Robin’s Newsletter #218

21 August 2022. Volume 5, Issue 34
Cl0p ransomware gang mistakes attack on South Staffs Water for Thames Water. DigitalOcean caught up in latest Mailchimp breach. Apple security vulnerabilities.

This week

UK water company targeted by Clop ransomware gang

This week is an excellent example of how even high-profile groups — often lauded for thorough reconnaissance and planning of attacks — can sometimes not know what, or who, they are actually attacking.

The Clop (aka Cl0p) ransomware group was taunting Thames Water, a UK water company, for having compromised their network, accessed industrial control systems and stolen 5TB of data.

Thames Water disputed these claims and branded this a ‘cyber-hoax’.

Then Clop published some of the data they stole, including a spreadsheet of usernames and passwords for employees at a different water company: South Staffordshire PLC, the parent company of South Staffs Water and Cambridge Water. The company says that its ability to supply water was not affected and that they are “working closely with the relevant government and regulatory authorities” to investigate and remediate the breach.

Critical infrastructure, by its nature, is an attractive target for disruptive attacks like ransomware. However, upping the ante in this way also ups the response. It makes it more difficult for regimes to continue ‘turning a blind eye’ to cybercriminals launching attacks from within their borders.

And while industry marketing may fetishise nation-state APTs and the ‘asymmetric threat’ of faceless cyber criminals, it’s important to remember that both groups are finite, subject to organisational constraints and not always worthy of the pedestals some put them on.

Interesting stats

30% of Microsoft’s alerts of ‘Seaborgium’ (aka Coldriver, Callisto) nation-state espionage activity have been to personal accounts of employees mainly working at defence and intelligence consultancies in NATO countries (see Threat Intel below)

7 new variants of wiper malware were identified in the first half of 2022, almost as many as detected in the previous 9 years, says Fortinet. Wiper malware is difficult to monetise — if successful, it ‘bricks’ a device rendering it unusable — making it a tool primarily of national cyber forces rather than cybercriminals

40% increase in ransomware attacks against organisations with under $25 million in revenue in 2021 H2 compared with 2021 H1, according to cyber insurance firm Coalition

Other newsy bits

  • Virtual private network (VPN) connections in iOS don’t terminate existing connections. Most connections end up within the VPN tunnel, but some — like those used for Apple’s push notifications — may persist for hours, contrary to what a user might expect and see in the user interface. Managed devices using ‘always on’ VPN aren’t affected

  • Cloud platform DigitalOcean says it was caught up in a compromise at Mailchimp last week targeting crypto-currency accounts. The compromise meant its registration and password reset emails weren’t sent properly. The incident was quickly detected, and affected users were contacted. While DigitalOcean’s response seems pretty thorough (and includes moving away from Mailchimp altogether), Mailchimp’s response involved a pretty poor blog post (and nothing on its ‘Security’ page). It’s the second breach this year at Mailchimp after attackers gained access to internal tooling in April (vol. 5, iss. 15).

  • Apple has taken the unusual step of publicising security updates for its Mac, iPhone, iPad and Watch devices that address a vulnerability that may have been “actively exploited”. As Joe Tidy notes for the BBC, “Apple has released similar emergency security updates throughout the year… without much fanfare or panic,” implying that the company is acutely worried about this one. Your best bet is to turn on automatic updates (Settings app > General > Software Update on iOS, or the Apple menu > About This Mac > Software Update on macOS)

Interesting reading

  • Mario Platt has a good read on misalignments in (security) teams:

Often a (generally newly appointed) leader comes to appreciate that what and how they’ve been “doing security” isn’t appropriate anymore. That the way they may have approached in the past no longer aligns with the business value creation structures and that security is being perceived as an impediment to the creation of value. This realisation often leads to a change in strategy, usually one where the security team plans to make the strategic shift from being “requirement setters” to being “capability providers” and all else that goes with it. But more often than not, the current team isn’t really equipped (often not even willing) to start approaching our craft in fundamentally different ways.

  • Non-security: Modern cars with touchscreens typically take 2-4.5 times longer to complete tasks compared to older models with physical buttons. In the most extreme example, during that time, the car travelled 1,372 metres

In brief

Attacks, incidents & breaches

  • CS.MONEY, a trading platform for in-game items from Counter-Strike: Global Offensive, was compromised, leading to the theft of 20,000 digital items worth an estimated $6,000,000.
  • A cease and desist letter sent by cyber consultants Group-IB to the owner of a cybercrime forum hosting an advert for data allegedly stolen from Mexico’s Grupo Financiero Banorte has backfired after the forum owner purchased the data and posted it publicly
  • The Russian People’s Cyber Army — a volunteer group akin to Ukraine’s IT Army — claims that 8,200 volunteers used over 7 million bots to flood the website of Ukraine’s state nuclear power company, Energoatom, off the internet

