
Loading summary
A
FATFS bugs enable physical access attacks on industrial equipment A clever password spraying attack bypasses M365 MFA. An AI agent is deploying ransomware in live attacks, and a Webinar platform sues two security firms over bad IOCs. This is the risky bulletin prepared by Catalyn Kim Panu and read by me, Claire Airdrop. Today is the 3rd of July and this podcast episode is brought to you by Corelight. In today's top story Vulnerabilities in the FATFS file system can enable physical access attacks on industrial equipment and smart devices. The vulnerability allows attackers to use crafted file system images to run malicious code and jailbreak the devices. The malicious images are delivered through removable media plugged into the device, or through firmware update channels where the new image is mounted automatically. The bugs were discovered by Run zero and are still unpatched. Projects that use FATFS drivers will have to roll their own protections to safeguard devices against attacks. In other news, the US government has lifted export restrictions on Anthropic's Fable and Mythos 5ai models. The company withdrew the models from public access on June 12 after the U.S. commerce Department banned foreign nationals from accessing the tools. The Trump administration has been under pressure to reverse the decision. Since then, the Indian government has told Meta to pause the rollout of WhatsApp usernames in its market. The government claimed the new feature would lead to an increase in online fraud, phishing and impersonation attacks by allowing scammers to hide behind generic usernames in Indian officials asked Meta to respond within three days. India is WhatsApp's biggest market, with over 500 million users. Belgium's national police have set up a division to counter phishing campaigns. The new unit will aggregate data on phishing attacks to centralise evidence collection and track down perpetrators faster. The new phishing cell will start operating this summer and will be expanded later in the year. Belgium has seen a 30% rise in phishing reports since 2024. The Spanish government has quietly banned American tech company Palantir over national security fears. According to El Confidential, the government has privately instructed public companies to avoid working with Palantir. Several EU countries have started re evaluating their ties with Palantir due to its close ties to the Trump administration and its public anti EU stance. The FBI, Google and Lumen have disrupted the residential proxy service provider Netnut. The takedown comes two weeks after security firms linked the proxy network to Poppa, a malicious botnet involved in brute force attacks, ad fraud and large scale web scraping operations. The reports also linked NetNut to alarm technologies, an Israeli company listed on the Nasdaq webinar and video conferencing startup. Meetup TV is suing two security firms after a threat intelligence report incorrectly linked the company to a Chinese hacking group. The lawsuit targets Koi Security and Palo Alto Networks, which acquired the former in April. In a December report, Koi mistakenly linked the Meeting TV domain to Dark Spectre, a Chinese group that developed malicious Chrome extensions. Even though Coy corrected the report in February, MeetingTV still sued, claiming its domain was still blocked by multiple security products and services. US Authorities have successfully extradited a member of the Scattered Spider hacking group. Peter Stokes, aged 19, was arrested in April in Finland when attempting to board a flight to Japan. Stokes used the hacker name Bokeh and has been linked to more than 100 network intrusions. Attackers are targeting Microsoft 365 accounts with a credential spraying campaign Attacks over the past several weeks have targeted the old OAuth ROPC authentication scheme. Successful authentication using stolen or guest credentials allows threat actors to generate tokens that can bypass MFA protected accounts. A threat actor has deployed an AI agent to hack langflow servers, steal credentials, expand their access to, and then deploy ransomware to production databases. The attacks represent the first known cybercriminal campaign to be fully automated using an AI agent from start to finish. According to security firm Sysdig. The ransomware couldn't be decrypted even if a victim paid because the AI agent didn't store the encryption key anywhere. The company tracks the campaign as Jade Puffer. An Iranian hacking group tracked as tag 182 is targeting Iranians living inside and outside the country. The group is using free download tools and fake VPN applications to infect targets with Marky Rat. The infected tools have been