Claire Aird
Cellebrite bans Serbia from using its products, Chinese hackers breached the Belgian security service, the Republican National Committee hid a Chinese hack, and Microsoft removes malicious extensions from the VS Code Marketplace. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 28th of February, and this podcast episode is brought to you by vulnerability management and analysis platform Nucleus Security.

Israeli tech company Cellebrite has banned the Serbian government from using its products over its alleged misuse of the technology. Amnesty International says the Serbian security service unlocked dissidents' phones and installed spyware on them with Cellebrite's tools. The company says it's committed to human rights and democracy. Amnesty International has praised Cellebrite, saying the withdrawal of live licences from Serbia is a critical first step.

Chinese state-sponsored hackers have allegedly breached an email server belonging to a Belgian intelligence service. The 2023 hack was part of a campaign exploiting a zero-day in Barracuda's email security product. According to local media, the hackers stole two years of unclassified email from the intelligence service.

Chinese state-sponsored hackers also breached the email system of the Republican National Committee in July 2024. The mostly unreported incident came a month after Iranian hackers gained access to the Trump campaign's email. An upcoming book from journalist Alex Isenstadt claims the RNC chose not to notify the FBI about the intrusion.

A hacking group calling itself Philippine Exodus Security has leaked data from the country's armed forces on a cybercrime forum. The leaked data allegedly includes sensitive details about 10,000 military personnel, including medical records, financial information and contact details. The Philippine Army has confirmed the breach.

New evidence has shown that North Korea's $1.5 billion Bybit heist was pulled off by hacking a developer at multisignature wallet provider SafeWallet. The hackers compromised the developer and injected malicious code targeting Bybit into SafeWallet's web interface. SafeWallet says it's removed the code and will publish further details following an investigation. Initial reports claimed that the intrusion involved malware being deployed to Bybit's network. The FBI has confirmed North Korea's involvement in the hack and linked it to a group it tracks as TraderTraitor, which is better known by us mere mortals as the Lazarus Group.

A threat actor has stolen $50 million worth of assets from DeFi protocol Infini. The attacker compromised private keys and drained the funds on Monday. It may not quite have the same pizazz as the $1.5 billion theft, but $50 million was close to all that Infini had. According to reports, the private keys belonged to a former developer who still had access.

Thai police have detained a hacker who allegedly sold data stolen from more than 70 companies. The 39-year-old Singaporean is believed to have targeted companies throughout Southeast Asia. Local news reports say he's confessed to the crimes.

Microsoft is suing four individuals for allegedly abusing its AI services to generate deepfakes of celebrities and sexually explicit content. The four allegedly used leaked Microsoft customer credentials to access the services. They then resold access to the generative AI capabilities to their own customers on underground forums. The four are based in Iran, the UK, China and Vietnam and are part of a group that Microsoft tracks as Storm-2139.

The US has extradited a Russian national from Portugal for allegedly manipulating cryptocurrency markets. Gotbit founder Aleksei Andriunin and two of the company's executives were charged with market manipulation last year. Gotbit allegedly inflated trading volumes for cryptocurrency companies to boost the value of their assets. The FBI created its own crypto token last year to catch Gotbit and several other fraud-as-a-service companies.

The operators of cyber scam centres in Myanmar are now using Starlink for Internet access. Starlink equipment has been spotted on top of at least eight scam compounds since June. The move to Starlink came after Thai authorities seized shipments of network equipment and cut fibre-optic cables in the area.

Microsoft has removed two malicious theme extensions from the VS Code Marketplace. The themes were from the same developer and were downloaded a combined 9 million times. Microsoft says the malicious code was found by a member of the VS Code community, but did not give further details. The company has said it's reviewing the developer's other extensions. The developer claims the malicious code came from a compromised dependency.

The number of voice phishing attacks grew more than 400% last year, according to CrowdStrike's annual threat report. The technique is used to trick recipients into calling a fake tech support line that talks them through deploying remote access tools and ransomware to enterprise networks. It's become a common vector amongst cybercrime groups in China and Russia.

A new variant of the Vo1d IoT botnet has infected over 1.6 million devices, most of which are smart TVs. Chinese security firm QiAnXin has said that the sheer volume of traffic to the botnet's infrastructure has earned some of its command-and-control servers a spot in Tranco's million most popular websites.

