Claire Aird
France runs a phishing test on two and a half million students, Google fixes a Chrome zero-day abused for espionage, China publishes new facial recognition rules, and the DragonForce ransomware group hacks two rivals. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is March 28th, and this podcast episode is brought to you by Sublime Security, an email security platform that's not a black box.

In today's top story, the French government has conducted a large-scale phishing test on more than two and a half million students. Almost 10% took the bait. More than 200,000 middle and high school students clicked a link advertising cracked games and cheats. The link redirected students to a phishing awareness message. Operation Cactus is, to our knowledge, the largest phishing test known to date. Security firm KnowBe4 points out that 10% is still much better than the average corporate click-through rate of 33%.

In other news, the Chinese government has banned the use of facial recognition technology without consent. The rules prohibit companies from using facial recognition if other, less intrusive options exist. If organisations do use facial recognition, they're required to obtain consent, encrypt biometric data and go through regular security audits. Facial recognition technology will also be banned in some places, such as hotel lobbies, public bathrooms and changing rooms. The rules will take effect in June and obviously don't apply to the Chinese government's use of facial recognition.

US government officials' personal data, phone numbers and passwords have been found in past data breaches. German news site Der Spiegel reported that it found data on National Security Adviser Mike Waltz, Director of National Intelligence Tulsi Gabbard and Defence Secretary Pete Hegseth. Der Spiegel says some of the phone numbers and email addresses were linked to Dropbox, LinkedIn, Instagram and Signal accounts.

Google has patched a Chrome zero-day that was used in recent attacks against Russian media outlets and educational institutions. Kaspersky says the attacks were the work of a state-sponsored APT group. The zero-day is a Chrome sandbox escape and was used with a second exploit to deploy malware on targets' computers. Kaspersky described the malware as highly sophisticated. Mozilla also patched Firefox after finding similar vulnerable code in its browser.

Papua New Guinea has blocked access to Facebook in what it says is a test. The ban aims to counter increased hate speech, disinformation and pornography. The nation's government has been critical of the platform's role in spreading disinformation related to civil unrest in the country. The ban, ordered by the police minister, appeared to be a surprise to local telecommunication regulators. It's unclear how long the ban will last.

British IT company Advanced has been ordered to pay more than 3 million pounds over a 2022 ransomware attack that impacted national healthcare services. The attack by the LockBit group crippled multiple NHS IT platforms and its non-emergency phone service. The privacy regulator fined the company for failing to use multi-factor authentication, scan for vulnerabilities and apply patches.

T-Mobile has agreed to pay $33 million to a man who was SIM-swapped and had his cryptocurrency stolen. The victim lost $38 million in cryptocurrency in 2020. That crypto would now be worth more than $165 million. T-Mobile also settled with the FTC last year for $31.5 million over similar SIM-swapping incidents.

An Australian tool retailer exposed a database on the internet containing details of more than 34 million orders. The Sydney Tools database contained employee salaries as well as customers' personal information and purchase details. The data was stored in an instance of ClickHouse, an open-source database. If this all sounds familiar, Chinese AI firm DeepSeek also left its data exposed the same way earlier this year.

A hacker has stolen $13 million worth of crypto assets from DeFi lending platform Abracadabra Finance. The attack targeted the platform's lending pools, where the company aggregates customer funds. Abracadabra refunded half the stolen assets to the lending pools within two days and expects to return the rest by mid-year.

A Belarusian hacktivist group has hacked and released the source code and database of the country's CERT website. The Cyber Partisans leaked the data on Belarus Freedom Day, which is March 25.

Russian authorities have arrested three men suspected of developing the Mammont Android banking trojan. The suspects were detained in Russia's Saratov region, near the Kazakhstan border. Officials said they received more than 300 complaints linked to infections with the Mammont malware.

Russian intelligence services are likely behind a network of fake anti-war websites that collect visitors' personal information. The websites pretend to belong to the CIA, the Russian Volunteer Corps, Legion Liberty and a Ukrainian portal, Hochu Zhit. Security firm Silent Push says the fake portals collect personal information via web forms or Telegram channels. The sites are buried deep in Google's results but rank first in Russia's Yandex search engine.