  • Kickstarter denies breach, says it is making changes to its login process as it prompts password resets for around 5 million users

Threat intel

  • Microsoft has published indicators of compromise and a write-up of techniques used by Seaborgium, a threat actor originating from Russia whose campaigns align with Russian interests and have been linked to ‘hack-and-leak’ operations
  • Central and South American mining and oil companies are being targeted by a hacktivist group calling itself ‘Guacamaya’ (Mayan for the macaw parrot): “We hope to cause more people to join, to leak, sabotage, and hack these sources of oppression and injustice”
  • Financial technology (fintech) employees have been targeted by North Korea’s Lazarus group using a signed macOS executable, and fake job ad lures, says ESET
  • BlackByte ransomware gang back with ‘version 2.0’ operation that offers options to pay for a time extension, to download the stolen data, or to have all of it deleted
  • Chinese group Winnti (aka APT41, Wicked Spider) is splitting Cobalt Strike beacons into base64 encoded chunks to avoid detection. The group is also using custom SSL certificates so that its servers only accept connections from their beacons
  • Fraudsters are using online invoicing services, like this example from PayPal, to initiate scams and prompt victims to contact them

  • Patch available addressing CVE-2022-2856, a Google Chrome zero-day for “insufficient validation of untrusted input in Intents”
  • There’s an update available for Zoom on Mac to patch an auto-update issue that could bypass checks to downgrade the software to a previous version and gain root access. The video conferencing company had to have two goes to get it right (see also: Security Engineering/Zero Day Initiative below)
  • Research published at DEF CON last week details a vulnerability in Realtek’s RTL819x system on a chip. The chip maker patched CVE-2022-27255 in March 2022; however, the 9.8/10.0 vulnerability may allow the execution of arbitrary code in networking devices made by brands like ASUSTek, Belkin, Buffalo, D-Link, Edimax and Zyxel, who all use the chip
  • Researchers at ThreatFabric have released a proof-of-concept showing how the ‘Restricted Setting’ feature in Google’s Android 13 can be bypassed. The setting is meant to prevent side-loaded apps from accessing powerful accessibility settings that allow malicious apps to interact with the device and hide in the background

Security engineering

  • The Zero Day Initiative (ZDI; a brand owned by Trend Micro) is ‘disturbed’ by the trend of software vendors not fixing security issues thoroughly and is planning to reduce disclosure timelines to just 30 days for incomplete or easily circumvented patches
  • RubyGems — the software package registry for the Ruby programming language — is enforcing multi-factor authentication (MFA) for its top projects
  • In the US, the 2023 National Defense Authorisation Bill requires vendors to certify US Department of Defense software sales “free from all known vulnerabilities”

Operational technology

  • Hyundai software engineers used example keys from NIST documentation and online encryption tutorials to encrypt and sign firmware for their vehicles
  • You’re not an organisation with one of the 9,000 VNC servers exposed to the internet that doesn’t require a password to connect, right?

  • Jerrold Nadler and Bennie Thompson, respective chairs of the Judiciary and Homeland Security congressional committees, have written to leaders of the Justice Department, Department of Homeland Security, Customs and Border Protection, Immigration and Customs Enforcement and Bureau of Alcohol, Tobacco, Firearms and Explosives asking for details of their use of private data feeds for surveillance purposes. Data brokers, whose business model aggregates, packages and sells access to databases containing personal information, are an increasingly hot topic in the US. Collecting such information directly usually requires a warrant; purchasing it commercially, however, allows that judicial oversight to be circumvented. A report earlier this year estimated that 75% of the US adult population was caught up in ICE’s ‘digital dragnet’ (vol. 5, iss. 20)

Public policy

  • US Cyber Command confirms ‘hunt forward’ operation with Croatia’s Security and Intelligence Agency (SOA) Cyber Security Centre

Mergers, acquisitions and investments

  • Antivirus vendor Malwarebytes is laying off 125 employees as part of a “strategic reorganisation” to focus on the SMB and mid-market segments. Citing a ‘recalibration’ of the sales function, the change in strategy also affects how the company will go to market, with less of a focus on enterprise sales and a greater emphasis on channel partnerships and managed service providers (MSPs)

And finally

Janet Jackson’s bad beats

The music video for Janet Jackson’s Rhythm Nation has been recognised as a security vulnerability. CVE-2022-38392 boasts a score of 5.3/10.0. The issue stems from the 5,400 RPM hard drives used in certain older models of laptops that would interact with the frequencies in the song, causing a “resonant-frequency attack” and resulting in the disk crashing and a “denial of service”. Nowadays, your device probably has a solid-state disk (SSD). Though if you’re feeling adventurous, you can get your groove on to the 1989 hit on YouTube.
