A
The FCC relaxes its foreign router ban to allow for security updates, the Shiny Hunters group disrupts schools across the globe, a 21-year-old remote code execution bug turns up in FreeBSD, and another Linux privilege escalation bug was disclosed without a patch. This is the Risky Bulletin, prepared by Catalyn Kim Panu and read by me, Claire Airdrop. Today is the 11th of May and this podcast episode is brought to you by Knock Knock, which has built and shipped a GreyNoise integration. More details are in this week's sponsor interview.
In today's top story, the U.S. Federal Communications Commission has updated its foreign router ban to allow for extended security updates. The agency will allow vendors to ship security updates for existing devices until 2029. The FCC initially planned to ban router makers from shipping security updates to customers from March next year. The extension for security updates will also apply to foreign made drones. The FCC banned the import of foreign drones in December and foreign routers in March.
Meantime, the FCC has also announced it wants American mobile operators to verify the identities of customers before activating their services or renewing their contracts. Under a new proposed rule, telcos will be required to implement strong know your customer measures going forward. The measure is intended to reduce the number of robocalls. Customers will need to provide a real name and address along with a copy of a government-issued ID. The proposed rule has entered a public comments stage.
In other news, hackers have breached and defaced the student management platform of edtech company Instructure. The company placed the Canvas platform in maintenance mode last week after the hackers posted ransom notes on the login screens of some schools. The initial breach took place last month, but the Shiny Hunters group defaced the login portals after Instructure failed to pay a ransom.
The defacement prevented some schools from accessing the platform during end of year exams.
The Hondurascate website has faced waves of DDoS attacks after it released audio recordings of a multinational plot to destabilise liberal democracies across Latin America. The recordings exposed a secret planning backed by the governments of Argentina, Israel and the US to fund a platform that would publish fake news and misinformation to destabilise the left wing governments of Brazil, Colombia and Mexico. Argentinian President Javier Milei has allegedly pledged to contribute $350,000 to the effort. The platform received the blessing of Donald Trump and would have been coordinated by former Honduran President Juan Orlando Hernandez.
Meanwhile, Argentina has arrested and deported a Russian national linked to a Kremlin disinformation network. Dmitry Novikov, 26 years old, was one of the managers of a group known as La Campania that used fake news and disinformation to attack Latin American governments that support Ukraine. Novikov was also arrested and deported from the Dominican Republic for the same reason.
Last September, hackers using Anthropic and OpenAI coding assistants breached a water utility in Mexico. The breach took place in February and was part of a larger AI assisted campaign that targeted the Mexican government for more than three months. The hackers used the AI tools to adapt publicly available offensive security tools and turn them into a custom hacking framework. The same campaign also breached the Mexican National Electoral Institute and three state governments.
The website of the JDownloader download manager was hacked and modified to distribute a remote access trojan. Hackers inserted malware in the app's Windows and Linux installers. The incident took place last week and the malicious installers were live on May 6 and 7. The attackers didn't ship malicious updates, so only new installs should be affected.
The Dutch Data Protection Authority has fined ride-hailing app Yango 100 million euros for storing the data of Dutch citizens on servers in Russia. The app launched in 2018 and was developed by the former Yandex Taxi team. Finnish and Norwegian authorities previously warned the company in 2023 to stop processing the data of their citizens in Russia.
The New Zealand government imposed sanctions on several Russian cyber actors that support Russia's war in Ukraine. Sanctions were levied against Structura and the Social Design Agency, two companies involved in influence operations. Sanctions were also levied against three bulletproof hosting providers, the IEASA Group, Medialand and MLCloud. The sanctions targeted the companies as well as their executives. They echo similar sanctions imposed by the US, the EU, the UK and Australia.
French prosecutors have opened a formal criminal probe into social media company X, major shareholder Elon Musk and former CEO Linda Yaccarino. The Paris public prosecutor's office is investigating the company for spreading child sexual abuse images and generating pornographic deepfakes. French authorities raided X's Paris offices in February. Both Musk and Yaccarino declined to show up for voluntary hearings. X is also under investigation in multiple other countries after its Grok AI generated nude images, including of children, last year.
Former Trenchant executive Peter Williams has been ordered to pay $10 million in restitution to his former employer and its parent company, L3Harris. Williams was sentenced to 87 months in prison earlier this year for selling Trenchant's exploits to a Russian company. The initial sentence also carried a $1.3 million restitution, bringing Williams' total owed to $11.3 million. Trenchant and L3Harris initially asked the court to approve a $35 million payout.
French authorities have arrested a cyber security executive for allegedly buying child sexual abuse material from the D Web.
FiliGreen founder Samuel Asseen is one of 232 individuals identified by police as alleged buyers on the Alice with Violence CP portal. Asene was supposed to travel to Japan and South Korea as part of the French delegation for Emmanuel Macron's official visit.
A 34-year-old man from Virginia has pleaded guilty to deleting almost 100 government databases. Sohab Akhtar, together with his twin brother, stole data and deleted databases minutes after they were both fired from their government contractor roles. The incident impacted multiple government agencies, including the IRS and the DHS. The brothers allegedly asked an AI chatbot how to remove logs of their actions. Akhtar will be sentenced in September. He faces up to 21 years in prison.
