaning ~4/5 haven’t enabled a simple feature to protect their organisations.

Other newsy bits

The US establishes Cyber Safety Review Board

I really like this idea. The US Department of Homeland Security has established a Cyber Safety Review Board (CSRB) to learn lessons from large-scale cyber incidents. The CSRB is modelled on its transport equivalent, which is tasked with investigating rail, air and other transport accidents and incidents. Representatives are drawn from DHS, CISA and the NSA, amongst other parts of government, as well as the private sector (see CyberScoop for the full list).

I think objective, independent review of security incidents can be a tremendously powerful tool for organisations to properly understand root causes and the ways consequences can be prevented from recurring. Applying this at the national level, and sharing findings more broadly (which the group will do ‘wherever possible’), hopefully amplifies that impact.

Iranian TV stream hack

A hacktivist group hijacked the internet stream of Iran’s state-owned television station this week. The group, known as Adalat Ali (‘Ali’s Justice’), interrupted the live broadcast of the Iran-UAE football match to show a 50-second video urging protest against the Khamenei regime. The video wouldn’t look out of place on a show like Mr Robot.

Along with the sheer volume of content and platforms, modern TV production is growing in complexity, with digital feeds and ‘just in time’ production presenting opportunities for such compromise, and making it potentially difficult to pin down the point at which content was altered.

Interesting reads

Patching Log4Shell

Catalin Cimpanu interviews Christian Grobmeier, one of the developers who maintains the Apache Log4j package, about the work he and the wider team put into fixing the Log4Shell vulnerabilities that were widely reported in December last year. His plea is not for more funding, but for more engagement: “We would like to see more consumers of Log4j involved in development.”

In brief

Attacks, incidents & breaches

  • KP Snacks is unable to ‘safely process orders or dispatch goods’ following a suspected Conti ransomware attack that it has warned will lead to supply issues for McCoy’s, Hula Hoops, Tyrrells, Space Raiders, Skips, Butterkist, Pom-Bears, Nik Naks and KP Nuts until the end of March
  • Swissport, who provide services to airlines and 310 airports, has suffered a now ‘largely contained’ ransomware attack that caused minor delays to departures at some airports
  • Business process outsourcer Morley Companies has announced the theft of 521,046 people’s data, including social security numbers, apparently six months after the attack
  • Supplier to the British Council loses details of 100,000 students in a misconfigured Azure blob
  • Qubit, the decentralised finance platform who lost $80 million last week (vol. 5, iss. 5), are pleading with the ‘exploiters’ to return the cryptocurrency, in exchange for a $2 million bounty payment
  • … while similar crypto outfit Wormhole has lost approximately $300 million in Ether and Solana cryptocurrencies through a vulnerability in its currency conversion smart contracts. They too are offering a ‘whitehat contract’ bounty, of $10 million, for the safe return of funds. It appears that the attacker may have seen the vulnerability being fixed in a public commit to the project’s source code, and exploited it before the fix was properly deployed to production systems. (Such contracts haven’t always gone down well: recall a similar incident with Uber’s CISO, vol. 3, iss. 34.)

Threat intel

  • Going full circle: Sugar ransomware strain targets individual computers for low ransom payments
  • Ubiquiti network devices running UniFi software are being targeted by an actor using a Log4Shell exploit
  • Cisco Talos says the Iranian-linked MuddyWater group is targeting health and interior departments in Turkey, while Cybereason is linking Iran’s APT35, aka Charming Kitten, with the Memento ransomware strain
  • Microsoft Security looks at the evolution of a Mac trojan called UpdateAgent, and how the continued investment in features suggests it will persist for some time to come
  • ‘Remember to like and subscribe!’: Ransomware asks for YouTube comments to boost channel engagement in exchange for decryption key

Vulnerabilities

  • Samba remote code execution vulnerability affects all versions before 4.13.17, patch now
  • ESET antivirus products patched to address privilege escalation bug
  • Path traversal bug patched in Kubernetes tool Argo CD

Cyber defence

  • Google is overhauling the privacy controls in its Workspace business package and will re-enable the tracking of ‘web and app activity’ for non-Workspace apps (e.g. Google Search, Google Maps, YouTube, etc.) for business users. Individual users will need to opt out from their own account settings

Security engineering

  • The maintainers of the top 100 npm packages have been enrolled into mandatory MFA

Operational technology

  • German oil storage company Oiltanking and trading firm Mabanaft, subsidiaries of the Marquard & Bahls group, have become victims of the BlackCat ransomware. The attack on IT systems has caused the precautionary shutdown of some operations (much the same as with Colonial Pipeline) … while…
  • … disruption at terminals operated by SEA-Tank, Oiltanking and Evos in Belgium and the Netherlands is also delaying operations at the ports of Antwerp, Ghent, Amsterdam and Terneuzen following the ‘hijacking’ of IT systems
  • One in seven ransomware attacks exposes sensitive information about the victim’s operational technology, according to Mandiant, who say it may be used in future attacks

Privacy

  • Two divisions of OTE Group have been fined a total of 5.85 million euros ($6.55 million) by Greece’s data protection authority for failing to disclose a data breach affecting millions of customers
  • US ‘privacy shield’ proposal might allow EU citizens the right to submit complaints if they believe US intelligence agencies have mishandled their data … though it’s not clear how citizens would know that their data had been processed

Mergers, acquisitions and investments

  • Forescout Technologies is acquiring medical cyber firm CyberMDX for an undisclosed amount
  • Virtual CISO (vCISO) startup Cynomi has raised $3.5 million in seed funding to develop artificial intelligence-powered automation to help small and medium-sized businesses carry out cyber security operations

And finally

Hacker takes North Korea offline

A hacker going by the handle P4x has launched a series of denial of service attacks against North Korean websites and infrastructure, at times taking most of the country’s digital presence offline. Speaking to Wired, P4x says that he (along with other security researchers) had been personally targeted by the North Korean regime with a trojan as they sought to steal vulnerability research and exploits. After a year without a visible response from the United States, he has decided to take matters into his own hands, launching the ‘FUNK Project’ (FU North Korea) and saying “If they don’t see we have teeth, it’s just going to keep coming”. Hopefully his efforts don’t disrupt any more stealthy espionage efforts from friendly regimes. (H/T Jamie)
