Robin’s Newsletter #228

30 October 2022. Volume 5, Issue 44
Zero Truss: Former PM's phone allegedly compromised by Russian intelligence. UK ICO says 'complacency' is biggest cyber risk. FTC sanctions Drizly CEO for breach.

This week

Zero Truss

Liz Truss may be out of office, but not out of the news, as opposition parties urge the government to open an investigation into the potential compromise of her mobile phone by Russian intelligence agents.

The compromise came to light during Truss’s bid to become UK Prime Minister while she was foreign secretary. However, then-PM Boris Johnson and Cabinet Secretary Simon Case imposed a “news blackout” on the incident, partly due to the Conservative leadership election.

The Mail on Sunday reports up to a year’s worth of messages may have been downloaded from her phone, as well as “highly sensitive discussions with senior international foreign ministers about the war in Ukraine, including detailed discussions about arms shipments.”

While the speculated extent of the breach is significant, it shouldn’t surprise anyone: spies-are-gonna-spy. Prime, economic, domestic and foreign secretaries are all prominent targets.

These four ‘Great Offices of State’ already receive additional physical security details, and perhaps it’s time to extend this to enhanced digital security provision.

‘Biggest cyber risk is complacency, not hackers’ — UK Information Commissioner

The UK Information Commissioner has issued a £4.4 million (~$5M) fine to construction and outsourcing firm Interserve Group. The ICO found that Interserve had failed to put appropriate security measures in place and did not adequately investigate security alerts that led to an attacker being able to access the personal data of 113,000 employees in May 2020 (vol. 3, iss. 20).

“The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office.” — John Edwards, UK Information Commissioner

The ICO investigation found that the company’s email filters did not pick up a phishing email. While antivirus quarantined the malware payload, the company did not conduct any further investigation. The attacker eventually had access to 283 systems via 16 different accounts.

The information on current and former employees included contact information and bank details, plus “special category data including ethnic origin, religion, details of any disabilities, sexual orientation, and health information”.

Interserve’s representations, following the ‘notice of intent’, could not convince the ICO of any mitigating circumstances that would have reduced the penalty.

FTC gets serious about executive-level cyber security responsibilities

The Federal Trade Commission has announced a planned settlement with Drizly and its CEO following a 2020 data breach (vol. 3, iss. 31). Uber acquired the online alcohol delivery firm in 2021 and will be required to destroy ‘unnecessary data’, implement a security programme and limit future data collection.

It gets interesting because the settlement will also personally sanction CEO Cory Rellas. The settlement binds Rellas to security requirements in future endeavours to ensure “the CEO faces consequences for the company’s carelessness,” according to Samuel Levine, FTC’s consumer protection director.

FTC Chair Lina Khan said that C-suite accountability and boardroom obligations were the point: “Today’s settlement sends a very clear message: protecting Americans’ data is not discretionary. It must be a priority for any chief executive.”

Interesting stats

22% of worldwide phishing attempts seen by Check Point spoofed the DHL brand

$2,036,189 is the average ransom payment made by industrial sector companies, according to Sophos. Of respondents who paid, 37% paid more than $100,000 and 8% paid more than $1 million; even so, just 59% of data is recovered after paying a ransom

