Robin’s Newsletter #204

15 May 2022. Volume 5, Issue 20
Costa Rica declares state of emergency over ransomware incidents. Civil penalties proposed for Colonial Pipeline over safety breaches.

This week

Costa Rica declares national emergency after ransomware attacks

Rodrigo Chaves, who was sworn in as president of Costa Rica, has made one of his first acts to declare a state of emergency over the ransomware attacks against the country. Finance, labour and telecommunications ministries have been targets, as have the social security agency and meteorological institute. One estimate has suggested that $200 million had been lost due to tax and customs bottlenecks.

The Conti ransomware gang have claimed responsibility for the attacks (vol. 5, iss. 18) and the country has said it will not pay any ransom to the “cyberterrorists”.

The gang has leaked over 600 GB of data stolen during the incident and has also encouraged Costa Ricans to revolt if their government does not pay the ransom and ‘stabilise the situation’ quickly.

The US is offering up to $15 million for information on members of the Conti ransomware gang that leads to an arrest or conviction.

I’ve not seen any analysis yet as to how the group was able to gain widespread access or why the country would be targeted in particular.

Interesting stats

  • $7 for a two-month DCRat subscription for a basic remote access trojan and plugins, according to BlackBerry
  • $260 for a year's subscription for password-stealing malware, and $90 for a crypto-miner on one dark web site and its associated Telegram channel, according to Cyble

Other newsy bits

One year on, civil penalties are proposed against Colonial Pipeline

The US Department of Transportation’s Pipeline and Hazardous Materials Safety Administration has proposed civil penalties totalling $986,400 for six violations that contributed to the disruption of fuel supplies following the DarkSide ransomware attack (vol. 4, iss. 19).

Practices in Colonial’s control rooms, including not testing manual continuity plans on an annual basis, were in “probable violation” of safety regulations and meant that a smaller-scale shutdown of operations was not possible.

A seventh violation, relating to not testing SCADA backup servers, was excluded from an immediate penalty on the advice that the company ‘promptly corrects this item’.

The focus on compliance with safety regulations is, in part, due to the minimal cyber security regulation for such critical infrastructure providers before the Colonial Pipeline incident. This spurred an executive order from President Biden aimed at improving cyber security across the United States. (Eric Geller’s tweets take a look at the progress that’s been made.)

Microsoft launches a new range of managed security services

Microsoft has announced three managed security services to be launched in 2022. “Security Experts,” Microsoft says, “combines expert-trained technology with human-led services to help organizations achieve more secure, compliant, and productive outcomes.”

The three services are:

  • Microsoft Defender Experts for Hunting, aimed at those with a ‘robust security operations centre’, takes Microsoft Defender data from endpoint, Office, cloud and identity sources for on-demand threat hunting
  • Microsoft Defender Experts for XDR is a managed (extended) detection and response service using tooling in the Microsoft 365 stack
  • Microsoft Security Services for Enterprise is a combination of the previous two with security information and event management (SIEM) for a ‘high-touch’ and ‘expert-led’ managed service against a custom statement of work

The services potentially help underwrite the company’s own security investment by turning existing ‘cost centre’ security operations staff into ‘revenue generating’ ones.

Not wanting to cause alarm amongst its partner community, Microsoft says it has designed these services in collaboration with partners including BlueVoyant, Red Canary and Mandiant. This has resulted in new APIs that expose more signals and threat intelligence for use in their services, while “Microsoft is fully committed,” Redmond says, “to working with an ecosystem of partners and technologies that provide customers the flexibility to choose what works for them.”

Reading and thinking

Wireless malware and ‘turned off’ iPhones

This paper will be released on Monday 16th May, but promises to be some really interesting research into running malware on the wireless chips in iPhones. Those radio chipsets stay powered on even when the phone is ‘turned off’ or runs low on power so that payment cards and passes in Wallet, and the Find My feature, still work.

“We analyze how Apple implements these standalone wireless features, working while iOS is not running, and determine their security boundaries,” says the abstract, “[demonstrating] the possibility to load malware onto a Bluetooth chip that is executed while the iPhone is off.”

In brief

Attacks, incidents & breaches

  • The electronic programme guide (EPG) showing TV programme information in Russia was compromised with every programme being changed to read “On your hands is the blood of thousands of Ukrainians and their hundreds of murdered children. TV and the authorities are lying. No to war”
  • Canadian air force training company Top Aces has suffered a ransomware attack by the LockBit group
  • Lincoln College, a university in Illinois, is to close its doors after 157 years following a funding shortfall caused in part by a ransomware attack
  • Ransomware actors continue to target healthcare organisations with AvosLocker’s attack on the 600-facility CHRISTUS Health marking its second in as many months
  • The US, UK and European allies have attributed the “unacceptable” attack on satellite company Viasat (vol. 5, iss. 12) to Russian military intelligence

Threat intel

  • The head of the UK’s GCHQ intelligence agency said that “perhaps the concept of a ‘cyber war’ was overhyped” in the Russian invasion of Ukraine; however, they have seen “indications that Russia’s cyber operatives continue to look for targets in countries that oppose their actions”
  • The NSA’s cybersecurity director, Rob Joyce, has used a speech at CYBERUK2022 to suggest that the decrease in ransomware attacks seen in the last couple of months may be fallout from the conflict in Ukraine, in part because of sanctions making it harder to move money and buy infrastructure from cloud providers
  • Five Eyes cyber security agencies are warning that attackers are targeting IT managed service providers to abuse their privileged access into their customer environments
  • Secureworks says new malware samples indicate REvil malware “is under active development”
  • A stealthy Linux and Solaris backdoor, dubbed BPFDoor, was used by a Chinese actor to target companies in the U.S., South Korea, Hong Kong, Turkey, India, Vietnam, and Myanmar for up to five years


  • The F5 BIG-IP vulnerability disclosed last week is being actively exploited after a proof of concept was posted online
  • Zyxel USG and ATP firewall models are subject to an ‘easy to weaponise’ unauthenticated remote code execution vulnerability

Cyber defence

  • Top tips from NCSC on putting staff welfare at the heart of incident response (it’s always important to feed and water your responders!)
  • Also new from NCSC is an email security check that validates the presence of DMARC and TLS to help prevent spoofing and interception of email
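To show what such a check actually looks at, here is an added example (not the NCSC tool's code) that grades a domain's DMARC record and MTA-STS policy from text supplied inline. The two domains, their TXT records and the policy file are constructed; no DNS or HTTPS lookups are made, so it runs offline.

```python
# Added example, not the NCSC tool's code: evaluate a DMARC TXT record and an
# MTA-STS policy (the TLS half of the check) from inline text. Domains, records
# and policy text below are constructed; nothing is fetched from the network.

def parse_dmarc(txt):
    """Split a DMARC TXT record into its tag=value pairs (lower-cased tags).
    Returns None when the text is not a DMARC record (v=DMARC1 must come first)."""
    tags = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    first = txt.strip().split(";", 1)[0].replace(" ", "").lower()
    if first != "v=dmarc1":
        return None
    return tags

def assess_dmarc(txt_records):
    """Evaluate the TXT records found at _dmarc.<domain>.
    Returns (effective policy or None, list of findings)."""
    parsed = [t for t in (parse_dmarc(r) for r in txt_records) if t is not None]
    if not parsed:
        return None, ["no DMARC record: spoofed mail is not rejected or quarantined"]
    if len(parsed) > 1:
        # RFC 7489 policy discovery: more than one record and processing stops.
        return None, ["multiple DMARC records published; receivers will ignore all of them"]
    tags = parsed[0]
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        return None, ["missing or invalid p= tag; record is not usable"]
    findings = []
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address; no aggregate reports to see who is spoofing you")
    if policy != "none" and tags.get("sp") == "none":
        findings.append("sp=none: subdomains can still be spoofed")
    return policy, findings

def parse_mta_sts(policy_text):
    """Parse an MTA-STS policy file (RFC 8461) into a dict; 'mx' collects a list."""
    out = {"mx": []}
    for line in policy_text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            out["mx"].append(value)
        else:
            out[key] = value
    return out

def assess_mta_sts(policy_text):
    """Return (mode or None, findings) for the TLS enforcement policy."""
    if policy_text is None:
        return None, ["no MTA-STS policy: senders may fall back to unencrypted delivery"]
    pol = parse_mta_sts(policy_text)
    if pol.get("version") != "STSv1":
        return None, ["MTA-STS policy missing version: STSv1"]
    mode = pol.get("mode")
    findings = []
    if mode == "testing":
        findings.append("mode: testing reports failures but does not stop plaintext delivery")
    elif mode != "enforce":
        return None, [f"unsupported MTA-STS mode {mode!r}"]
    if not pol["mx"]:
        findings.append("no mx: entries; policy cannot be matched to any mail server")
    return mode, findings

# Constructed sample inputs for two fictional domains.
GOOD_DOMAIN = {
    "dmarc_txt": ["v=DMARC1; p=reject; rua=mailto:dmarc-rua@example.test; sp=reject"],
    "mta_sts": "version: STSv1\nmode: enforce\nmx: mail.example.test\nmax_age: 604800\n",
}
WEAK_DOMAIN = {
    "dmarc_txt": ["v=spf1 include:_spf.example.test -all",  # an SPF record, not DMARC
                  "v=DMARC1; p=none; pct=50"],
    "mta_sts": None,
}

def check_domain(entry):
    """Run both checks and return a summary dict."""
    dmarc_policy, dmarc_findings = assess_dmarc(entry["dmarc_txt"])
    sts_mode, sts_findings = assess_mta_sts(entry["mta_sts"])
    return {"dmarc": dmarc_policy, "mta_sts": sts_mode,
            "findings": dmarc_findings + sts_findings}

if __name__ == "__main__":
    for name, entry in (("good", GOOD_DOMAIN), ("weak", WEAK_DOMAIN)):
        print(name, check_domain(entry))
```

A real checker would obtain the TXT strings from DNS and the policy file from `https://mta-sts.<domain>/.well-known/mta-sts.txt`; the grading logic is the same. The weak domain illustrates the most common finding in practice: a DMARC record exists but `p=none` with no reporting address, so it stops nothing and tells you nothing.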

Security engineering

  • Google announces ‘Open Source Maintenance Crew’ to “work directly on improving the security of critical open source projects”


  • Clearview AI settles American Civil Liberties Union lawsuit over Illinois biometric law and has agreed to not sell its facial recognition database to private companies, though they may still purchase the company’s algorithm
  • Georgetown University Centre on Privacy & Technology’s report American Dragnet argues that the US Immigration and Customs Enforcement (ICE) is a domestic surveillance agency, including “access to the driver’s license data of 3 in 4 (74%) adults,” and tracking “the movements of cars in cities home to nearly 3 in 4 (70%)”
  • San Francisco Police Department has used video footage captured by the cameras used on autonomous vehicles for investigations

Public policy

  • US President Biden has signed the Better Cybercrime Metrics Act requiring the DoJ and National Academy of Sciences to develop a taxonomy for categorising types of cybercrime (and cyber-enabled crime) and the Government Accountability Office to submit a report to Congress on the disparities in reporting between cyber- and other, traditional types of crime
  • The European Commission takes aim at end-to-end encryption with a proposal for tech companies to scan messages for child sexual abuse material (CSAM)
  • Critical infrastructure security improvements coming with ‘NIS2’ regulation from the EU
  • The Queen’s Speech, which sets out the UK government’s legislative agenda, promised a Data Reform Bill that may see the UK deviating from the EU’s GDPR regime, which prime minister Boris Johnson has described as ‘burdensome’. The ‘TIGRR team’ report (vol. 4, iss. 27) offers an insight into what Conservative lawmakers may be considering (all of it pretty terrible for citizens)
  • Singapore expands its ‘security labels’ initiative with the introduction of a ‘Transaction Safety Ratings’ scheme for e-commerce sites based on their anti-scam measures, amongst other security aspects

And finally

Give that wolf a banana

A dog and a banana (Source: Ciaran Martin)


And see this video if you’re not a Eurovision fan*

* I’m not sure how much this will help, though 😂

