Robin’s Newsletter #231

20 November 2022. Volume 5, Issue 47
Crypto-exchange FTX's governance failures. Medibank attackers release stolen mental health data. Majority of UK COBRA meetings are about ransomware.

This week

Over $300 million stolen from FTX as new CEO reports a complete governance failure

  • An unknown party has stolen over $338 million in cryptocurrency from the FTX exchange as it collapsed. Watchers are keeping a close eye on the digital wallets the funds were transferred to, with the transaction fees for one paid for from an account with know-your-customer information, meaning their identity is known to authorities.
  • “Never in my career have I seen such a complete failure of corporate controls and such a complete absence of trustworthy financial information as occurred here,” said John Ray III in a US court filing this week. Ray, a veteran insolvency professional, was hired to run FTX after former CEO Sam Bankman-Fried stepped down.
  • The filing was damning and listed failures of basic internal and security controls. The firm’s software was used to “conceal the misuse of customer funds”, they lacked ‘accurate lists’ of FTX bank accounts or staffers, and were using an ‘unsecured’ group email account for the digital wallets containing customer funds.
  • Records about decision-making are hard to come by, as employees were encouraged to use messaging platforms with auto-delete functionality, and expenses — including purchasing personal real estate using customer funds — were authorised using emoji reactions in tools like Slack.
  • Meanwhile, accidentally sent over $400 million to another exchange while attempting to move the funds “to a new cold storage address”. Fortunately, the recipient, another exchange, identified the error and was able to return the funds.

Fallout from the Medibank ransomware incident continues

  • Mental health records from victims of the Medibank ransomware attack are being released online. Hospitals and medical facilities make attractive targets for ransomware due to their time-critical and sensitive nature, and the consequences and harms are far-reaching and far beyond the organisation’s response and recovery costs. 
  • Medibank’s annual general meeting, held this week, was dominated by questions about the breach: who was responsible, remediation plans, and executive pay and bonuses. Medibank has contracted Deloitte to conduct a review.

Long read

  • How North Korea became a mastermind of crypto cybercrime.

Interesting stats

$100 million has been extorted from around 1,300 victims of the Hive ransomware gang since January 2021, according to the FBI.

18 UK ransomware incidents required a ‘nationally coordinated response’, according to NCSC, as highlighted in this report from Alexander Martin for The Record. Ransomware incidents now make up the majority of ‘COBRA’ meetings of the Civil Contingencies Committee, which meets in the Cabinet Office Briefing Rooms.

Other newsy bits / in brief

Attacks, incidents & breaches

  • Iranian-linked actors compromised a US federal civilian agency using the Log4J vulnerability, spun up crypto-mining malware and gained access to the Domain Controller, says CISA, which also provided further info on indicators of compromise.
  • Russian urban mobility firm Whoosh has suffered a data breach affecting 7.2 million users. 
  • US defence contractor Booz Allen Hamilton says a former employee may have downloaded the personal information of ‘tens of thousands’ of employees, many of whom hold high levels of security clearance.

Threat intel

  • Unsurprisingly, phishing lures relating to FIFA and the World Cup are on the rise, with some targeting Middle Eastern countries in particular, says Trellix.
  • Seven groups are targeting e-commerce sites running Oracle’s Magento software in the run-up to Black Friday, Cyber Monday, and the high-volume Christmas shopping period, according to Sansec. The ‘TrojanOrders’ attacks exploit a vulnerability (CVE-2022-24068; patched in February) in the order process to gain remote access to the system, from where criminals can then start stealing personal and payment data.
  • Symantec report alleges China-affiliated group Billbug (aka Lotus Blossom, Thrip) compromised a certificate authority. The group primarily focuses on government, defence and communication targets in Southeast Asia.
  • The ‘Royal’ ransomware group uses malvertising to snare victims. Microsoft says it has seen the group abusing Google Ads to serve up malicious adverts posing as “software installers or updates embedded in spam emails, fake forum pages, and blog comment”.


  • F5 has fixed two high-severity remote code execution vulnerabilities (CVE-2022-41622 and CVE-2022-41800) in its BIG-IP and BIG-IQ platforms.
  • A critical vulnerability (CVE-2022-43782) in Atlassian’s Crowd Server and Data Center products allows an attacker to bypass the password check and call privileged API endpoints.

Security engineering

  • Kicking out your ex: Netflix has added the ability to terminate individual sessions. Previously, you could only log out of all sessions at once. I see more and more of this kind of fine-grain view and control in user sessions, particularly across consumer social media, while B2B SaaS software sometimes needs to catch up.
  • A vulnerability in Google’s Android operating system would have allowed you to bypass the PIN screen using the personal unlocking code (PUK) on a SIM card. Upon entering the PUK code, Android would dismiss all security prompts, including the device PIN screen, leaving the device unlocked. The issue is now fixed and affected at least the Pixel 5 and Pixel 6 devices. It will be a valuable technique for any devices seized by law enforcement that they have been unable to unlock. Google paid researcher David Schütz a $70,000 bounty for finding the issue.
  • Microsoft is urging developers that still use the ‘long term support’ version of .NET Core 3.1 to migrate before it finally reaches the end of support next month. The most recent long-term support or ‘LTS’ is Version 6, with Version 7 being the most current.

Operational technology

  • Electric vehicle charging infrastructure is ‘seriously insecure’, say scientists at Sandia National Laboratory in Albuquerque, New Mexico after a four-year research project.


  • Google has agreed to pay $391.5 million to 40 US states for tracking users’ locations when they had turned tracking off. As well as a location tracking setting, the ‘Web & Activity’ setting, turned on by default and automatically when using an Android phone, collected the same location data. 

Public policy

  • European Union defence ministers have approved a 15% budget increase and the creation of a military computer emergency response team operation network (MICNET). 
  • Russia’s cyber capability “underperformed” in the Ukraine invasion, says Mieke Eoyang, the deputy assistant secretary of defense for cyber policy at the Aspen Cyber Summit.

Law enforcement

  • 40-year-old Ukrainian national Vyacheslav Penchukov is to be extradited to the US after his arrest in Switzerland. Penchukov is alleged to go by the nickname ‘tank’ and is on the FBI’s most wanted list for running the Zeus info stealer malware.

Mergers, acquisitions and investments

  • Palo Alto Networks is to acquire Cider Security in a deal valued at around $300 million. Cider’s application security platform will be integrated into Palo Alto’s Prisma Cloud offering.

And finally

  • Activist group Torrents of Truth are inserting clips about the impact of Russia’s invasion of Ukraine into pirate TV shows and films. The group then seeds the media on file-sharing sites popular with Russian users, with the download avoiding state censorship.