A vulnerability in the NAKIVO backup software allows unauthenticated attackers to help themselves to backed-up files. The vulnerability, discovered by watchTowr Labs, can be used to retrieve the backup server's password or the backup files themselves. watchTowr says the vendor patched the bug but did not reply to its disclosure.

And finally, a new type of radio jamming transmitter has been developed by a team of academics. Known as a Reconfigurable Intelligent Surface, it allows fine-grained spatial control over signal jamming. An RIS jamming attack can be tuned to target specific devices while avoiding impact to others as little as millimetres away. And that is all for this podcast edition. Today's show was brought to you by our sponsor, Nucleus Security. Find them at nucleussec.com. Thanks E Company.
Risky Bulletin: Cellebrite Fires Serbia as a Customer Hosted by risky.biz | Released on February 28, 2025
In this episode of Risky Bulletin, host Claire Aird runs through the latest cybersecurity news: a forensics vendor cutting off a government customer, state-sponsored intrusions, cryptocurrency thefts, a software supply-chain incident and new research on radio jamming. Below is a summary of each item, with notable quotes from the episode.
The episode opens with a development in digital forensics. Cellebrite, an Israeli technology firm known for its mobile data extraction tools, has banned the Serbian government from using its products. The decision follows allegations that the Serbian security service used Cellebrite's tools to unlock dissidents' phones and install spyware on them.

