Robin’s Newsletter #198

3 April 2022. Volume 5, Issue 14
Okta says it made a mistake. Wiper malware used against Viasat modems during Russian invasion of Ukraine. DCMS' cyber survey stats.

This week

DCMS Cyber Security Breaches Survey 2022

There’s always lots of interesting insight from the UK government’s Department for Digital, Culture, Media and Sport’s annual Cyber Security Breaches Survey. I suspect some of this may come as a surprise to some readers…

82% of boards or senior management rate cyber security as a ‘very high’ or ‘fairly high’ priority (up from 77% in 2021). 1/2 of businesses now update the board on cyber security matters at least quarterly, around 2/3 do not have a board member responsible for cyber security.

That tallies with only 1/3 having undertaken a risk assessment in the last 12 months to identify cyber security risks. Procurement processes don’t consider cyber security important: only 13% of organisations assess the risk from their suppliers.

39% of UK businesses identified a cyber attack in the last 12 months and 1/5 of those say they experienced a negative outcome as a result. Where there is a material outcome, this amounted to an average cost of £4,200 ($5,500), rising to £19,400 ($25,400) when considering only medium and large organisations.

When it comes to response, just 19% of businesses have a formal incident response plan. (If you’re one of them, grab Cydea’s open-source IR plan to get started.) 43% have an insurance policy that covers cyber security.

This is the sixth edition and draws from a survey of 1,242 businesses and 424 charities, with the data being weighted to be representative, and is an official statistic.

Interesting stats

$2.2 million the average ransom demand following a successful ransomware attack, according to Palo Alto Networks

Other newsy bits

Okta admits it made a mistake 

Okta has admitted that it made a mistake in how it handled communications around the breach (vol. 5, iss. 13) of a third-party support provider, Sitel, earlier this year. Okta said that they “didn’t recognize that there was a risk to Okta and our customers,” and that while they are “ultimately responsible,” they should have “more actively and forcefully compelled information from Sitel”.

Providing more detail, it seems that Lapsus$ gained access via a VPN on 16th January and was locked out by 21st January following a company-wide password reset. Sitel also hired Mandiant to investigate the intrusion, and Bill Demirkapi has posted some screenshots of the report, which includes a reference to a spreadsheet that appears to contain ‘domain admin’ accounts from a password manager (Sitel says it just contained usernames, not passwords).

There’s also been clarification on the level of access that support engineers had (after being pretty vague in initial comms). Sitel employees could reset passwords and multi-factor authentication factors for users, but not choose what those credentials would be (they would need access to the affected email account, at which point it’s less important to reset the password/MFA). Additionally, they could not create or delete users or download customer user databases.

Sitel has tried to manage the perception of the breach by pinning it on a ‘legacy’ network from the acquisition of Sykes Enterprises in August 2021.

Viasat modems were hit by Russian-linked ‘AcidRain’ wiper

The mysterious issue affecting satellite modems connected to Viasat’s KA-SAT satellite in Eastern Europe (vol. 5, iss. 12) has been pinned on a new ‘wiper’ malware that has been dubbed ‘AcidRain’ by SentinelOne researchers. The attack, early in the morning of the Russian invasion of Ukraine, knocked ‘tens of thousands’ of modems offline.

The wiper shares technical similarities to bits of VPNFilter, malware that has been used against US government agencies and which the FBI and NSA have attributed to Russian-linked actors.

Viasat says that the attacker gained access to their network via a misconfigured VPN appliance, then moved through a management network to the segment used to operate the network, before issuing commands to a ‘large number of modems simultaneously’.

Interesting reads

Keeping Ukraine’s internet online

Daryna Antoniuk at The Record interviews front-line telecoms workers in Ukraine who are working to keep their country’s internet access online. “Our days have become a little busier,” says Ukrtelecom engineer Kyrylo Popov.

‘New impetus for sovereign Internet’ in Russia

Russia has long been establishing the ability to segregate itself from the Internet (vol. 3, iss. 1) with necessary services to continue operations being located within its sovereign territory. The controls also allow the government to filter access to certain sites, though not on the same level as China’s ‘Great Firewall’. 

With Twitter access being blocked in Russia, Chris Stokel-Walker takes a look at the history and recent development of Putin’s ‘splinternet’.

In brief

Attacks, incidents & breaches

  • California health care organisation hit by Hive ransomware group, with personal information of 850,000 people potentially amongst 400GB of data stolen
  • Outsourced IT and software development company Globant has been breached by the Lapsus$ group, who also pasted administrator credentials to some of the company’s DevOps platforms on their Telegram channel. The group claims to have stolen data including folders titled ‘apple-health-app’, ‘Facebook’ and ‘DHL’

In the world of crypto-currency…

  • $2 million was stolen from decentralised finance outfit Revest Finance, who say they’re unable to cover the losses
  • $50 million was stolen from ‘stable coin’ Cashio, with attackers saying they will return funds to some as “the intention was only to take money from those who do not need it”
  • $600 million(!) stolen from Ronin Network, linked to the ‘play-to-earn’ game Axie Infinity

A lot of these crypto-currency attacks exploit weaknesses in the ‘bridges’ between networks. Lily Hay Newman has more on the problems of bridges.

Threat intel

  • Would your users know how to spot ‘MFA bombing’? Both Lapsus$ and Nobelium have shown how effective repeated multi-factor authentication requests are, for those using push-notification services or phone calls, at winding users up to the point of them hitting ‘accept’
  • Cybercriminals are impersonating law enforcement and spoofing ‘Emergency Data Requests’ (EDR) to gain access to account information and content. Many large tech companies have EDR processes to respond to urgent law enforcement requests, where a full warrant or subpoena may not be possible within the timescales, such as responding to a reported suicide attempt. There’s no easy fix here. Krebs has more.
  • Spyware firm FinFisher has filed for insolvency
  • Log4j attacks continuing against VMware Horizon instances
  • Google says Russia, Belarus and China are all using Ukraine-themed lures in campaigns
  • Apple releases updates for 0-day vulnerabilities in Macs, iPhones and iPads


  • Emergency update available for Google Chrome and Microsoft Edge after a 0-day vulnerability in the V8 javascript engine was discovered
  • TrendMicro web management console, Apex Central, is vulnerable to remote code execution and the vendor says they have observed active exploitation attempts in the wild
  • ‘SpringShell’ remote code execution (RCE) vulnerability in Spring Framework is worth patching, though it only affects ‘nondefault usage’: “important but no Log4Shell”
  • Zyxel firewall and VPN devices are vulnerable to an authentication bypass that gives remote users administrative access to the device
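The ‘MFA bombing’ item under Threat intel above is also something defenders can look for in their own authentication logs. The following is an added example (not code from the newsletter or from any vendor) that flags users receiving a burst of push challenges within a short window, and notes when a run of denials ends in an approval; the log format, field names and thresholds are assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push log (hypothetical format: timestamp user event).
# Alice is pushed four times in under two minutes, denies three, then accepts.
SAMPLE_LOG = """\
2022-03-28T02:10:01Z alice push_sent
2022-03-28T02:10:03Z alice push_denied
2022-03-28T02:10:20Z alice push_sent
2022-03-28T02:10:22Z alice push_denied
2022-03-28T02:10:41Z alice push_sent
2022-03-28T02:10:45Z alice push_denied
2022-03-28T02:11:02Z alice push_sent
2022-03-28T02:11:30Z alice push_approved
2022-03-28T09:00:00Z bob push_sent
2022-03-28T09:00:05Z bob push_approved
"""


def parse_log(text):
    """Parse 'timestamp user event' lines into (datetime, user, event) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    return events


def detect_push_fatigue(events, window=timedelta(minutes=5), max_pushes=3):
    """Return {user: details} for any user sent more than max_pushes challenges
    inside one sliding window; details count denials in that window and flag
    the classic fatigue pattern of an approval following earlier denials."""
    by_user = defaultdict(list)
    for ts, user, event in sorted(events):
        by_user[user].append((ts, event))
    alerts = {}
    for user, evs in by_user.items():
        pushes = [ts for ts, e in evs if e == "push_sent"]
        for i, start in enumerate(pushes):
            end = start + window
            in_window = [t for t in pushes[i:] if t <= end]
            if len(in_window) <= max_pushes:
                continue
            denials = sum(1 for ts, e in evs if e == "push_denied" and start <= ts <= end)
            approved = any(e == "push_approved" and start <= ts <= end for ts, e in evs)
            alerts[user] = {"pushes": len(in_window), "denials": denials,
                            "approved_after_denials": denials > 0 and approved}
            break  # one alert per user is enough for triage
    return alerts
```

An approval that arrives after several denials in quick succession is the signal worth paging on; number-matching or disabling push approval for privileged accounts removes the opportunity altogether.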

Security engineering

  • The number of malicious npm packages identified by researchers has reached over 700, and they appear to be generated by a ‘factory’ set up to create unique user accounts and mimic legitimate software packages
  • GitLab servers using the OmniAuth provider can be taken over by attackers using hardcoded passwords

Operational technology

  • CISA has issued an alert for operators using Rockwell Automation Logix controllers. The vulnerability, tracked as CVE-2022-1161, scores the maximum 10.0 for severity and CISA says that “successful exploitation of this vulnerability may allow an attacker to modify user programs”


  • Google’s “Privacy Sandbox” arrives with ‘topics’ ad targeting system
  • Cloaked, essentially a password manager with ‘hide my email’ and phone number functionality built-in has raised $25 million in Series A funding

Law enforcement

  • Two teenagers have been charged in the UK for their alleged involvement in the Lapsus$ group
  • Europol has arrested 108 people in Lithuania and Latvia and dismantled a call centre at the heart of a $3 million per month investment scam
  • ‘Operation Eagle Sweep’, led by the FBI, has arrested 65 US individuals, 12 in Nigeria, 8 in South Africa, 2 in Canada and 1 in Cambodia for suspected roles in a $51 million business email compromise scheme

Mergers, acquisitions and investments

  • $27.5 million Series A funding round closes for Cyberpion and their attack surface management platform

And finally

Broadcasting security conferences on decommissioned satellites

Researchers gained permission to attempt the takeover of a decommissioned satellite. They used legitimate access to a ground station to beam a live stream of a security conference to the satellite, which duly relayed the stream onward. “Technically, there are no controls on this satellite or most satellites—if you can generate a strong enough signal to make it there, the satellite will send it back down to the Earth,” said researcher Karl Koscher.
