Robin’s Newsletter #249

26 March 2023. Volume 6, Issue 13
TikTok bans continue, Russia bans iPhones from Putin’s inner circle, China & Russia set sights on tech sovereignty

This week

TikTok bans continue, Russia bans iPhones from Putin’s inner circle, China & Russia set sights on tech sovereignty 

Clop ransomware attacks against GoAnywhere mount

  • GoAnywhere: victims of the 130 organisations which the Clop ransomware gang claims to have compromised continue to come forward, with TechCrunch reporting comments from the City of Toronto and Procter & Gamble this week. The UK Pension Protection Fund, which manages over £39 billion of assets, has also confirmed it is a victim. The cybercriminals exploited a vulnerability in the GoAnywhere file transfer system (vol. 6, iss. 7).
  • Fortra develops the GoAnywhere software; the company went by the name HelpSystems until November last year. Before the rebrand, HelpSystems had grown to “more than 3,000 employees with offices in 18 countries and over 30,000 global customers”. They have acquired several cyber security brands, including Alert Logic, Digital Guardian, PhishLabs and Tripwire.
  • Cobalt Strike: I hadn’t connected the dots previously, but as well as GoAnywhere, Fortra also owns Cobalt Strike, the “software for adversary simulations”. Cobalt Strike is popular with cyber criminals, such as Clop, who appear to have used the tool while compromising Fortra’s GoAnywhere customers.

Interesting stats

6 healthcare operators were attacked by ransomware gangs in February 2023, the lowest monthly count since January 2020, down from 17 attacked in February 2022, and 25 in February 2021, according to Recorded Future.

Other newsy bits / in brief

And finally

BreachForums administrator self-own

  • Connor Fitzpatrick, the administrator of BreachForums who goes by the handle Pompompurin, was partly identified by the FBI because of chat logs from a previous breach forum. The logs showed a message from Pompompurin complaining that a data breach posted to the site did not include “one of my old emails” that he’d checked using Have I Been Pwned. Pompompurin shared the email address while trying to throw others off the scent by saying it wasn’t his actual email address for “obvious reasons”.
