Robin’s Newsletter #205

22 May 2022. Volume 5, Issue 21
Conti increases its demands against Costa Rica while also restructuring. REvil potentially back on the scene. DoJ won't prosecute 'good faith' security research under CFAA.

This week

  • The president of Costa Rica, Rodrigo Chaves, has said there are ‘collaborators’ inside the country that are aiding Conti in their attacks on the nation, which have affected at least 27 institutions (nine of them seriously). The cybercrime gang has claimed they have “insiders in [the Costa Rican] government,” doubled their ransom demand from $10 million to $20 million and continued calls for citizens to stage rallies and overthrow their government.
  • The Conti ransomware group took much of their infrastructure offline this week and announced it was “going through a massive reset” and breaking into smaller groups. Lots of information on the group was leaked in March (vol. 5, iss. 10) and AdvIntel speculates that since sanctions against Russia were imposed in February, almost no payments have been made to the group. The group’s malware has become ‘highly detectable’ and, in combination, these likely have forced the need for a rebrand and other improvements to operational security.

Other newsy bits

  • Darkweb servers and blogs belonging to REvil are back online raising speculation that the group may be ‘back in business’. Members of the group were arrested in raids in January (vol. 5, iss. 3) by Russia’s Federal Security Service. Chris Morgan from Digital Shadows speculates that the potential return coincides with the cessation of a diplomatic channel between the US and Russia dedicated to cyber security.

  • Hospitals in Greenland have been ‘severely’ affected by a cyberattack, according to the island country’s government. The statement didn’t indicate if it was a ransomware attack but reassured citizens that there had been no damage or copies made of their data.

  • “An entirely different kind of cyberattack,” as Russian troops reportedly stormed an Internet Service Provider (ISP) in Kherson and threatened the company unless it routed traffic via Russian networks. Information warfare has formed a key part of the conflict in Ukraine, and routing requests via Russia would allow greater control over access to information and the promotion of disinformation to Kherson residents.

  • Microsoft says it has observed a 254% increase in activity from XorDdos, a Linux trojan that increasingly targets cloud infrastructure and Internet of Things (IoT) devices. XorDdos uses SSH brute force attacks to gain access to devices, before running a script to download its malware.
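The SSH brute-force initial access described above leaves a clear trail in sshd logs. As an added example (not from the newsletter or from Microsoft's report), the following Python scans constructed sshd log lines for a burst of failed logins from one source IP and then flags any password login that source subsequently gets accepted; the threshold, window and year are assumptions to tune.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd lines (not real data); the syslog format has no year, so one is assumed.
SAMPLE_LOG = """\
May 20 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
May 20 10:00:03 host sshd[1203]: Failed password for root from 203.0.113.7 port 51024 ssh2
May 20 10:00:04 host sshd[1205]: Failed password for invalid user admin from 203.0.113.7 port 51026 ssh2
May 20 10:00:06 host sshd[1207]: Failed password for root from 203.0.113.7 port 51030 ssh2
May 20 10:00:08 host sshd[1209]: Failed password for root from 203.0.113.7 port 51031 ssh2
May 20 10:00:09 host sshd[1211]: Accepted password for root from 203.0.113.7 port 51033 ssh2
May 20 10:05:00 host sshd[1300]: Failed password for alice from 198.51.100.9 port 40000 ssh2
May 20 10:30:00 host sshd[1350]: Accepted publickey for alice from 198.51.100.9 port 40010 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse(line, year=2022):  # -> (timestamp, result, method, user, ip) or None
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["method"], m["user"], m["ip"]

def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Return ('burst', ip, ts) when >= threshold failures from one IP fall in a sliding
    window, and ('success_after_burst', ip, ts, user) if that IP then logs in by password."""
    recent = defaultdict(deque)  # source ip -> timestamps of failures still inside the window
    bursting, alerts = set(), []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, result, method, user, ip = rec
        q = recent[ip]
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()  # expire failures older than the window
        if result == "Failed":
            q.append(ts)
            if len(q) >= threshold and ip not in bursting:
                bursting.add(ip)
                alerts.append(("burst", ip, ts))
        elif method == "password" and ip in bursting:
            alerts.append(("success_after_burst", ip, ts, user))
    return alerts
```

A success-after-burst alert is the one worth paging on: it is the point at which a follow-on download script, as with XorDdos, would run.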

  • CISA released an alert this week on the weak security controls and practices that cyber threat actors routinely exploit to gain an initial foothold in target organisations. As well as a useful written narrative (covering things like lack of multi-factor authentication and the need to implement endpoint detection and response) they map to these five MITRE ATT&CK techniques: exploit public-facing application; external remote services; phishing; trusted relationship; valid accounts.

  • Certification body (ISC)² has launched a scheme in the UK for up to 100,000 individuals to apply for a self-paced* course that results in an exam and entry-level cyber security certification. The course is free and the exam fees will be waived. (* The course is accessible for 180 days and the exam must be taken within 1 year.) It’s a great gesture and I’m sure nothing to do with potential future CISSP and CCSP exam fees ;-)

  • Singapore has set up the National Integrated Centre for Evaluation (NICE) that will conduct cyber security assessments of software and hardware products. The centre will also conduct research into evaluation techniques and follows the introduction of security labels (vol. 3, iss. 40).

  • The US Department of Justice (DoJ) will not use the 1986 Computer Fraud and Abuse Act (CFAA) to prosecute “good faith” security research. The policy change defines such research as that aimed at improving the security of apps and devices, as opposed to demanding payment in exchange for withholding information on a vulnerability.

And finally

  • A quick write-up by Lorenzo Franceschi-Bicchierai for Vice Motherboard on the paper (vol. 5, iss. 20) exploring the attack surface of the low-power Bluetooth, NFC and ultra-wideband radio chips in iPhones. It’s an interesting avenue of research and potentially useful as an add-on for existing malware implants, but it isn’t exploitable without first jailbreaking the phone. Also of note is that the radios providing connectivity to mobile and Wi-Fi networks do power down when the device is off.
