Robin’s Newsletter #244

19 February 2023. Volume 6, Issue 8
Twitter to charge for SMS MFA. 'Anonymous' ideological attacks. GoDaddy discloses multi-year breach. The proliferation of 'risk dashboards'.
Join hundreds of subscribers who get this first, every Sunday. Subscribe

This week

Twitter to charge for SMS-based multi-factor authentication

  • Twitter’s Two-Factor Authentication Change ‘Doesn’t Make Sense’. Twitter has announced that SMS-based multi-factor authentication will be disabled for users who do not pay the social media company for a Twitter Blue subscription in a month. In a blog post, Twitter claims this is because ‘bad actors’ have abused SMS, so it’s not as secure as authenticator apps or hardware tokens (both of which will continue to be free to use).
  • I think it’s a bit of a content design and communications failure on behalf of Twitter (who no longer have a PR/comms team) in the way that it has been framed. That’s obvious from the many “wtf?” reactions from users and infosec pros alike on the platform. At its core though, as much as Twitter say it’s about improving security, this has to be a cost-saving measure. If it were truly about security, you wouldn’t be able to pay for lesser protection. And having SMS MFA is better than having no MFA (which is what will happen by default).
  • But how sizeable is the problem? Rachel Tobac has some data to answer that, which might surprise you: Just 2.6% of Twitter users have at least one method of MFA enabled; SMS accounts for 74.4% of that. 
  • SMS MFA has flaws, and NIST has been calling for it to be phased out, but as a protocol, SMS is ubiquitous and is an adequate method for many consumers. Authenticator apps are free, but for many non-tech-savvy users, it’s not clear where to start: Why must I use a different app to log in? Which is right for me? What features do I need? We must balance security (risk) and usability as a profession. No control is 100% effective, so we need to build in defence in depth and make it easier for people to be secure. We mustn’t let perfection be the enemy of success.
  • Techcrunch has a guide on switching to an authenticator app or hardware token so you can continue protecting your account without having to fork over cash for the privilege.

Explanation demanded from police force over disclosure of sensitive personal information in missing person case

  • Nicola Bulley has been missing for almost three weeks when, In a televised interview, Lancashire Police said they had concerns over the welfare of the missing woman. Initially, the police force refused to elaborate on the “vulnerabilities”. However, hours later, they voluntarily issued a statement saying they understood she suffered from “significant” issues from alcohol and menopause.
  • The u-turn and unusual disclosure have drawn criticism. It’s hard to see how the details are relevant three weeks later or given the ‘working hypothesis’ that she fell into a river while out walking her dog.

”Police can disclose information to protect the public and investigate crime, but they would need to be able to demonstrate such disclosure was necessary.” — John Edwards, Information Commissioner.

  • The ICO has stated that they will ask Lancashire Police to set out how they decided to disclose the information. Lancashire Police has also referred itself to the Independent Office for Police Conduct.
  • As of writing this evening, the police have found a body in the River Wyre, less than a mile from Nicola Bulley’s last known location.

Interesting stats

87% increase in ransomware attacks against industrial infrastructure in 2022, according to Dragos, with  8x more attacks against manufacturing than the next nearest sector, food and beverage.

£65.7 million ($80 million) was demanded by LockBit from Royal Mail in their recent ransomware attack, claiming this was  0.5% of revenue.

Cyberwar stats:

300% increase in Russian phishing campaigns against NATO counties,  250% increase in phishing campaigns against Ukrainian targets, and  24x the number of destructive malware (wiper) attacks in the first four months of 2022 than the previous eight years, according to Google.

Other newsy bits & interesting reads

  • Hyundai, Kia to provide anti-theft software updates following viral TikTok challenge. Immobilisers aren’t mandatory in the US, and dissembling the steering column on Hyundai and Kia cars sold until 2021 reveals a USB-A style port and plugging in a phone charger cable hot-wires the ignition. (I bet you don’t have “TikTok challenge” on your risk register!)

