Robin’s Newsletter #235

18 December 2022. Volume 5, Issue 51
Microsoft certs used to sign malware. AWS API exposed ability to modify, delete container images. BEC scammers are targeting sugar and milk powder.

This week

Microsoft digital certificates used to sign malware

  • A Microsoft programme to digitally sign drivers for use in the core part of the Windows operating system has been abused to sign malware.
  • The drivers, certified by Microsoft’s Windows Hardware Developer Program, were being used maliciously in post-exploitation activity. This means that attackers had already managed to gain unauthorised access to systems, which made it easier for them to load additional malicious tools onto the compromised systems.
  • That’s because endpoint security tools often treat code signed by Microsoft as trusted. Abuse of this kind undermines that assumption and calls into question the robustness of Microsoft’s certification process.
  • SentinelOne, Mandiant, and Sophos discovered the abuse.

Internal AWS API could have allowed deletion, replacement of container images

  • Publicly available, undocumented API endpoints for an AWS service could have allowed any user to modify or delete container images used by other customers. Amazon Web Services (AWS) Elastic Container Registry allows users to “share and deploy container images, publicly and privately”. Security researcher Gafnit Amiga found references to internal API calls on the publicly available site.
  • Amazon has fixed the issues, conducted an “exhaustive analysis”, and concluded that the issue had not been exploited. No remedial customer action is required.
  • An attacker could have modified common images — such as Amazon’s own Linux image, EC2 agent or other popular software like Nginx — to include weakened security configurations or malicious code to do whatever the attacker wished as part of a supply-chain attack. Those malicious images would have appeared as ‘official’ images to users and may have been pulled in automatically by build scripts.

(H/T Lloyd)
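The last bullet above notes that replaced images would have looked ‘official’ and been pulled in automatically by build scripts. The usual defence is to reference base images by content digest rather than by mutable tag, so that a swapped image fails to pull instead of silently being used. The checker below is an added example (not code from the newsletter or from AWS) that flags `FROM` lines in a Dockerfile which are not digest-pinned; the image names and digest in the sample are placeholders.

```python
import re

# `FROM [--platform=...] <ref> [AS <stage>]`; <ref> may carry a tag, a digest, or both.
# Written for this example; real Dockerfile parsing has more corner cases (ARG substitution etc.).
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+\S+)?\s*$",
    re.IGNORECASE,
)
# A digest-pinned reference ends in @sha256:<64 hex chars>.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def unpinned_images(dockerfile_text):
    """Return (line_number, image_ref) for every FROM line that is not pinned by digest.

    A tag such as ':latest' or ':2' is a mutable pointer: whoever can write to the
    registry can move it. A digest is content-addressed, so a swapped image would
    simply fail to pull.
    """
    findings = []
    for line_no, line in enumerate(dockerfile_text.splitlines(), start=1):
        match = FROM_RE.match(line)
        if not match:
            continue
        ref = match.group("ref")
        if ref.lower() == "scratch":
            continue  # the empty base image, nothing to pull
        if not DIGEST_RE.search(ref):
            findings.append((line_no, ref))
    return findings


# Constructed sample; the image names and digest are placeholders, not real images.
SAMPLE_DOCKERFILE = """\
FROM public.ecr.aws/example/base:2 AS build
RUN echo build
FROM example.registry/nginx:1.23@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
COPY --from=build /out /usr/share/nginx/html
FROM scratch
"""

if __name__ == "__main__":
    for line_no, ref in unpinned_images(SAMPLE_DOCKERFILE):
        print(f"line {line_no}: {ref} is pulled by tag, not digest")
```

Run as a CI step, this turns the supply-chain risk into a build failure. The trade-off is that digest pins must be bumped deliberately (a dependency-update bot is the usual answer), which is the point: base image changes become visible changes in the repository rather than something that happens at pull time.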

BEC scammers are targeting food products, not just cash

  • Food and agriculture businesses are being targeted for their commodities in business email compromise (BEC) scams.
  • BEC attacks usually try to con finance teams out of cash; however, the US FBI, Food and Drug Administration and Department of Agriculture say that recent scams targeted truckloads of sugar and powdered milk valued at over $750,000.
  • Extrapolating from this switch, we may see any easily transportable, difficult-to-trace commodity being targeted in the future.

Two weeks on… details on LastPass’ most recent breach are still light; Rackspace backups MIA

  • LastPass notified customers of a breach two weeks ago (vol. 5, iss. 49). Little information has been published by LastPass, or partner GoTo, since then. Zach Whittaker looks at the notice to decipher what it likely means.
  • Separately, Rackspace customers are frustrated over the lack of progress in restoring their hosted Microsoft Exchange platform after a ransomware attack (vol. 5, iss. 49). Updates from the hosting provider suggest that it does not have recent backups available to restore from, and it is instead directing customers to their local Outlook copies or to third-party backup solutions.

Interesting reads

  • GPS signals are being disrupted in Russian cities. This is potentially to hamper long-range Ukrainian drone attacks that rely on GPS for navigation, speculates Matt Burgess for Wired.

Interesting stats

“Almost 200 countries” are home to people targeted by commercial ‘surveillance-for-hire’ businesses, according to Facebook parent Meta, in a report that says this trend is ‘growing globally’.

30% increase in unique command and control (C2) servers in 2022, up to over 17,000 from 13,629 in 2021, according to Recorded Future. Cobalt Strike, IcedID, QakBot and PlugX are the main culprits, hosted in 1,419 hosting providers across 116 countries.

Other newsy bits / in brief

Attacks, incidents & breaches

  • Up to 17 million additional Twitter user records may have been stolen in their 2021 breach. The revised dataset, which includes Twitter usernames combined with private email addresses and mobile phone numbers, has been put up for sale on a dark web marketplace.
  • Uber supplier Teqtivity was breached by an apparent Lapsus$ group member, and internal company device and user data were leaked.
  • LockBit claims responsibility for ransomware attack on California Department of Finance. The group says it has stolen 76 GB of data, including “databases, confidential data, financial documents”. The California Governor’s Office of Emergency Services said that “no state funds have been compromised” in the attack.
  • The Swedish municipalities of Borgholm and Mörbylånga have taken IT systems offline and declared a ‘crisis situation’ following a cyberattack.
  • Streaming video service FuboTV was taken offline by a ‘criminal cyber attack’ during the World Cup semifinal on Wednesday.
  • The fire service in the Australian state of Victoria has shut down IT systems and switched to manual operations following a cyberattack that affected email and phone communications and automation systems, such as those which open the doors at fire stations when emergency calls come in to save time.
  • The US Cybersecurity and Infrastructure Security Agency (CISA) says it discovered Russian military intelligence (aka Fancy Bear, APT28) lurking within a US satellite network. Satellite communications, including commercial operators, have increased in importance and profile this year with Russia’s invasion of Ukraine. During the opening hours of that conflict, wiper malware transmitted to modems in and around Ukraine disrupted communications (vol. 5, iss. 14).
  • The contents of a 427 GB backup database belonging to restaurant reservation company SevenRooms have been stolen by attackers. The sample of data posted included reservation lists, payment reports and promotion codes, amongst other data.

Threat intel

  • Ukrainian railway and other state agencies targeted with ‘DolphinCape’ malware using kamikaze drone identification as a lure. The attack, attributed to Russian interests, shows how physical battlefield actions can be repurposed in cyber warfare.
  • Check Point says that the Cloud Atlas group has increased activities against targets in Russia, Belarus and Transnistria (a region of Moldova). The group uses phishing emails and .doc attachments that load malicious document templates to avoid detection.
  • A new botnet dubbed “GoTrim” is scanning for self-hosted installations of WordPress and then attempting to brute force the administrator password. Fortinet says that the ongoing campaign has been underway since September 2022.
  • Proofpoint says that the Charming Kitten (aka Phosphorus, APT42) group is changing its targeting to meet intelligence needs. The group, linked to Iran’s Islamic Revolutionary Guard Corps (IRGC), is using new techniques against medical researchers, an aerospace engineer and a real estate agent.
  • Checkmarx and Illustria say that 144,294 malicious packages have been uploaded to the NPM, PyPI and NuGet repositories. The packages include links to phishing sites, promoted fake apps, surveys and giveaways. The campaign seems to be trying to boost the SEO ranking of its phishing sites by including the links in publicly visible package descriptions.
  • QBot campaigns use SVG files containing JavaScript to smuggle malware onto victims’ systems.
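The GoTrim item above describes a botnet brute-forcing WordPress administrator passwords. The natural detection is a sliding window over login-audit events: a source that racks up many failures in a short period is flagged and can be fed into a block rule. The code below is an added example, not from the newsletter or from Fortinet; the log line format is assumed (a web server or login-audit plugin would produce something of this shape) and the lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed login-audit lines: "<utc timestamp> <client ip> <OK|FAIL> user=<name>".
# The format is assumed for this example; adapt parse_line() to your own source.
SAMPLE_LOG = """\
2022-12-14T10:00:01Z 203.0.113.5 FAIL user=admin
2022-12-14T10:00:02Z 203.0.113.5 FAIL user=admin
2022-12-14T10:00:03Z 203.0.113.5 FAIL user=admin
2022-12-14T10:00:10Z 198.51.100.7 FAIL user=editor
2022-12-14T10:00:04Z 203.0.113.5 FAIL user=admin
2022-12-14T10:00:15Z 198.51.100.7 FAIL user=editor
2022-12-14T10:00:05Z 203.0.113.5 FAIL user=admin
2022-12-14T10:00:20Z 198.51.100.7 OK user=editor
2022-12-14T10:01:00Z 192.0.2.9 FAIL user=admin
2022-12-14T10:03:00Z 192.0.2.9 FAIL user=admin
2022-12-14T10:05:00Z 192.0.2.9 FAIL user=admin
2022-12-14T10:07:00Z 192.0.2.9 FAIL user=admin
2022-12-14T10:09:00Z 192.0.2.9 FAIL user=admin
"""
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Split one audit line into (timestamp, ip, result, username)."""
    ts, ip, result, user = line.split()
    return datetime.strptime(ts, TS_FMT), ip, result, user.partition("=")[2]


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {ip: timestamp} for each source that reached `threshold` failed logins
    inside any `window_seconds` span; the timestamp is the failure that crossed the line."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    alerts = {}
    # Tuples sort on the timestamp first, so out-of-order lines are handled.
    events = sorted(parse_line(l) for l in lines if l.strip())
    for ts, ip, result, _user in events:
        if result != "FAIL":
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that have aged out of the window
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = ts.strftime(TS_FMT)
    return alerts


if __name__ == "__main__":
    for ip, when in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: brute-force threshold reached at {when}")
```

In the sample, 203.0.113.5 hits five failures within five seconds and is flagged; 198.51.100.7 fails twice then succeeds, and 192.0.2.9 fails five times but two minutes apart, so neither trips the default threshold. One caveat for a botnet such as the one described: attempts are spread across many source addresses, so a per-IP window alone will miss it, and the same logic should also be run per target username and across the whole login endpoint.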
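The QBot item above relies on SVG being XML that browsers will execute script from: a `<script>` element, an `on*` event-handler attribute or a `javascript:` URL inside an ‘image’ is enough. Most genuine SVG images carry none of these, so a mail gateway or upload handler can simply look for them. The scanner below is an added example, not code from the newsletter or from any vendor; both sample documents are constructed and the script body is an empty placeholder.

```python
import xml.etree.ElementTree as ET

# Constructed samples: a plain drawing, and one carrying script-capable content.
# The script body is only a comment; no payload is included.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="blue"/>
</svg>"""

SUSPECT_SVG = """<svg xmlns="http://www.w3.org/2000/svg" onload="init()">
  <rect width="10" height="10"/>
  <script type="text/javascript"><![CDATA[ /* placeholder */ ]]></script>
</svg>"""


def _local(name):
    """Strip an XML namespace prefix such as '{http://www.w3.org/2000/svg}'."""
    return name.rsplit("}", 1)[-1].lower()


def svg_active_content(svg_text):
    """List the script-capable features found in an SVG document.

    Note: for untrusted input parse with defusedxml (or otherwise disable entity
    expansion); the stdlib parser is used here so the example runs without dependencies.
    """
    findings = []
    root = ET.fromstring(svg_text)
    for el in root.iter():
        tag = _local(el.tag)
        if tag == "script":
            findings.append("<script> element")
        elif tag == "foreignobject":
            findings.append("<foreignObject> element (may embed HTML)")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):
                findings.append(f"event handler '{name}' on <{tag}>")
            elif name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL on <{tag}>")
    return findings


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("suspect", SUSPECT_SVG)):
        print(label, svg_active_content(doc) or "no active content")
```

A practical policy is to reject or quarantine any SVG attachment for which this returns a non-empty list, and to serve user-uploaded SVGs with a `Content-Disposition: attachment` header or a strict Content Security Policy so that even a missed case cannot execute in the origin of the site.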


  • A critical vulnerability in Fortinet’s SSL-VPN service is being actively exploited, says the vendor. CVE-2022-42475, a ‘heap-based buffer overflow’ bug, may allow remote attackers to execute code on affected systems. A patch is available in the recent releases of FortiOS.
  • A critical zero-day vulnerability in Citrix’s ADC and Gateway products is being actively exploited by state-sponsored attackers. Citrix advises customers to patch systems against CVE-2022-27518 “as soon as possible,” and the US National Security Agency has published an advisory linking the activity to China’s APT5 group.

Cyber defence

  • Microsoft is ceasing support for Windows 7, 8 and Microsoft Edge in January 2023. (‘New Edge’, which runs on Windows 10 and 11, will continue to be supported.)
  • Web application firewalls (WAFs) from five major vendors — Palo Alto Networks, Amazon, Cloudflare, F5 and Imperva — were vulnerable to SQL injection attacks using JSON payloads. Despite database servers having supported JSON syntax for a decade, the five vendors’ WAF products did not, and so could not detect or block this type of malicious payload. Each of the five has addressed the issue following reports from researchers at Claroty. (H/T Tom)
  • Microsoft is introducing a ‘data boundary’ for Microsoft 365, Azure, Power Platform and Dynamics 365 that will limit the storage and processing of data to facilities within the European Union on 1st January 2023.
  • The Australian Cyber Security Centre (ACSC) has released a series of guides aimed at helping small businesses use cloud services securely. The guides highlight meeting the Essential Eight principles in Microsoft 365.
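The WAF item above is a reminder of what a WAF is: a signature layer that recognises SQL syntax it has been taught, and which is blind to syntax it has not (JSON operators, in this case). The underlying fix is the one that makes the question moot: bind user input as a parameter so it never becomes part of the SQL text at all. The example below is added here and is not code from the newsletter or from Claroty; it uses an in-memory SQLite table with constructed rows and shows the concatenated query breaking on an ordinary apostrophe while the bound version handles it, which is the same data-versus-syntax boundary the WAF bypass exploits.

```python
import sqlite3


def make_db():
    """In-memory table with constructed rows; one name contains an apostrophe."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, tier TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "free"), ("bob", "paid"), ("o'brien", "paid")],
    )
    return con


def lookup_concat(con, name):
    """Vulnerable pattern: the caller's string becomes part of the SQL text."""
    return con.execute(f"SELECT tier FROM users WHERE name = '{name}'").fetchall()


def lookup_param(con, name):
    """Safe pattern: the value is bound separately and can never be read as SQL syntax."""
    return con.execute("SELECT tier FROM users WHERE name = ?", (name,)).fetchall()


def compare(name):
    """Run both lookups on the same input.

    Returns (rows from the bound query, rows from the concatenated query or the
    string 'error' where the concatenated query was no longer valid SQL).
    """
    con = make_db()
    try:
        concat = lookup_concat(con, name)
    except sqlite3.OperationalError:
        concat = "error"
    return lookup_param(con, name), concat


if __name__ == "__main__":
    for name in ("alice", "o'brien"):
        bound, concat = compare(name)
        print(f"{name!r}: bound -> {bound}, concatenated -> {concat}")
```

The apostrophe in `o'brien` is enough to turn the concatenated query into a syntax error, which is exactly the kind of behaviour an attacker probes for; the bound query returns the right row. A WAF in front of such code can only ever guess at the set of syntax it should block, whereas the parameterised form has no such set to guess.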

Security engineering

  • GitHub is rolling out its ‘secrets scanning’ service to all users for free. The feature, which has been part of a paid enterprise tier, helps to identify hardcoded credentials and API keys that may reside in source code and may be publicly visible. The service looks for 200 known token formats by default, and the company says it identified over 1.7 million potential secrets exposed during 2022. (H/T Tim)
  • GitHub will also require all users to enable multi-factor authentication before the end of 2023.
  • Google has released ‘OSV-Scanner’ that checks and notifies of vulnerabilities in open-source dependencies.
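The GitHub item above describes scanning for ‘known token formats’. The same idea scales down to a pre-commit hook: a handful of prefix-based patterns for tokens with a recognisable shape, plus an entropy heuristic for the ones that do not have one. The scanner below is an added example, not GitHub’s code; the two patterns are simplified versions of the GitHub personal-access-token and AWS access-key-ID shapes, the 3.5-bit entropy threshold is an assumed cut-off, and the sample source is constructed (the AWS key is AWS’s own documented placeholder, the GitHub token is made up).

```python
import math
import re

# Two simplified token shapes (real scanners carry a few hundred): GitHub personal access
# tokens are "ghp_" + 36 alphanumerics, AWS access key IDs are "AKIA" + 16 upper-case/digits.
PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[A-Z0-9]{16}\b"),
}
# Fallback for tokens without a known prefix: a secret-ish name assigned a long value.
GENERIC_ASSIGN = re.compile(
    r"""(?i)(secret|token|password|api[_-]?key)\s*[:=]\s*['"]?([A-Za-z0-9+/=_\-]{16,})"""
)
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off, tune on your own corpus


def shannon_entropy(s):
    """Bits of entropy per character; random-looking strings score high, 'aaaa...' scores 0."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def mask(secret):
    """Keep only the ends so the report never re-leaks the whole value."""
    return secret[:4] + "..." + secret[-4:]


def scan(text):
    """Return (line_number, kind, masked_value) for each suspected secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        hit = False
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                findings.append((line_no, kind, mask(m.group(0))))
                hit = True
        if hit:
            continue  # a known format beats the generic heuristic
        m = GENERIC_ASSIGN.search(line)
        if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
            findings.append((line_no, "high_entropy_assignment", mask(m.group(2))))
    return findings


# Constructed sample source; the GitHub token is made up and the AWS key is the
# documented AWS placeholder, so neither is a live credential.
SAMPLE_SOURCE = """\
# constructed sample, not real credentials
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
gh = Github("ghp_0123456789abcdef0123456789abcdef0123")
db_password = "hunter2"
api_key = "Zq9vT3kL8mPx2nRw7cYb4dHs6fJa1eUg"
placeholder_token = "aaaaaaaaaaaaaaaaaaaa"
version = "1.2.3"
"""

if __name__ == "__main__":
    for line_no, kind, value in scan(SAMPLE_SOURCE):
        print(f"line {line_no}: {kind} {value}")
```

The sample shows the three behaviours worth having: prefixed tokens are matched by shape, a long random-looking value assigned to `api_key` is caught by entropy, and the short `hunter2` and the all-`a` placeholder are left alone. Reported values are masked, since a scanner that prints whole secrets into CI logs just moves the leak.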


  • The French data protection regulator is considering issuing Apple a €6 million ($6.3 million) penalty. Apple’s introduction of permission dialogues to block or accept tracking within apps was not originally applied to its own apps, argues François Pellegrini, chief advisor to the CNIL (Commission nationale de l’informatique et des libertés). Apple fixed the issue in iOS 15, and now permission must be granted for all apps.
  • The European Union says that an Executive Order from President Biden in October 2022 ensures sufficient protection for personal data to be transferred to the US. The Executive Order limited the use of European personal data by US intelligence agencies to what is ‘necessary and proportionate’ for national security. Campaigner Max Schrems says that the draft decision will not stand up to scrutiny by the European Court of Justice.

Public policy

  • In a break away from its post-WWII pacifist approach to international conflict, Japan is to amend its laws to allow offensive cyber operations.
  • Australia and Vanuatu have signed a bilateral security agreement that includes defence and cybersecurity cooperation. Vanuatu has been struggling to restore systems in the wake of an attack that took out its government’s IT systems in November.


  • China’s Cyberspace Administration (CAC) has published regulations requiring the consent of the people depicted in AI-generated ‘deepfake’ videos, and requiring all such creations to be labelled.
  • Tech industry body NetChoice (which represents Meta, Google and TikTok, among others) is suing the state of California over new child protection legislation. NetChoice says California’s Age-Appropriate Design Code Act, which will force companies to consider child safety during product design and mandate age verification, is unconstitutional and uses “subjective” terms to define the harms that must be prevented.

Law enforcement

  • Five were arrested in the UK for selling software that modified point-of-sale data so merchants could minimise their tax bills.
  • The US Department of Justice has charged six individuals and seized 48 domains relating to distributed denial of service (DDoS) services. The ‘DDoS-for-hire’ sites were selling their services via dark web sites.
  • Ahmad Abouammo, a former Twitter staffer who spied for the Saudi Arabian government, has been sentenced to three and a half years in prison. Abouammo abused his access within the social network to pass identifying information on dissidents to Saudi authorities. The judge also ordered him to forfeit $242,000, the combined value of cash and luxury goods he was given in return for the information.

Mergers, acquisitions and investments

  • Protect AI has raised a $13.5 million seed-funding round to develop tools that will defend AI systems and machine learning models.

And finally

Instagram is rolling out a new process for recovering compromised accounts

  • A welcome addition to Instagram’s notoriously awful account recovery procedures this week. “If you find yourself locked out of your account, you will be able to choose two of your Instagram friends to verify your identity and get back into your account,” says the Meta-owned social network.

PS, congratulations to NCC Group CTO Ollie Whitehouse, who is leaving the company after a decade to join PortSwigger as a non-executive director.
