Risky Bulletin: Hackers leak data from major bulletproof hosting provider

Summary

Hosted by risky.biz | Released on April 9, 2025

Introduction

In the latest episode of Risky Bulletin, host Claire Aird delivers a comprehensive update on the most recent developments in the cybersecurity landscape. Prepared by Catalyn Kimpanu, this edition covers a spectrum of incidents ranging from significant data leaks to advancements in security protocols. Below is a detailed summary of the key topics discussed.

1. Major Data Leak from Russian Bulletproof Hosting Provider MediaLand

Timestamp: [00:04]

Claire Aird opens the bulletin by reporting a significant breach where hackers leaked data from MediaLand, a prominent Russian bulletproof hosting provider. The leaked files divulge customer information, the services utilized, and the specific data housed on the platform. This incident not only exposes recent activities but also poses a threat of de-anonymizing cybercrime operators.

“A hacker has leaked files from major bulletproof hosting provider MediaLand. The files contain information on customers, the services they use, and the data they hosted on the platform.”
— Claire Aird, [00:04]

Prodaft, a threat intelligence firm, suspects that the same actor was responsible for leaking internal communications from the BlackBasta ransomware group back in February, indicating a pattern of targeting within the cybercrime ecosystem.

2. Breach of US Treasury Office Email Systems

Timestamp: [00:04]

Another alarming development is the breach of the US Treasury Office email systems, affecting approximately 100 employees. The attack, attributed to the Chinese hacking group Silk Typhoon, was carried out in June 2023 but remained undetected until January of the current year. This breach extends to the Treasury's Office of Foreign Assets Control and the Committee on Foreign Investment in the US.

“The US government blamed Chinese hacking group Silk Typhoon for those hacks.”
— Claire Aird, [00:04]

3. International Effort to Combat Spyware: Pall More Process

Timestamp: [00:04]

21 countries have joined the Pall More process, an international agreement aimed at curbing the proliferation of commercial spyware. Notably, the United States, Israel, and Macedonia abstained from participation, countries recognized for their active spyware industries. This move follows a similar US-led commitment signed by 23 nations under the Biden administration in 2023.

“21 countries have joined the Pall More process, an international agreement to combat the proliferation of commercial spyware.”
— Claire Aird, [00:04]

4. Alleged Surveillance by Elon Musk’s DOGE Team on EPA

Timestamp: [00:04]

A report from Reuters alleges that Elon Musk's DOGE team has deployed an AI tool to monitor internal communications at the Environmental Protection Agency (EPA). The tool is purportedly designed to track disloyalty and negative comments regarding Donald Trump and Musk. The EPA has neither confirmed nor denied these allegations.

“Elon Musk's DOGE team has allegedly deployed an AI tool to surveil internal communications at the Environmental Protection Agency...”
— Claire Aird, [00:04]

5. Chinese Information Operation in Canadian Elections

Timestamp: [00:04]

Ahead of Canada's upcoming federal election, a Chinese information operation is reportedly attempting to influence the Chinese diaspora within the country via WeChat. This campaign targets Canada's Liberal Party leader and current Prime Minister Mark Carney, with Canada's election task force linking the operation to the Chinese Communist Party's Central Political and Legal Affairs Commission.

“A Chinese info op is attempting to influence the Chinese diaspora in Canada ahead of the country's upcoming federal election.”
— Claire Aird, [00:04]

6. Russian Government's Potential Block of Foreign Web Hosting Providers

Timestamp: [00:04]

The Russian government is considering blocking 12 foreign web hosting providers that have failed to register within the country. RoscomNadzor, Russia's internet watchdog, has been pressuring companies to comply with local laws and integrate with its anti-DDoS system, especially following Russia's invasion of Ukraine. Last month, the agency conducted a test to block Cloudflare, resulting in significant disruptions for Russian internet users.

“The Russian Government may block 12 foreign web hosting providers for failing to register in the country.”
— Claire Aird, [00:04]

7. Australia's Crackdown on Online Scam Companies

Timestamp: [00:04]

Australia's financial regulator, ASIC, is in the process of deregistering 95 companies suspected of involvement in online investment and romance scams. These companies often operated under false information and were associated with scam-related apps and websites, providing a facade of legitimacy to illicit activities.

“Australia's financial regulator is deregistering 95 companies with suspected links to online investment and romance scams.”
— Claire Aird, [00:04]

8. Cryptocurrency Investment Scam Busted in Spain

Timestamp: [00:04]

Spain's national police have dismantled a criminal group responsible for stealing over 19 million euros through cryptocurrency investment scams. Six suspects were apprehended, including the gang leader who was preparing to flee to Dubai. The group employed AI-generated deepfake advertisements featuring Spanish celebrities to lure victims to fraudulent investment platforms.