promoted on social media networks since April and are likely to be part of an effort to identify and arrest dissidents. A Russian influence operation is targeting audiences with aggressive anti Western and anti Ukrainian propaganda on decentralised social networks. Their campaign's been active since last September on both Blue sky and Mastodon. Accounts were easy to spot due to their use of a bridging service to post on both networks at the same time. They posted images of dead Ukrainians, videos of killer drones and articles from Russian state media and their propaganda network. Researchers spotted hundreds of accounts, with many being short lived or hosted on unmoderated Mastodon instances. One of Taiwan's largest mobile operators is being extorted by a ransomware group. PI Mobile was hacked last month by a newly launched ransomware operation named Cetra. The telco says the hack didn't impact its widely used mobile payments platform. Taiwan's Ministry of Digital affairs is investigating the hack. The cryptocurrency industry has lost $16.69 billion to hacks over its lifetime, and about 40% of that amount was stolen Stolen using authentic private keys. This includes private keys exposed by accident, brute forced by attackers or hacked using exploits or phishing attacks in almost half of all private key hacks. The source of the compromise is still unknown. A vulnerability in Apple's Hide My Email tool can allow a remote party to discover a user's real email address, according to 404 Media. Apple has failed to fix the issue for more than a year. Apple rolled out patches in March, but the bug can still be exploited to reveal a user's real email address. Attackers can run malicious code on Android and Apple devices using newly discovered vulnerabilities in the Airdrop and Quick Share protocols. Attackers need to be within 10 to 30 metres of a target to exploit the bugs. No pairing, authentication or user interaction is needed. The bugs can take advantage of the protocol's design, with the protocols automatically running whenever a new device is close by. Some of the bugs have been patched while work continues on the others. Hackers have started exploiting a new Citrix vulnerability less than 24 hours after its public disclosure. The attacks exploit a Citrix Bleed like vulnerability that allows threat actors to leak a device's memory and find auth or config data. The bug impacts NetScaler, ADC and Gateway devices. According to security firm LoopVis, one threat actor appears to be behind the attacks. The Opera browser has rolled out a new feature designed to block click fix attacks. The new Paste Protect feature scans a user's clipboard for malicious commands and can show warnings about possible attacks. The feature is enabled by default and requires no configuration. And finally, the EU's highest court has upheld a 4.125 billion euros fine against Google. The EU fined the American tech giant in 2018 for abusing Android's market dominance to force phone makers to pre install its search and Chrome apps on customer devices. It was one of the three fines Google was trying to have repealed in the EU. The company was also fined 2.95 billion euros for its abuses on the advertising market and another 2.4 billion euros for favouring its own shopping service in search results. And that is all for this podcast edition. Today's show was brought to you by our sponsor, Corelight. Find them@corelight.com thanks to your company.
Podcast: Risky Bulletin by Risky Business Media
Date: July 3, 2026
Host/Reader: Claire Airdrop (prepared by Catalyn Kim Panu)
Sponsor: Corelight
This edition of the Risky Bulletin delivers a fast-paced roundup of the latest global cybersecurity news, with a headline focus on serious, unpatched vulnerabilities in the FatFs file system impacting industrial and smart equipment. Additional stories cover major attacks, policy changes, law enforcement action, and developments in both technology and cybercrime.
[00:04]
“Projects that use FATFS drivers will have to roll their own protections to safeguard devices against attacks.”
— Claire Airdrop ([00:35])
Anthropic AI Models Export Ban Lifted
The U.S. government has reversed export restrictions on Anthropic's Fable and Mythos 5ai models after public and political pressure.
[00:50]
Meta vs. Indian Government Over WhatsApp Usernames
India has demanded that Meta pause its WhatsApp usernames rollout due to fraud concerns, threatening increased phishing and impersonation. India remains WhatsApp’s biggest market with over 500 million users.
[01:08]
Belgian Police Create Phishing Unit
A new Belgian “phishing cell” will aggregate data and coordinate anti-phishing operations after a 30% rise in phishing reports.
