Risky Bulletin: FBI Says Online File Converters Are Nasty
Hosted by risky.biz | Released on March 14, 2025
In this episode of Risky Bulletin, host Claire Aird and co-host Panu Catalyn delve into a series of pressing cybersecurity issues, ranging from FBI warnings about malicious online tools to international cyber espionage activities. The episode provides a comprehensive overview of current threats, regulatory changes, and significant cyber incidents impacting various sectors globally.
FBI Alerts on Malicious Online File Converters
Claire Aird opens the bulletin with a crucial warning from the FBI regarding the misuse of online file conversion tools. According to the FBI, cybercriminals are exploiting both web-based and downloadable file converters to extract personal data from documents and deploy malware, including ransomware.
"The FBI says cybercriminals are using file format conversion tools to scrape personal data from documents and deploy malware such as ransomware."
— Claire Aird [00:04]
The FBI emphasizes that while this tactic isn't entirely new, the surge in its usage necessitates heightened vigilance. Users are encouraged to report any suspicious incidents to aid the agency in assessing the scale of the problem.
Chinese Cyber Espionage Targets Juniper Routers
The discussion shifts to a significant cyber espionage campaign attributed to a Chinese group known as UNC3886. This group has been embedding backdoors into Juniper MX routers by obtaining legitimate credentials and leveraging a zero-day privilege escalation vulnerability.
"The group has previously used zero days in Fortinet and VMware systems."
— Claire Aird [00:56]
Google's Mandiant division links these activities to targeting defense technology and telecommunications organizations across Asia and the United States. Despite Juniper MX routers reaching their end-of-life status, Juniper has proactively released security updates to mitigate the vulnerability.
North Korean Spyware Infiltrates Google Play Store
The North Korean hacking group ScarCruft has successfully inserted the Android spyware KoSpy into the Google Play Store. Disguised within a seemingly innocuous file management app aimed at English- and Korean-speaking users, KoSpy has been active since 2022, as confirmed by security firm Lookout.
This sophisticated spyware underscores the ongoing threats posed by state-sponsored actors aiming to infiltrate widely used platforms to harvest sensitive information.
Greynoise Identifies SSRF Vulnerability Exploits
Panu Catalyn highlights Greynoise's recent detection of a coordinated campaign exploiting Server-Side Request Forgery (SSRF) vulnerabilities across multiple software products, including GitLab, VMware, Ivanti, and Zimbra.
"The pattern suggests structured exploitation automation or pre-compromise intelligence gathering."
— Panu Catalyn [03:24]
The campaign, which commenced on March 9, originated from approximately 400 IP addresses. Separately, Greynoise notes that threat actors have exploited a zero-day vulnerability in the FreeType font rendering library, a flaw that was reported by Facebook's security team.
U.S. Senators Advocate for Enhanced Cyber Operations Against China
A group of Republican senators has urged former President Donald Trump to bolster the United States' offensive cyber capabilities against China. They cite recent Chinese intrusions into U.S. telecommunications, critical infrastructure, and the Treasury as pressing reasons for this call to action.
"The senators say the US needs to re-establish cyber deterrence against China because that's worked so well over the last 20 years."
— Claire Aird [02:46]
This push comes amidst strategic discussions on national cybersecurity measures and the balance between offensive and defensive cyber operations.
DHS Discontinues Advisory Boards Amid Cost-Cutting Measures
Amidst the cybersecurity discourse, Claire Aird reports that the U.S. Department of Homeland Security (DHS) has terminated eight advisory boards, including those focused on AI and cybersecurity. The DHS attributes these closures to a Trump-era executive order aimed at reducing expenditures.
"The agency cited a Trump executive order that mandated cost-cutting as a reason for the shutdowns."
— Claire Aird [02:48]
These advisory boards were previously instrumental in providing industry expertise to inform DHS strategies and policies.
Kazakhstan Implements Filtered Mobile Networks for Children
Panu Catalyn shares that Kazakhstan is introducing a mandate requiring smartphones used by children to connect through a new filtered mobile network. Parents must purchase specialized SIM cards for their children's devices, ensuring restricted access to social media and potentially harmful websites. Additionally, an accompanying app will relay the children's locations to their parents, enhancing oversight and safety.
"Parents will need to buy special SIM cards for their children's devices. The network will restrict access to social media and dangerous websites and will report children's locations to parents through an app."
— Claire Aird [03:14]
This measure reflects a growing global trend toward safeguarding minors in the digital landscape.
Spain Enforces AI-Generated Content Labeling
In a significant regulatory development, Spain has enacted a law imposing substantial fines on companies that fail to label AI-generated content. Non-compliant organizations could face penalties up to €35 million or 7% of their annual global turnover.