Hacker group RedCurl has developed and started using its own strain of ransomware. QWCrypt can target Windows systems and Hyper-V virtual machines. RedCurl has been active since 2018 but hasn't carried out ransomware attacks until now. Previous reports have observed the group stealing data, but with no obvious business model to monetise it.

The DragonForce ransomware group has hacked and defaced the infrastructure of rival group BlackLock. DragonForce also dumped configuration files for BlackLock's backend and data leak site. BlackLock has yet to restore its website. Cyber intel firm Resecurity says BlackLock's systems were not well secured and one of its analysts had also managed to gain access to its backend. DragonForce also hacked another rival, Mamona, earlier this month.

Software company Esri has patched an authentication vulnerability in its ArcGIS platform. The vulnerability has a severity rating of 9.8 out of 10. The ArcGIS platform is widely used to manage and visualise geospatial data by government agencies. There are currently more than 1,000 systems exposed on the internet.

Forty-six vulnerabilities have been discovered in three popular solar inverters. The vulnerabilities, discovered by Forescout, can be used to take over the solar devices and their cloud management platforms. Impacted vendors include Growatt, SMA and Sungrow. Academics have previously suggested that mass hacks of solar equipment could impact national power grids.

Google will develop the Android operating system in private and only share its source code after each major release. The company says it's changed its model to simplify the development process. Google currently maintains the internal version and a public open-source project simultaneously. The company will share its internal branch with smartphone makers before public release.

Mozilla is seeking donations from Firefox users after its US government funding was cut. Firefox has confirmed it lost $2.5 million in USAID funding. Another million may also be on the chopping block. The USAID funding was a small part of Mozilla's revenue; in 2023, it reported million in revenue. Almost 500 million came from its search engine placement deals.

And finally, the US Commerce Department has added 80 foreign companies to its export restrictions list. Fifty companies are based in China. The others are in Taiwan, Iran, Pakistan, South Africa and the UAE. The companies are linked to AI, high-performance computing and quantum technologies.