[01:30]
Palantir Quietly Banned in Spain
Spain has privately instructed public companies to avoid Palantir, driven by national security concerns and political sensitivities.
[01:46]
NetNut Proxy Service Disrupted
The FBI, Google, and Lumen took down NetNut, which was linked to the Poppa botnet and ad fraud campaigns.
[02:07]
Meetup TV Sues Over Faulty Threat Intelligence
Webinar platform Meetup TV is suing Koi Security and Palo Alto Networks. Koi’s December report wrongly linked Meeting TV to a Chinese APT, and despite corrections, remediation lagged and caused lasting damage:
“MeetingTV still sued, claiming its domain was still blocked by multiple security products and services.”
— Claire Airdrop ([02:52])
Scattered Spider Hacker Extradited
Peter Stokes (“Bokeh”), age 19, extradited from Finland to the US, linked to over 100 network intrusions.
[03:22]
Sneaky Microsoft 365 Password Spraying
Attackers use credential spraying and the old OAuth ROPC method to bypass MFA, generating their own tokens post-authentication.
[03:45]
AI-Automated Ransomware Campaign
First-ever fully automated ransomware campaign attributed to Jade Puffer:
“The ransomware couldn't be decrypted even if a victim paid because the AI agent didn't store the encryption key anywhere.”
— Claire Airdrop ([04:12])
Iranian Group TAG-182 Targets Dissidents
Campaign uses fake VPNs and free downloads to deliver MarkyRat, aiming to identify and potentially arrest Iranians at home and abroad.
[04:33]
Russian Propaganda on Decentralized Networks
“Their campaign's been active since last September on both Blue sky and Mastodon… Researchers spotted hundreds of accounts, with many being short lived or hosted on unmoderated Mastodon instances.”
— Claire Airdrop ([04:55])
PI Mobile Ransomware Incident in Taiwan
Cetra ransomware group attacked PI Mobile, with mobile payments reportedly unaffected.
[05:21]
Crypto Industry Key Theft
$16.69 billion lost to hacks, with 40% via private keys—often with unknown compromise vectors.
[05:40]
Apple Hide My Email Flaw
“Apple has failed to fix the issue for more than a year. Apple rolled out patches in March, but the bug can still be exploited to reveal a user's real email address.”
— Claire Airdrop ([06:03])
Airdrop and Quick Share Flaws
Citrix NetScaler Bleed-like Vulnerability
Attackers exploiting a leak bug in NetScaler, ADC & Gateway less than 24 hours after disclosure.
[06:42]
Opera ‘Paste Protect’
A new feature scans clipboard contents for malicious commands and warns users by default.
[07:00]
“Projects that use FATFS drivers will have to roll their own protections to safeguard devices against attacks.”
— Claire Airdrop ([00:35])
“MeetingTV still sued, claiming its domain was still blocked by multiple security products and services.”
— Claire Airdrop ([02:52])
“The ransomware couldn't be decrypted even if a victim paid because the AI agent didn't store the encryption key anywhere.”
— Claire Airdrop ([04:12])
“Their campaign's been active since last September on both Blue sky and Mastodon… Researchers spotted hundreds of accounts, with many being short lived or hosted on unmoderated Mastodon instances.”
— Claire Airdrop ([04:55])
“Apple has failed to fix the issue for more than a year. Apple rolled out patches in March, but the bug can still be exploited to reveal a user's real email address.”
— Claire Airdrop ([06:03])
True to the Risky Bulletin’s usual style, the episode is concise and information-packed, bringing a global outlook and an authoritative voice to urgent cyber threats, policy shifts, and influential breaches. The tone is brisk, factual, and sometimes tinged with dry industry understatement.
This episode is ideal for cybersecurity professionals or industry watchers seeking a rapid, thorough digest of current events—with keen attention to new technical threats, ongoing attacker tactics, geopolitical maneuvering, and law enforcement developments.