Robin’s Newsletter #292

21 January 2024. Volume 7, Issue 3
Microsoft email accounts compromised by Russian espionage group. Bumper password dump added to HIBP? Gaza phone services out for a week.

This week

Email accounts of Microsoft execs compromised by Russian actors

  • Microsoft says that Russian-linked actors from Midnight Blizzard (aka APT29 or Cozy Bear) compromised the email accounts of senior leadership, cyber security, legal and other employees to find out what Redmond knew about the group.
  • The accounts were compromised via a “password spray attack” in November 2023 against a “legacy non-production test tenant” that was then able “to access a very small percentage of Microsoft corporate email accounts.” Microsoft detected the attack on 12th January, around two months later.
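The spray pattern described in the story above, as an added illustration (example code written for this issue, not tooling from Microsoft or the newsletter; the log format, the 10-minute window and the 5-account threshold are assumptions):

```python
# Added example: flag password-spray behaviour in constructed sign-in records.
# A spray tries one or two passwords against MANY accounts, so the signal is
# "many distinct usernames failing from one source in a short window", which is
# the opposite shape to a brute force ("many failures for one username").
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real data): timestamp, source IP, user, result.
SAMPLE_LOG = """\
2023-11-20T03:00:01Z 203.0.113.7 alice FAIL
2023-11-20T03:00:02Z 203.0.113.7 bob FAIL
2023-11-20T03:00:03Z 203.0.113.7 carol FAIL
2023-11-20T03:00:04Z 203.0.113.7 dave FAIL
2023-11-20T03:00:05Z 203.0.113.7 erin FAIL
2023-11-20T03:00:06Z 203.0.113.7 frank SUCCESS
2023-11-20T03:05:00Z 198.51.100.9 alice FAIL
2023-11-20T03:05:10Z 198.51.100.9 alice FAIL
2023-11-20T03:05:20Z 198.51.100.9 alice FAIL
2023-11-20T03:05:30Z 198.51.100.9 alice SUCCESS
"""

def parse(lines):
    """Yield (timestamp, ip, user, result) for each space-separated record."""
    for line in lines.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result

def detect_spray(log, window=timedelta(minutes=10), min_users=5):
    """Return {source_ip: {...}} for every source whose FAIL events cover at
    least `min_users` distinct accounts inside one `window`. A SUCCESS from the
    same source at or after the window start is recorded too: that is the
    account the spray actually landed on, which is what triage cares about."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in sorted(parse(log)):
        by_ip[ip].append((ts, user, result))
    alerts = {}
    for ip, evs in by_ip.items():
        for i, (start, _, _) in enumerate(evs):  # sliding window per source
            users = {u for t, u, r in evs[i:] if r == "FAIL" and t - start <= window}
            if len(users) >= min_users:
                hits = sorted(u for t, u, r in evs if r == "SUCCESS" and t >= start)
                alerts[ip] = {"failed_users": sorted(users), "later_success": hits}
                break
    return alerts
```

The second source (198.51.100.9) fails repeatedly against one account and is correctly not flagged; a separate brute-force rule would catch that shape.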

Bumper password dump contains 25 million new, unique credentials

  • A new password dump containing nearly 71 million unique credentials has been added by Troy Hunt to Have I Been Pwned? The dump contained around 25 million passwords that weren’t previously in the breach database, pointing to new accounts or services compromised through credential stuffing, phishing or info-stealer malware. Cybercriminals have been trading the dump on underground forums over the last four months.

Interesting stats

2x (£25M) spent by the British government on overseas cyber security programmes to aid foreign governments in improving their cyber resilience in 2022-23 compared to the previous year, according to the Cabinet Office minister

❓What is the estimated financial impact of the cyber attack against Ukraine’s Kyivstar telco? A) $35M, B) $95M, C) $152M? Answer

Other newsy bits / in brief 

  • Internet services in Gaza have been disrupted for over a week after damage to Paltel infrastructure in Khan Younis (a city in the south of Gaza). The outage is the most prolonged blackout since the Israel-Hamas conflict began in October 2023.

  • Integrity: Fujitsu and the Post Office knew about bugs in the Horizon IT system “from the very start”, according to testimony from a Fujitsu exec. “I have seen some evidence of editing witness statements”, Paul Patterson, Fujitsu’s European chief, told the public inquiry.

  • The British Library has begun restoring its digital services after a ransomware attack 11 weeks ago. The full programme may take the rest of the year at an estimated cost of £6 million (vol. 7, iss. 1). 

  • VF Corporation, owner of brands including Vans and The North Face, says that attackers stole the personal data of over 35 million customers from the company in December 2023. The disclosure was made in a regulatory filing, which did not mention the types of stolen information but did mention that some systems were encrypted, suggesting it was a ransomware attack.

  • The US’ Cyber Safety Review Board needs greater transparency around how it selects members and incidents to investigate, plus the power to subpoena companies, Congress heard this week. Addressing the lack of authorities and the dependence on companies’ voluntary participation in investigations would close the gap to the National Transportation Safety Board, on which the board was modelled.

  • Threat researchers at Google say that Coldriver (aka Star Blizzard), linked to Russia’s Federal Security Service (FSB), is switching up from credential phishing to using custom backdoor malware delivered by email to achieve their objectives. The Coldriver group targets academia, defence industrial base, government organisations, politicians, and think tanks in NATO countries.

  • PixieFail: Nine vulnerabilities in the IPv6 stack of TianoCore’s popular EDK II library can lead to denial of service, DNS cache poisoning, network session hijacking, and remote code execution. The Preboot Execution Environment (PXE, or pixie) is a spec allowing computers and network devices to be installed or configured at boot.

  • Database servers with default passwords are being compromised by automated bots and their contents deleted, upon which the attacker demands a ransom to ‘restore’ the data… having only ‘backed up’ the first 10-20 rows of data.

  • BreachForums administrator Connor Fitzpatrick was sentenced to 20 years of supervised release by a federal judge this week. The 21-year-old, aka pompompurin, pleaded guilty to owning and operating the cybercrime forum and possessing child pornography in July 2023.

📚 Long reads:

🪲 Patch now: 

🚀 Investments, mergers and acquisitions: 

  • Snyk has acquired microservices security firm Helios for an undisclosed sum
  • Oleria, a platform with an “adaptive approach to identity security”, has announced a $33 million Series A funding round. The platform isn’t generally available yet but promises to secure “over-provisioned and complex” app access. It sounds similar to Push Security.

And finally

Answer

  • $95 million is the estimated impact of the cyberattack on Ukraine’s Kyivstar telco, according to parent company Veon, made up largely of lost revenue and customer loyalty measures.
Robin
