Robin’s Newsletter #359

4 May 2025. Volume 8, Issue 18
Co-op, Harrods join M&S as victims of Scattered Spider breaches. Spanish power outage not a cyberattack. RDP lets you login with old creds.

This week

Need to Know, 4th May 2025

  • RDP doesn’t invalidate credentials on password change
  • Co-op, Harrods add to UK retailers hit by Scattered Spider
  • AirPlay vulns leave devices exposed to remote code bugs
  • North Korea IT workers won’t insult Dear Leader
  • US to “normalize” offensive cyber operations
  • Iberian power outage not a cyber attack

Interesting stats

75 zero-day vulnerabilities were exploited in 2024 (down from 97 in 2023), with 50%+ being used in spyware attacks, and 5 each for North Korea and China-aligned state actors, according to Google. LINK

Five things

  1. A growing number of UK retailers have been targeted in suspected ransomware attacks. Marks & Spencer's online operations are still affected, with some food items unavailable via partner Ocado, 200 agency staff at a distribution hub ordered to stay home, and bosses asking customers to visit physical stores to make purchases and stem £3.8 million/day in revenue losses. Convenience store chain Co-op is also dealing with a cyberattack, and its employees are being asked to keep cameras on during video calls to verify attendees. Instructions also say, "Don't record or transcribe Teams calls", presumably to avoid details being made available to attackers still lurking in the network (though it also minimises discoverable records). "Proactive measures" taken to contain the incident include suspending VPN and remote access. Lastly, Harrods became the third retailer to confirm a cyberattack. All three are known to be working with the National Cyber Security Centre (NCSC), which described the attacks as a "wake-up call" for retailers. The attacks reportedly share a common adversary in the Scattered Spider group and the DragonForce ransomware-as-a-service operation. Scattered Spider is a loosely affiliated group that uses social engineering to gain access to systems via IT help desks (like LAPSUS$). The US Cyber Safety Review Board (CSRB) investigated the group, and SANS has suggestions for defending against these tactics, techniques and procedures (TTPs). M&S, CO-OP, HARRODS, CSRB (PDF), TTPs

  2. Microsoft RDP allows users to log in with old credentials, even after they have been changed, and Microsoft says that is a "design decision to ensure that at least one user account always has the ability to log in no matter how long a system has been offline." Windows caches credentials locally and, if the supplied password matches the cached copy, grants RDP access without checking back with the identity provider. Changing the password - a typical early step in securing an account after a suspected compromise - therefore does not revoke RDP access using the old credentials. No Defender, Entra, etc. logs are generated either, making it difficult to detect. Microsoft has not advised how to prevent this behaviour. One to be aware of if you make use of Remote Desktop in your environment. RDP, DOCS
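As an added example (not from the newsletter, the linked report or Microsoft), here is a PowerShell check you can run on a Windows host to gauge exposure to the behaviour above. It reads the long-standing "Interactive logon: Number of previous logons to cache" policy value for Active Directory domain accounts (the Winlogon CachedLogonsCount registry value, default 10; setting it to 0 disables cached domain logons but also stops offline sign-in), and it lists recent Security event 4624 logons whose logon type is the RDP type (10) or one of the cached types (11, 12, 13) in Microsoft's logon-type table, meaning the domain controller was not contacted. Whether that policy also governs the Microsoft/Entra account case the report concerns is not something the page establishes, and you should validate in your own environment which logon type a cached RDP session produces; the script assumes it is run as an administrator with logon auditing enabled.

```powershell
# Added example, not code from the newsletter or from Microsoft.
# Assumptions: run elevated; 'Audit Logon' success auditing is enabled so
# event 4624 is written to the Security log.

function Get-CachedLogonSetting {
    # Domain accounts: 'Interactive logon: Number of previous logons to cache'
    # is stored as the REG_SZ value CachedLogonsCount (default "10").
    # "0" disables caching, at the cost of offline logon with domain credentials.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $count = (Get-ItemProperty -Path $key -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $count) { $count = '10 (value absent, default applies)' }
    [pscustomobject]@{ Setting = 'CachedLogonsCount'; Value = $count }
}

function Get-RemoteAndCachedLogons {
    param([int]$Days = 7)
    # Logon types from Microsoft's 4624 documentation:
    #   10 RemoteInteractive (RDP)   11 CachedInteractive
    #   12 CachedRemoteInteractive   13 CachedUnlock
    # Types 11-13 indicate locally cached credentials were used and no DC was contacted.
    $types = @{ 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
                12 = 'CachedRemoteInteractive'; 13 = 'CachedUnlock' }
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the EventData name/value pairs out of the event XML.
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $lt = [int]$d['LogonType']
        if ($types.ContainsKey($lt)) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                LogonType = "$lt ($($types[$lt]))"
                Cached    = ($lt -ge 11)          # true for the cached variants only
                SourceIP  = $d['IpAddress']
                AuthPkg   = $d['AuthenticationPackageName']
            }
        }
    }
}

Get-CachedLogonSetting
Get-RemoteAndCachedLogons -Days 7 | Sort-Object Time -Descending | Format-Table -AutoSize
```

If the first function reports a non-zero cache count on hosts that expose RDP, a password reset alone is not a revocation; pair it with forcing the host to re-authenticate against the directory (or disabling caching where offline logon is not needed) and check the second function's output for cached-type logons after the reset.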

  3. Ask potential IT recruits "How fat is Kim Jong Un?" during interviews to help weed out fraudulent North Korean IT workers, says CrowdStrike. Of course, there's always a chance your legitimate employees are just outsourcing their work to developers in North Korea and China anyway. LINK, OUTSOURCING

  4. A massive power outage in Spain and Portugal was caused by “very strong oscillation” in the network. There had been claims that it was a cyber-attack, though grid operator Red Eléctrica and the EU cyber agency ENISA have downplayed these. Bringing power back from a ‘black start’ is a challenge and requires generation capacity to be brought back in a considered way. Most large power stations require electricity to operate, so smaller sites need to be brought back first, while not overloading their capacity. OUTAGE, BLACK START

  5. From puppies 🐶 to goats 🐐 here’s everything you need to know from the RSA Conference 2025 petting zoo, in less than 3 minutes. LINKEDIN

In brief

⚠️ Incidents: Iran says that it prevented a "widespread and complex" attack on the country's infrastructure last week. VeriSource, an HR service provider, says that 4 million, rather than 112,000, people may have been impacted by a February 2024 data breach it has investigated for over a year. Ukrainian cloud provider De Novo suffered disruption last weekend caused by a power outage. The CEO of a cyber security company installed malware on a hospital guest computer that took a screenshot and copied it to a remote system every 20 minutes. Canada's Nova Scotia Power suffered disruption to a customer support telephone line and web portal after discovering a cyber incident and taking some systems offline. SK Telecom is to provide free replacement SIM cards to its 25 million subscribers following a recent cyber incident in which malware was detected running on its network. Ascension Health says a former partner suffered a cyber breach and "inadvertently disclosed" some of its patients' medical data. IRAN, VERISOURCE, DE NOVO, HOSPITAL, NOVA SCOTIA, SK TELECOM, ASCENSION

🏴‍☠️ Ransomware: The DragonForce group is recruiting other ransomware-as-a-service operators. A subsidiary of Japanese multi-national Hitachi that provides data storage and ransomware recovery services has suffered an Akira ransomware attack. Japanese logistics company Kintetsu World Express (KWE) has confirmed a ransomware attack, disrupting its business and claimed by the 888 ransomware group. DRAGONFORCE, HITACHI, KWE

🕵️ Threat Intel: The FBI has shared a list of 42,000 phishing domains associated with the LabHost phishing-as-a-service operation, which was dismantled in 2024. The list is intended to serve as potential indicators of compromise, and I expect security vendors to build it into their products. LABHOST

🪲 Vulnerabilities: Unpatched Apple and third-party AirPlay devices are susceptible to a set of vulnerabilities, dubbed AirBorne, that can lead to remote code execution. LINK (ADVISORY)

🧑‍💻 End user and consumer: Researchers at the Graz University of Technology in Austria have been able to bypass juice jacking protections in iOS and Android using a special charger that also acts as a Bluetooth keyboard. JUICE JACKING

🧰 Guidance and tools: Kali Linux has lost its signing key and needs users to add a new one to continue receiving updates. It sounds like the private key was lost rather than its confidentiality being compromised. NCSC has released guidance on Advanced Cryptography. KALI, CRYPTOGRAPHY

🛠️ Security engineering: Microsoft is to charge $1.50/core/month for a hot patch service that doesn’t require rebooting servers during software updates. HOTPATCH

🧿 Privacy: Law enforcement is increasingly using warrants to obtain connected car data to pinpoint the location of suspects and other targets of investigations. The ICO has praised the British Library for its response and decided to cease further investigation into the October 2023 attack. (Disclosure: I hold a board committee position at the British Library) The Irish Data Protection Commission (DPC) has ordered ByteDance, the company behind TikTok, to pay a €530 million ($600M) fine for data transfer violations. CONNECTED CAR, LIBRARY, TIKTOK

📜 Policy & Regulation: US Secretary of Homeland Security Kristi Noem used a speech at the RSA Conference to call for Congress to reauthorise a key piece of cyber threat intelligence sharing legislation while justifying cuts at CISA to state-level and election infrastructure programmes. Also at RSA, Alexei Bulazel, senior director for cyber at the National Security Council, told attendees he wants to "destigmatize" offensive cyber operations and "increase costs" on adversaries. Raytheon and Nightwing Group have agreed to pay $8.4 million to settle Defense Department claims they had insufficient cyber security protections. NOEM, CYBER OPS, RAYTHEON

👮 Law Enforcement: A disgruntled former Disney employee has been sentenced to 36 months in prison and fined $688,000 for making unauthorised changes to a food menu system. Tyler Buchanan, 23, from Scotland, has been extradited to the United States to face charges of wire fraud and identity theft relating to Scattered Spider attacks. DISNEY, SPIDER

💰 Investments, mergers and acquisitions: Quite a few announcements timed to the RSA Conference. Cynomi has closed a $37 million Series B round for an agentic vCISO platform. Identity verification outfit Persona announced a $200 million Series D valuing the business at $2B. Veza, also in the identity space, scored $108 million in its Series D. Cloud security platform Sentra closed a $50 million Series B. CYNOMI, PERSONA, VEZA, SENTRA

🗞️ Industry news: DarkTrace wants to be an "80 to 90 per cent partner-led business". Over 30 cyber professionals have signed a letter to President Trump denouncing the "spurious and retaliatory targeting" of former CISA director Chris Krebs and his most recent employer, SentinelOne. DARKTRACE, KREBS

And finally

  • Cartoonist Matt has been on top form with a few cyber-related strips this week: X/TWITTER

There are some substitutions. Cyber attackers changed your order to 400 jars of pickled gherkins (Source: @MattCartoonist)

Robin