Robin’s Newsletter #216

7 August 2022. Volume 5, Issue 32
Outage at NHS 111 service provider. Tory party balots delayed over security fears. Top malware strains. Peak inside a disinformation bot farm.
Join hundreds of subscribers who get this first, every Sunday. Subscribe

This week

NHS 111 IT provider suffers outage following cyber-attack

A cyber-attack against Advanced, a digital services firm, that support the UK’s NHS 111 non-emergency phone line. “As a precaution,” Simon Short, Advance’s COO told the BBC, “we immediately isolated all our health and care environments.”

The reactions of the company’s incident response team contained the incident to 2% of their health and care infrastructure. While the overall impact has been downplayed as calling ‘minimal’ disruption, delays were reported by the Welsh ambulance service.

There is speculation that the incident was the result of a ransomware attempt against a small number of servers that support the systems used to refer patients, dispatch ambulances and arrange out-of-hours appointments and emergency prescriptions.   The early stages go triaging an incident are often highly pressured, as facts are established. The incident highlights the business disruption that can occur as precautionary steps result in knock-on or unintended consequences. The balancing act of containment vs disruption can be a difficult tightrope to walk.

The disruption may continue into the coming week.

Interesting stats

659.6 million packets per second, the largest distributed denial of service (DDoS) attack mitigated by Akamai, topping out at  853.7 gigabits per second of bandwidth against an Eastern European customer of the company

Other newsy bits

NCSC advice delays Tory leadership vote ballot papers

Conservative party members will receive their ballot papers later to vote in the party’s leadership election to replace Boris Johnson. The delay was caused by advice from the UK National Cyber Security Centre (NCSC) which advised that the proposed online voting process may be open to manipulation.

The original process would have allowed votes to be changed by Tory members by post or online, up to the election deadline. The new process will allow members to only vote once, and not to change their intention at a later date.

There is no suggestion that the intervention came as the result of specific intelligence indicating manipulation of the results was imminent, but rather a weakness in the proposed process and the NCSC’s priority in “defending UK democratic and electoral processes”.

Concerns included that someone posts a picture of their ballot paper on social media, revealing the code needed for them to allow vote online. 

2021’s ‘Top’ malware strains

In a joint advisory, the US Cybersecurity and Infrastructure Agency (CISA) and Australian Cyber Security Centre (ACSC) has named the top malware strings they observed in 2021 and provided recommendations to help counter them.

The top malware strains of 2021 are: Agent Tesla, AZORult, Formbook, Ursnif, LokiBot, MOUSEISLAND, NanoCore, Qakbot, Remcos, TrickBot and GootLoader.

MOUSISLAND is the only (relatively) new strain, with Qakbot and Ursnif having been in use for more than a decade and all the others bring around for at least five years.

Software updates, multi-factor authentication, and offline backups all feature in the mitigations, with end-user awareness training and close monitoring of ‘risky services’ like remote desktop (RDP) rounding out the recommendations.

Interesting reading

  • The Guardian’s top 10 books about cybercrime
  • Interview with a ransomware negotiator
  • Interview with the SolarWinds CISO on the ‘legacy and lessons’ from the Sunburst incident. Some interesting details, though a very glass-half-full outlook on ‘injecting a lot of [security budget] into the overall ecosystem” and “galvanising the US government”
  • A look into what a 1,000,000 bot disinformation farm looks like, as Ukrainian police dismantled a Russian-linked operation on their soil. Mobile internet dongles and 200 proxy servers helped to obfuscate the consolidated nature of the content’s origination

In brief

Attacks, incidents & breaches

  • The website for the president of Taiwan was taken offline for 20 minutes in the hours before a visit by US Speaker of the House, Nancy Pelosi, while hackers claiming to be connected with Anonymous defaced a Chinese government website to welcome Pelosi and say “Taiwan numbah wan!”,
  • Hacktivists from a group calling itself Guacamaya have posted over two terabytes of compromised emails and files stolen from Central and South American mining companies
  • A “massive” cyberattack has resulted in the German Chambers of Industry and Commerce (DIHK) shutting down its IT systems as a “precautionary” measure 
  • ALPHV, aka BlackCat, ransomware gang has claimed responsibility for an attack against gas pipeline and electricity network operator Creos Luxembourg last week, that disrupted customer portals but didn’t interrupt services
  • Germany-based Semikron, which manufactures electronics for power systems including wind turbines, has disclosed a ransomware attack that Bleeping Computer has linked to the LV ransomware group
  • OneTouchPoint has been notifying customers of at least 34 healthcare organisations, to whom it provides printing and mailing services, following a ransomware attack and data breach to which it is unable to say “definitively” what was accessed by the attackers
  • European defence firm MBDA has confirmed that it has become a victim of a cybercrime group that may have stolen 60GB of internal and confidential data from the missile manufacturer
  • ‘Frenzied mob’ steals $156 million from crypto-currency platform Nomad in copy-and-paste attack

Threat intel

  • Researchers at Cisco Talos have observed the ‘Manjusaka’ framework, an alternative to Cobalt Strike developed in the Rust programming language, being used by a Chinese-linked group against Tibetan targets
  • A malicious browser extension for Chrome and Edge has allowed North Korean threat actors to read Gmail and steal attachments. The extension is installed directly (rather than from a store) following a successful spear phishing attack and was discovered by researchers at Volexity
  • Fortinet says that a fork of the Mirai botnet, dubbed RapperBot, is brute forcing its way into Linux boxes, growing to over 3,500 IP addresses being observed with the botnet since mid-July


