Robin’s Newsletter #195

13 March 2022. Volume 5, Issue 11
Conti's involvement in crypto 'rug pulls'. Unintended consequences of isolating Russia from the Internet.

Cydea is matching donations to the DEC Ukraine Humanitarian Appeal, up to £10,000, and the UK government is offering a similar matching scheme for public donations of up to £20 million.

In a little over a week you’ve helped to raise over £3,100. That’s the equivalent of blankets to keep over 750 families warm. Thank you to those of you who have donated so far.

It’s not too late: Donate now and amplify your impact And please share this link to the JustGiving page with your connections on Facebook, Twitter and LinkedIn, etc.

This week

Conti cybercrime gang may have been behind the ‘Squid’ rug-pull, linked to Russia’s FSB

The criminal escapades of the notorious Conti cybercrime group may extend beyond the ransomware operations they are traditionally associated with, as analysts and journalists have continued to pore over the ContiLeaks internal chat logs that show the inner workings of the group.

In part four of his series, Brian Krebs looks at how members of the group debated creating their own crypto-currency platform. There is evidence that may tie the group to the ‘Squid coin’ pump-and-dump scheme in October 2021.

A ‘rug pull’, in crypto-currency lingo, is when the promoter of a new digital asset sells their holdings for cash, before ceasing all activity and making off with the proceeds. The Squid rug pull capitalised on the hype of, but was not related to, the popular Netflix show Squid Game. While the chat logs don’t mention it by name, the timing of messages like “24 hours remaining until the biggest pump signal of all time!” coincides with the scam.

The Squid scam is believed to have netted those behind it £2.48 million ($3.38 million) and messages indicate this isn’t the first time the group has engaged in crypto scams, describing “previous big successful pumps.”

Meanwhile, Dina Temple-Raston for The Record looks at some of the interactions between Conti members who appear to be analysing information collected by Bellingcat, the investigative journalism group. Bellingcat had been working with Russian opposition leader Alexei Navalny to identify his attackers after a failed assassination attempt. The Conti members were storing relevant info for ‘the boss’ in a folder titled ‘Navalny FSB’.

The FSB is Russia’s Federal Security Service. Links between the Russian state and high profile cybercrime groups have long been suspected and these candid messages may provide further evidence of the relationship. The activities may be part of an informal ‘get out of jail free’ agreement.

The chat logs also give a hint at some of the innovations that Conti have debated to evolve their business model, such as using the blockchain and smart contracts to automatically release the decryption key for ransomware victims upon full payment of the ransom demands.

Interesting stats

500% increase in attempted mobile malware attacks in the first months of 2022, according to Proofpoint

29% of critical WordPress plugin bugs never get fixed, says PatchStack

65% of ransomware attacks in 2021 occurred in the manufacturing sector, says Dragos (see In Brief, below)

Other newsy bits

Still no major cyber component to the Russian invasion of Ukraine

While digital ‘scuffles’ continue — primarily manifesting as defacements or distributed denial of services (DDoS) attacks against Ukrainian and Russian linked websites — there has been no ‘catastrophic’ cyber attack in the conflict.

In an article for The Guardian, former White House chief information officer, Theresa Payton points out that Russia appears to have been investing more resources into disinformation campaigns than ‘overt hacking campaigns’.

For a cyber-attack to be effective in a conflict it likely has to affect the integrity or availability of systems to cause some kind of outage or disruption. That, in itself, is more likely to be considered escalatory than the ‘grey’ area of propaganda-driven disinformation.

It may also be down to the significant efforts undertaken in the three or four months prior to the Russian invasion, says the FT: US Army and civilian personnel were working closely with Ukrainian counterparts in government and critical infrastructure to review defences and detect potential infections.

In one instance these efforts discovered and disabled wiper malware on the Ukrainian Railways network. Trains have been instrumental in helping women and children to escape the conflict to neighbouring countries. On their return, carriages have been stacked with food and supplies for those left behind fighting in the resistance.

Unintended consequences of isolating Russia from the Internet

This week Lumen (née CenturyLink) joined Cogent Communications in ceasing to provide Russian customers with Internet connectivity, citing “increased security risks,” and “[its] readiness to meet global events”. Meanwhile other providers core to the Internet’s backbone like Akamai and Cloudflare have argued that Russian citizens need free-flowing internet now more than ever. (Websites have been set up to ‘spam’ Russian email addresses and mobile phone numbers en masse with messages in the digital equivalent of a leaflet drop).

I’m minded to agree with them. I believe isolating the Russian population does more harm than good. The internet is, nowadays, more akin to a basic human need like water than sugary drinks and caffeinated beverages, or McDonald’s “no-fry zone”.

The damage can be seen in the Russian state stepping in to provide a domestic certificate authority. As sanctions have started to bite and organisations have been unable to renew TLS certificates, websites have started to be blocked by web browsers as unsafe. (Certificate authorities issue certificates that can be used to encrypt communications, like e-commerce transactions, and attest to the identity of websites.)

Without these services being available, Moscow is stepping in to provide a domestic root certificate authority so that Russian sites can create and update certificates and keep their websites online.

In doing so though, all these sites are essentially giving Russia the ‘master key’ that can be used to access these encrypted communications. A massive boon for intelligence agencies and law enforcement. (Lumen) (Cloudflare) (Spam) (Starbucks, McDonalds) (CA)

In brief

Attacks, incidents & breaches

  • Samsung has confirmed a breach during which attackers stole intellectual property including source code on the firm’s Galaxy smartphones
  • Digital newspaper and magazine platform PressReader has suffered a two-day outage resulting from a ‘cyber security incident’
  • Mandiant says Chinese espionage group APT41 gained a foothold in at least six US state governments, which were compromised via a system to track disease in livestock called the Animal Health Emergency Reporting Diagnostic System (USAHERDS; top backronym)
  • The Hive ransomware gang has targeted Romanian oil group Rompetrol, forcing the company’s website and ‘Fill&Go’ service offline. Refining activities were not affected by the “complex cyberattack” that resulted in a demand for $2 million
  • Ubisoft has suffered a cyber security incident requiring it to reset all employees’ passwords but has declined to elaborate on the cause of the event, which resulted in disruption to games and services this week
  • Tire manufacturer Bridgestone’s American operations have suffered a LockBit ransomware attack

Threat intel

  • Misconfigured Mitel MiCollab and MiVoice Business Express VOIP systems can be used in distributed denial of service (DDoS) attacks that generate a whopping 4,294,967,296 packets of traffic against victim systems from a single attacker initiation packet. Approximately 393Mbps of traffic would be generated for 14 hours from the initial 1,119 bytes of data, a 220 billion per cent amplification. The sustained attack is possible in part because victim systems send TCP reset commands, and the Mitel platforms dutifully resend the data
  • US CISA has released indicators of compromise for the Conti ransomware gang, including details of 98 domain names
  • Groups helping manage the Ukraine refugee crisis have been targeted by the Belarus-linked Ghostwriter group
  • Password and information-stealing malware, disguised as DDoS tools, has been circulating on Telegram channels linked to Ukraine’s volunteer ‘IT Army’
  • BazarBackdoor (ex-TrickBot, now Conti) infections being initiated via company website contact forms
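The Mitel item above is really a story about amplification: a reflector turns one small inbound packet into a very long, very large outbound stream aimed at a spoofed source address. The script below is an added example (not code from the newsletter, Mitel or any of the researchers cited) that does two things a defender would want: it reproduces the amplification arithmetic from the figures in the bullet (1,119 bytes in, roughly 393Mbps out for 14 hours), and it applies a simple reflection heuristic to a handful of constructed flow records, including a legitimate HTTPS download that is also highly asymmetric but should not be flagged. The flow records, IP addresses, the UDP port number 40000 and the thresholds are all constructed assumptions for the example; they are not Mitel's service port or a recommended production tuning.

```python
"""Amplification arithmetic and a reflection heuristic over constructed flow records.
Added example for the Mitel TP-240 item; nothing here is vendor or newsletter code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One flow summary as a NetFlow/IPFIX collector might export it, seen from the
    reflector's side. Every record built from this class below is constructed."""
    reflector: str
    peer: str        # the other end; in a reflection attack this is the spoofed victim
    proto: str
    peer_port: int
    pkts_in: int     # packets the reflector received from the peer
    bytes_in: int
    pkts_out: int    # packets the reflector sent to the peer
    bytes_out: int
    duration_s: float


def amplification_factor(bytes_in: int, bytes_out: int) -> float:
    """Bytes sent out per byte received. 1.0 is symmetric traffic."""
    if bytes_in <= 0:
        return float("inf")  # nothing received at all: the flow is entirely unsolicited
    return bytes_out / bytes_in


def sustained_bytes(rate_mbps: float, hours: float) -> int:
    """Total bytes emitted when a constant bit rate is held for the given hours."""
    return int(rate_mbps * 1_000_000 / 8 * hours * 3600)


def is_reflection_candidate(flow: Flow, min_factor: float = 1000.0, max_pkts_in: int = 5) -> bool:
    """Heuristic: UDP, almost nothing inbound, and a huge outbound-to-inbound byte ratio.
    The packet-count check is what separates a reflection from a legitimate but
    asymmetric transfer, where the client keeps sending ACKs and requests.
    Thresholds are assumptions for this example."""
    if flow.proto != "UDP":
        return False
    if flow.pkts_in > max_pkts_in:
        return False
    return amplification_factor(flow.bytes_in, flow.bytes_out) >= min_factor


def flag_reflection(flows):
    """Return the flows that look like a reflector feeding an amplification attack."""
    return [f for f in flows if is_reflection_candidate(f)]


# Constructed sample records (RFC 5737 documentation addresses, not real hosts).
SAMPLE_FLOWS = [
    # An ordinary DNS answer: small in, slightly larger out.
    Flow("10.0.0.5", "198.51.100.7", "UDP", 53, pkts_in=1, bytes_in=64,
         pkts_out=1, bytes_out=212, duration_s=0.01),
    # A legitimate HTTPS download: very asymmetric, but TCP with many inbound ACKs.
    Flow("10.0.0.5", "203.0.113.9", "TCP", 443, pkts_in=4200, bytes_in=168_000,
         pkts_out=8300, bytes_out=12_000_000, duration_s=30.0),
    # One spoofed trigger packet followed by an hour of unsolicited output.
    Flow("10.0.0.5", "192.0.2.44", "UDP", 40000, pkts_in=1, bytes_in=1119,
         pkts_out=5_000_000, bytes_out=4_500_000_000, duration_s=3600.0),
]


if __name__ == "__main__":
    # Reproduce the newsletter's figures: 1,119 bytes in, ~393Mbps out for 14 hours.
    total_out = sustained_bytes(393, 14)
    factor = amplification_factor(1119, total_out)
    print(f"{total_out:,} bytes out for 1,119 bytes in: x{factor:,.0f} ({factor * 100:.3g} per cent)")
    for f in flag_reflection(SAMPLE_FLOWS):
        print(f"reflection candidate: {f.reflector} -> {f.peer} udp/{f.peer_port}, "
              f"x{amplification_factor(f.bytes_in, f.bytes_out):,.0f}")
```

The arithmetic lands at a factor of roughly 2.2 billion, which is the bullet's ‘220 billion per cent’. The heuristic deliberately keys on packet counts rather than bytes alone, because a web or file server sending far more than it receives is normal; what is abnormal is sustained output to a peer that sent one datagram and nothing else.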


  • Linux ‘Dirty Pipe’ vulnerability (CVE-2022-0847) allows an attacker with unprivileged local access to modify paged (read-only) files to escalate their privileges
  • Microsoft Azure Automation Service did not properly segregate customer environments and allowed PowerShell or Python scripts to ‘[acquire] the Managed Identities tokens of other automation jobs’ running on the same host
  • HP has released patches for sixteen UEFI firmware vulnerabilities that could be used by malware to infect devices and avoid detection
  • Vulnerabilities in APC’s Smart-UPS product lineup, which provides emergency power for computers and servers in the event of a power cut, may allow an attacker to replace the firmware and potentially burn out the unit’s batteries, and cause permanent physical damage to capacitors, according to Armis

Cyber defence

  • ServiceNow publishes guidance on access control lists after a report suggests 70% of instances may have excessive permissions set for guest users

Operational technology

  • Dragos has released its fifth ICS Cybersecurity Year in Review report covering 2021 

Internet of Things


  • Clearview AI, the controversial company that hoovered up people’s public social media images to build a biometric database has been fined €20 million for GDPR violations by Italy’s data protection regulator
  • Twitter has launched an ‘onion service’ allowing access via the Tor network @AlexMuffett

Public policy

  • The UN has been debating Russia’s proposal for a new treaty to replace the Budapest Convention on Cybercrime. The Russian proposals focus on ‘sovereignty’ and expand the definition of ‘crime’ in a way that many human rights groups worry would allow wide-reaching state crackdowns on a wider variety of online activities. The sovereignty point has drawn substantial criticism against the background of the Ukraine invasion.
  • The UK’s online safety bill has been changed to include obligations for platforms like Twitter, Facebook and Google to protect users from both user-generated scams and pre-paid fraudulent adverts that impersonate legitimate businesses or promote fake companies
  • US critical infrastructure providers are set to be bound by a 72-hour incident reporting requirement (24 hours where a ransom is paid) following Senate approval

Mergers, acquisitions and investments

  • Vendor security auditing startup SafeBase, whose platform manages non-disclosure agreements and the release of vendor security details to prospective customers, closes $18 million Series A fundraising round
  • CrowdStrike grew subscription customers 65% to a total of 16,325 in its 2022 financial year to 31st January 2022, representing a 69% increase in subscription revenue to $1.36 billion. Losses amounted to $142.5 million on $1.45 billion total revenues. Net losses widened to $234.8 million

And finally

Google buys Mandiant

This week Google agreed to buy incident response firm Mandiant for $5.4 billion. I wondered if this may lead Mountain View to consider bringing their advertising expertise to the incident response reports and threat intelligence briefings that Mandiant is famous for?

A mock-up of a Mandiant incident response report containing Google Search style promoted links as findings and recommendations (source: @RTO)

I’m so sorry for this potential money-spinner.

The acquisition will be Alphabet/Google’s second-largest ever, behind the $12.5 billion deal for Motorola Mobility and ahead of the $3.2 billion it paid for Nest. It’s expected to close before the end of the year, subject to regulatory approval.

Mandiant will slot into the Google Cloud division, which includes the ‘cloud-native SIEM’ platform Chronicle and is hot on the heels of the acquisition of SOAR platform Siemplify in January this year. In combination, this looks like a defensive play to catch up with Microsoft’s Sentinel and growing cyber services revenue. If that’s the case, we can expect further investments to instrument and manage endpoints that can compete with Microsoft’s Defender product suite.