  • Revealed: the hacking and disinformation team meddling in elections. ‘Team Jorge’ is a team of Israeli contractors who claim to have interfered in 33 presidential elections worldwide. Some of it is social media amplification of messages through an army of bot accounts, but other parts of their operation seem more focused on disrupting opposition campaigns by hacking email and instant messaging apps and sowing discord between key figures.

  • Z-Library, a pirate e-book site, is trying to stay online and avoid domain seizures by generating unique domains for each user. I’m not sure it will be super-effective long term - and costly to scale - but interesting to think about how personalised access like this may be applied in other use cases.

  • GoDaddy says a multi-year breach hijacked customer websites and account. The hosting provider, who has 21 million customers, says multiple incidents involving the same intruder started in 2020 and continued through 2022. Most recently, malware was installed that “intermittently redirected random customer websites to malicious sites.” Hosting companies, and DNS registrars in particular, are an attractive target for their scale, but attacks need to be particularly stealthy to maintain persistence: that very scale makes it evident if ‘too much happens at once’.

  • Cybersecurity Risk Dashboards: No Value, Extreme Liability. Jeff Pollard and co have some damning criticism of cyber vendors’ proliferation of ‘riskupsell dashboards’. They make an interesting point around liability and what happens if you have a breach and ‘ignore’ the warnings of a core security tool. Many of these tools (and more so their dashboards!) lack crucial business context. But why let that spoil a lawsuit?

In brief

Attacks, incidents & breaches

A few ideologically motivated attacks this week:

  • Israel’s top tech university postpones exams after ransomware attack. The attackers used a portmanteau of DarkSide and LockBit as the name. They appeared ideological rather than financial in the objective, with the “apartheid regime” being cited in posts claiming responsibility.
  • Scandinavian Airlines hit by cyberattack, ‘Anonymous Sudan’ claims responsibility. Scandinavian Airlines (SAS) website was taken offline, and national TV broadcaster SVT was temporarily offline by cyberattacks this week. A group calling themselves Anonymous Sudan claimed responsibility, citing the burning of the Quran during protests in Stockholm in January and threatening to continue attacks unless the Swedish government issued an apology.
  • ‘Russian hacktivists’ brag of flooding German airport sites. A group called ‘Anonymous Russia’ has claimed responsibility for the distributed denial of service (DDoS) attacks affecting Düsseldorf, Hanover, Dortmund, Erfurt, Nuremberg and Baden-Baden airports.


  • Salary details of 14,000 Liverpool NHS trust staff shared by mistake. The information, including National Insurance number and salary, was shared with hundreds of managers at the trust as a ‘hidden tab’ in a spreadsheet.
  • Eurostar forces ‘password resets’ — then fails and locks users out. The move is ostensibly about improving account security (potentially a new authentication routine), and it appears that the result may be a little too secure for those that dutifully did as they were asked promptly. A spokesperson attributed “[the] sudden volume of customers” to the “technical difficulties”.
  • Tonga is the latest Pacific Island nation hit with ransomware. Tonga Communications Corporation (TCC), the state-owned telco, is believed to have become a victim of the Medusa ransomware group. Congo has around 100,000 citizens and is the latest Polynesian country to be struck by ransomware, after Vanuatu in November last year (vol. 5, iss. 51).
  • City of Oakland declares state of emergency after ransomware attack.
  • Health info for 1 million patients stolen using critical GoAnywhere vulnerability. In a Securities and Exchange Commission filing, Community Health Systems of Franklin, Tennessee, said protected health information and personal information were taken by attackers using a weakness in the file transfer system. The zero-day vulnerability in Fortra’s GoAnywhere file transfer system was disclosed two weeks ago (vol. 6, iss. 6).
  • FBI tackles ‘isolated’ IT security breach. The incident at the FBI’s New York field office involved systems used for investigating child sexual exploitation.

