Risky Business Podcast

On this weeks show Patrick Gray and Adam Boileau discuss the weeks cybersecurity news:

• New York Times gets a little stolen Russian FSB data as a treat
• iVerify spots possible evidence of iOS exploitation against the Harris-Walz campaign
• Researcher figures out a trick to get Google account holders full names and phone numbers
• Major US food distributor gets ransomwared
• The Coms social engineering of Salesforce app authorisations is a harbinger of our future problems
• Australian Navy forgets New Zealand has computers, zaps Kiwis with their giant radar.

This weeks episode is sponsored by identity provider Okta. Long-time friend of the show Alex Tilley is Oktas Global Threat Research Coordinator, and he joins to discuss how organisations can use both human and technical signals to spot North Koreans in their midst.

This episode is also available on Youtube.

Show notes

• How The Times Obtained Secret Russian Intelligence Documents - The New York Times
• Ukraine's military intelligence claims cyberattack on Russian strategic bomber maker | The Record from Recorded Future News
• Harris-Walz campaign may have been targeted by iPhone hackers, cybersecurity firm says
• iVerify Uncovers Evidence of Zero-Click Mobile Exploitation in the U.S.
• Spyware maker cuts ties with Italy after government refused audit into hack of journalists phone | The Record from Recorded Future News
• Italian lawmakers say Italy used spyware to target phones of immigration activists, but not against journalist | TechCrunch
• Android chipmaker Qualcomm fixes three zero-days exploited by hackers | TechCrunch
• Cellebrite to acquire mobile testing firm Corellium in $200 million deal | CyberScoop
• Apple Gave Governments Data on Thousands of Push Notifications
• A Researcher Figured Out How to Reveal Any Phone Number Linked to a Google Account
• Bruteforcing the phone number of any Google user
• Acreed infostealer poised to replace Lumma after global crackdown | The Record from Recorded Future News
• BidenCash darknet forum taken down by US, Dutch law enforcement | The Record from Recorded Future News
• NHS calls for 1 million blood donors as UK stocks remain low following cyberattack | The Record from Recorded Future News
• Major food wholesaler says cyberattack impacting distribution systems | The Record from Recorded Future News
• Kettering Health confirms attack by Interlock ransomware group as health record system is restored | The Record from Recorded Future News
• Hackers abuse malicious version of Salesforce tool for data theft, extortion | Cybersecurity Dive
• shubs on X: "IP whitelisting is fundamentally broken. At @assetnote, we've successfully bypassed network controls by routing traffic through a specific location (cloud provider, geo-location). Today, we're releasing Newtowner, to help test for this issue: https://t.co/X3dkMz9gwK" / X
• Ross Ulbricht Got a $31 Million Donation From a Dark Web Dealer, Crypto Tracers Suspect | WIRED
• Australian navy ship causes radio and internet outages to parts of New Zealand

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news:

• Cyber firms agree to deconflict and cross-reference hacker group names
• Russian nuclear facility blueprints gathered from public procurement websites
• Someone audio deepfaked the White House Chief of Staff, but for the dumbest reasons
• Germany identifies the Trickbot kingpin
• Google spots China’s MSS using Calendar events for malware C2
• Meta apps abuse localhost listeners to track web sessions.

This week’s episode is sponsored by automation vendor Tines. Its Field CISO, Matt Muller, joins the show to discuss an open letter penned by JP Morgan Chase’s CISO that pleads with Software as a Service suppliers to try to suck less at security.

This episode is also available on Youtube.

Show notes

• 'Forest Blizzard' vs 'Fancy Bear' - cyber companies hope to untangle weird hacker nicknames | Reuters
• Ukraine's Massive Drone Attack Was Powered by Open Source Software
• Massive security breach: Russian nuclear facilities exposed online
• How a Spyware App Compromised Assad’s Army - New Lines Magazine
• Exclusive | Federal Authorities Probe Effort to Impersonate White House Chief of Staff Susie Wiles - WSJ
• Malaysian home minister’s WhatsApp hacked, used to scam contacts | The Record from Recorded Future News
• U.S. Sanctions Cloud Provider ‘Funnull’ as Top Source of ‘Pig Butchering’ Scams – Krebs on Security
• Top counter antivirus service disrupted in global takedown | CyberScoop
• Cops in Germany Claim They’ve ID’d the Mysterious Trickbot Ransomware Kingpin | WIRED
• Australian ransomware victims now must tell the government if they pay up | The Record from Recorded Future News
• Google: China-backed hackers hiding malware in calendar events | Cybersecurity Dive
• Coinbase breach linked to customer data leak in India, sources say | Reuters
• US military IT specialist arrested for allegedly trying to leak secrets to foreign government | The Record from Recorded Future News
• NSO appeals WhatsApp decision, says it can’t pay $168 million in ‘unlawful’ damages | The Record from Recorded Future News
• ConnectWise says nation-state attack targeted multiple ScreenConnect customers | The Record from Recorded Future News
• Google Online Security Blog: Sustaining Digital Certificate Security - Upcoming Changes to the Chrome Root Store
• Meta and Yandex are de-anonymizing Android users’ web browsing identifiers - Ars Technica
• An Open Letter to Third-Party Suppliers

In this week’s edition of Risky Business Dmitri Alperovitch and Adam Boileau join Patrick Gray to talk through the week’s news, including:

• EXCLUSIVE: A Scattered Spider-style crew is hijacking DNS MX entries and compromising enterprises within minutes
• The SVG format brings the all horrors of HTML+JS to image files, and attackers have noticed
• Brian Krebs eats a 6.3Tbps DDoS … ‘cause that’s how you demo your packet cannon
• Law enforcement takes out Lumma Stealer, Qakbot, Danabot and some dark web drug traffickers
• Iranian behind 2019 Baltimore ransomware mysteriously appears in North Carolina and pleads guilty
• CISA’s leadership is fleeing in droves, even though the US needs them more than ever.