And that is all for this podcast edition. Today's show was brought to you by our sponsor, Sublime Security. Find them at Sublime Security. Thanks for your company.
Risky Bulletin: France Runs Phishing Test on 2.5 Million Students Hosted by risky.biz | Released on March 28, 2025
In the latest episode of Risky Bulletin, host Claire Aird delves into a spectrum of pressing cybersecurity issues, ranging from large-scale phishing tests to government regulations on facial recognition technology. The episode, prepared by Catalyn Kim Panu and sponsored by Sublime Security, provides a comprehensive overview of recent cyber threats, governmental actions, and significant breaches impacting various sectors globally.
Claire Aird opens the discussion with France's ambitious cybersecurity initiative, Operation Cactus.
Overview: The French government conducted a phishing test targeting 2.5 million students across middle and high schools. The aim was to assess and enhance the phishing awareness among young individuals.
Results: Almost 10% took the bait: more than 200,000 middle and high school students clicked the link. Security firm KnowBe4 notes that this is still much better than the average corporate click-through rate of 33%.
Method: The test involved sending a link that advertised cracked games and cheats. Clicking the link redirected students to a phishing awareness message, educating them on the dangers of phishing and how to recognize such attempts.
Significance: As Operation Cactus stands as the largest known phishing test to date, it underscores the proactive measures governments are taking to bolster cyber resilience among the youth.
The episode shifts focus to significant policy changes in China regarding facial recognition technology.
Key Points:
Consent Requirement: Companies must obtain explicit consent before deploying facial recognition systems.
Encryption & Security Audits: Biometric data must be encrypted, and organizations are required to undergo regular security audits to ensure data protection.
Usage Restrictions: Facial recognition is now banned in hotel lobbies, pubs, public bathrooms, and changing rooms, minimizing intrusive surveillance in sensitive areas.
Exemptions: Notably, these rules do not apply to the Chinese government's use of facial recognition technology, maintaining state surveillance capabilities.
Implementation Date: The regulations are set to take effect in June 2025.
Claire Aird Quotes: “The rules prohibit companies from using facial recognition if other less intrusive options exist” (02:15).
Highlighting vulnerabilities in data protection, the podcast discusses recent breaches exposing personal information of high-profile US officials.
Affected Individuals: National Security Adviser Mike Waltz, Director of National Intelligence Tulsi Gabbard, and Defense Secretary Pete Hegseth.
Leak Details: The German news site Der Spiegel uncovered phone numbers and email addresses linked to accounts on platforms like Dropbox, LinkedIn, Instagram, and Signal (03:30).
Implications: This breach emphasizes the continuous threat to governmental data and the importance of robust cybersecurity measures to protect sensitive information.
The discussion moves to critical vulnerabilities discovered in major web browsers, impacting both users and organizations.
Google Chrome Zero-Day: Google patched a Chrome sandbox escape that was used, together with a second exploit, in recent attacks against Russian media outlets and educational institutions. Kaspersky attributes the attacks to a state-sponsored APT group.
Mozilla Firefox Vulnerability: Mozilla also patched Firefox after finding similar vulnerable code in its browser.
Kaspersky Insights: The malware deployed via these exploits was described as “highly sophisticated”, indicating the advanced nature of the threats (05:10).
Papua New Guinea has taken decisive action against the proliferation of harmful content on Facebook.
Ban Details: The government describes the block as a test aimed at countering increased hate speech, disinformation, and pornography, and has been critical of the platform's role in spreading disinformation related to civil unrest in the country. The ban was ordered by the police minister.
Regulatory Response: The move was unexpected by local telecommunications regulators, and the duration of the ban remains uncertain.
A significant financial penalty was imposed on the British IT firm Advanced due to a ransomware attack.
Incident Overview: The 2022 attack by the LockBit group crippled multiple NHS IT platforms and the NHS non-emergency phone service.
Penalties: Advanced has been ordered to pay more than £3 million for failing to use multi-factor authentication, scan for vulnerabilities, and apply patches.
Regulatory Standpoint: The privacy regulator's decision underscores the critical need for robust cybersecurity protocols, especially in healthcare services.
T-Mobile faces significant settlements following incidents of SIM swapping leading to cryptocurrency theft.
Case Details: T-Mobile has agreed to pay $33 million to a man who was SIM-swapped in 2020 and lost $38 million in cryptocurrency, an amount that would now be worth more than $165 million.
Previous Settlements: The company also settled with the FTC for $31.5 million the previous year over similar incidents.
Impact: These cases highlight the severe financial repercussions of inadequate security measures in protecting user accounts from SIM swapping attacks (08:45).
A significant data breach exposed the personal information of millions through an open internet database.
Breach Details: Australian tool retailer Sydney Tools left a database exposed on the internet.
Affected Data: Over 34 million orders were compromised, including employee salaries, customer personal information, and purchase details.
Storage Method: The data was stored in an instance of ClickHouse, an open-source database, exposed in the same way Chinese AI firm DeepSeek left its data exposed earlier this year.
Consequences: The breach underscores the risk of database instances that are left reachable from the internet when not properly secured.
A severe attack targeted a DeFi lending platform, resulting in substantial cryptocurrency losses.
Attack Overview: A hacker stole $13 million worth of crypto assets from Abracadabra Finance's lending pools, where the platform aggregates customer funds.
