Robin’s Newsletter #217

14 August 2022. Volume 5, Issue 33
Twilio, Cloudflare & Cisco attacks also targeted employee's personal devices and accounts. NHS 111 outage may last weeks. Sanctions for Tornado Cash.
Join hundreds of subscribers who get this first, every Sunday. Subscribe

This week

Three interesting attacks against Twilio, Cloudflare and Cisco this week. They all involve pretty novel tactics and targeting of employees’ personal devices and accounts.

Twilio and Cloudflare targeted in ‘sophisticated’ phishing campaign 

  • Approximately 125 Twilio customer accounts were breached after employees were tricked by a phishing campaign that targeted employees via SMS on their personal and work phones.
  • Twilio provides services that let customers handle telephone and SMS communications with their end customers. These may include multi-factor authentication codes, though are also used for marketing, customer service and political campaigning purposes.
  • The Cloudflare blog has a good write-up of the attack. The company says that at least 76 of its employees were targeted with the SMS phishing messages and that three employees acted on the link and entered their credentials into a spoofed Okta login page, through the use of hardware multi-factor authentication (MFA) keys thwarted the attack at this stage.
  • The domain used in the attack was registered just 40 minutes before the SMS messages were sent, meaning it wasn’t detected by a system the company uses to detect spoofed domains.
  • Intelligence gathered from the server hosting the spoofed login pages linked the attacks between Twilio and Cloudflare to the same actor. The short timescales between stages of the attack suggest it was a well-organised attacker that had conducted research on the targets and had a meticulously thought out plan.
  • Twilio and Cloudfare offer cloud services popular with many organisations and, if successful, may have ultimately provided the attackers with the opportunity to intercept and redirect website and authentication requests for the companies’ customers.

Cisco confirms May breach by Yanluowang ransomware group

  • Cisco has confirmed that the Yanluowang ransomware group gained access to its network in May this year, however, the attackers were unable to steal sensitive data or impact operations before the company “immediately took action to contain and eradicate the bad actors.”
  • The attack is interesting because of a novel attack vector: the initial compromise was of an employee’s personal Google account. The victim used Google Chrome, had password syncing enabled and had stored their Cisco credentials in the built-in password manager. The attacker then attempted to get passed multi-factor authentication through voice phishing and MFA fatigue (where the user is repeatedly spammed with MFA push notifications until they accept one of them, often out of frustration). The attacker then enrolled new MFA devices and logged in to the Cisco company VPN.
  • Cisco Talos suggests, with ‘high confidence’, that the attacker is linked to an initial access broker (IAB) with ties to the Lapsus$ group. Their blog has a good technical write-up, including post-compromise steps and commands the attackers used.

Interesting stats

$1,500 the average price for network access in Q2, down 50% from  $3,000 in Q1, according to intelligence firm KELA

Other newsy bits

NHS 111 Outage continues as service provider Advanced admits it may be ‘3-4 weeks’ before services are fully restored 

  • At least nine out of the 36 healthcare trusts that use Advanced’s services are affected. The outages extend beyond the initially NHS 111 service, with The Guardian reporting these services are:

Adastra, which helps 111 call handlers dispatch ambulances and helps doctors access a patient’s GP records; Carenotes, which is used by mental health trusts for patient records; Caresys, which is used in care homes; Crosscare, which helps run hospices; and Staffplan, used by care organisations.

  • The outage was the result of Advanced severing connections in and out of the environment hosting servers that power these services as a ‘precautionary measure’. The incident bears all the hallmarks of a ransomware attack. It’s not known if any personal data was exfiltrated at this time.
  • Advanced is being supported by Microsoft’s DART and Mandiant’s incident response teams to assess systems and bring them back online with enhanced security protections. The process involved additional ‘blocking rules’, restricting privileged accounts and resetting credentials, scans to confirm the patch levels, and deploying additional EDR solutions and 24/7 monitoring.
  • The investigation is still in its “early stages” and the root cause “may take time” to identify. Incidents without a clear cause, or unknown extent of the compromise, typically take longer to investigate and remediate. (Our work at TalkTalk lasted months beyond the initial triage and getting their website back online).
  • According to the Oxford Health NHS Foundation Trust, they are expecting systems to be offline for at least two to three weeks. Restoration can be complex and it would not be unusual for these estimates of technical restoration to be optimistic.
  • The outage is hampering call handlers’ ability to efficiently hand off calls with notes, and also preventing some doctors from accessing and updating medical records. The Independent quotes one NHS director as saying “You can’t see any of it…Staff are going to have to write everything down and input it later.”
  • The disruption and consequences of the incident will therefore continue long beyond the technical restoration of services.,  context:

Tornado Cash is the latest crypto company to be subject to US sanctions

  • US Treasury applies sanctions to Tornado Cash — a cryptocurrency ‘mixer’ used to anonymise transactions and launder money — over ties to North Korea’s Lazarus group. Tornado Cash has laundered over $7 billion worth of cryptocurrency since its launch in 2019, of which at least $455 million is believed to be linked to the Lazarus group
  • Also, 29-year-old was arrested in the Netherlands this week for his suspected involvement as a developer for Tornado Cash
  • Criminals are also increasingly making use of cross-chain ‘bridges’ to launder their ill-gotten gains. These services allow the conversion of cryptocurrency from, say, Bitcoin to Ethereum. Analysts at Elliptic suggested this week that they believed $540 million has been laundered through the RenBridge platform in the last three years

