Robin’s Newsletter #199

10 April 2022. Volume 5, Issue 15
Russian 'Cyclops Blink' botnet disrupted by the US. The value of Mailchimp distribution lists. Fundamental security metrics.

This week

The US says it has disrupted the ‘Cyclops Blink’ botnet (vol. 5, iss. 9; vol. 5, iss. 12) before it could be used for nefarious purposes. The malware is attributed to the Sandworm group, linked to Russia’s GRU military intelligence agency, and affected small-medium business firewalls from WatchGuard, as well as domestic broadband routers manufactured by Asus.

The “sophisticated, court-authorized operation” involved accessing and removing the malware from thousands of devices and removing the vulnerability to “shut the door the Russians had used” to get in. The FBI has contacted the victims’ internet service providers and asked them to notify victims of the action where contact information could not be identified.

It’s not all rosy, though. As Dan Goodin notes for Ars Technica, WatchGuard patched the vulnerability, an authentication bypass, in May 2021. “These releases also include fixes to resolve internally detected security issues,” read a company update, with WatchGuard explaining that it didn’t want to tip off attackers to the vulnerability. It would go on to be assigned CVE-2022-23176 and a CVSS score of 8.8 out of 10.0.

Usually, a CVE is assigned at the time of patching. In this case, WatchGuard waited a total of eight months after the original release, and three months after the FBI’s notification, which critics say put its customers at ‘unnecessary risk’ by downplaying the severity.

Interesting stats

1 in 6 organisations vulnerable to SpringShell have already been targeted by attackers, according to Check Point

$511,957 was the average ransom paid in 470 ransomware incidents handled by law firm BakerHostetler in 2021, roughly 2/3 of the 2020 figure, a drop attributed to investment in multi-factor authentication and backup capabilities

Other newsy bits

Mailchimp social engineered, used to steal mailing list info for a targeted phishing attack

Attackers gained access to 319 Mailchimp accounts relating to cryptocurrency and finance mailing lists and stole the distribution lists from 102 of them. They used these details to carry out targeted phishing attacks against subscribers, including users of the popular Trezor hardware cryptocurrency wallet.

Mailchimp confirmed that the breach was caused after an employee fell victim to a social engineering attack and their credentials to a support system were compromised.

Applying multi-factor authentication on Internet-facing systems, including your ‘internal’ tools, will help to prevent this sort of attack.

Hydra marketplace shut down

German law enforcement has shut down the “server infrastructure” of dark web marketplace, Hydra, which blockchain analysis firm Elliptic estimates has facilitated more than $5 billion of transactions since December 2015. 

In addition to seizing the infrastructure, the German authorities also seized more than $25 million worth of Bitcoin. The Russian-language site provided a marketplace for illegal narcotics as well as forged documents and other ‘digital services’.

The raid also resulted in the takedown of the Bitcoin Bank Mixer, a service used to ‘mix’, or obfuscate, cryptocurrency transactions that were used in the Colonial Pipeline ransomware incident.

Mahesh Bank loses millions of rupees in heist

Hyderabad City Police have been damning in their report following a cyber heist at an Indian bank where attackers were able to create new accounts, move funds and alter balances before cashing out at over 900 ATMs across the country. 

Mahesh Bank, which has 45 branches and around $400 million of deposits, had “no proper network infrastructure” and administrators shared passwords.

As Simon Sharwood puts it for The Register: “An Indian bank that did not have a valid firewall license, had not employed phishing protection, lacked an intrusion detection system and eschewed use of any intrusion prevention system has, shockingly, been compromised by criminals who made off with millions of rupees.”

Thoughtful reads

Fundamental (but really hard) security metrics

Some great metrics and thinking here from Phil Venables. A lot of these are very applicable to technology and platform companies. ‘Software or infrastructure reproducibility’ and ‘time to reboot the company’ stood out to me, as they highlight a concept I’ve been juggling with for a few years now.

I tend to see an organisation through (at least) two lenses: ‘corporate technology’ and ‘production technology’.

Corporate technology comprises the office-based systems needed for business functions to operate and includes things like email and collaboration tools, office apps, finance and HR systems, etc. That’s not limited to back-office functions though: sometimes it will include customer relationship management or support systems that have some level of passive, if not active, customer engagement.

Production technology is the stuff that generates the business’ revenue. For a bank that may be transactional systems, the cloud platform of a software-as-a-service (SaaS) vendor, or operational technology controlling industrial processes in a chemical plant.

In my experience, infrastructure reproducibility is much more achievable for technology-driven businesses that develop their own software. For these organisations it makes significant sense and, generally, this reproducibility is focused on their revenue-generating production technology.

For all businesses, much of their corporate technology is increasingly delivered through a combination of SaaS tools connected through application programming interfaces (APIs), or other ‘marketplace’ type integrations. This has come with an implicit trade-off: less day-to-day maintenance in exchange for fragility if you ever had to rebuild completely from scratch.

Integrations and apps get stitched together on a piecemeal and case-by-case basis. Generally, there is no way to export and back up the configuration of your SaaS services. Yes, SaaS vendors should be handling the backup of your data and the availability of their platforms. However, that’s only part of the problem. What if you had to replace a vendor? Or stay put but essentially start afresh? (Think of all those OAuth prompts!)

Rebuilding the modern web of critical corporate technology systems: understanding that ecosystem (including ‘shadow’ IT) and, crucially, being able to reproduce that organic growth is something I haven’t seen or heard much discussion about within the information security industry. How do we ‘backup and restore our ecosystem’?

