This week
This week marks seven years of this newsletter landing in subscribers’ inboxes every Sunday.
What started as a way to keep me abreast of what was going on in the wild world of cyber has grown into something much more than that, with subscribers ranging from students and career changers to some of the world’s top security professionals protecting massive consumer brands, democratic institutions, and critical infrastructure.
Thank you to the thousands of you for lending me your time on Sunday evening / Monday morning every week, for your generous feedback, suggestions, and tips, and for recommending that your friends, peers, and others subscribe. It means the world when you get in touch and I hear how it’s helped you prioritise what you need to do, save considerable time, and make yourself look smarter in front of your peers or (prospective!) boss.
I also want to give a special mention to my wife. She knows how important this is to me and puts up with me disappearing for a few hours every week to pull this together.
If you fancy doing something in return, it would be wonderful if you bookmark and check out some of these fantastic UK cyber security startups. I’m sure you’ll find something great for your security programme when you’re next looking to up your game:
- CybSafe “the human risk management platform”
- Harmonic Security “zero touch data protection”
- Intruder “real-time discovery and prioritisation of attack surface weaknesses”
- Immersive Labs “cyber drills, exercises, sims, ranges, and training”
- Push Security “stop identity attacks in the browser”
- Risk Ledger “connect, visualise and protect your supply chain”
- ThinkCyber “real-time cyber security awareness training”
- Tracebit “detecting intrusions without intensive effort or noise”
- And, of course, Cydea (my company) “quantify your cyber risk and build an effective security programme”
Thank you!

- Meta, Yandex de-anonymising Android users
- Bucolic Hills, Disruptive Birdy, ADS001, CVE-Central to collab on threat actor naming
- German regulator issues €45M fine to Vodafone for auth, partner weaknesses
- £47M lost to HMRC fraudsters through phishing scams
- Cartier, North Face suffer unrelated incidents as retail breaches continue
Interesting stats
$4.5 million in damage racked up by a 35-year-old arrested by Ukrainian police this week after compromising 5,000 hosting accounts. LINK
900 organisations have been breached by the Play ransomware gang, according to CISA and ACSC, up 600 (3x) since October 2023. LINK
Five things
- UK tax authority HMRC says that £47 million was lost to fraudsters last year. The “small loss to the taxpayer” was caused by cybercriminals phishing or credential stuffing their way into the HMRC accounts of around 100,000 people and filing fake tax claims. Individuals will not be left out of pocket, and HMRC officials added that their systems had stopped £1.9 billion of fraud last year. The disclosure came as part of Parliament’s Treasury Select Committee oversight, with chair Dame Meg Hillier “gently — or perhaps not so gently” reminding HMRC’s chief executive John-Paul Marks that “it would be normal” to advise of such matters in advance, “not to have it announced during the committee hearing.” HMRC, MORE
- Germany’s data protection regulator, the Federal Commissioner for Data Protection and Freedom of Information (BfDI), has fined Vodafone €45 million ($51M; £38M) for two GDPR violations. The larger of the two, €30 million, was for weaknesses in the telco’s customer web portal and support line; the remaining €15 million was because it had not “adequately checked and monitored partner agencies working for it”, which filed fictitious contracts or changed terms to the disadvantage of customers. Vodafone says that it “regrets that customers were negatively affected” and that “systems and measures in place at the time ultimately proved to be insufficient”. The company says it has since fundamentally revised its systems and processes. VODAFONE
- De-anonymising: Meta and Yandex have been circumventing sandbox protections on Android to identify users and link browsing behaviour to user accounts. The tracking pixels, used by both companies to follow users around the web and measure the effectiveness of advertising, had been updated to make local connections to their respective native apps, allowing them to tie ephemeral browser sessions to persistent, logged-in identities. Google says the actions violate its Play Store terms of service and customers’ privacy expectations. TRACKING PIXELS
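The check a practitioner would want after reading that item is whether any page in their own estate is quietly talking to the loopback interface. The following is an added example for this newsletter, not code from Meta, Yandex or Google: it takes a list of browser network-log records (top-level page URL plus request URL, a shape that is an assumption here; a HAR export can be mapped onto it) and flags requests from a remote page to localhost, 127.0.0.0/8 or ::1. The sample records are constructed for illustration.

```python
"""Flag web requests from a non-local page to the device's loopback interface.

Added example for the newsletter item above; not code from any of the companies named.
Input shape (page URL + request URL per record) is an assumption; records are constructed.
"""
import ipaddress
from urllib.parse import urlsplit


def _host_is_loopback(host):
    """True for 'localhost', '*.localhost', 127.0.0.0/8 and ::1 (brackets stripped)."""
    if host is None:
        return False
    h = host.strip("[]").lower()
    if h == "localhost" or h.endswith(".localhost"):
        return True
    try:
        return ipaddress.ip_address(h).is_loopback
    except ValueError:
        # Not an IP literal (e.g. '127.0.0.1.example' is a hostname, not an address).
        return False


def is_loopback_target(url):
    """True when the request URL points at the loopback interface."""
    return _host_is_loopback(urlsplit(url).hostname)


def find_local_bridges(records):
    """Return (page, url) pairs where a page served from a remote origin made a
    request to the local machine. Pages that are themselves local (dev servers)
    are skipped because loopback traffic is expected there."""
    hits = []
    for rec in records:
        if _host_is_loopback(urlsplit(rec["page"]).hostname):
            continue
        if is_loopback_target(rec["url"]):
            hits.append((rec["page"], rec["url"]))
    return hits


# Constructed sample log: one shop page, several third-party requests.
SAMPLE_RECORDS = [
    {"page": "https://shop.example/checkout", "url": "https://shop.example/api/cart"},
    {"page": "https://shop.example/checkout", "url": "https://tracker.example/tr?id=123"},
    {"page": "https://shop.example/checkout", "url": "http://127.0.0.1:12345/?id=abc"},
    {"page": "https://shop.example/checkout", "url": "ws://localhost:4444/"},
    {"page": "https://shop.example/checkout", "url": "http://[::1]:8081/ping"},
    {"page": "http://localhost:3000/", "url": "http://127.0.0.1:3000/hot-reload"},
    {"page": "https://shop.example/checkout", "url": "https://127.0.0.1.example/x"},
]

if __name__ == "__main__":
    for page, url in find_local_bridges(SAMPLE_RECORDS):
        print(f"loopback bridge: {page} -> {url}")
```

The check only sees traffic that surfaces as a URL request in the log (HTTP, WebSocket); a channel that never appears there would need to be caught at the network or app-sandbox layer instead, so treat a clean result as necessary rather than sufficient.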
- Retail cyber attacks continued this week, with jeweller Cartier and apparel company The North Face falling victim to attackers. The North Face says attackers swiped the personal information of around 3,000 customers in April through credential stuffing attacks — where customers had reused credentials from previously compromised sites — which Bleeping Computer notes is the fourth such attack on the company since 2020. Meanwhile, Cartier told customers that “an unauthorised party gained temporary access to our system” and made off with “limited client information,” such as names and email addresses. In neither case was payment information compromised. Details of the ransom note sent to M&S have been released, with attackers describing how they “mercilessly raped your company”. It isn’t easy to understand the emotional toll that these large incidents have if you haven’t been through one yourself. (I wouldn’t wish it on anyone). NORTH FACE, CARTIER, MORE, M&S
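Credential stuffing has a distinctive shape in login logs: many different usernames tried from one source, each once or twice, a high failure rate, and the occasional success where the reused password still works. The block below is an added example for this newsletter, not code from The North Face or any vendor; the log line format, the ten-minute window and the thresholds are assumptions, and the sample lines are constructed. It separates stuffing from single-account brute force (one user, many failures), which the same thresholds deliberately do not flag.

```python
"""Spot credential-stuffing patterns in web login logs.

Added example for the newsletter item above; not code from any company mentioned.
Log format, window and thresholds are assumptions; sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line: "<ISO8601 UTC> login ip=<addr> user=<name> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "ip": m["ip"], "user": m["user"], "ok": m["result"] == "OK"}


def detect_stuffing(lines, window=timedelta(minutes=10), min_users=20, min_fail_ratio=0.8):
    """Per source IP, slide a time window over its login events and alert when the
    window holds >= min_users distinct usernames with a failure ratio >= min_fail_ratio.
    Successful logins inside an alerting window are listed as likely compromised."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(1 for e in win if not e["ok"])
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                # Keep the widest qualifying window seen for this source.
                if ip not in alerts or len(win) > alerts[ip]["attempts"]:
                    alerts[ip] = {
                        "attempts": len(win),
                        "distinct_users": len(users),
                        "fails": fails,
                        "compromised": sorted(e["user"] for e in win if e["ok"]),
                    }
    return alerts


# Constructed sample: one stuffing source, one single-account brute force, one normal login.
SAMPLE_LINES = (
    [f"2025-06-01T10:00:{i:02d}Z login ip=203.0.113.9 user=user{i:02d} result=FAIL" for i in range(23)]
    + ["2025-06-01T10:01:00Z login ip=203.0.113.9 user=reused_pw_01 result=OK",
       "2025-06-01T10:01:05Z login ip=203.0.113.9 user=reused_pw_02 result=OK"]
    + [f"2025-06-01T10:02:{i:02d}Z login ip=198.51.100.7 user=bob result=FAIL" for i in range(30)]
    + ["2025-06-01T10:03:00Z login ip=192.0.2.44 user=carol result=OK"]
)

if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LINES).items():
        print(ip, info)
```

In production the per-IP key is too coarse on its own (stuffing tools rotate through proxies), so the same window logic is usually also keyed on ASN, JA3/JA4 fingerprint or a device signal; the successes it surfaces are the accounts to force a password reset on.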
- Bucolic Hills, Disruptive Birdy, ADS001, CVE-Central: Microsoft and CrowdStrike will work together on threat actor naming. It doesn’t mean you’ll get a standardised set of names at this point, but it does mean they will publicly recognise each other’s names, for example, that Midnight Blizzard, Cozy Bear, APT29 and UNC2452 are all the same group. A list of over 80 threat actors and their corresponding names has been published. Mandiant and Palo Alto’s Unit 42 have also said they’re joining the initiative. I still think Mandiant has the right idea: we don’t need marketing hype names. Don’t glorify the attackers. NAMING, LIST
In brief
- ⚠️ Incidents: SentinelOne says its outage last week stemmed from a flaw in tools used to control its infrastructure, leading to a loss of connectivity. Facebook suffered an outage in October 2021 caused by a similar tooling issue that resulted in needing a ‘cold start’ of their infrastructure (vol. 4, iss. 41). Vanta says it exposed hundreds of customers’ data in other customers’ environments. The data includes employees’ personal data, but Vanta would not confirm to TechCrunch what types. It’s a bad look for a security and compliance company. Unknown actors have compromised the root AWS and GitHub credentials of Indian grocery startup KiranaPro and wiped its servers, code, and data. Ouch. Ukrainian intelligence claims to have compromised systems of Russian aerospace company Tupolev and stolen classified information, including details of employees. Tupolev built and maintains Russia’s strategic bomber fleet, also targeted in recent weeks by Ukraine in an audacious drone attack. Russia uses the bombers to launch cruise missiles at Ukraine, so limiting their operation is a strategic win for Ukraine. SENTINELONE, VANTA, KIRANAPRO, TUPOLEV
- 🕵️ Threat Intel: Google is removing Taiwan’s Chunghwa Telecom and Hungary’s Netlock certificate authorities from the list of CAs trusted by Chrome for “compliance failures, unmet improvement commitments, and the absence of tangible, measurable progress in response to publicly disclosed incident reports”. Google also says a group it’s tracking as UNC6040 is targeting Salesforce users with a modified Data Loader application to steal data from the customer relationship management platform. Loosely affiliated with The Com, but seemingly distinct from Scattered Spider, the group uses social engineering and an IT support lure to get users to grant access to the data. In some instances, this access has been used to move laterally and gain upstream access to Okta, Workspace, and M365 environments. Data from AT&T’s 2021 breach has been combined to link their 70 million customers’ phone numbers, Social Security numbers, and dates of birth. PathWiper, a new strain of wiper malware, has been used against Ukrainian critical infrastructure. PathWiper contains similarities to malware attributed to Russia’s Sandworm group. CERT AUTH, SALESFORCE, AT&T, PATHWIPER
- 🪲 Vulnerabilities: HPE is warning customers of its StoreOnce backup solution about eight vulnerabilities, including a critical authentication bypass (CVE-2025-37093; 9.8/10) and four remote code execution issues. Cisco is warning of three vulnerabilities, including one of critical severity (CVE-2025-20286; 9.9/10) with public exploit code, in its Identity Services Engine (ISE), the network access control platform that decides which users and devices get onto the network. STOREONCE (ADVISORY), CISCO (ADVISORY)
- 🛠️ Security engineering: The react-native-aria NPM package has been compromised to deliver a Remote Access Trojan (RAT). The package has almost 1 million weekly downloads. New research from the University of California, Riverside and Deepbits shows that four popular software bill of materials (SBOM) generators — Trivy, Syft, Microsoft, and GitHub — have deficiencies that lead to missed dependencies. The researchers also introduce a new type of parser confusion attack to smuggle “malicious, vulnerable, or illegal software packages” into the supply chain. REACT, SBOM (PDF)
- 🏭 Operational technology: A bipartisan Senate bill proposes $50 million over the next five years to improve US energy sector cyber security. The Energy Threat Analysis Program Act would have the Department of Energy, CISA, intelligence agencies, and the private sector share threat assessments and mitigations via DOE’s Energy Threat Analysis Center. Over 30,000 solar power devices from 42 different manufacturers are openly accessible on the Internet, according to Forescout, who added that while some require passwords to reach their management interfaces, none of them should be exposed at all. US ENERGY, SOLAR
- 📜 Policy & Regulation: President Trump has issued an Executive Order scrapping much of the Biden Administration’s cyber security agenda. Biden had sought to use federal purchasing power to impose security requirements, such as software bills of materials, on software vendors. The EO billed these as “unproven and burdensome software accounting processes that prioritized compliance checklists over genuine security investments.” The EO keeps the requirement on NIST to update its Secure Software Development Framework but scraps the move for it to “issue guidance identifying minimum cybersecurity practices”. EXEC ORDER
- 👮 Law Enforcement: The US Department of Justice has seized $7.7 million linked to North Korean IT workers. A North Korean Foreign Trade Bank representative was laundering the funds as cryptocurrency. N. KOREA
- 💰 Investments, mergers and acquisitions: Mobile forensics company Cellebrite has announced its intention to acquire Corellium in a deal worth at least $170 million. CORELLIUM
- 🗞️ Industry news: “Effective immediately,” responsibility for UK government cyber security will move from the Cabinet Office to the Department for Science, Innovation and Technology as part of the Government Digital Service. GOV CYBER
And finally
- Check out Tim Orchard and me discussing our takeaways from Infosecurity Europe 2025, including… VIDEO
  - 🏰 Big players, EDR, and exposure management
  - 💻 Browser as the new operating system
  - 🚦 GRC, risk management, and third party
  - 🤖 Agentic AI
  - 💬 Real, complete, total buzzword bingo