  • A critical authentication bypass vulnerability (CVE-2022-31656) in VMWare Workspace ONE Access, Identity Manager and vRealize Automation should be patched immediately, says the vendor
  • The Federal Emergency Management Agency (FEMA) has warned that the US’ Emergency Alert System (EAS), which is used to issue alerts over TV, cable and radio networks, may be vulnerable and that an upcoming talk at DEFCON may present a proof of concept

A bad week for SMB routers:

  • DrayTek Vigor routers are susceptible to a perfect 10.0 vulnerability (CVE-2022-32548) allowing unauthenticated remote code execution, via either the WAN or LAN ports in default configuration
  • Cisco RV160, RV260, RV340 and RV345 devices subject to similar issue scoring 9.8/10.0 (CVE-2022-20842)

Cyber defence

  • Microsoft has announced two new features under its Defender umbrella security brand: Microsoft Defender Threat Intelligence provides access to raw threat intelligence data collected by Redmond, and Microsoft Defender External Attack Surface Management, which scans and scores the posture of an organisation’s digital footprint. Both features are built on the acquisition of RiskIQ, which was announced last year (vol. 4, iss. 29)
  • Industry group FIRST has issued an update to the ‘traffic light protocol’ used to label threat intelligence. TLP:WHITE will become TLP:CLEAR and TLP:AMBER+STRICT will prevent sharing of intelligence with any of the organisation’s customers
  • Musical cyber security awareness training, coming soon from Social Proof Security @RachelTobac

Security engineering

  • No, 35,000 GitHub repos were not compromised, but thousands of files containing malicious code were found in typo squatting cloned repositories


  • A list of the 37 companies, identified by The Markup who are collecting data from your car
  • Federal courts aren’t consistently and robustly following rules requiring them to scrub personal information from court fillings before they are made public, says US Senator Ron Wyden
  • Twitter says that a vulnerability was exploited by a ‘bad actor’ to obtain information that could be used to identify anonymous accounts
  • India has scrapped its Personal Data Protection Bill following a Joint Committee of Parliament that recommended 81 amendments to its 99 sections. The bill has been in the works for the last three years and, rather than working to address the concerns of Parliament, Big Tech and rights groups, a new bill will be unveiled at a future time

Public policy

  • An analysis by Andrew Dwyer and Ciaran Martin on the UK’s legal position on peacetime cyber operations, such as those conducted by the National Cyber Force (NCF). Attorney General, Suella Braverman, “affirmed the U.K.’s continuing reliance, during peacetime, on the narrower principle of non-intervention, rather than the more commonly agreed-upon principle of national sovereignty in cyber governance.” The pair wrap up by stating that “if the U.K. wishes to be a leader in both democratic and responsible activities in its ambitions for cyber power, then its current legal position on coercion and non-intervention needs clarification.”


  • Indonesia’s communication ministry, Kominfo, has instructed ISPs in the country to begin blocking sites that have not registered on the country’s licensing platform, resulting in PayPal, Yahoo and Steam being unavailable to internet users. The blocks are part of a policy introduced last year to help control access to content on national security and misinformation prevention grounds
  • China’s cyber regulator has fined ride-sharing company Didi Global $1.2 billion for violating its cybersecurity and data laws, in particular obtaining “screenshot information,” facial recognition and family relationship information illegally

Law enforcement

  • Australian police charge man with developing the ‘Imminent Monitor’ spyware used by more than 14,500 people

Mergers, acquisitions and investments

  • The UK Competition and Markets Authority (CMA) has approved the merger of Avast and NortonLifeLock, which was announced in August last year (vol. 4, iss. 33)
  • Training company Cybrary has announced a $25 million Series C fund-raising round to develop new ‘content and capabilities’
  • Private equity firm Thoma Bravo has announced the acquisition of Ping Identity for $2.8 billion. The company will sit alongside an increasing range of cyber investments including Sophos, Proofpoint, SonicWall and Veracode
  • Cyber risk quantification outfit Axio has announced a $23 million Series B round that will be used for product, engineering and go-to-market functions and expansion in ‘key geographies’

And finally

Post-quantum encryption algorithm cracked by single-core PC in 1 hour

Finding ‘quantum-resistant’ algorithms for encryption is a priority for the US government (vol. 5, iss. 19) and NIST published a raft of potential algorithms last month as potential successors to the likes of RSA, Diffie-Hellman and elliptic curve.

One such potential, called SIKE — Supersingular Isogeny Key Encapsulation, since you were wondering — was effectively ruled out of the running this week after it was defeated by a non-quantum, single-core, 2013-era Intel Xeon CPU.

While it’s a blow (and presumably minor embarrassment) for the folks behind SIKE, and of course, it is better to have discovered the floor before it became part of any standard, it speaks to the complexities of the mathematics needed to both create, and test, the algorithms needed to solve the problems faced by quantum computing.,


  Robin's Newsletter - Volume 5

  National Health Service (NHS) UK Conservative Party Election security Malware Reading list SolarWinds SunBurst Solorigate Disinformation Quantum Cryptography Traffic Light Protocol National Cyber Force Cyber norms Sovereign internet Connected vehicles