Response: The platform acted swiftly, refunding half of the stolen assets within two days and planning to return the remaining funds by mid-year (09:50).
Significance: This incident highlights the ongoing security challenges within the decentralized finance sector and the need for enhanced protective measures.
A group of Belarusian hacktivists launched a significant cyber attack against the website of the country's CERT (computer emergency response team).
Attack Details: The hack and leak were carried out by the Cyber Partisans group.
Data Leaked: The source code and database of Belarus' CERT website were compromised and publicly released.
Timing: The data was leaked on Belarus Freedom Day (March 25), symbolizing a protest against governmental control.
Related Arrests: In a separate story, Russian authorities have arrested three men suspected of developing the Mammont Android banking trojan. The suspects were detained in Russia's Saratov region, and officials said they received more than 300 complaints linked to Mammont infections (10:30).
An emerging threat involves fake websites masquerading as reputable anti-war platforms to harvest personal data.
Operation Details:
Impersonated Entities: The fake sites imitate organizations like the CIA, the Russian Volunteer Corps, Legion Liberty, and the Ukrainian portal Hochu Zhit.
Data Collection Methods: Personal information is gathered through web forms or Telegram channels.
Visibility: While these sites rank deep in Google's search results, they top the charts in Russia's Yandex search engine, increasing their reach and potential impact (11:20).
Silent Push’s Report: Security firm Silent Push attributes the network of fake portals to Russian intelligence services, aiming to collect sensitive visitor information.
The hacker group Redcurl has escalated their operations by deploying a new ransomware variant.
Ransomware Details:
Name: QWCrypt
Targets: Designed to infect Windows systems and Hyper-V virtual machines.
Background: Active since 2018, RedCurl had previously been observed stealing data without a clear monetization strategy. The introduction of QWCrypt marks its shift towards ransom-based attacks (12:15).
Intra-Group Conflict: Separately, the DragonForce ransomware group hacked and defaced the infrastructure of rival group BlackLock, dumping configuration files for BlackLock's backend and data leak site, and also hacked another rival, Mamona, earlier this month. Cyber intel firm Resecurity says BlackLock's systems were not well secured (12:50).
A major vulnerability was discovered and addressed in Esri's widely-used geospatial platform.
Vulnerability Details: Esri has patched an authentication vulnerability in its ArcGIS platform, which is widely used by government agencies to manage and visualise geospatial data.
Severity Rating: 9.8 out of 10, indicating a critical threat level.
Affected Systems: More than 1,000 ArcGIS systems are currently exposed on the internet.
Technical Aspects: Because the flaw lies in authentication, exposed instances should be patched immediately to prevent exploitation (13:25).
Forescout researchers identified multiple vulnerabilities in popular solar inverters, posing risks to national power grids.
Vulnerable Products: Solar inverters from Growatt, SMA, and Sungrow.
Potential Exploits: The 46 discovered vulnerabilities could allow attackers to take over solar devices and their associated cloud management platforms.
National Security Concerns: Experts warn that mass hacks of solar equipment could have cascading effects on national power infrastructures, highlighting the intersection of cybersecurity and energy security (14:10).
Google has announced changes to its Android operating system development and source sharing practices.
Private Development: Android will now be developed internally with the source code shared only after each major release.
Simplification: This strategy aims to simplify the development process and enhance control over the operating system’s evolution.
Dual Maintenance: Google currently maintains both an internal version and a separate public open-source project simultaneously; under the new model, it will share its internal branch with smartphone makers before public release (15:00).
Mozilla faces financial challenges following reduced US government funding.
Funding Impact:
Loss: Firefox has confirmed a loss of $2.5 million in USAID funding, with a potential additional $1 million at risk.
Revenue Breakdown: In 2023, Mozilla reported $3.5 million in total US aid funding, a small fraction of its $500 million revenue largely derived from search engine placement deals.
Call to Action: In response, Mozilla is seeking donations from Firefox users to sustain its operations and continue providing free, open-source browsing solutions (16:20).
The U.S. Commerce Department has expanded its export restrictions, adding 80 foreign companies to its list.
Affected Regions: Fifty of the companies are based in China; the others are in Taiwan, Iran, Pakistan, South Africa, and the UAE.
Technology Sectors: The restricted companies are linked to advancements in AI, high-performance computing, and quantum technologies, areas critical to national security and economic competitiveness.
Implications: This move aims to curb the proliferation of technologies that could bolster military capabilities or pose strategic threats, reflecting the escalating tech rivalry on the global stage (17:05).
Today's episode of Risky Bulletin covered a diverse range of cybersecurity topics, highlighting both the evolving threats in the digital landscape and the proactive measures governments and organizations are implementing to mitigate risks. From massive phishing tests in France to stringent facial recognition laws in China, the episode underscores the global efforts to enhance cybersecurity resilience. Additionally, the discussions on significant data breaches, ransomware attacks, and vulnerabilities in widely-used technologies emphasize the persistent challenges faced by individuals and institutions alike. As cyber threats become increasingly sophisticated, the insights shared in this episode serve as a crucial guide for staying informed and prepared in the dynamic realm of cybersecurity.