Authorities take down a residential proxy service, Iranian hackers wipe the network of a US medical device maker, Apple patches unsupported iOS against Karuna, and CISA asks for Cisco SD-WAN device logs. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire. Today is the 13th of March, and this podcast episode is brought to you by Thinkst, the makers of the much-loved Thinkst Canary.

In today's top story, the FBI and Europol have dismantled the residential proxy provider SocksEscort. The service used malware to hack systems and sell their network access online. Lumen's Black Lotus Labs says the service ran on top of the AVrecon botnet, which has infected almost 370,000 devices.

In other news, a hacker breached the FBI in 2023 and stole documents related to the Epstein investigation. The breach impacted a server at the Bureau's child exploitation forensic lab in New York. The hacker did not realise he'd breached the FBI. He contacted the Bureau to report the child abuse images he found. According to Reuters, FBI agents showed their badges to the hacker on a video call to convince him they were actually feds.

Iranian hackers have wiped the IT systems of a US medical device maker. The company, Stryker, has shut down all production systems globally. Hacktivist group Handala has taken credit. The group claimed the attack was in retaliation for the bombing of a girls' school in Iran. Reports claim the group hacked the company's Microsoft Intune server and used the remote wipe feature. Handala says it's wiped more than 200,000 phones, servers and workstations.

The Albanian government is investigating a breach of an internal email server. The hack occurred on Tuesday. Staff members were unable to access their PCs or email accounts for hours while the breach was investigated. Iranian group Homeland Justice has taken credit for the attack. The group has a history of hacking Albanian government agencies due to exiled Iranian opposition leaders being hosted in the country.

CISA has ordered federal agencies to submit logs from their Cisco SD-WAN devices. The devices have been under attack using a zero-day since 2023. Aggregating the logs will let CISA assess the extent of the compromises. Agencies have until March 23rd to submit logs. They'll also have to configure their devices to send future logs to CISA.

Apple has released security updates for old versions of iOS to patch vulnerabilities used by the Karuna exploit kit. The updates are available for iOS 15 and 16. Patches for 17 were released in December. Karuna is an exploit kit for iOS devices developed by American defence contractor L3Harris Trenchant. It's thought to have leaked after a former employee sold it to a private Russian exploit broker.

China has warned against using the OpenClaw AI agent. The country's CERT says the agent is easy to misconfigure during installation and can expose companies to security risks. China's National Vulnerability Database has also warned against using OpenClaw.

Canadian retailer Loblaw has suffered a security breach. The company notified affected customers this week. It also logged out all users and asked them to sign back into their accounts. Loblaw said the incident did not impact its financial services subsidiary.

Dutch ISP Odido has removed a feature that sent router telemetry data to American AI company LifeMote. The behaviour was discovered by Dutch security researcher Sipke Mellema last week. The feature was removed after Dutch lawmakers questioned its legality. Odido had not disclosed the telemetry collection to its customers. The Dutch telco disclosed a major security breach last month.

Iran has threatened to launch missile and drone strikes against Middle Eastern offices of US tech firms. A Telegram message affiliated with the IRGC listed Google, Microsoft, Palantir, IBM, Nvidia and Oracle as potential targets. Iranian officials threatened to attack American companies following recent US-Israeli strikes.

21 individuals have been arrested in Bangkok, accused of running cyber-scam compounds. Meta participated in the investigation and has taken down more than 150,000 accounts operated by the group. Last year, Meta removed almost 11 million accounts linked to scam compounds.

Indian authorities have arrested two Nigerian nationals believed to be members of the Solar Spider hacking group. Police said they were planning to exploit vulnerabilities in Indian cooperative banks. The two had already stolen more than $750,000 from a bank in Gujarat before they were caught last week.

A former employee of a US security firm has been charged with conducting at least 10 ransomware attacks. Angelo Martino allegedly demanded more than $75 million in ransoms. At the time of the attacks, he was working as a ransomware negotiator for security firm Digital Mint. Officials say he was one of three cybersecurity professionals who hacked their customers, deployed malware and demanded ransoms. The other two were charged in November and later pleaded guilty.

Russian cyber-espionage group APT28 has leaked its exploit for hacking Roundcube email servers. The exploit was part of a kit found in an open directory by security firm Hunt Intelligence. The kit contained payloads, C2 components and operator artefacts. The payloads enabled persistent mail forwarding, bulk email exfiltration, address book theft and 2FA secret extraction. Researchers also found a previously undocumented module that enabled browser credential theft. They found links tying the exploit kit to previous APT28 campaigns that were discovered by security firm ESET.

