Risky Bulletin: Hackers Leak Data from Major Bulletproof Hosting Provider
Hosted by risky.biz | Released on April 9, 2025
Introduction
In the latest episode of Risky Bulletin, host Claire Aird delivers a comprehensive update on the most recent developments in the cybersecurity landscape. Prepared by Catalin Cimpanu, this edition covers a spectrum of incidents ranging from significant data leaks to advancements in security protocols. Below is a detailed summary of the key topics discussed.
1. Major Data Leak from Russian Bulletproof Hosting Provider MediaLand
Timestamp: [00:04]
Claire Aird opens the bulletin by reporting a significant breach in which hackers leaked data from MediaLand, a prominent Russian bulletproof hosting provider. The leaked files divulge customer information, the services each customer used, and the specific data housed on the platform. The leak exposes recent customer activity and could de-anonymize the cybercrime operators behind it.
“A hacker has leaked files from major bulletproof hosting provider MediaLand. The files contain information on customers, the services they use, and the data they hosted on the platform.”
— Claire Aird, [00:04]
Prodaft, a threat intelligence firm, suspects that the same actor was responsible for leaking internal communications from the Black Basta ransomware group back in February, indicating a pattern of targeting within the cybercrime ecosystem.
2. Breach of US Treasury Office Email Systems
Timestamp: [00:04]
Another alarming development is the breach of US Treasury office email systems, affecting approximately 100 employees. The attack, attributed to the Chinese hacking group Silk Typhoon, was carried out in June 2023 but remained undetected until January of the current year. The breach extends to the Treasury's Office of Foreign Assets Control and the Committee on Foreign Investment in the US.
“The US government blamed Chinese hacking group Silk Typhoon for those hacks.”
— Claire Aird, [00:04]
3. International Effort to Combat Spyware: Pall Mall Process
Timestamp: [00:04]
21 countries have joined the Pall Mall Process, an international agreement aimed at curbing the proliferation of commercial spyware. Notably, the United States, Israel, and Macedonia, countries with active spyware industries, did not take part. This move follows a similar US-led commitment signed by 23 nations under the Biden administration in 2023.
“21 countries have joined the Pall Mall Process, an international agreement to combat the proliferation of commercial spyware.”
— Claire Aird, [00:04]
4. Alleged Surveillance by Elon Musk’s DOGE Team on EPA
Timestamp: [00:04]
A report from Reuters alleges that Elon Musk's DOGE team has deployed an AI tool to monitor internal communications at the Environmental Protection Agency (EPA). The tool is purportedly designed to track disloyalty and negative comments regarding Donald Trump and Musk. The EPA has neither confirmed nor denied these allegations.
“Elon Musk's DOGE team has allegedly deployed an AI tool to surveil internal communications at the Environmental Protection Agency...”
— Claire Aird, [00:04]
5. Chinese Information Operation in Canadian Elections
Timestamp: [00:04]
Ahead of Canada's upcoming federal election, a Chinese information operation is reportedly attempting to influence the Chinese diaspora within the country via WeChat. This campaign targets Canada's Liberal Party leader and current Prime Minister Mark Carney, with Canada's election task force linking the operation to the Chinese Communist Party's Central Political and Legal Affairs Commission.
“A Chinese info op is attempting to influence the Chinese diaspora in Canada ahead of the country's upcoming federal election.”
— Claire Aird, [00:04]
6. Russian Government's Potential Block of Foreign Web Hosting Providers
Timestamp: [00:04]
The Russian government is considering blocking 12 foreign web hosting providers that have failed to register within the country. Roskomnadzor, Russia's internet watchdog, has been pressuring companies to comply with local laws and integrate with its anti-DDoS system, especially since Russia's invasion of Ukraine. Last month, the agency conducted a test block of Cloudflare, which caused significant disruptions for Russian internet users.
“The Russian Government may block 12 foreign web hosting providers for failing to register in the country.”
— Claire Aird, [00:04]
7. Australia's Crackdown on Online Scam Companies
Timestamp: [00:04]
Australia's financial regulator, ASIC, is in the process of deregistering 95 companies suspected of involvement in online investment and romance scams. These companies were often registered with false information and were associated with scam-related apps and websites, lending a facade of legitimacy to illicit activities.
“Australia's financial regulator is deregistering 95 companies with suspected links to online investment and romance scams.”
— Claire Aird, [00:04]
8. Cryptocurrency Investment Scam Busted in Spain
Timestamp: [00:04]
Spain's national police have dismantled a criminal group responsible for stealing over 19 million euros through cryptocurrency investment scams. Six suspects were apprehended, including the gang leader who was preparing to flee to Dubai. The group employed AI-generated deepfake advertisements featuring Spanish celebrities to lure victims to fraudulent investment platforms.