“Spain's national police have broken up a criminal group that allegedly stole more than 19 million euros via cryptocurrency investment scams.”
— Claire Aird, [00:04]

9. Ransomware Attack on Singaporean Banks

Timestamp: [00:04]

Two Singaporean banks, DBS Bank and the Bank of China's Singapore branch, confirmed that a ransomware gang stole customer data from a printing service provider. The compromised service was used to print and dispatch letters to customers, highlighting vulnerabilities in third-party service integrations.

“Two Singaporean banks have confirmed a ransomware gang stole its customers' data from a printing service provider.”
— Claire Aird, [00:04]

10. Malicious VS Code Extensions with Crypto Miners

Timestamp: [00:04]

Security firm Extension Total has identified 10 Visual Studio Code extensions containing crypto miners within the official plugin store. These extensions, published by three separate accounts, amassed over 1 million installs, although it's suspected that the installation numbers were artificially inflated to feign popularity.

“10 VS Code extensions that contain crypto miners have been spotted in the official plugin store.”
— Claire Aird, [00:04]

11. Hellcat Hacking Group Exploits JIRA Credentials

Timestamp: [00:04]

The Hellcat hacking group is leveraging JIRA credentials obtained through InfoStealer malware to infiltrate corporate systems. By acquiring these credentials from underground markets, Hellcat gains access to sensitive corporate networks, exfiltrates data, and subsequently extorts affected companies. Notable victims include Telefonica Orange, Schneider Electric, and Jaguar Land Rover.

“The Hellcat hacking group is using JIRA credentials collected by InfoStealer malware to breach systems.”
— Claire Aird, [00:04]

12. Kill Security Exploits Zero-Day in Crush FTP

Timestamp: [00:04]

A threat actor named Kill Security has exploited a zero-day vulnerability in Crush FTP, claiming responsibility for a large-scale data theft operation and ongoing extortion of victims. Concurrently, Crush FTP has requested Mitre to invalidate the original CVE for this vulnerability and delay issuing a replacement for 90 days, prompting criticism that this maneuver aims to keep the vulnerability undisclosed.

“A threat actor named Kill Security has claimed credit for a hacking spree that used a zero day vulnerability in Crush FTP.”
— Claire Aird, [00:04]

13. ToddyCat's Exploitation of ESET Security Tool

Timestamp: [00:04]

The ToddyCat cyber espionage group is misusing an ESET security tool to escalate privileges on compromised systems. Although ESET released a security update to address this issue, the attack underscores the ongoing trend of Advanced Persistent Threat (APT) groups exploiting known vulnerabilities in security software.

“The ToddyCat cyber espionage group is abusing an ESET security tool to escalate privileges on compromised systems.”
— Claire Aird, [00:04]

14. Google's Patch of Android Zero-Days

Timestamp: [00:04]

Google has patched two critical zero-day vulnerabilities in the Android operating system. One of these patches addresses the Cellebrite exploit, which Serbian authorities allegedly used to unlock journalists' and protesters' phones, as detailed in an Amnesty International report. The second vulnerability pertains to the Android kernel USB audio driver code.

“Google has patched two Zero days in Android.”
— Claire Aird, [00:04]

15. Meta Enhances Security for Teen Accounts

Timestamp: [00:04]

Meta is expanding its security protections for teen accounts beyond Instagram to include Facebook and Facebook Messenger. This new feature restricts children under 16 from altering certain privacy settings without parental consent, such as who can contact them and the content they can access. Additionally, teens will require parental approval to engage in live streaming on Meta's platforms.

“Meta is expanding its teen account's security protections from Instagram to Facebook and Facebook Messenger accounts.”
— Claire Aird, [00:04]

16. Surge in DDoS Attacks Amid Geopolitical Conflicts

Timestamp: [00:04]

Akamai reports that four of the 10 largest DDoS attacks it has ever mitigated occurred in the past year. The frequency and magnitude of these attacks are rising, driven largely by ongoing conflicts such as the Russo-Ukrainian and Israeli-Palestinian disputes. These geopolitical tensions are contributing to the increased scale and persistence of DDoS threats.

“Akamai says that four of the 10 largest DDoS attacks it ever mitigated took place last year.”
— Claire Aird, [00:04]

Conclusion

Claire Aird concludes the bulletin by emphasizing the evolving nature of cybersecurity threats and the importance of staying informed. From data breaches and ransomware attacks to the misuse of AI tools and zero-day vulnerabilities, the landscape remains perilous. The Risky Business team continues to monitor these developments, providing essential updates to safeguard against emerging threats.

“And that is all for podcast edition thanksg company.”
— Claire Aird, [00:04]

Stay tuned to Risky Bulletin for ongoing updates and in-depth analysis of the cybersecurity world's latest happenings.

