Robin’s Newsletter #242

5 February 2023. Volume 6, Issue 6
JD Sports expose PII of 10 million. Redcar council told to 'keep quiet' over ransomware attack. Zero-tolerance policy wipes over 2,000 devices.

First, a plea: If you’re hiring for technical cyber security roles or a vendor looking for sales and account managers, can you reply and share links to your positions, please? As you’ll read below, NCC Group is laying off 7% of its workforce — penetration testers, incident responders, sales and account management folks, technical project managers, you name it — and I’d love to create a list to share with those that have been affected. Thank you.

This week

JD Sports breach loses data from 10 million customers from a two-year period

JD Sports Fashion Plc has warned investors of a “cyber security incident regarding historic orders” between November 2018 and October 2020. Attackers made off with the name, billing address, delivery address, email address, phone number, order details and the final four digits of payment cards of “approximately 10 million unique customers”.

The company, which owns JD Sports, says that customers of Millets, Blacks and other subsidiary brands may also have been affected.

It’s important not to confuse the period over which the transactions relate and the duration of any attack. While the data in question covers almost two years, the statement doesn’t suggest that the breach lasted that long.

If Magecart card-skimming malware had been used on the checkout, it would have captured the full payment card details, one transaction at a time, over that period. But the card data accessed is limited to the last four digits. Instead, it seems more likely that this was unauthorised access to a backup or extract of customer orders. That would also explain why it’s only 27 months later that the company is making the announcement.

‘Leading’ cyber security experts have been engaged, the ICO has been notified and affected customers are being contacted.

Interesting stats

$1,300—$4,000 is the median salary range offered in job postings for developers on cybercrime forums, according to research by Kaspersky.

100+ active ransomware gangs, using 50+ types of malware, are being tracked by Microsoft as of the end of 2022. @MsftSecIntel

Other interesting things and newsy bits

  • A Jupyter notebook that uses GPT-2 natural language processing to infer MITRE ATT&CK techniques from threat intel reports. Neat.

  • Risk Analysis & Threat Modelling: where they both fit and how they complement each other within GRC and engineering teams.

  • Remember to rate limit your login and MFA APIs! Meta’s new system for managing logins to Facebook didn’t rate limit, or cap failed attempts against an API for associating mobile phone numbers with an account. The process is pretty standard: a code is sent to the mobile number, and the user enters it to verify ownership of the device. Six digits give a potential ‘one in a million’ chance of a bad actor guessing it. However, Meta’s poor implementation allowed an attacker to cycle through all possible options and register that phone number with their account. In doing so, they’d also deregistered it, therefore disabling multi-factor authentication on legitimate user accounts. Interesting research from Gtm Mänôz.

  • Mary Lanigan, leader of Redcar and Cleveland Borough Council, says that a government minister told them to keep quiet about a ransomware attack that crippled the council’s operations at the beginning of 2020. The unnamed minister also promised that “whatever it is, we’ll meet the cost,” though such support was not forthcoming. Previous reports put the consequences of the incident at over £10 million (vol. 3, iss. 32).

  • OpenAI has released a tool (‘not fully reliable’) to detect content written by ChatGPT.
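On the Meta rate-limiting item above: an added example, not from the newsletter, Meta or the researcher, showing a 6-digit phone-verification step with and without a cap on failed guesses. The cap of five attempts, the five-minute TTL and the injectable RNG/clock are assumptions made for this illustration.

```python
"""Added example (not from the newsletter or Meta's code): 6-digit phone
verification with and without a cap on failed guesses. The cap, TTL and
injectable RNG/clock are assumptions made for this illustration."""
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300  # assumed policy: a code is valid for five minutes

@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0

class PhoneVerifier:
    """One pending code per phone number. max_attempts=None reproduces the
    flaw described above (every one of the 1,000,000 values can be tried);
    an integer burns the code after that many misses, forcing a new code."""

    def __init__(self, max_attempts=5, rng=secrets.randbelow, clock=time.monotonic):
        self.max_attempts = max_attempts
        self._rng, self._clock = rng, clock
        self._pending = {}

    def send_code(self, phone: str) -> str:
        code = f"{self._rng(1_000_000):06d}"  # CSPRNG in production
        self._pending[phone] = PendingCode(code, self._clock())
        return code  # returned only so a caller can simulate SMS delivery

    def verify(self, phone: str, guess: str) -> bool:
        pending = self._pending.get(phone)
        if pending is None:
            return False  # nothing issued, already used, or burned by misses
        if self._clock() - pending.issued_at > CODE_TTL_SECONDS:
            del self._pending[phone]  # expired: caller must request a new one
            return False
        pending.attempts += 1
        ok = hmac.compare_digest(pending.code, guess)  # constant-time compare
        capped = self.max_attempts is not None and pending.attempts >= self.max_attempts
        if ok or capped:
            del self._pending[phone]  # single use; burned once the cap is hit
        return ok

def exhaustive_guess_succeeds(verifier: PhoneVerifier, phone: str) -> bool:
    """Models the reported weakness: try every value 000000..999999 once."""
    return any(verifier.verify(phone, f"{n:06d}") for n in range(1_000_000))
```

Note that the cap alone does not address the second issue in the report: registering a number must not silently deregister it from another account, which should require confirmation from the existing owner.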

In brief

Attacks, incidents & breaches

  • The Vice Society ransomware group has claimed responsibility for an attack on Guildford County School in the UK. The group have posted files to their ‘leak site’, including several that appear to be safeguarding reports containing sensitive information about at-risk students.
  • A former employee of Yandex, the Russian tech giant, has stolen almost 45GB of source code. The files from the first half of 2022 are available on the dark web for anyone to download. The leak reveals the algorithm by which Yandex prioritises its search results.
  • A ransomware attack on the Indianapolis Housing Agency has resulted in the theft of personal information, including Social Security numbers, of 212,910 people.
  • GitHub says that unidentified attackers gained access to code repositories and made off with code-signing certificates for the Mac versions of its Desktop and Atom applications. The certs have been revoked, which may prevent the apps from running.
  • “Cyber security event” at financial data company Ion affecting exchange-traded derivatives and post-trade services.
  • Portuguese brewer Super Bock Group is warning of potential disruption to supplies of its beers after reports of a cyberattack putting “constraint on regular operation”.
  • Google Fi is notifying customers of a data breach at a ‘primary network provider’ believed to be T-Mobile, who reported a breach in January (vol. 6, iss. 4).

Threat intel

  • A great write-up from WithSecure on North Korea’s recent campaign targeting the medical research and technology sectors. A good look at the activities and techniques used by the group, attributed with high confidence to Lazarus Group, and relevant reading for organisations in sectors of interest to the North Korean state.
  • A zero-day vulnerability in Fortra’s GoAnywhere MFT managed-file transfer solution is being actively exploited, according to Rapid 7.
  • Microsoft has notified customers affected by an attacker that abused the company’s “verified publisher” status to trick victims into authorising access to their environments. The apps request OAuth permissions and access to mailboxes and calendars, amongst others.
  • New LockBit encryption ransomware, called ‘Green’, is based on leaked source code from Conti group, say researchers.
  • Over 1,200 Redis servers exposed to the Internet are compromised with Monero crypto-mining malware, according to Aqua Security, who says that antivirus vendors don’t readily detect the malware.
  • A threat intel report from CrowdStrike seen by TechCrunch suggests that 0ktapus is targeting computer games companies.
  • Microsoft says that Iranian cyber company Eminent Pasargad was behind the attack against the French satirical magazine Charlie Hebdo and the release of a sample of personal data of 200,000 customers.


  • A critical, 9.4/10.0 vulnerability in Atlassian’s Jira Service Management Server and Data Center can allow unauthenticated users remote access to the systems. CVE-2023-22501 affects versions 5.3.0 through 5.5.0.
  • An SQL injection vulnerability in QNAP’s network-attached storage (NAS) devices may leave 29,000 open to ransomware attempts. CVE-2022-27596 scores 9.8/10.0 and should be patched immediately.
  • Changes to the config file of KeePass can trigger it to silently export plaintext usernames and passwords the next time the user enters their master password. The developers of the password manager claim it’s not a vulnerability, as “KeePass cannot magically run securely in an insecure environment.” I think this is a classic bit of security vs usability. It’s true that write access could also enable a hacker to replace the entire KeePass executable, but that doesn’t negate the user’s needs and expectations of such software. The vulnerability is tracked as CVE-2023-24055 and scores 5.3/10.0 (pending review).

Operational technology

  • The electric vehicle (EV) industry is being slow to update charging infrastructure to remove vulnerabilities in the open charge point protocol (OCPP) — used to communicate between charging points and management systems — says Saiflow, who adds that the issues can disable charging points or allow free charging.

Internet of Things

  • Anker smart-home subsidiary Eufy has acknowledged deficiencies in its ‘no clouds’ lines of products that were found to be uploading data to the cloud (vol. 5, iss. 49). As well as immediate technical changes to address the reported issues, the company will be engaging a ‘well-known expert’ to produce a security report; commissioning assessments from ‘several’ security consulting, certification and penetration testing firms; and establishing a bug bounty programme.


  • ‘Privacy assistant’ Jumbo is now free — citing high churn and unwillingness for consumers to pay — and includes identity theft insurance for US users.
  • Spyware developer Patrick Hinchy will notify victims that their phones were compromised as part of a deal with the New York attorney general. 

Public policy

  • The Transport Security Administration has issued a dressing down to US airlines and airports after the ‘no-fly’ list was recently leaked. A 2019-era copy of the list with 1.5 million entries was left exposed by United Airlines subsidiary CommuteAir. Rather than handing them a flat file or database of names, perhaps the TSA could offer a more modern, API-driven approach? (leak)


  • Singapore’s Online Safety (Miscellaneous Amendments) Act came into force on 1st February and allows the state to order communication services (such as social media platforms) to block “egregious” content.

Law enforcement

  • Former RAC employee passed details of accidents to ‘claims management’ companies. Asia Iqbal Khan pleaded guilty to two counts of stealing data and has been fined £5,000 and ordered to pay a victim surcharge and court costs.
  • Nickolas Sharp, from Portland, Oregon, has pleaded guilty to a plot to extort $2 million from his previous employer, Ubiquiti Networks. Sharp abused his administrative access to the company’s cloud and source control systems to exfiltrate data. When the company didn’t meet his demands, he released some of the data and stories to the press, causing the company’s market capitalisation to fall by over $4 billion. Sharp faces up to 35 years in prison.
  • A former member of the ‘Lizard Squad’ group, Julius Kivimäki, has been arrested in France. The Finnish national was responsible for the attack against a psychotherapy centre (vol. 3, iss. 44) where individual patients received ransom demands not to release details of their treatments and medical files.

Mergers, acquisitions and investments

  • Guardz, who offers low-code security tools and insurance to SMBs with 10-250 users, has announced a $10 million funding round led by Hanaco Ventures.
  • Darktrace has announced plans to buy back up to £75 million ($90 million) of shares following reports of short selling over potential ‘irregularities in contracts with resellers and customers’.
  • NCC Group is to cut its workforce by 7% - primarily in the UK and North America - in response to ‘tough market conditions’. Around 125 of the company’s 1,800 employees will be affected.

And finally

About that zero-tolerance policy for non-compliance…

Unstoppable force vs immovable object

A piece of software used by a quarter of your workforce has come end of life. You managed to negotiate a (largely ineffective but contractually sound) extended support contract for 12 months. You also have a policy that IT systems should remotely wipe any device out of compliance. You can probably see where this is going.

Fetch the popcorn to go with your Monday morning coffee, folks, and check out this example of middle-management infighting that wouldn’t be out of place in the CIA’s Simple Sabotage Field Manual. (H/T Paul) @SecurityWriter