“Spain's national police have broken up a criminal group that allegedly stole more than 19 million euros via cryptocurrency investment scams.”
— Claire Aird, [00:04]
9. Ransomware Attack on Singaporean Banks
Timestamp: [00:04]
Two Singaporean banks, DBS Bank and the Bank of China's Singapore branch, confirmed that a ransomware gang stole customer data from a printing service provider. The compromised provider was used to print and dispatch letters to customers, highlighting the risk that third-party service integrations carry.
“Two Singaporean banks have confirmed a ransomware gang stole their customers' data from a printing service provider.”
— Claire Aird, [00:04]
10. Malicious VS Code Extensions with Crypto Miners
Timestamp: [00:04]
Security firm ExtensionTotal has identified 10 Visual Studio Code extensions containing crypto miners in the official plugin store. The extensions, published by three separate accounts, amassed over 1 million installs, although the installation numbers are suspected to have been artificially inflated to fake popularity.
“10 VS Code extensions that contain crypto miners have been spotted in the official plugin store.”
— Claire Aird, [00:04]
11. Hellcat Hacking Group Exploits JIRA Credentials
Timestamp: [00:04]
The Hellcat hacking group is leveraging JIRA credentials harvested by infostealer malware to infiltrate corporate systems. By acquiring these credentials from underground markets, Hellcat gains access to sensitive corporate networks, exfiltrates data, and subsequently extorts the affected companies. Notable victims include Telefónica, Orange, Schneider Electric, and Jaguar Land Rover.
“The Hellcat hacking group is using JIRA credentials collected by infostealer malware to breach systems.”
— Claire Aird, [00:04]
12. Kill Security Exploits Zero-Day in CrushFTP
Timestamp: [00:04]
A threat actor named Kill Security has exploited a zero-day vulnerability in CrushFTP, claiming responsibility for a large-scale data theft operation and ongoing extortion of victims. Concurrently, CrushFTP has asked MITRE to invalidate the original CVE for this vulnerability and to delay issuing a replacement for 90 days, prompting criticism that the maneuver aims to keep the vulnerability out of public view.
“A threat actor named Kill Security has claimed credit for a hacking spree that used a zero-day vulnerability in CrushFTP.”
— Claire Aird, [00:04]
13. ToddyCat's Exploitation of ESET Security Tool
Timestamp: [00:04]
The ToddyCat cyber espionage group is misusing an ESET security tool to escalate privileges on compromised systems. Although ESET has released a security update to address the issue, the attack underscores the ongoing trend of Advanced Persistent Threat (APT) groups exploiting known weaknesses in security software.
“The ToddyCat cyber espionage group is abusing an ESET security tool to escalate privileges on compromised systems.”
— Claire Aird, [00:04]
14. Google's Patch of Android Zero-Days
Timestamp: [00:04]
Google has patched two critical zero-day vulnerabilities in the Android operating system. One of the patches addresses the Cellebrite exploit that Serbian authorities allegedly used to unlock journalists' and protesters' phones, as detailed in an Amnesty International report. The second vulnerability is in the Android kernel's USB audio driver code.
“Google has patched two zero-days in Android.”
— Claire Aird, [00:04]
15. Meta Enhances Security for Teen Accounts
Timestamp: [00:04]
Meta is expanding its security protections for teen accounts beyond Instagram to include Facebook and Facebook Messenger. The feature prevents children under 16 from altering certain privacy settings without parental consent, such as who can contact them and the content they can access. Additionally, teens will require parental approval to live stream on Meta's platforms.
“Meta is expanding its teen accounts' security protections from Instagram to Facebook and Facebook Messenger accounts.”
— Claire Aird, [00:04]
16. Surge in DDoS Attacks Amid Geopolitical Conflicts
Timestamp: [00:04]
Akamai reports that four of the 10 largest DDoS attacks it has ever mitigated occurred in the past year. The frequency and magnitude of these attacks are rising, driven largely by ongoing conflicts such as the Russo-Ukrainian war and the Israeli-Palestinian conflict. These geopolitical tensions are contributing to the increased scale and persistence of DDoS threats.
“Akamai says that four of the 10 largest DDoS attacks it ever mitigated took place last year.”
— Claire Aird, [00:04]
Conclusion
Claire Aird concludes the bulletin by emphasizing the evolving nature of cybersecurity threats and the importance of staying informed. From data breaches and ransomware attacks to the misuse of AI tools and zero-day vulnerabilities, the landscape remains perilous. The Risky Business team continues to monitor these developments, providing essential updates to safeguard against emerging threats.
“And that is all for this podcast edition. Thanks for your company.”
— Claire Aird, [00:04]
Stay tuned to Risky Bulletin for ongoing updates and in-depth analysis of the cybersecurity world's latest happenings.