PS, I also really like ‘stagnant systems’ and think it better encompasses the issues than ‘legacy’ or ‘heritage’ systems, and nicely gets to the nub of whether something is subject to ongoing care.

NFTs, blockchain transactions and privacy

A fundamental premise of blockchains, and of the cryptocurrencies built atop them, is a public, immutable record of every transaction. The ‘anonymity’ of cryptocurrencies is widely recognised as a bit of a fallacy. Law enforcement has repeatedly been able to track criminal proceeds through public ledgers and identify individuals where these meet traditional finance systems with well-established ‘know your customer’ checks. These checks are coming to cryptocurrency, too, via regulation or voluntarily in attempts to boost customer adoption.

Non-fungible tokens and the associated NFT artwork present similar privacy and security challenges too, as Eric Ravenscraft investigates for Wired, showing how linking that NFT art to your Twitter profile strips away privacy, and the issues associated with removing unwanted material from a user’s wallet.

In brief

Attacks, incidents & breaches

  • Mattress company Emma notifies customers of MageCart card-skimming breach affecting purchases between 27th January and 22nd March this year
  • German wind turbine manufacturer Nordex Group shut down systems to contain an “early stage” cyberattack
  • UK retailer The Works has closed some stores following delays to stock replenishments and online orders after a cyber-attack. Internal and external systems, including email, were taken offline to allow “advisers to evaluate and rectify the situation”
  • Block (née Square) has revealed in an SEC filing that a former employee retained access to systems and accessed accounts of Cash App customers for a year after leaving the company. The company is contacting 8.2 million customers to provide further information
  • Finnish government sites were subjected to denial-of-service attacks during a speech by Ukrainian President Volodymyr Zelenskyy to members of the Finnish parliament.

Threat intel

  • FIN7 using a ‘novel’ new backdoor, and also leveraging supply chain trust and stolen credentials against RDP, say Mandiant
  • Chinese-linked group Cicada (aka Stone Panda, APT10) have been using a malicious DLL and VLC media player to act as a custom malware loader, according to Symantec
  • Cado Security have identified what they believe to be crypto-mining malware targeting AWS Lambda


  • Surprise surprise: VMware products contain multiple SpringShell remote code execution vulnerabilities. It’s this sort of common vendor platform that will see any significant exploitation of this type of bug where cybercriminals can maximise their return on investment by developing and testing exploits consistently against multiple organisations
  • Also, VMware has released patches for two CVSS 9.8 score vulnerabilities in Workspace ONE Access that allow malicious actors to “bypass the authentication mechanism and execute any operation due to exposed endpoints in the authentication framework”
  • Trend Micro 

Cyber defence

  • Microsoft says Windows Autopatch will make ‘Patch Tuesday’ a thing of the past for E3 licence-holders using Azure AD and Intune, gradually rolling out patches and detecting issues
  • Munich Re is tightening cyber insurance policies to exclude war from claims and be “very, very clear” on policy …wording to “avoid surprises.”

Security engineering

  • Something to consider if you’re building something with user customisable URL components: abusing character counts and vanity URL requests on YouTube
  • GitHub launches ‘push protection’ feature as part of Advanced Security suite to scan for, and block, secrets from pushes before they’re accepted

Operational technology

  • Report from Dragos highlights the most active threat groups targeting critical infrastructure
  • Intrusions into seven ‘state load despatch centres’ of Northern India’s electricity grid are ‘likely’ linked to Chinese groups, says Recorded Future

Internet of Things

  • Raspberry Pi to remove the default ‘pi’ username in response to IoT security regulations prohibiting default login credentials, in a move that should make brute-force attacks against the tiny computers


  • The EU’s top court has ruled that “the objective of combating serious crime, as fundamental as it may be, does not, in itself, justify that a measure providing for the general and indiscriminate retention of all traffic and location data,” drawing a line between the bulk collection of data for surveillance and national security purposes and combating serious crime
  • Sticking with the EU, the European Commission’s ‘Prüm II’ proposals would see law enforcement powers extended from the sharing of fingerprints, DNA and vehicle ownership data to include driver’s licences and photos of suspected and convicted criminals’ faces. The proposal also allows authorities to run retroactive facial recognition algorithms against the dataset

Public policy

  • US State Department launched the ‘Bureau of Cyberspace and Digital Policy’ this week, to focus on the “national security challenges, economic opportunities, and implications for U.S. values associated with cyberspace, digital technologies, and digital policy”
  • Meanwhile, the US Department of Defense is in a bun-fight over rules permitting the launch of cyber-attacks without prior White House approval. There has to be a proportionate conclusion here: permitting day-to-day ‘defend forwards’ access operations while still requiring authorisation for strikes, I think


Law enforcement

  • FIN7 member Denys Iarmak has been sentenced to five years in prison for his role as a ‘pen tester’ gaining access to victims’ networks

Mergers, acquisitions and investments

  • An investor is suing over ‘materially incomplete and misleading’ information from Mandiant over Google’s $5.4 billion acquisition plan (vol. 5, iss. 11)
  • … while Mandiant and CrowdStrike announce ‘strategic partnership’
  • Mid-market security solution, Coro, closes $60 million Series C fundraising round
  • The company behind Nord VPN has raised $100 million on a $1.6 billion valuation

And finally

AOC is a cyber professional?

Great assessment from US Congressional representative Alexandria Ocasio-Cortez on the cyber threat in response to a social media question:

A screenshot of AOC’s social media response to a question about cyber attacks. The answer is comprehensive, nuanced and includes analogies to aid understanding of the assessment, likely targets and steps a user should take in response (source: @SwiftOnSecurity)

H/t @SwiftOnSecurity
