Robin’s Newsletter #93

29 March 2020. Volume 3, Issue 13
FBI COVID-19 scam warning; FIN7 mailing malware USB keys; predicting attacks from Russian APTs.

Drop by the Security Watercooler

This week I’m going to be trialling an idea around a virtual ‘Security Watercooler’ to break up the day and showcase different viewpoints. Each day will feature a short (20-30min) video call co-hosted with other folks from the security industry. Each day of the week aligns to a different part of the NIST Cybersecurity Framework. So this Monday (quite possibly today when you’re reading this) it’s Identify and I’m going to be talking risk universes with CISO Mentor’s Phil Huggins. Let me know you’d like to be invited by registering your email.

This week

Some COVID-19 related guidance again upfront this week.

FBI warning on Coronavirus fraud schemes

The FBI is seeing an increase in COVID-19 themed cyber-crime in three forms: Fake CDC emails; phishing emails; counterfeit treatments or equipment. Fraudsters are capitalising on people’s fear to try and con them out of money. Keep an eye out for unsolicited emails on the following topics:

  • Charitable contributions
  • General financial relief
  • Airline carrier refunds
  • Fake cures and vaccines
  • Fake testing kits

More info on the Internet Crime Complaint Centre website.

Data protection for community groups

Some clear advice from the UK Information Commissioner’s Office for the community groups springing up to help the vulnerable or self-isolating during the COVID-19 pandemic. Key takeaway: have a think about the sort of data you may capture, how you plan to store it, and when/what you may need to share.

Advice for schools from NCSC

The UK’s NCSC have published a set of cyber security “practical tips” for schools and those in education. Please pass on to any teachers or school governors you know.

Something from my business, Cydea… We know lots of IT and security teams are rushed off their feet right now. So we pulled together a list of resources for popular remote working tools so folks can (go back and) get stuff secured plus keep on top of any future security updates.

Interesting stats

40,000 phishing alerts sent by Google in 2019, down… 25% on those sent during 2018, with… 20% of those targeted being warned multiple times, according to Google

17% of ransomware attacks begin from third-party access, according to Beazley Breach Response

Other newsy bits

Insurer Chubb possible victim of ransomware attack

Cyber insurance provider Chubb is investigating a ransomware incident after the Maze group claimed to have encrypted their data. (That Chubb is investigating, rather than confirming, seems to back up their claim that it was a third party, not their own network, that was compromised.) It was @JoshuaMotta’s tweet that caught my eye: insurance companies that offer cyber policies make themselves a target for attacks because, if a breach is successful, the attackers get a list of companies who have insurance and, therefore, may be more likely to pay up.

FIN7 are mailing USB thumb drives of malware

USB thumb drives containing malware from the FIN7 group have been mailed to target companies in the US. While ‘USB drops’ have been popular with pen testing firms, these sorts of tactics are not usually exhibited by cyber-criminals. These groups traditionally look for low-cost, and difficult to trace, ways to contact their victims. FIN7, who are believed to have netted over $1 billion from their attacks in recent years, is not your average group though. They are well organised and resourced, with some details of their operations coming to light after the trial of Fedir Hladyr, a system administrator for the group (vol. 2, iss. 37). The move from the well-resourced group makes sense as they probe different ways of getting access to an organisation. (If you have kanban boards for managing attacks, it’s not a stretch to imagine them doing A/B testing on attack vectors!) You should never plug in a USB key you find lying around. The same applies to giveaways at conferences and, of course, unsolicited stuff you get in the post.

Predicting attacks from Russian APTs

An interesting piece of analysis from Booz Allen Hamilton. Their threat intelligence team have analysed public intelligence on 200 attacks, spanning 15 years, that have been linked to Russia’s military intelligence agency, the GRU (aka Fancy Bear, Sandworm). In each case, the attack was in response to an action that clashed with one of 23 risks identified in Russian military doctrine. The takeaway is that if your nation, or organisation, is at odds with Russia’s foreign policy, then you should be on heightened alert as a target of espionage, disruption, or disinformation campaigns. You can access the report on BAH’s website, though it is behind a registration wall.

In brief

Attacks, incidents & breaches

  • AMD confirms intellectual property related to its graphics processors was stolen last year, now being posted to GitHub, Pastebin
  • PII of General Electric (GE) employees accessed by compromise of supplier email system
  • Account details of 538 million Weibo users, dating to mid-2019, for sale for just $250
  • South Korea the prime suspect in a sophisticated espionage campaign against North Korea that used five zero-day exploits

Threat intel

  • Source code of ‘Dharma’ ransomware pops up for sale on hacking forums for US$2,000
  • Phineas Fisher pays $10,000 for Chilean military hacker under hacktivist ‘bug-bounty’ programme (vol. 2, iss. 46)

Security engineering

Internet of Things

  • DNS hijack attack targeting Linksys routers prompts users to download a ‘WHO COVID-19 app’
  • DrayTek Vigor routers being actively exploited by two groups, capturing credentials from plaintext protocols and creating backdoor accounts


Law enforcement

  • Russia’s FSB shuts down card fraud ring, charges 25 people, for stealing data from 90 websites

And finally

“Can you just update this spreadsheet and send it back to me?”

There are many examples of people accidentally leaking email addresses by pasting them in the ‘to’ or ‘cc’ fields. Watford Community Housing went a step further this week, sending a spreadsheet of over 3,500 people’s personal data to recipients. The data included names, addresses and dates of birth, then went on to list the religion, sexual orientation, ethnic origin and disability status of each individual. WCH have reported themselves to the ICO.