Other newsy bits in brief

Attacks, incidents & breaches

  • Event ticketing company See Tickets has disclosed a two-and-a-half-year breach and informed customers that criminals might have stolen payment information after cybercriminals managed to install a card skimmer on the company’s website. The malicious javascript code was added in June 2019 and discovered on the checkout pages in April 2021, when an investigation began. Damningly, the company didn’t fully remove the code until January 2022, customer notification has taken almost another ten months, and no identity or fraud protection is being offered to affected customers
  • UK car dealer Pendragon Group has become a victim of the LockBit ransomware group, which has made a $60 million demand to restore systems and not publish stolen files. The London Stock Exchange listed company includes luxury brand Stratstone (which operates dealerships for marques like Aston Martin, Ferrari and Porsche), the mass market retailer Evans Halshaw and the Car Store used car brand
  • Medibank’s diagnosis worsens as the company confirms attackers had access to the data of all 3.9 million customers. In an update to the Australian stock exchange this week, the private health insurer said it expected the incident to cost between $25 million and $30 million, as the company does not have cyber-insurance
  • Hanover, Germany energy supplier Enercity has been hit by a cyberattack, though “grids and power plants are stable and security of supply is guaranteed”
  • Iran claims that a “specific foreign country” is behind the hacktivist group ‘Black Reward’ compromising and leaking information about its atomic energy programme
  • Threat intel firm Group-IB says it uncovered two campaigns targeting point-of-sale (POS) terminals using the MajikPOS and Treasure Hunter malware. Over approximately 18 months, the operation stole the details of 167,000 payment cards with a black market value of $3.3 million
  • The Hive ransomware group has claimed responsibility for breaching India’s Tata Power (vol. 5, iss. 42)
  • A New York Post employee abused their access to post ‘vile and reprehensible’ content on the tabloid’s website and social media feeds
  • Twilio confirms second breach that occurred in June this year, prior to the August (vol. 5, iss. 33) incident. The ‘brief incident’ was identified and remediated within 12 hours and conducted by the same ‘0ktapus’ group

Threat intel and vulnerabilities

  • Prepare to patch: OpenSSL warns of an update to fix ‘Critical CVE’ being released on 1st November, suggesting the issue may affect common configurations and be exploitable
  • Financially motivated ransomware group Vice Society is targeting the education sector, says Microsoft
  • Apple has released a patch for a zero-day vulnerability that “may have been actively exploited”. CVE-2022-42827 is a high-severity issue that can give an attacker the ability to remotely execute code on affected iPhones and iPads
  • Cisco has warned of two vulnerabilities in its AnyConnect Secure Mobility Client for Windows, both of which are being exploited in the wild
  • VMware patches 9.8/10 vulnerability in Cloud Foundation and NSX-V appliances
  • Raspberry Robin worm is ‘part of a complex and interconnected malware ecosystem’ that leads to hands-on-keyboard attacks and human-operated ‘Clop’ ransomware attacks
  • “Quasi-civilian infrastructure may become a legitimate target for retaliation,” says Konstantin Vorontsov, a deputy director in Russia’s foreign ministry, of the support provided by US commercial satellite providers to Ukraine
  • Microsoft IIS web server logs used for command and control of infected servers, says Symantec, of the novel technique the Cranefly (aka UNC3524) group is using

Security engineering

  • S3crets Scanner tool looks for authentication and API keys and tokens in company AWS S3 storage buckets

Personal security

  • PayPal has added support for passkeys as an authentication method, though at the moment you can only create them on Apple phones and laptops
  • LinkedIn is rolling out new features to combat fake profiles that allow users to see when a profile was created, when it last changed its profile picture, and other information such as whether the account has verified a phone number or linked a work email
  • ArsTechnica author Kevin Purdy tries out Google’s process for removing personally identifiable information from its search results, designed to combat doxxing

Public policy

  • CISA has announced performance goals for critical infrastructure providers. The voluntary goals are not comprehensive but provide a baseline set of practices ‘with known risk-reduction value’ for CNI operators to measure and benchmark their improvements against
  • Japan is planning to phase out public health insurance cards in favour of digital ID while citizens are reluctant to adopt the new scheme and may be left without the ability to get health insurance

Law enforcement

  • Unsealed charges allege that Ukrainian national Mark Sokolovsky is a ‘key administrator’ of the Raccoon Infostealer malware-as-a-service operation. Sokolovsky was arrested by Dutch authorities in March 2022, and they have also approved his extradition to the United States, where he faces a maximum sentence of 25 years if convicted

And finally

  • NCSC Technical Director Ian Levy is leaving after 20 years and has published a blog post sharing some of the things he’s learned over his long career at GCHQ