Google paid security researchers more than $17 million last year for vulnerability reports. This represents a 40% increase from 2024 and an all-time high. More than half of the payouts went to Google's Android, Chrome and cloud bug bounty programs. Since the program began in 2010, Google has paid more than $81.6 million for vulnerability reports.

WhatsApp will warn users when they receive suspicious requests to link their account to a new device, as part of its scam-prevention features. Meta is also adding alerts for unusual friend requests on Facebook. Additionally, the advanced scam detection feature in Messenger will be made available in more countries.

And finally, Meta is adding parent-managed accounts to WhatsApp. The accounts are designed for preteen children. Access to settings will be controlled by a PIN set up by the parent. Messages will remain private, but parents can approve who their child communicates with and what groups they can join, and can review message requests from unknown contacts.

And that is all for this podcast edition. Today's show is brought to you by our sponsor, Thinkst. Find them at canary.tools. Thanks for your company.
Podcast: Risky Bulletin (Risky Business Media)
Episode Date: March 13, 2026
Host: Claire (prepared by Catalin Cimpanu)
Episode Focus: Key developments in global cybersecurity including law enforcement actions, major hacks, significant threats, and policy updates.
In this episode, the Risky Bulletin team delivers a concise roundup of pressing cybersecurity news. The top story details the joint FBI and Europol takedown of the SocksEscort residential proxy service, a platform that used the AVrecon botnet to sell unauthorized access to infected networks. The episode also covers government and enterprise breaches, new software vulnerabilities, emerging cyber threats, and noteworthy law enforcement actions.
SocksEscort Residential Proxy Takedown [00:05]
FBI Child Exploitation Lab Breach [00:28]
Stryker Medical Device Maker Wiped by Iranian Hackers [00:52]
Albanian Government Email Breach [01:18]
Cisco SD-WAN Attacks [01:37]
Apple iOS Updates Against Karuna Exploit Kit [01:51]
China’s Warning on OpenClaw AI Agent [02:25]
Canadian Retailer Loblaw Breach [02:36]
Dutch ISP Telemetry Leak [02:47]
Iranian Threats Against US Tech Firms [03:08]
Bangkok Scam Compound Arrests [03:24]
Indian Police Arrest Nigerian Hackers (Solar Spider) [03:38]
Insider Ransomware Case [03:47]
APT28 Roundcube Exploit Leak [04:03]
Google’s Bug Bounty Milestone [04:30]
WhatsApp & Meta Security Upgrades [04:44]
On the SocksEscort takedown:
“The FBI and Europol have dismantled the residential proxy provider SocksEscort. The service used malware to hack systems and sell their network access online.” – Claire [00:06]
On the unexpected hacker-FBI interaction:
“According to Reuters, FBI agents showed their badges to the hacker on a video call to convince him they were actually feds.” – Claire [00:43]
On Stryker attack scale:
“Handala says it's wiped more than 200,000 phones, servers and workstations.” – Claire [01:11]
Apple’s emergency patch for old iOS versions:
“Karuna is an exploit kit for iOS devices developed by American defense contractor L3Harris Trenchant. It's thought to have leaked after a former employee sold it to a private Russian exploit broker.” – Claire [02:08]
| Timestamp | Segment |
|-----------|-------------------------------------------------------------|
| 00:05 | SocksEscort residential proxy takedown |
| 00:28 | FBI forensic lab/Epstein breach |
| 00:52 | Stryker medical device company wiped |
| 01:18 | Albanian government email hack |
| 01:37 | CISA asks for Cisco SD-WAN logs |
| 01:51 | Apple iOS/Karuna update |
| 02:25 | China warns against OpenClaw AI agent |
| 02:36 | Loblaw retailer breach |
| 02:47 | Dutch ISP Odido telemetry scandal |
| 03:08 | Iran threatens US tech firms |
| 03:24 | Bangkok scam compound arrests (Meta involvement) |
| 03:38 | Nigerian hackers arrested in India |
| 03:47 | Insider ransomware attacks (Digital Mint) |
| 04:03 | APT28 Roundcube exploit leak |
| 04:30 | Google bug bounty payouts |
| 04:44 | WhatsApp & Meta scam/fraud controls, parental features |
This episode spotlights the sophistication and international reach of today’s cybersecurity threats, highlighting law enforcement’s ongoing efforts, persistent vulnerabilities in both public and private sectors, and industry-led countermeasures. The episode balances technical insight with real-world impact, underscoring the complex, fast-evolving nature of global cyber risk.