In brief

Attacks, incidents & breaches

  • An automotive supplier being assisted by Sophos was breached by three ransomware gangs in two weeks. LockBit, Hive, and ALPHV/BlackCat affiliates all deployed their malware, after details of a firewall misconfiguration and remote desktop connection were sold by an ‘initial access broker’. Some files were encrypted five times, as the criminal’s malware found ‘new’ files generated by the other’s malware
  • Email marketing firm Klaviyo was breached by attackers seeking subscriber details of 38 accounts linked to cryptocurrency mailing lists. These will probably be used in spear-phishing campaigns to steal cryptocurrency 
  • The closure of 175 7-Eleven stores in Denmark this week was the result of a ransomware attack which made it impossible to “use the cash register or receive payments”
  • Pro-Russia group Killnet took the website of Latvia’s parliament offline this week after lawmakers in the Baltic state designated Russia a “state sponsor of terrorism”

Threat intel

  • A fake ‘Signal Premium’ app is loaded with Dracarys Android malware. (Only download apps from legit app stores)
  • Kaspersky has linked the Maui ransomware to the Andariel group. The group has been linked to North Korea by the US State Department and the Maui malware has been used in attacks against US healthcare organisations
  • Russian cyberattacks against Ukraine are “chaotic” with attacks driven by volunteer groups making use of DDOS tools and making website defacements, showing an “absence of strategy,” says Victor Zhora, a Ukrainian cyber official. The Russian attack against Latvia’s parliament (above) fits this description. As does much of Ukraine’s cyber-response against Russia: characterised by the ‘IT army’ telegram group


  • Research presented at Black Hat USA this week showed how vulnerabilities in Electron, the framework powering desktop apps for Teams, Slack and Discord meant clicking on a malicious link could have compromised an endpoint
  • Vulnerabilities in the trusted execution environment (TEE) chip manufactured by MediaTek for Xiaomi smartphones could be exploited to sign fake payment transactions, say researchers from Checkpoint

Cyber defence

  • Microsoft is making changes to its Edge web browser to dynamically alter security settings for unfamiliar websites. I’m a big fan of this move which should help protect users who end up at new or suspect sites accidentally or as part of phishing campaigns. ‘The padlock’ has long been a long poor, but widely adopted, security indicator and this sort of thing provides some protections and visual clues as to if they’re in a ‘good’ or ‘bad’ online neighbourhood, @RTO 
  • AWS, Splunk and Symantec, amongst 15 other companies, have announced a project called the Open Cybersecurity Schema Framework. The OCSF is intended “to wrangle the data and make tools talk to one another to create common pools of data,” AWS’ Mark Ryland told TechCrunch,
  • Elastic has released hundreds of YARA rules that “prevents ransomware and malware, detects advanced threats” and powers its Elastic Security for endpoint solution

Operational technology

  • Ransomware attacks on industrial companies were down in Q2, according to Dragos. Of the 43 ransomware groups that the ICS security firm tracks, only 23 were active, carrying out 125 attacks (compared to 158 in Q1 2022). The downturn is attributed to the shutdown of the Conti group in May this year (vol. 5, iss. 21), which was previously responsible for 25% of attacks against industrial targets

Internet of Things

  • SpaceX’s Starlink satellite terminal was compromised after a researcher used voltage ‘glitches’ during boot to bypass firmware signature verification and run his own code
  • New technique for jailbreaking John Deere tractors presented at DefCon, amid continued ‘right to repair’ debate


  • Some nuance on the debate around embedded browsers (aka webviews) in smartphone apps from @patmeenan
  • Softening surveillance: Amazon-owned MGM is producing a You’ve Been Framed style comedy clip show called Ring Nation that will feature clips from Amazon’s Ring doorbell cameras

Public policy

  • Former CISA director, Chris Krebs, has called for a “rethink the way government interacts with technology,” and proposed a new ‘Digital Agency’ that would bring together elements of CISA, NIST, FTC and FCC in the public interest to improve digital risk management. Failing that, Krebs wants CISA out of the Department of Homeland Security (DHS) to protect it from ‘political gamesmanship’
  • The US Federal Election Commission has approved plans that will allow campaign emails to bypass Gmail’s spam filters. The plans were brought forward as Republican candidates, such as Marco Rubio, complained that none of their campaign messages were reaching recipients. Ars reports that the reasons behind this may be because their campaigns hadn’t properly configured anti-spam measures on their email domains


  • The Federal Trade Commission (FTC) is to explore new rules, including potential civil penalties, on commercial surveillance practices, such as those behind digital advertising giants like Google and Meta. The ‘Advanced Notice of Proposed Rulemaking’ will look at if “new rules are needed to protect people’s privacy and information” and how those vast volumes of data may be put “at risk to hackers and data thieves”. Better late than never, eh FTC?

Law enforcement

The US State Department is offering $10 million for details on the leadership of the defunct Conti ransomware gang. Bounties on information tying Conti, TrickBot and Wizard Spider, or criminal hackers known as Tramp, Dandis, Professor, Reshaev and Target to attacks on US critical infrastructure may be eligible for payment under the ‘Rewards for Justice’ scheme. The announcement was accompanied by a sweet cyb0rz-themed video in English and Russian, video: @RFJ_USA

And finally

Two cool bits of research this week:

Invisible fingers remotely control a touchscreen

  • Proof-of-concept uses electromagnetic pulses to simulate a finger tapping on a touchscreen

Hiding encryption keys in polymers

  • A lot of cool science in this one: storing a 256-bit encryption key in special ink, with the key encoded in a similar way to how DNA stores data

  Robin's Newsletter - Volume 5

  Phishing Twilio Cloudflare Cisco Personal accounts Yanluowang National Health Service (NHS) NHS 111 Advanced Computer Software Group Health Ransomware Tornado Cash Sanctions Cryptocurrency SpaceX Starlink Right to Repair