Risky Bulletin: F5 says an APT stole source code, vulnerability reports

Podcast: Risky Bulletin
Host: risky.biz
Date: October 16, 2025
Read by: Claire, report by Catalin Cimpanu

Episode Overview

This episode delivers a rapid-fire summary of noteworthy cybersecurity incidents from around the world, with a focus on state-sponsored cyber attacks, high-profile data breaches, regulatory actions, and new vulnerabilities. The standout story centers on a major breach at F5 by a suspected Chinese APT group, with additional coverage of attacks against governments, educational platforms, and critical infrastructure.

Key Discussion Points and Insights

1. F5 Breach by Suspected Chinese APT (UNC5221)

[00:04]

• Incident: American technology company F5 was infiltrated by suspected Chinese state-backed group UNC5221.
• Breach Duration: Hackers lingered in F5’s network for nearly a year.
• Data Stolen: Source code and internal vulnerability reports.
• Company Response: F5 has patched the stolen vulnerabilities and rotated all signing keys and certificates to prevent further exploitation.
• Attribution: Bloomberg sources point to UNC5221 as the threat actor.

"The hackers were in the company's network for almost a year and stole source code and vulnerability reports."
— Claire ([00:08])

2. UK Government Denies Massive Breach

[00:25]

• Report: The Times claims Chinese hackers accessed UK classified networks for over a decade, exfiltrating sensitive diplomatic and policy documents.
• Official Response: The UK government (including former NCSC boss Kieran Martin) labels the report as “categorically untrue.”

"Former NCSC boss Kieran Martin described the report as categorically untrue."
— Claire ([00:33])

3. EU MP Files Hacking Complaint Against Hungary’s PM

[00:38]

• Accusation: German MEP Daniel Freund files a criminal complaint, alleging the Hungarian secret service attempted to infect his device with Candiru spyware.
• Context: Attack was detected in May 2025 by the EU cybersecurity team.

"German Green Party member Daniel Freund claims the Hungarian Secret Service tried to deploy spyware on his device."
— Claire ([00:42])

4. Sentencing for PowerSchool Hacker

[00:52]

• Who: Matthew D. Lane, 20, Massachusetts.
• Crime: Stole personal details of 70 million students and teachers, extorted school districts, ransomed PowerSchool for $2.85M.
• Sentence: Four years in prison; ordered to pay $14 million in restitution.

5. Microsoft Revokes Certificates Used to Sign Malware

[01:10]

• Threat Actor: “Vanilla Tempest” a.k.a. Vice Society.
• Action: 200 certificates revoked after they were used to sign malware and spread via poisoned search results.
• Recent Activity: Known for deploying Resider ransomware.

6. Regulatory Actions and Fines

• [01:23] NY Auto Insurers: Eight companies fined $14.2 million after a breach exposed 800,000+ customers’ data, which was later used for fraudulent unemployment claims.
• [01:37] Capita Fine: UK’s ICO fines outsourcing firm Capita £14 million for a ransomware incident that exposed 6.6 million customer records; original fine was £45 million.

7. Ransomware Impacts US Municipal Financing Platform

[01:52]

• Platform: Muni OS debt marketplace
• Impact: Site down for several days, causing disruptions to government financing via municipal bonds.

8. Airport PA System Hijacks with Political Messaging

[02:01]

• Incident: Four airports (one US, three Canadian) had PA systems hijacked to broadcast pro-Hamas, anti-US/Israel messages.
• Notable: Incident hit Harrisburg International Airport, PA; messages targeted Donald Trump and Benjamin Netanyahu.

9. VS Code Extensions Leak Credentials

[02:15]

• Scope: Over 500 extensions leaked access tokens, with >130 permitting potential malicious updates.
• Exposure: 150,000 installs; most credentials were found in shipped JSON config files.
• Research: Wiz security surfaced the issue.

10. Russian Bulletproof Hosting Provider Shuts Down

[02:38]

• Service: Bear Host (aka Voodoo Servers).
• Closure: Cites political reasons; customers lose both data access and funds.
• Criminal Use: Known host for KILLIN ransomware group.

11. Chinese APT Targets Russian IT Firm for Supply Chain Attack

[02:52]

• Duration: Maintained access for at least five months.
• Goal: Stealing source code, potential for a supply chain attack.
• Suspected Group: Juulbug.
• Other Victims: Latin American government, Taiwanese, and South Asian IT companies.

12. North Korean Hackers Hide Code on Binance Blockchain

[03:11]

• Technique: “Etherhiding”—malware stored in smart contracts.
• Group: UNC5342 / Contagious Interview.
• Specialty: Cryptocurrency theft.

13. Cisco Switch Zero-Day Exploited in Routers

[03:26]

• Targets: CIS 9400, 9300, 3750G switches.
• Response: Cisco patched in September 2025, with minimal public detail.
• Research: Trend Micro traces ongoing attacks.

14. Adobe Experience Manager Critical Flaw Exploited

[03:44]

• Nature: Authentication bypass via developer-mode component.
• Timeline: PoC published in July; Adobe patched within a week.
• Severity: 10/10.

15. Red Lion Industrial Controller Vulnerabilities

[03:58]

• Devices: 6net, VersaTrack RTUs.
• Issue: Allowed root code execution via auth bypass.
• Severity: 10/10.

16. Google Launches Recovery Contacts

[04:07]

• Feature: Users can appoint friends/family to help recover accounts if they lose devices.
• Method: Code sent to chosen contact to regain access.

Notable Quotes & Memorable Moments

• “The hackers were in the company’s network for almost a year and stole source code and vulnerability reports.” — Claire ([00:08])
• “Kieran Martin described the report as categorically untrue.” — Claire ([00:33])
• “Matthew D. Lane stole the personal details of 70 million students and teachers.” — Claire ([00:54])
• “Hackers hijacked PA systems and defaced display screens at four North American airports this week.” — Claire ([02:01])
• “More than 500 VS code extensions have leaked access tokens and credentials.” — Claire ([02:15])
• “North Korean state sponsored hackers are storing malicious code in smart contracts on the Binance public blockchain.” — Claire ([03:11])

Timestamps for Notable Segments

| Segment | Timestamp | |---------------------------------------------------|------------| | F5 APT Breach, Patch Response | [00:04] | | UK Govt Denies Chinese Breach | [00:25] | | EU MP Hacking Complaint | [00:38] | | PowerSchool Hacker Sentenced | [00:52] | | Microsoft Revokes Malicious Certificates | [01:10] | | NY Auto Insurer Data Breach and Fine | [01:23] | | Capita Ransomware Fine | [01:37] | | Muni OS Ransomware Disruption | [01:52] | | North American Airport PA System Hijacks | [02:01] | | VS Code Extensions Leak Access | [02:15] | | Russian Bulletproof Hosting Shuts Down | [02:38] | | Chinese APT Supply Chain Attack on Russian Firm | [02:52] | | North Korean Etherhiding Technique | [03:11] | | Cisco Zero-Day Attacks | [03:26] | | Adobe Experience Manager Flaw | [03:44] | | Red Lion Controller Vulnerabilities | [03:58] | | Google’s Recovery Contacts Rollout | [04:07] |

Summary:
This Risky Bulletin episode rapidly covers global cybersecurity headlines, with deep implications for enterprises (F5, Cisco, Adobe, Microsoft), public institutions (schools, airports, governments), and consumers (Google, insurers), underscoring the relentless pace and varied targets of today’s attackers. The tone is brisk and factual, providing concise yet comprehensive coverage for professionals and interested laypersons alike.