
An APT stole source code and vulnerability reports from F5. A European MP files a criminal hacking complaint against Hungary's Prime Minister. Airport PA systems are hijacked in Canada and the US, and the PowerSchool hacker gets prison time. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 17th of October and this podcast episode is brought to you by Nebuloc.

In today's top story, American tech company F5 was hacked by a Chinese state-sponsored group. The hackers were in the company's network for almost a year and stole source code and vulnerability reports. Sources told Bloomberg that the Chinese hacking group UNC5221 was behind the intrusion. F5 has patched the stolen vulnerabilities and has rotated signing keys and certificates.

In other news, the UK government has refuted a media report that Chinese hackers breached its classified information system. This week The Times reported that Chinese hackers maintained access for over a decade. The hackers allegedly accessed diplomatic cables, government policy documents and private communications. Former NCSC boss Ciaran Martin described the report as categorically untrue.

A member of the European Parliament has filed a criminal hacking complaint against Hungary's Prime Minister Viktor Orban. German Green Party member Daniel Freund claims the Hungarian secret service tried to deploy spyware on his device. Last May, the EU cyber security team detected an attempted deployment of spyware made by Israeli vendor Candiru. Freund has been a vocal critic of Orban.

A Massachusetts man has been sentenced to four years in prison for hacking the PowerSchool education cloud platform. 20-year-old Matthew D. Lane stole the personal details of 70 million students and teachers. Last year, PowerSchool paid a ransom of $2.85 million. Lane also attempted to extort individual school districts. He was arrested earlier this year and pleaded guilty. He's been ordered to pay $14 million in restitution.

Microsoft has revoked 200 certificates used by the Vanilla Tempest group to sign malware. The certificates were being used to sign apps that posed as legitimate software. The apps were distributed via poisoned search results. The Vanilla Tempest group is also known as Vice Society. Its most recent attacks deployed the Rhysida ransomware.

Eight auto insurers have agreed to pay the State of New York $14.2 million over data handling practices. More than 800,000 New Yorkers had their data stolen from online quote forms that were pre-filled with personal information. Some of the stolen data was later used to fraudulently file for COVID-19 unemployment payments.

The UK's privacy watchdog has fined outsourcing company Capita 14 million pounds. The company was found at fault for a 2023 ransomware attack that exposed the personal details of 6.6 million customers. The regulator initially planned to fine the company 45 million pounds before Capita accepted liability.

A ransomware attack has been disrupting the MuniOS debt marketplace. The platform allows US local and state governments to share bond offering documents to raise capital. According to Bloomberg, the site's been down for several days and has already disrupted municipal government financing.

Hackers hijacked PA systems and defaced display screens at four North American airports this week. The attackers broadcast messages praising Hamas while criticising US President Donald Trump and Israeli Prime Minister Benjamin Netanyahu. Incidents were reported on Tuesday at Pennsylvania's Harrisburg International Airport plus three Canadian airports.

More than 500 VS Code extensions have leaked access tokens and credentials. In more than 130 cases, the tokens would have allowed threat actors to publish malicious updates. Most of the credentials were found in JSON configuration files that ship with the extensions. According to Wiz, the extensions had been installed 150,000 times.

A Russian bulletproof web hosting provider has shut down, citing political reasons. Bearhost customers have been left without refunds or access to their servers. The service was also known as Voodoo Servers and began operating in 2016. According to Resecurity, one of its most well-known customers was the Qilin ransomware group.

A suspected Chinese APT group has hacked a Russian IT service provider. The attackers maintained access for at least five months and sought to steal the company's source code. Broadcom's security team believes the Jewelbug group was trying to launch a supply chain attack. The group also hacked a Latin American government, a Taiwanese company and another South Asian IT provider.

North Korean state-sponsored hackers are storing malicious code in smart contracts on the Binance public blockchain. The technique, known as EtherHiding, has been used by cybercriminals and botnets since 2023. Google tracks the North Korean group as UNC5342. It's also known as Contagious Interview. The group is known for its cryptocurrency heists.

Hackers are exploiting a recent zero-day to deploy rootkits on Cisco switches. Cisco patched the vulnerability in late September while it was under attack, but did not provide further details. Trend Micro says the hacking campaign targeted Cisco 9400 and 9300 switches. Some attacks also targeted legacy 3750G devices.

Threat actors are exploiting a recently patched vulnerability in the Adobe Experience Manager Forms building extension. Attackers are bypassing authentication and running malicious code via a component that was left enabled in developer mode. Security researchers published a detailed write-up and proof-of-concept code in July. Adobe patched the bug a week later. The vulnerability has a severity rating of 10 out of 10.

Red Lion has patched two vulnerabilities that could be used to take over Sixnet industrial controllers. The flaws allowed attackers to bypass authentication and run code on the devices with root privileges. Vulnerable models include Red Lion SixTRAK and VersaTRAK remote terminal units. Both vulnerabilities have a severity score of 10.

And finally, Google users can now recover their accounts using the help of a friend or family member. The Recovery Contacts feature is intended for situations when users lose their phone or passkey devices. Google will send a code to a friend or family member that can be used to recover the account. And that is all for this podcast edition. Today's show was brought to you by our sponsor Nebuloc. Find them at Nebuloc IO. Thanks for your company.
Podcast: Risky Bulletin
Host: risky.biz
Date: October 16, 2025
Read by: Claire, report by Catalin Cimpanu
This episode delivers a rapid-fire summary of noteworthy cybersecurity incidents from around the world, with a focus on state-sponsored cyber attacks, high-profile data breaches, regulatory actions, and new vulnerabilities. The standout story centers on a major breach at F5 by a suspected Chinese APT group, with additional coverage of attacks against governments, educational platforms, and critical infrastructure.
"The hackers were in the company's network for almost a year and stole source code and vulnerability reports."
— Claire ([00:08])
"Former NCSC boss Ciaran Martin described the report as categorically untrue."
— Claire ([00:33])
"German Green Party member Daniel Freund claims the Hungarian Secret Service tried to deploy spyware on his device."
— Claire ([00:42])
| Segment | Timestamp |
|---------------------------------------------------|------------|
| F5 APT Breach, Patch Response | [00:04] |
| UK Govt Denies Chinese Breach | [00:25] |
| EU MP Hacking Complaint | [00:38] |
| PowerSchool Hacker Sentenced | [00:52] |
| Microsoft Revokes Malicious Certificates | [01:10] |
| NY Auto Insurer Data Breach and Fine | [01:23] |
| Capita Ransomware Fine | [01:37] |
| MuniOS Ransomware Disruption | [01:52] |
| North American Airport PA System Hijacks | [02:01] |
| VS Code Extensions Leak Access | [02:15] |
| Russian Bulletproof Hosting Shuts Down | [02:38] |
| Chinese APT Supply Chain Attack on Russian Firm | [02:52] |
| North Korean EtherHiding Technique | [03:11] |
| Cisco Zero-Day Attacks | [03:26] |
| Adobe Experience Manager Flaw | [03:44] |
| Red Lion Controller Vulnerabilities | [03:58] |
| Google’s Recovery Contacts Rollout | [04:07] |
Summary:
This Risky Bulletin episode rapidly covers global cybersecurity headlines, with deep implications for enterprises (F5, Cisco, Adobe, Microsoft), public institutions (schools, airports, governments), and consumers (Google, insurers), underscoring the relentless pace and varied targets of today’s attackers. The tone is brisk and factual, providing concise yet comprehensive coverage for professionals and interested laypersons alike.