Robin’s Newsletter #191

13 February 2022. Volume 5, Issue 7
Slovenian TV disruption. 500 ecommerce sites compromised by MageCart. 2021 was a bumper year for cyber M&A.

A slightly cut-down format this week as it’s my birthday 😊

Interesting stats

82% of ransomware attacks impact organisations with fewer than 1,000 employees, according to Coveware (see threat intel, below)

$600 million: the ‘minimum’ cryptocurrency payments made to ransomware gangs in 2021, with 1/3 of that believed to be tied to the Conti ransomware gang, according to Chainalysis

$547 million lost by Americans to romance scams in 2021, according to the Federal Trade Commission

2021 was a bumper year for cyber startups, mergers and acquisitions… $29.5 billion venture capital raised by cyber security startups in 2021 ($12 billion, 2020), with another 286 M&A transactions, totalling $77.5 billion according to data from Momentum Cyber

In brief

Attacks, incidents & breaches

  • Washington State Department of Licensing has disclosed a potential breach of 250,000 professionals following suspicious activity detected at the end of January
  • Vodafone Portugal 4G, 5G, fixed-line, SMS, and other services knocked offline by a “deliberate and malicious cyberattack”
  • A “serious incident” at the UK Foreign, Commonwealth and Development Office (FCDO) has been revealed following a procurement notice explaining why the public tender process had not been followed in awarding BAE Systems Applied Intelligence (my old employer) a £476,000 ($630K) contract for ‘business analyst and technical architecture support’
  • Slovenian television station PopTV’s broadcasts and news output were disrupted in an apparent extortion attempt
  • Approximately 500 e-commerce sites running version one of Adobe’s Magento shopping software have been compromised by a MageCart card skimming operation
  • Delay of game: the corporate network of the NFL’s San Francisco 49ers infected with BlackByte ransomware

Threat intel

  • Following law enforcement actions against them, ransomware gangs are less likely to target larger, international firms, and are instead seeking higher payouts from mid-sized organisations, according to Coveware
  • A good write-up of Qbot and how quickly an infection results in theft of credentials and browser history, potentially across your network
  • North Korea’s Lazarus group is sending out job offers again as lures, this time pretending to be from Lockheed Martin
  • Joint advisory from the US, UK and Australia warns of ‘increased globalised threat’ of ransomware
  • The UK’s Financial Conduct Authority, which regulates the financial services sector, has written to large UK banks telling them to strengthen and test defences against potential cyberattacks as Russia/Ukraine tensions continue to rise
  • FritzFrog, a peer-to-peer/decentralised botnet with infections rising quickly, targets SSH servers using known credentials
  • SentinelLabs claim to have joined the dots on an APT group aligned with Indian state interests, with attacks coming before arrests by law enforcement and, in some cases, appearing to have been part of planting evidence on the devices of human-rights activists, lawyers and academics


  • Log4J vulnerability scores ‘perfect 10’ amid nineteen security issues patched in latest SAP release

Double-whammy for mobile OS bugs this week:

  • Zero-interaction remote escalation of privilege vulnerability patched in February’s Android 12 security update
  • Remote code execution vulnerability in Apple’s WebKit fixed, with CISA urging US government organisations to patch quickly

Cyber defence

  • Microsoft Office update will block macros in documents downloaded from the internet
  • Decryption keys for Maze, Egregor and Sekhmet ransomware families have been released by someone claiming to be one of the developers
  • An employee of Volkswagen’s payments division was fired for raising concerns over potential fraud stemming from cyber security vulnerabilities (h/t Mario)

Security engineering

  • Turn on the new Virtual Machine Threat Detection (VMTD) feature in Google Cloud to automatically detect and block crypto mining operations
  • A logic flaw in DPD Group’s package tracking API allowed researchers from Pen Test Partners to view personal information of deliveries. The shipping reference alone was used to load a map of the delivery location, from which the postcode could easily be deduced
  • Over 2,800 maintainers of almost 8,500 npm packages are using email addresses tied to domain names that have expired and are therefore open to hijacking, according to researchers from Microsoft and North Carolina State University

Operational technology

  • The infotainment systems in some Mazdas near Seattle have been ‘bricked’ after a local radio station broadcast station information that included an image file with no extension. The ‘Connectivity Master Unit’ used the file extension to determine the file type, rather than the header of the file, and without it is unable to process the update, leaving the owners’ stereos in a loop. Dealerships are reporting that replacement units are needed — currently costing $1,500 each due to the global chip shortage!
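The Mazda failure above comes from trusting the file name instead of the file content. As an added example (not code from the newsletter or from Mazda), here is the difference between the two approaches: classifying an image by its leading header bytes means an extensionless or mislabelled file is either identified correctly or rejected outright, rather than sending the parser into a loop. The signature table and sample inputs are constructed for illustration.

```python
from typing import Optional

# Constructed table of magic-byte signatures for common image formats.
# Which formats the real Connectivity Master Unit accepts is not stated.
SIGNATURES = {
    "png":  b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "gif":  b"GIF8",
    "bmp":  b"BM",
}
ALIASES = {"jpg": "jpeg"}   # normalise common extension spellings


def type_from_extension(name: str) -> Optional[str]:
    """Fragile approach: trust whatever follows the last dot.

    An extensionless file (the Mazda case) yields None here, and a
    renamed file yields whatever the sender chose to call it."""
    if "." not in name:
        return None
    ext = name.rsplit(".", 1)[1].lower()
    return ALIASES.get(ext, ext) or None


def type_from_header(data: bytes) -> Optional[str]:
    """Robust approach: classify by the first bytes of the content."""
    for kind, magic in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def classify(name: str, data: bytes) -> str:
    """Decide how to treat an incoming file.

    The header is authoritative; the extension is only a cross-check.
    Returns the detected type, or 'reject' when the content is not a
    recognised image or the extension contradicts it, so the caller
    always has a terminal decision instead of retrying forever."""
    actual = type_from_header(data)
    if actual is None:
        return "reject"
    claimed = type_from_extension(name)
    if claimed is not None and claimed != actual:
        return "reject"
    return actual
```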


  • The Internal Revenue Service “will quickly develop and bring online an additional authentication process that does not involve facial recognition” following backlash at requirements to use the commercially available service
  • Apple is introducing extra warning messages to AirTags, reminding users that they are tied to their Apple ID and that this may be reported to law enforcement, to dissuade malicious use for stalking
  • French data protection authorities say Google Analytics can breach GDPR. Commission Nationale de l’Informatique et des Libertés (CNIL) found the tool breached Article 44, which bans transfers of personal data to countries that don’t have equivalent privacy protections in place

Public policy

  • The US’ Secure and Trusted Communications Reimbursement Program, which covers costs for smaller telcos ripping and replacing Chinese-made networking equipment by companies such as ZTE and Huawei, has received applications totalling $5.9 billion, almost 3x the $1.9 billion budgeted costs, 88% of which was being met by the taxpayer at a cost of $11 per person (vol. 3, iss. 36)
  • The Polish government has announced the formation of the Cyberspace Defence Forces within Poland’s army to carry out reconnaissance, defensive and offensive operations
  • The UK government has tabled legislation requiring sites hosting pornographic content to verify the identity of their users. The Online Safety Bill has been criticised for its potential to create large databases of personal information while not necessarily preventing children from accessing adult content
  • The US Securities and Exchange Commission (SEC) voted 3-1 in favour of progressing proposals to tighten cyber security incident reporting, with notifications required from financial institutions within 48 hours

Law enforcement

  • Russian authorities have arrested six people and seized the websites of four carding forums, used to buy and sell stolen payment card information. A comment in the HTML source of the seizure notice — “Which of you is next? 👮” — suggests more arrests to come
  • The US Department of Justice has announced the arrest of a New York couple for attempting to launder approximately 120,000 BTC, currently worth around $5 billion. The FBI and IRS Criminal Investigation Unit unravelled the pair’s activities, which involved stolen identities, thousands of small-value transactions, and the deposit and withdrawal of funds at various darknet marketplaces. The cryptocurrency was stolen during the 2016 compromise of Bitfinex, a crypto exchange. The victims stand to make a hefty profit after the forced hold on their investment: Bitcoin is up over 3,000% since the coins were stolen.

Mergers, acquisitions and investments

  • Operational technology startup Shift5 closes $50 million Series B round to defend transport and vehicle networks
  • Mandiant financial results disappoint Wall Street while rumours swirl that Microsoft may try to acquire the threat intelligence and incident response firm

And finally

“You’ll enjoy today’s Wordle!”

Why yes, yes I did.

Wordle 239 1/6


Happy Birthday to ME! 🥳