Transcript

Claire Aird (0:04)

Hackers leaked data from a major Russian bulletproof hosting provider Australia deregisters 95 companies linked to cyber scams, the US treasury gets hacked again and Meta expands teen accounts to Facebook and Facebook Messenger. This is the risky bulletin prepared by Catalyn Kimpanu and read by me, Claire aird. Today is the 9th of April. A hacker has leaked files from major bulletproof hosting provider media. The files contain information on customers, the services they use and the data they hosted on the platform. The leak includes recent data and could help de anonymize cybercrime operators threat. Intel firm Prodaft believes the same actor also leaked internal chats from the BlackBasta ransomware group in February. Medialand is a Russia registered company that has been active for more than a decade. In other news, hackers have breached US Treasury Office email systems and intercepted around 100 employees emails. The breach occurred in June 2023 and was discovered by CISA in January this year. The Treasury's Office of Foreign Assets Control and the Committee on Foreign Investment in the US were also breached earlier this year. The US government blamed Chinese hacking group Silk Typhoon for those hacks. 21 countries have joined the Pall More process, an international agreement to combat the proliferation of commercial spyware. The U.S. israel and Macedonia did not participate. Coincidentally, those countries are well known for their spyware industries. A similar U S led commitment was signed by 23 countries in 2023 under the Biden administration. Elon Musk's DOGE team has allegedly deployed an AI tool to surveil internal communications at the Environmental Protection Agen Agency, according to a report from Reuters. The tool is designed to monitor chats for disloyalty and negative comments about Donald Trump and Musk. The EPA did not confirm or deny the story when it was approached by Reuters. A Chinese info op is attempting to influence the Chinese diaspora in Canada ahead of the country's upcoming federal election. The campaign is taking place on WeChat, an app commonly used by Chinese speakers everywhere. The info op is attacking Canada's Liberal Party leader and current Prime Minister Mark Carney. Canada's election task force has linked the campaign to the Chinese Communist Party's Central Political and Legal Affairs Commission. The Russian Government may block 12 Foreign web hosting providers for failing to register in the country. The country's Internet watchdog says companies must comply with local laws and integrate with its anti DDoS system. The Roscom Nadzor has been threatening to block foreign web and cloud providers since Russia invaded Ukraine. The agency ran a test last month to see if it could block access to Cloudflare, which caused significant disruption to Russian Internet users. Australia's financial regulator is deregistering 95 companies with suspected links to online investment and romance scams. Most of the companies had been registered with false information and many were associated with apps and websites used in the scams. ASIC says the companies were set up to give the scams a veneer of credibility. Spain's national police have broken up a criminal group that allegedly stole more than 19 million euros via cryptocurrency investment scams. Six suspects were detained in Spain, including the gang's leader, who was preparing to travel to Dubai. The group allegedly used AI to create deepfake ads of Spanish celebrities luring victims to fake investment portals. Two Singaporean banks have confirmed a ransomware gang stole its customers data from a printing service provider. The incident impacted DBS bank and the bank of China's Singapore branch. The banks used the service to print and send letters to its customers. 10 VS code extensions that contain crypto miners have been spotted in the official plugin store. The extensions were published by three accounts and appear to have accumulated over 1 million installs. But security firm Extension Total says the installation numbers were artificially inflated to make the extensions appear popular. The Hellcat hacking group is using JIRA credentials collected by InfoStealer malware to breach systems. The group acquires the credentials from underground markets, accesses corporate networks, steals sensitive data and then extorts the companies. Hellcat's hacking spree has been going on for over a month and has hit dozens of companies. The most well known victims include Telefonica Orange, Schneider Electric and Jaguar Land Rover. A threat actor named Kill Security has claimed credit for a hacking spree that used a zero day vulnerability in Crush FTP. The group claims it stole significant volumes of data and is now extorting victims. In the meantime, Crush FTP is dealing with drama of its own after it asked Mitre to invalidate the original CVE for the vulnerability and not issue a replacement one for 90 days. Critics have claimed this was to help them keep the vulnerability quiet. The toddycat cyber espionage group is abusing an ESET security tool to escalate privileges on compromised systems. ESET released a security update last week to fix the issue, which is in its command line scanner. The attack is another example of APT groups using the bring your own vulnerable driver technique. Google has patched two Zero days in Android. One of the fixes is a patch for cellebrite exploit used by Serbian authorities to unlock the phones of journalists and anti government protesters. The exploit and the HAC were first detailed in an Amnesty International report in February. There are no details on the second zero day, which impacts the Android kernel USB audio driver code. This is the third month in a row that Google has fixed zero days in the Android os. Meta is expanding its teen account's security protections from Instagram to Facebook and Facebook messenger accounts. The feature prevents children under the age of 16 from modifying a series of privacy settings on their accounts without a parent parents approval. This includes settings related to who can contact the account and what content they can see on the site. Meta is also expanding these restrictions and teens won't be able to live stream on their sites without a parent's approval. And finally, akamai says that four of the 10 largest DDoS attacks it ever mitigated took place last year. Overall, DDoS attacks are getting longer and larger with each quarter. Much of the recent rise was driven by the recent Russo Ukrainian and Israeli Palestine conflicts. And that is all for podcast edition thanksg company.

Summary