A Slovakian national has been sentenced to 16 years and eight months in prison for running the Kingdom Dark Web Marketplace. 33-year-old Alan Bill was one of the site's admins. He managed the Kingdom's web portals and promoted its products on Reddit and on criminal forum Dread. Bill was arrested in the US in December 2020, three days before German authorities seized the site.
Meantime, German authorities have arrested a 35-year-old man who tried to relaunch the Crimenetwork dark web marketplace. The original platform was seized and shut down by authorities in late 2024. The new platform launched last year and amassed more than 22,000 users before being seized as well. The site's admin was detained at his home on the island of Majorca in Spain.
Meta has banned 9,400 WhatsApp accounts that posed as government and law enforcement agencies. The accounts were involved in digital arrest scams. They contacted victims and requested payment for the release of family members. Most of the accounts were being run from Cambodian scam compounds.
Cloudflare will lay off more than 1,100 employees as it incorporates AI tooling into its processes.
The layoffs will take place during the second quarter and cover almost a fifth of the company's total workforce. Cloudflare shares dropped 19% last week, but they're up 30% this year.
The FreeBSD team has patched a remote code execution in its operating system that impacts all versions released since 2005. The vulnerability resides in the FreeBSD DHCP client. Threat actors on the same LAN can use maliciously crafted DHCP responses to run code on the OS using root privileges. Exploitation doesn't require any user interaction.
Linux distros are rushing to patch the so-called Dirty Frag vulnerability, which was disclosed last week. Details and proof of concept code for the bug were leaked when an embargo was broken on Thursday. The vulnerability is a privilege escalation bug that can allow attackers with access to a system to run malicious code as root. Dirty Frag impacts all Linux distros released since 2017.
Meantime, the Linux kernel team is reviewing a proposed security feature that would temporarily disable kernel functions. The new Kill Switch feature was proposed following the recent botched disclosures of the Copy Fail and Dirty Frag vulnerabilities, and admins would be able to use killswitch to disable vulnerable kernel features until patches are available.
Hackers are exploiting a recent SQL injection vulnerability to take over Light LLM AI servers. The vulnerability allows unauthenticated attackers to read or write to the server's database. Exploitation is simple and only requires that attackers use a specially crafted authorization header when interacting with the Light LLM server. The issue was found by Tencent and patched last month.
And finally, a new botnet operation is hacking into Jenkins servers to deploy DDoS malware that attacks game servers. The botnet is targeting Jenkins servers that have left their scripting interface exposed to the Internet. The attacks target Jenkins servers running on both Linux and Windows.
And that is all for this podcast edition. Today's show is brought to you by Knock Knock. That's Knoc Knoc IO. Thanks for your company.
Podcast: Risky Bulletin (Risky Business Media)
Episode Date: May 11, 2026
Host: Claire Airdrop (prepared by Catalyn Kim Panu)
Episode Focus:
An incisive roundup of the week’s most important cybersecurity news, ranging from regulatory updates (notably the FCC’s router ruling), high-profile breaches and cybercrime, to notable vulnerabilities in open source systems and global law enforcement actions.
The episode’s central theme is the evolving cyber risk landscape, with a primary focus on the FCC’s relaxation of its foreign router security patch ban—an unexpected regulatory shift with major security implications for U.S. infrastructure and consumers. The discussion also covers a sweep of critical incidents, newly revealed vulnerabilities, and actions taken by tech companies and law enforcement worldwide.
"Telcos will be required to implement strong know your customer measures going forward." — Claire Airdrop [01:04]
Instructure Canvas Breach ([01:28]):
"The defacement prevented some schools from accessing the platform during end of year exams." — Claire Airdrop [01:51]
Disinformation & Political Intrigue ([02:02]):
AI-Assisted Attack on Mexican Infrastructure ([03:30]):
"The brothers allegedly asked an AI chatbot how to remove logs of their actions." — Claire Airdrop [06:54]
"Admins would be able to use killswitch to disable vulnerable kernel features until patches are available." — Claire Airdrop [10:21]
“The extension for security updates will also apply to foreign made drones.” — Claire Airdrop [00:29]
“The hackers used the AI tools to adapt publicly available offensive security tools and turn them into a custom hacking framework.” — Claire Airdrop [03:40]
"Bill was arrested in the US in December 2020, three days before German authorities seized the site." — Claire Airdrop [07:32]
“Cloudflare will lay off more than 1,100 employees as it incorporates AI tooling into its processes.” — Claire Airdrop [08:29]
“A new Kill Switch feature was proposed following the recent botched disclosures… admins would be able to use Kill Switch to disable vulnerable kernel features until patches are available.” — Claire Airdrop [10:13]
This episode delivers a focused snapshot of global cyber risk, regulatory change, and technical challenges—a must-listen for professionals tracking legislative, criminal, and open source security developments. The FCC’s shift on router patches stands out for its immediate practical significance, while the sweeping coverage of vulnerabilities and AI-fueled threat maturity reveals the fiercely dynamic nature of today’s threat environment.
For anyone who missed the episode, this summary preserves the breadth and directness of the Risky Bulletin—sharp, rapid-fire, and essential for any serious infosec watchlist.