"Failure to comply could result in fines of up to 35 million euros, or 7% of their annual global turnover."
— Panu Catalyn [03:30]
This legislation aims to combat the proliferation of deepfakes and non-consensual adult content, making Spain the first EU country to incorporate provisions from the EU AI Act into its national framework.
Meta's Privacy Fine Upheld by South Korea's Supreme Court
South Korea's Supreme Court has dismissed Meta's appeal against a $4.6 million fine imposed for privacy violations. The privacy watchdog had penalized Meta in 2020 for unlawfully sharing the data of over 3.3 million South Korean users with third parties.
"South Korea's Supreme Court has rejected Meta's appeal to reverse a $4.6 million fine for privacy law violations."
— Panu Catalyn [03:24]
This case marks the final judicial avenue for Meta concerning this specific infraction, highlighting the increasing scrutiny tech giants face over data privacy practices.
"Crazy Hunter" Ransomware Targets Taiwanese Institutions
A new ransomware strain dubbed "Crazy Hunter" has emerged, targeting critical infrastructure in Taiwan. Within the month, the ransomware has compromised three hospitals, a university, and a power grid operator. The Taiwanese health ministry has reported that core functions at the affected hospitals have been restored following the attacks.
"A new ransomware operation called Crazy Hunter has compromised three hospitals, a university and a power grid operator in Taiwan."
— Claire Aird [04:33]
The attacks underscore the vulnerability of essential services to sophisticated ransomware threats.
Cyber Attack Disrupts Australian Hotel Group TFE
TFE, an Australian hotel conglomerate managing brands such as Adina, Vibe, and Travelodge across Australia, Europe, and Asia, has suffered a significant cyberattack. The incident has taken the company's systems offline, forcing phone calls to be rerouted to a central call center and requiring guests to be assisted in person. As of now, no group has claimed responsibility for the breach.
"A cyber attack has disrupted services at... Australian hotel group TFE."
— Claire Aird [04:33]
This breach highlights the persistent threat of cyberattacks on the hospitality sector.
Data Breaches at Jaguar Land Rover and Other Corporations
A hacker has reportedly leaked hundreds of internal documents from the Jaguar Land Rover automotive group, following a breach earlier this month. This individual has a history of leaking sensitive data, having previously exposed information from Orange in Romania, the Zurich Insurance Group, and the Russian social media network VK.
"A hacker has leaked hundreds of internal documents from the Jaguar Land Rover automotive group."
— Panu Catalyn [04:36]
These data leaks pose significant risks to corporate security and intellectual property.
NIST Selects HQC as Backup for Post-Quantum Encryption
The National Institute of Standards and Technology (NIST) has chosen Hamming Quasi-Cyclic (HQC) as a backup algorithm for post-quantum encryption. Last year, NIST selected ML-KEM as the primary algorithm to safeguard data against potential quantum computing attacks.
"NIST says HQC is a backup standard and should be used only if a weakness were to be discovered in ML-KEM."
— Panu Catalyn [05:30]
This decision reflects ongoing efforts to future-proof encryption methodologies in anticipation of advancements in quantum computing.
ICANN Plans to Retire the .su Top-Level Domain
ICANN has announced its intention to retire the .su top-level domain (TLD) by 2030. The .su domain, originally assigned to the Soviet Union, is currently managed by Russian authorities. Although the ISO standard for country codes removed .su in 1992, ICANN only commenced the removal process in 2022. Additionally, there is speculation that the .io domain, representing the British Indian Ocean Territory, might also face discontinuation.
"Another domain could also be on the chopping block. Is .io the domain for the soon to be non-existent British Indian Ocean territories?"
— Panu Catalyn [05:50]
This move signifies efforts to streamline and update the global domain name system.
Rise in Remote Monitoring and Management (RMM) Tools in Email Attacks
Proofpoint has observed an uptick in the use of Remote Monitoring and Management (RMM) tools as initial payloads in email-based attack campaigns. The most frequently abused RMM tools include ScreenConnect, NetSupport, and Atera.
"Proofpoint is seeing an increase in the use of remote monitoring and management tools as an initial payload in email delivered campaigns."
— Claire Aird [05:50]
This trend indicates a shift in attackers' strategies, leveraging legitimate management tools to facilitate malicious activities.
Conclusion
The Risky Bulletin episode provides a thorough examination of the evolving cybersecurity landscape, highlighting the multifaceted challenges posed by state-sponsored cyber espionage, ransomware threats, regulatory changes, and the exploitation of software vulnerabilities. By incorporating expert analysis and timely insights, Claire Aird and Panu Catalyn deliver an informative session that underscores the critical importance of vigilance and proactive measures in safeguarding against cyber threats.
For more detailed updates and analysis, listeners are encouraged to tune into future episodes of Risky Bulletin.