Threat intel

  • New ‘MortalKombat’ ransomware targets systems in the U.S. The campaign arrives as an email with a malicious attachment that either tried to encrypt the infected machine or download ‘Laplas Clipper’, which hijacks cryptocurrency transactions. This is interesting as it’s somewhat of a return to individual infections rather than the ‘enterprise’ ransomware of recent years.
  • Hackers start using Havoc post-exploitation framework in attacks. Havoc is being used as an alternative to long-standing favourite Cobalt Strike and relative newcomer Brute Ratel.
  • New Mirai botnet variant has been very busy, researchers say. The botnet, which Palo Alto Networks calls V3G4, uses thirteen vulnerabilities to exploit smart devices.
  • Researchers unearth Windows backdoor that’s unusually stealthy. The technique — which Sophos calls Frebiis — abuses the ‘Failed Request Event Buffering’ feature in Microsoft’s IIS web server to exfiltrate data from an already compromised network.


  • Apple releases iOS 16.3.1 and other updates with fix for “actively exploited” bug.
  • Microsoft fixes three zero-days in its 75-flaw February Patch Tuesday. A further nine critical flaws were also patched.
  • Fortinet fixes critical RCE flaws in FortiNAC and FortiWeb. CVE-2022-39952 affects FortiNAC and scores a critical rating of 9.8, while CVE-2021-42756 in FortiWeb scores slightly less (but no less critical) 9.3/10.

Cyber defence

  • Mapping your supply chain. Advice from NCSC for ‘medium to large organisations’.

Operational technology

  • The return of ICEFALL: Two critical bugs revealed in Schneider Electric tech. CVE-2022-45788 and CVE-2022-45789 affect Schneider’s Modicon programmable logic controllers (PLCs). The vendor released a security advisory to customers last month, though it’s unlikely they will have been able to apply those mitigations yet. Forescout security researchers discovered the vulnerabilities last year, though they weren’t disclosed at the same time as the other 56 ‘ICEFALL’ vulnerabilities (vol. 5, iss. 26).


  • Android launches yet another way to spy on users with “Privacy Sandbox” beta. The move is similar to Apple’s existing block of third-party cookies and will see users being profiled on-device, with the ability to block ads for the interest groups it identifies. Perhaps more importantly, the same Privacy Sandbox mechanism will be coming to Google’s Chrome browser later this year.
  • EU lawmakers argue against signing US data-transfer pact. The European Parliament’s Committee on Civil Liberties, Justice and Home Affairs has issued a non-binding opinion that the Data Privacy Framework falls short of the GDPR standards afforded to EU citizens.


  • “Regulators need to scrutinise tech vendors and other digital companies far more closely”, says Gillian Tett for the Financial Times in a piece looking at the vulnerability of the financial system in the wake of the ransomware attack at Ion Group (vol. 6, iss. 6) and ‘ripples’ through international markets.

Law enforcement

  • Spain, U.S. dismantle phishing gang that stole $5 million in a year. The group comprised nine individuals and conned around 200 individuals and companies in a year.
  • Russian with alleged ties to Putin convicted in hack-and-trade scheme. Vladislav Klyushin, the owner of Russian cyber security firm M-13, had compromised firms used to issue statements and filings to the financial markets, giving him the inside track on where to invest. The scheme made 900% returns over a period when the market grew by 25%, putting them firmly on the radar for insider trading.
  • Europol busts ‘CEO fraud’ gang that stole €38M in a few days. Police have arrested eight suspects, six in France and two in Isreal, for the business email compromise (BEC) scams involving stealing €38 million ($40.3 million) in one case.

Mergers, acquisitions and investments

  • Oligo raises $28M to secure open source libraries at runtime.

And finally

“A social engineering masterclass”

A comic strip showing three sheep on each other’s shoulders in a trench coat trying to get away with buying a single adult ticket. The cashier falls asleep while counting the sheep. (Source: TheJenkinsComic)

Top work TheJenkinsComic and h/t to Mike for bringing this one to my attention. @AppSecBloke,


  Robin's Newsletter - Volume 6

  Twitter Multi-factor authentication (MFA) SMS Lancashire Police Industrial control systems (ICS) Cyber warfare Disinformation GoDaddy Dashboards Hacktivism Anonymous ICEFALL Supply chain Social engineering