Claire Aird reports, "Israeli tech company Cellebrite has banned the Serbian government from using its products over its alleged misuse of the technology." Cellebrite says it is committed to human rights and democracy, and Amnesty International, which reported the misuse, has welcomed the move. Aird notes, "Amnesty International has praised Cellebrite, saying the withdrawal of live licenses from Serbia is a critical first step." Cutting off a government customer is a rare step for a forensics vendor and a notable precedent for how such tools are licensed.
Chinese state-sponsored hackers have reportedly breached an email server belonging to a Belgian intelligence service. The 2023 intrusion was part of a broader campaign that exploited a zero-day vulnerability in Barracuda's email security product. As Aird explains, "According to local media, the hackers stole two years of unclassified email from the intelligence service." Email security appliances sit at the network edge with privileged access to mail flow, so a zero-day in one of them is a direct route to an organisation's correspondence, and the theft of two years of mail shows how long such access can go unnoticed.
The Republican National Committee (RNC) was also breached by Chinese state-sponsored hackers, in July 2024, a month after Iranian hackers gained access to the Trump campaign's email. Aird highlights, "An upcoming book from journalist Alex Isenstadt claims the RNC chose not to notify the FBI about the intrusion." The incident went mostly unreported at the time, and the decision not to involve the FBI raises questions about how political organisations handle and disclose intrusions.
A hacking group calling itself Philippine Exodus Security has leaked data from the Philippine armed forces on a cybercrime forum. The leaked data allegedly covers around 10,000 military personnel and includes medical records, financial information and contact details. Claire Aird states, "The Philippine army has confirmed the breach." Personal and medical data on serving personnel is useful for targeting and coercion, which gives the leak national security implications beyond the privacy harm.
The largest theft covered is North Korea's $1.5 billion heist from the Bybit exchange. New evidence shows the attackers compromised a developer at SafeWallet, a multisignature wallet provider, and injected malicious code targeting Bybit into SafeWallet's web interface; SafeWallet says it has removed the code and will publish details after its investigation. Initial reports had instead attributed the intrusion to malware on Bybit's own network. Aird notes, "The FBI has confirmed North Korea's involvement in the hack and linked it to a group it tracks as TraderTraitor, which is better known by us mere mortals as the Lazarus Group." This is a supply-chain compromise rather than a break in the cryptography: poisoning the interface that signers use to review and approve transactions undermines the protection the multisignature scheme is meant to provide.
The DeFi (decentralized finance) sector had its own loss, with $50 million drained from the Infini protocol on Monday after an attacker compromised private keys. Aird remarks, "According to reports, the private keys belonged to a former developer who still had access." The amount is small next to Bybit, but it was close to everything Infini held, and the root cause is a familiar one: privileged keys that were never revoked or rotated when a developer left.
Thai police have detained a 39-year-old Singaporean accused of selling data stolen from more than 70 companies across Southeast Asia. Aird states, "Thai police have detained a hacker who allegedly sold data stolen from more than 70 companies." Local news reports say he has confessed to the crimes.
Microsoft is suing four individuals accused of abusing its AI services to generate deepfakes of celebrities and sexually explicit content. The four allegedly used leaked Microsoft customer credentials to reach the services and then resold access to the generative AI capabilities to their own customers on underground forums. Claire Aird explains, "The four are based in Iran, the UK, China, and Vietnam and are part of a group that Microsoft tracks as Storm-2139." The case is as much about credential theft as about AI misuse: the abuse ran on legitimate customers' leaked credentials, so protecting and rotating those credentials is the first line of defence.
The United States has extradited a Russian national from Portugal over alleged manipulation of cryptocurrency markets. Aleksei Andriunin, founder of Gotbit, and two of the company's executives were charged last year with market manipulation for allegedly inflating trading volumes for cryptocurrency companies to boost the value of their assets. Aird notes, "The FBI created its own crypto token last year to catch Gotbit and several other fraud-as-a-service companies."
Cyber scam centres in Myanmar have switched to Starlink for internet access. Starlink equipment has been spotted on top of at least eight scam compounds since June. As Aird reports, "The move to Starlink came after Thai authorities seized shipments of network equipment and cut fiber optic cables in the area." Satellite uplinks route around the terrestrial chokepoints that regional authorities had been targeting, which is why the compounds have kept operating.
Microsoft has removed two malicious theme extensions from the VS Code Marketplace. Both came from the same developer and had a combined 9 million downloads. Claire Aird reports, "Microsoft says the malicious code was found by a member of the VSCode community, but did not give further details." The developer claims the malicious code came from a compromised dependency, which, if true, makes this a supply-chain incident one level down: the extension's own dependencies carried the payload into a package users trusted. A theme is the kind of extension people install without scrutiny, but VS Code extensions are not sandboxed from the user's files or shell. Microsoft says it is reviewing the developer's other extensions.
Voice phishing, or vishing, grew more than 400% last year according to CrowdStrike's annual threat report. The technique described is callback phishing: recipients are tricked into calling a fake tech support line, where an operator talks them through installing remote access tools, and ultimately ransomware, on enterprise networks. Aird explains, "It's become a common vector amongst cybercrime groups in China and Russia." Because the victim installs the tooling themselves, the attack leaves little for email filters to catch; detection has to rest on spotting unexpected remote access software and on user reporting.
A new variant of the Vo1d IoT botnet has infected over 1.6 million devices, most of them smart TVs. Chinese security firm QiAnXin reports that traffic to the botnet's infrastructure is heavy enough to place some of its command-and-control (C2) servers in Tranco's list of the million most popular websites. Aird notes, "The sheer volume of traffic to the botnet's infrastructure has earned some of its command and control servers a spot in Tranco's million most popular websites." That has a practical side effect: allowlists and reputation systems that trust high-ranking domains can end up trusting C2 infrastructure.
A vulnerability in NAKIVO's backup software allows unauthenticated attackers to read backed-up files. Disclosed by watchTowr Labs, the flaw can be used to retrieve the backup server's password or the backup files themselves. The vendor has patched the bug, but as Aird points out, "watchTowr says the vendor patched the bug but did not reply to its disclosure." Backup servers hold copies of everything worth protecting, so an unauthenticated read is effectively a full data breach; a vendor that patches silently also leaves customers without the advisory that would tell them to update.
The bulletin closes with new academic work on radio jamming using Reconfigurable Intelligent Surfaces (RIS). A jammer built around an RIS gets fine-grained spatial control over where its signal lands, so an attack can be aimed at specific devices while leaving others, as little as millimeters away, unaffected. Aird describes, "An RIS jamming attack can be tuned to target specific devices while avoiding impact to others as little as millimeters away." Conventional jamming is indiscriminate and therefore easy to notice; spatially selective jamming is both more surgical and harder to spot, since neighbouring devices keep working normally.
Today's Risky Bulletin episode covers a broad spread of the current threat landscape: a vendor's ethical stance on a government customer, state-sponsored intrusions, cryptocurrency thefts, supply-chain compromises, legal action against cybercriminals and new jamming research. Updates like these are useful for professionals and enthusiasts alike who need to stay informed as threats grow in complexity and scale.
For more detailed updates and in-depth analysis, subscribe to Risky Bulletin at risky.biz.
This episode was sponsored by Nucleus Security, a leading vulnerability management and analysis platform. Visit nucleussec.com to learn more.