Robin’s Newsletter #212

10 July 2022. Volume 5, Issue 28
Apple's extreme 'Lockdown Mode' to protect against NSO Group. Apparent breach of 1 billion Chinese citizens data. Bad week for NPM ecosystem.

This week

Apple’s Lockdown Mode

Apple is introducing a new ‘Lockdown Mode’ for the very limited subset of users that may be targeted by espionage groups such as the NSO Group. Apple describes the optional mode as “extreme” and for those “who face grave, targeted threats to their digital security.”

The new protections require a reboot of the handset and aim to reduce the attack surface of Apple’s iPhone, iPad and Mac devices by reducing functionality, such as:

  • Blocking message attachments and disabling link previews
  • Complex or advanced web browser technologies, such as just-in-time JavaScript, are disabled
  • Incoming calls and invitations using Apple services like FaceTime from unknown contacts are blocked
  • Blocking wired connections with a computer or accessory when the device is locked
  • Configuration profiles, such as those used for mobile device management (MDM), cannot be installed

This classic security/usability trade-off will not be for the typical user, but it is great to see as a way for those that may be targeted to help protect themselves — something previously that was very difficult given the modern emphasis on ease of use.

Apple and Google have been notifying users of sophisticated attempts against them for some time; however, most users will not understand what they are meant to do with such a notification or how they can improve their protection.

Interesting stats

54 ‘internet shutdowns’ — blackouts, social media shutdowns and mobile network throttling, often by oppressive regimes — so far in 2022 have cost $5.45 billion, according to Top10VPN, using a methodology developed by the Brookings Institute in 2016

In brief

  • A post on Breach Forums claims to have obtained 23TB of data from the Shanghai National Police (SHGA), including personal details on 1 billion Chinese citizens: name, address, birthplace, national ID number, mobile number and all crime/case details. The poster, calling themselves ‘ChinaDan’, is requesting 10 BitCoin / ~$200,000 for the dump. Update: the data may have been exposed, without a password, since April 2021

  • Following the kinetic attack on Iranian steelworks last week (vol. 5, iss. 27), the group calling itself Gonjeshke Darande has published a 20GB dump of data it says is the ‘first part’ of a leak of files that it says show connections to Iran’s Islamic Revolutionary Guard Corps

  • British Army Twitter and YouTube accounts were compromised this week and used to promote (thankfully just) apparent crypto-currency and NFT scams

  • Disneyland is also investigating a take-over of its accounts that saw expletive and racially abusive language used in a string of messages

  • A Marriott hotel at Baltimore Airport was compromised and attackers made off with 20GB of data that they claim includes confidential guest and payment information

  • French mobile operator La Poste Mobile is struggling to bring services back online following a ransomware attack by the LockBit gang

  • Microsoft analysis of the most recent version of the Hive ransomware executable, following a switch to the Rust programming language

  • Palo Alto Networks claim ‘near-undetectable’ malware, based on the “red team and adversary simulation” tool ‘Brute Ratel’ (BRC4), is being used by Russia’s Cozy Bear advanced persistent threat (APT) group

  • The FBI, CISA and US Treasury are warning of North Korean state-sponsored attacks against healthcare providers using the Maui ransomware strain

  • Google has released an update for a vulnerability in its Chrome web browser that was being actively exploited. CVE-2022-2294 was in the implementation of WebRTC that allows for ‘real-time comms’ for things like video and voice calls

  • Microsoft is reversing its decision (vol. 5, iss. 7) to block macros in its Office suite by default

  • Two-dozen NPM typo-squatting packages were found containing obfuscated code that exfiltrates data from web apps

  • Also this week, almost 1,300 NPM packages containing crypto-mining malware were discovered by Checkmarx researchers, suggesting an automated campaign targeting the developer ecosystem

  • PyPI — the Python Package Index — is now mandating multi-factor authentication for critical projects (those in the top 1% of downloads in the previous six months), though some open-source developers are pushing back on the change with one, who deleted his projects to reset their download counts, saying they’d “rather just write code for fun and only worry about supply chain security when I’m actually paid to do so”

  • NIST has chosen one encryption and three digital signing algorithms to be included in its ‘post-quantum’ cryptographic standard

  • The German Federal Office for Information Security (BSI) has published a guide on the minimum cyber security requirements for satellites

  • Kaspersky has open-sourced its TinyCheck tool that runs on a RaspberryPi to detect stalkerware while minimising the chances of being detected by abusers

  • New technical report suggests Honda cars may be unlocked without using the key, while Honda says that the report is “old news” and that videos provided showing various Honda models being unlocked “do not include sufficient evidence to support the claims”

  • UK Home Secretary, Priti Patel, has proposed an amendment to the forthcoming Online Safety Bill that would give telco regulator Ofcom powers to force Internet platforms to implement content scanning technologies. Patel says the move is to help combat child sexual exploitation; however, the policy is incompatible with the end-to-end encryption that protects daily communications and online transactions

  • Relatedly… Lily Hay Newman’s piece for Wired this week draws parallels between encryption and the right to self-defence, afforded by the US Constitution’s Second Amendment. It’s an interesting perspective — especially given recent US Supreme Court action — around the right to defend your property… in a digital world

  • In a joint letter to the Law Society, the NCSC and ICO advise UK law firms that it is ‘incorrect’ to advise victims of ransomware that paying demands means that they will not need to engage the ICO or gain the benefit of reduced enforcement penalties

  • Ukrainian police have arrested suspected members of a cybercrime gang believed to have defrauded 5,000 victims of $3.38 million

  • Cyber insurance startup Coalition closes $250 million Series F on a $5 billion valuation and will use the money to begin offering policies outside of the US

And finally


A meme of Robin saying ‘Remote Desktop Protocol’ and Batman slapping him to correct that it should be ‘Ransomware Deployment Protocol’

H/t Tony: @Wookiee__