This week’s episode is sponsored by Thinkst Canary. Long time friend of the show Haroon Meer joins and talks through where he feels the industry is at, having just returned home from the AI-fueled hype at this year’s RSA conference.

This episode is also available on Youtube.

Show notes

• China-linked ‘Silk Typhoon’ hackers accessed Commvault cloud environments, person familiar says - Nextgov/FCW
• Risky Bulletin: SVG use for phishing explodes in 2025 - Risky Business Media
• KrebsOnSecurity Hit With Near-Record 6.3 Tbps DDoS – Krebs on Security
• Midwestern telco Cellcom confirms cyber incident after days of service outages | The Record from Recorded Future News
• Microsoft leads international takedown of Lumma Stealer | Cybersecurity Dive
• Who said what? on X: "Message from the administrator of Lumma Stealer on the forums about the recent events🕊️👀 https://t.co/MOjCSMMErK" / X
• Ransomware hackers charged, infrastructure dismantled in international law enforcement operation | The Record from Recorded Future News
• Oops: DanaBot Malware Devs Infected Their Own PCs – Krebs on Security
• DOJ charges man allegedly behind Qakbot malware | The Record from Recorded Future News
• US, Europol arrest 270 dark web drug traffickers in Operation RapTor | The Record from Recorded Future News
• Iranian pleads guilty to launching Baltimore ransomware attack, faces 30 years behind bars | The Record from Recorded Future News
• Decentralized crypto platform Cetus hit with $223 million hack | The Record from Recorded Future News
• Nearly 70,000 impacted by Coinbase breach involving $20 million ransom demand | The Record from Recorded Future News
• USA: Crypto investor charged with kidnapping, torturing man in an NYC apartment
• Vietnam orders ban on Telegram messaging app over security concerns | The Record from Recorded Future News
• Exclusive: Hacker who breached communications app used by Trump aide stole data from across US government | Reuters
• CISA loses nearly all top officials as purge continues | Cybersecurity Dive
• White House dismisses scores of National Security Council staff - The Washington Post

On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news:

• TeleMessage memory dumps show up on DDoSecrets
• Coinbase contractor bribed to hand over user data
• Telegram does seem to be actually cooperating with law enforcement
• Britain’s legal aid service gets 15 years worth of applicant data stolen
• Shocking no one, Ivanti were weaseling when they blamed latest bugs on a third party library

This week’s episode is sponsored by Prowler, who make an open source cloud security tool. Founder and original project developer Toni de la Fuente joins to talk through the flexibility that open tooling brings. Prowler is also adding support for SaaS platforms like M365, and of course, an AI assistant to help you write checks!

This episode is also available on Youtube.

Show notes

• TeleMessage - Distributed Denial of Secrets
• How the Signal Knockoff App TeleMessage Got Hacked in 20 Minutes | WIRED
• Coinbase says thieves stole user data and tried to extort $20M
• Hack could cost Coinbase up to $400M: filing | Cybersecurity Dive
• Severed Fingers and ‘Wrench Attacks’ Rattle the Crypto Elite
• Money Stuff: US Debt Rates Itself | NewsletterHunt
• 2 massive black market services blocked by Telegram, messaging app says | Reuters
• Telegram Gave Authorities Data on More than 20,000 Users
• GovDelivery, an email alert system used by governments, abused to send scam messages | TechCrunch
• ATO warning as hackers steal $14,000 in tax returns: ‘Be wary’
• Hack of SEC social media account earns 14-month prison sentence for Alabama man | The Record from Recorded Future News
• 19-year-old accused of largest child data breach in U.S. agrees to plead guilty
• Beach mansion, Benz and Bitcoin worth $4.5m seized from League of Legends hacker Shane Stephen Duffy | 7NEWS
• Pegasus spyware maker rebuffed in efforts to get off trade blacklist - The Washington Post
• Ransomware attack hits supplier of refrigerated groceries to British supermarkets | The Record from Recorded Future News
• UK government confirms massive data breach following hack of Legal Aid Agency | The Record from Recorded Future News
• Ivanti Endpoint Mobile Manager customers exploited via chained vulnerabilities | Cybersecurity Dive
• Expression Payloads Meet Mayhem - Ivanti EPMM Unauth RCE Chain (CVE-2025-4427 and CVE-2025-4428)

In this wholly sponsored Soap Box edition of the show, Patrick Gray chats with Adam Bateman and Luke Jennings from Push Security.

Push has built an identity security platform that collects identity information and events from your users’ browsers. It can detect phish kits and shut down phishing attempts, protect SSO credentials, and find shadow/personal account that a user has spun up.

It’s extremely difficult to bypass. That’s because when you’re in the browser it doesn’t matter how a phishing link arrives, or how a threat actor has concealed it from your detection stack – if the user sees it, Push sees it.

There are solutions for protecting your users SSO credentials, like passkeys. But what about all the SaaS in your environment? Even if it’s enrolled into your SSO, are you sure that’s how your users are authenticating to it? What about the automation platforms your developers and admins use? What about data platforms like Snowflake? Are your using setting up passkeys for those accounts? How would you know, and what problems can it cause if those accounts are vulnerable?

This is a fun one!

This episode is also available on Youtube.

Show notes