Robin’s Newsletter #203

8 May 2022. Volume 5, Issue 19
Mandiant identified stealthy APT actor targeting M&A teams in large corporates. Heroku mishandles breach of customer passwords, environment secrets. $1.6 billion of cryptocurrency has been stolen so far this year.

This week

Stealthy new threat actor identified by Mandiant is stealing data from large company M&A teams

Mandiant says that they have identified a new, stealthy threat actor that they are tracking as ‘UNC3524’ (the UNC standing for uncategorised). In some cases, they say the attacker had been in the victim’s networks undetected for 18 months.

The target of the threat actor appears to be the corporate development functions and staff involved in mergers and acquisitions at large corporations. The attackers use API calls to email servers to find and steal data of interest stored in messages and attachments, either on-premises or in the cloud.

“For their long-haul remote access, UNC3524 opted to deploy [the backdoor] on opaque network appliances within the victim environment; think backdoors on SAN arrays, load balancers, and wireless access point controllers.”

‘Hiding’ on these sorts of network appliances helps to avoid detection as they rarely support anti-malware or endpoint detection and response agents used by companies to detect and investigate suspicious activity.

The actor intends to steal data, primarily sourced from email, and then exfiltrate it using an SSH-based backdoor Mandiant have dubbed QUIETEXIT. The command and control domains in use, and the choice of SSH, are designed to blend in with typical company traffic.

A second piece of malware, based on the reGeorg web shell, was also used to help aid persistence in the victim’s environment.

Mandiant is cautious about attribution but does call out that some of the tactics and methodologies of UNC3524 overlap with Russia’s Fancy Bear and Cozy Bear groups.

“The high level of operational security, low malware footprint, adept evasive skills,” say Mandiant, puts “the ‘advanced’ in Advanced Persistent Threat.”
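Because QUIETEXIT rides on SSH and its domains are chosen to look ordinary, reputation-based detection of the destination is a weak signal; the stronger one is the source, since storage arrays, load balancers and wireless controllers have no business initiating long-lived outbound SSH sessions. The following is an added example (not Mandiant’s code or the newsletter’s) that applies that reasoning to constructed flow records, using a made-up asset inventory and a made-up `timestamp src dst dport bytes duration` log format:

```python
import ipaddress
from dataclasses import dataclass

# Constructed asset inventory: which internal hosts are "opaque" appliances of
# the kind Mandiant describes (SAN arrays, load balancers, WLAN controllers).
ASSET_ROLES = {
    "10.0.5.20": "san-array",
    "10.0.5.21": "load-balancer",
    "10.0.5.22": "wlan-controller",
    "10.0.10.15": "bastion-host",
    "10.0.20.101": "workstation",
}
APPLIANCE_ROLES = {"san-array", "load-balancer", "wlan-controller"}

# Treat only RFC 1918 space as "internal"; anything else is an external peer.
# (Checked explicitly rather than via ip_address().is_private, which also
# classifies documentation ranges such as 203.0.113.0/24 as private.)
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    bytes_out: int
    duration_s: int


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated flow record (constructed format)."""
    ts, src, dst, dport, nbytes, dur = line.split()
    return Flow(ts, src, dst, int(dport), int(nbytes), int(dur))


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def evaluate(flow: Flow, long_session_s: int = 3600) -> list:
    """Return the reasons this flow is suspicious (empty list if none).

    Only SSH flows whose *source* is a known appliance are considered; the
    destination's reputation is deliberately not used.
    """
    reasons = []
    if flow.dport != 22:
        return reasons
    role = ASSET_ROLES.get(flow.src, "unknown")
    if role not in APPLIANCE_ROLES:
        return reasons
    if is_external(flow.dst):
        reasons.append(f"{role} {flow.src} initiated outbound SSH to external host {flow.dst}")
    if flow.duration_s >= long_session_s:
        reasons.append(f"{role} {flow.src} held an SSH session for {flow.duration_s}s")
    return reasons


def detect(lines) -> list:
    """Run evaluate() over raw flow lines; returns (timestamp, src, reasons) tuples."""
    alerts = []
    for line in lines:
        flow = parse_flow(line)
        reasons = evaluate(flow)
        if reasons:
            alerts.append((flow.ts, flow.src, reasons))
    return alerts


# Constructed sample flows: timestamp src dst dport bytes duration_seconds
SAMPLE_FLOWS = [
    "2022-05-02T03:14:07Z 10.0.5.20 203.0.113.45 22 5242880 7200",   # SAN array -> internet, 2h
    "2022-05-02T09:02:11Z 10.0.10.15 10.0.20.30 22 20480 120",       # bastion -> internal, normal
    "2022-05-02T10:30:00Z 10.0.20.101 198.51.100.7 443 8192 15",     # workstation HTTPS, ignored
    "2022-05-02T11:05:43Z 10.0.5.21 10.0.7.9 22 4096 60",            # LB -> internal, short
]

if __name__ == "__main__":
    for ts, src, reasons in detect(SAMPLE_FLOWS):
        print(ts, src)
        for r in reasons:
            print("  -", r)
```

The inventory is the part that does the work: the rule is only as good as the organisation’s knowledge of which addresses belong to appliances that cannot run an EDR agent, which is exactly the class of device the actor chose.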

Interesting stats

$1.6 billion worth of cryptocurrency has been stolen so far in 2022 (see Incidents below)

Other newsy bits

Backlash over Heroku’s handling of their data breach

Salesforce-owned cloud provider Heroku faced criticism this week for its handling of a data breach that required the reset of customer passwords. Poor communication and a lack of detail sparked concern on 4th May when a password change notification was sent to some customers without any reason being given.

In a subsequent explanation, the company clarified that a threat actor had “obtained access to a Heroku database and downloaded stored customer GitHub integration OAuth tokens” in the first week of April.

Machine accounts and automation tokens are increasingly being targeted by threat actors because of their privileged access. Points of concentration, such as providers like Heroku who have customer authentications with other cloud and production platforms, are particularly attractive because of the onward access they afford the attacker.

Worryingly for Heroku customers, it wasn’t just usernames and salted passwords that were taken, but attackers also “had access to encrypted Heroku customer secrets stored in config var,” though the company says that “secrets are encrypted at rest” and “did not access the encryption key” required to decrypt this data.

The recommendations from Heroku are a little self-reflective, as the rotation of keys, scanning source code repositories for secrets and generally improving credential management are equally applicable to the Salesforce division and would have helped prevent the attack.
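One of those recommendations, scanning repositories and configuration for credentials that should never have been committed, is mechanical enough to show. The block below is an added example, not Heroku’s or Salesforce’s tooling: it combines a pattern for GitHub’s prefixed token families (`ghp_`, `gho_`, `ghu_`, `ghs_`, `ghr_`) with a Shannon-entropy check on values assigned to credential-looking names. The sample source lines and the token in them are constructed.

```python
import math
import re
from collections import Counter

# GitHub's prefixed token formats: ghp_ (personal), gho_ (OAuth), ghu_/ghs_ (app), ghr_ (refresh),
# each followed by 36 alphanumeric characters.
GITHUB_TOKEN_RE = re.compile(r"\b(gh[pousr]_[A-Za-z0-9]{36})\b")

# Assignments whose variable name suggests a credential; the value is captured for an entropy check.
ASSIGNMENT_RE = re.compile(
    r"(?i)\b([A-Z0-9_]*(?:secret|token|password|api_key|apikey)[A-Z0-9_]*)\s*[=:]\s*['\"]?([^'\"\s]+)"
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random hex tops out near 4, random base64 near 6."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_lines(lines, entropy_threshold: float = 3.5, min_len: int = 16) -> list:
    """Return (line_number, finding_type, detail) for each suspected secret."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for m in GITHUB_TOKEN_RE.finditer(line):
            findings.append((lineno, "github-token", m.group(1)))
        for m in ASSIGNMENT_RE.finditer(line):
            name, value = m.group(1), m.group(2)
            if GITHUB_TOKEN_RE.fullmatch(value):
                continue  # already reported above by the exact-format rule
            # Short values (TTLs, flags) are skipped; long, high-entropy ones look like keys.
            if len(value) >= min_len and shannon_entropy(value) >= entropy_threshold:
                findings.append((lineno, "high-entropy-credential", name))
    return findings


def redact(value: str, keep: int = 4) -> str:
    """Show only a prefix when reporting, so the report itself does not leak the secret."""
    return value[:keep] + "..." if len(value) > keep else value


# Constructed sample source; the gho_ value is made up and has never been a real token.
SAMPLE_SOURCE = [
    'DATABASE_URL = "postgres://app:app@localhost/app"',
    'GITHUB_TOKEN = "gho_x1Y2z3W4v5U6t7S8r9Q0p1O2n3M4l5K6j7I8"',
    'SESSION_SECRET = "8f3a1c9e2b7d4f60a5c3e1b9d7f2a4c6"',
    "TOKEN_TTL_SECONDS = 3600",
    'LOG_LEVEL = "info"',
]

if __name__ == "__main__":
    for lineno, kind, detail in scan_lines(SAMPLE_SOURCE):
        shown = redact(detail) if kind == "github-token" else detail
        print(f"line {lineno}: {kind}: {shown}")
```

Anything the scanner reports is a rotation candidate regardless of whether the repository is private: the Heroku incident is a reminder that the store holding a token can be breached even when the token never leaves it.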

Russia is rerouting internet connections in occupied areas of Ukraine

Internet services in the occupied territory of Kherson have been rerouted by Russian forces after capturing telecommunications infrastructure. That shouldn’t come as much of a surprise: Russia will want to control access to information and the Ukrainian internet service providers are hardly going to be willing participants in that. Diverting via their backhaul to Russian infrastructure gives that capability.

CCP Scheme changes

The UK National Cyber Security Centre’s Certified Cyber Professional scheme, required by UK government organisations for certain cyber security roles, is to be transferred to the UK Cyber Security Council. The move makes sense, as the scheme was created before the council’s creation, which is expected to “develop, promote and provide stewardship of the highest possible standards of expertise, excellence, professional conduct and practice in the profession.” Further information on the transition and longer-term changes are expected to be made at the CYBERUK 2022 conference being held this coming week.

In brief

Attacks, incidents & breaches

  • Russian ransomware group LockBit claims a successful attack against the Bulgarian government agency responsible for refugees. Bulgaria is one of the countries hosting thousands of Ukrainians fleeing their country after the Russian invasion
  • The phone of Pedro Sánchez, the Spanish prime minister, was ‘targeted with [NSO Group’s] Pegasus spyware’. Over 200 Spanish mobile numbers are apparently ‘possible’ surveillance targets of Morocco using the Pegasus spyware
  • A Californian resident has been found guilty of a phishing attack to steal the login credentials of US DoD suppliers. Sercan Oyuntur used the stolen credentials to redirect a $23.5 million payment to a jet fuel supplier to a bank account he controlled
  • Car hire firm Sixt had to fall back to pen and paper for car rentals last week following a cyberattack requiring the company to limit access to IT systems
  • Trinidad supermarket Massy Stores was unable to trade following “technical challenges” with the point of sale and card systems stemming from a cyberattack
  • The Black Basta cybercrime gang has claimed to have attacked the American Dental Association with ransomware
  • Healthcare startup myNurse is to shut down following a data breach that exposed patients’ names, phone numbers, and dates of birth, but also medical histories, diagnoses, treatments, lab test results, prescriptions, and health insurance information. The firm claims the winding up of the business is unrelated to the security incident but declined to provide further explanation
  • Massey Ferguson tractor manufacturer AGCO is investigating a ransomware attack
  • The dramatic leaking of the US Supreme Court draft opinion on the overturning of Roe v. Wade has been branded ‘illegal’ though, as Andy Greenberg writes for WIRED, which law, if any, has been violated is unclear

And on the cryptocurrency front…

  • More than $90 million cryptocurrency stolen from decentralised finance (DeFi) platforms Rari Capital and Saddle Finance
  • In total, over $370 million of cryptocurrency was stolen from exchanges and decentralised finance (DeFi) platforms in April, bringing the current 2022 total to over $1.6 billion
  • The US Treasury has sanctioned the cryptocurrency mixer Blender for money laundering on behalf of the North Korean regime, which has turned to attacks and scams on cryptocurrency organisations and investors. Patrick Gray and Adam Boileau joked on Risky Business recently that DeFi platforms had become the “North Korean Patreon programme”, the quip being that the DPRK has outsourced funding of its nuclear and ballistic missile programmes to cryptocurrency enthusiasts

Threat intel

  • Nobelium, the Russian-linked group behind the SolarWinds attack (vol. 3, iss. 51), is setting up a new phishing infrastructure that may spoof, or ‘typosquat’, real brands, according to Recorded Future
  • Chinese group Winnti are abusing Windows Common Log File System (CLFS) to store payloads and evade detection, according to Cybereason
  • North Korea’s Lazarus group is still using LinkedIn to target victims and Office macros to compromise devices, say NCC Group


Patch your network equipment. All of it:

  • Five critical remote code execution vulnerabilities linked to the NanoSSL library found in HPE’s Aruba and Extreme Networks’ Avaya devices
  • Two vulnerabilities in Cisco’s Enterprise NFV Infrastructure Software (NFVIS) allow the attacker to run commands as root and escape the guest virtual machine
  • Critical vulnerability in F5’s BIG-IP products allows remote code execution

Cyber defence

  • Microsoft Defender for Business is now available for small and medium businesses, bundled as part of Microsoft 365 Business Premium for up to 300 users
  • US Department of Defense trial bug bounty programme found 401 vulnerabilities requiring remediation across 348 systems in the first year
  • NIST has issued Special Publication 800-161r1 Cybersecurity Supply Chain Risk Management Practices… containing guidance on identifying, assessing and mitigating supply chain cyber risk (PDF)

Security engineering

  • GitHub users will be required to use multi-factor authentication by the end of 2023. Just 16.5% of active GitHub users currently have MFA enabled, according to Microsoft

Operational technology

  • The Institution of Engineering and Technology (IET) has released a revised code of practice for cyber security in the built environment to provide “practical guidance on the key aspects of cyber security relating to specific jobs and responsibilities in maintaining the security of a building”

Internet of Things

  • DNS-poisoning attacks possible against IoT devices using the uClibc and uClibc-ng libraries


  • Mozilla has reviewed 32 mental health and prayer apps and found that 25 of them “routinely share data, allow weak passwords, target vulnerable users with personalized ads, and feature vague and poorly written privacy policies,” causing them to not meet the firm’s Minimum Security Standards
  • There’s growing concern over the unregulated space of data brokers in the US at the moment, and the most recent example is how $160 can buy you one week’s worth of data on the locations of visitors to abortion clinics

Public policy

  • The White House announced proposals this week to start a “timely and equitable transition of the Nation’s cryptographic systems to interoperable quantum‑resistant cryptography,” as concerns mount over ‘cryptanalytically relevant quantum computers’ (CRQC) that would be capable of breaking the current public-key cryptography used to secure civilian and military digital communications
  • South Korea joins NATO’s Cooperative Cyber Defense Centre of Excellence (CCDCOE), becoming the first Asian nation to do so

Law enforcement

  • Up to $15 million is being offered by the US State Department for information on members of the Conti ransomware gang that leads to an arrest or conviction

Mergers, acquisitions and investments

  • Machine identity and authentication startup Teleport has raised a $110 million Series C funding round, equating to a $1.1 billion valuation

And finally

This World Password Day, look to a password-less future

Thursday was ‘World Password Day’ and, amongst the vendor PR pieces about password security, Apple, Google and Microsoft announced a joint effort with the FIDO Alliance to allow password-less sign-ins for consumers.

The new standard would use Bluetooth to verify the proximity of a smartphone, and then a prompt would appear on the phone requiring the user to enter their PIN or biometric to log in to the website or app.

The new capabilities are “expected to become available across Apple, Google and Microsoft platforms over the course of the coming year,” implying that next year should, perhaps, be called ‘World Passkey Day’.

