Risky Bulletin: Iranian Security Firm Behind Airline Hacking Spree – Detailed Summary
Podcast Information:
- Title: Risky Bulletin
- Host/Author: risky.biz
- Description: Regular cybersecurity news updates from the Risky Business team.
- Episode: Risky Bulletin: Iranian Security Firm Behind Airline Hacking Spree
- Release Date: July 21, 2025
Introduction
In the July 21, 2025 episode of Risky Bulletin, host Claire Aird delves into a series of critical cybersecurity incidents impacting global infrastructure, state-sponsored hacking activities, emerging vulnerabilities, and significant developments in ransomware mitigation. This summary encapsulates the episode's key discussions, insights, and conclusions, providing a comprehensive overview for those who haven't tuned in.
Iranian Security Firm Amnban Linked to Global Airline Hacking Campaign
At the outset of the episode, Claire Aird highlights a disturbing trend in state-sponsored cyberattacks targeting the aviation sector.
“A hacking campaign targeting global airlines has been attributed to an Iranian security firm,” Claire Aird announces [00:04].
- Perpetrator: The firm Amnban is alleged to be the contractor behind the Iranian hacking group APT39.
- Targets: Beyond airlines, Amnban has also targeted freight and logistics companies, indicating a broader strategy to disrupt global supply chains.
- Evidence: Amnban's operations came to light through a leak of internal documents, analyzed in detail by Iranian security researcher Nariman Gharib.
- Implications: This breach underscores the evolving sophistication of state-sponsored cyber threats and their potential to disrupt critical global infrastructure.
Chinese Hackers Breach Singapore's Critical Infrastructure
Claire shifts focus to Southeast Asia, where Singapore faces renewed cyber threats.
“Singapore has detected Chinese hackers in its critical infrastructure,” Claire Aird reports [00:04].
- Hacker Group: The intrusions have been attributed to UNC3886, a group notorious for exploiting vulnerabilities in unpatched network devices.
- Methodology: UNC3886 leverages exploits to target systems with outdated security patches, emphasizing the importance of regular updates and patch management.
- Impact: The breach poses significant risks to Singapore’s national security and economic stability, prompting increased vigilance from cybersecurity agencies.
Dutch Public Prosecution Office Responds to Citrix Vulnerability Exploit
The Netherlands grapples with vulnerabilities in widely used software, affecting governmental operations.
“The Citrix Bleed 2 info leak vulnerability is currently being exploited in the wild,” Claire Aird informs listeners [00:04].
- Incident: The Dutch public prosecution office severed its internal network from the Internet after falling victim to a hack.
- Vulnerability: The breach exploited weaknesses in Citrix NetScaler appliances, specifically the Citrix Bleed 2 vulnerability.
- Response: Immediate disconnection was necessary to contain the breach, highlighting the critical need for securing enterprise-grade software against known vulnerabilities.
Ransomware Disrupts Russia's Largest Alcohol Retailer, NovaBev Group
Ransomware continues to wreak havoc across industries, with significant repercussions in the retail sector.
“One of Russia's largest alcohol retailers closed more than 2,000 stores following a ransomware attack,” Claire Aird states [00:04].
- Target: NovaBev Group, a major player in the Russian alcohol market, experienced widespread operational disruptions.
- Attack Impact: The ransomware impeded both online and physical store operations, leading to substantial economic losses.
- Response: Demonstrating resilience, NovaBev refused to pay the ransom and successfully restored its operations, underscoring the potential for recovery without capitulating to cyber extortion.
Ukraine's Military Intelligence Claims Cyber Attack on Gazprom
Geopolitical tensions manifest in sophisticated cyberattacks targeting energy sectors.
“Ukraine's military intelligence service claims to have hacked Russia's largest gas producer,” Claire Aird relays [00:04].
- Alleged Attack: According to the claim, servers were wiped, over 20,000 workstations disabled, and backups deleted.
- Scope: The attack affected nearly 390 subsidiaries, indicating a highly coordinated and extensive operation.
- Current Status: While Gazprom has yet to confirm the breach officially, the company's website remains down, suggesting significant operational impact.
- Legal Actions: Russian authorities have charged seven suspects linked to government data leaks, with potential sentences of up to 10 years in prison. These individuals are associated with the Ministry of Internal Affairs Analytical and Data Department or IT providers.
UK Government Sanctions on Russian Military Intelligence Units
In response to ongoing cyber aggressions, the UK takes decisive action against Russian entities.
“The UK government has sanctioned three units of the Russian Military Intelligence Service and 18 of their officers,” Claire Aird notes [00:04].
- Sanctioned Entities: The targeted GRU units have been implicated in cyber campaigns and influence operations aimed at destabilizing the UK, Ukraine, and NATO.
- Notable Operations:
  - Mariupol Theatre Attack (2022): Facilitated online reconnaissance that contributed to a missile strike killing hundreds of civilians.
  - Skripal Poisonings: Utilized malware to support the poisoning of Sergei and Yulia Skripal.
- Additional Measures: Three GRU officers operating a social media content mill from West Africa have also been sanctioned, highlighting the global reach of their cyber influence operations.
Arrest of Venezuelan Nationals in ATM Jackpotting Scheme
Cybercriminal activities transcend national boundaries, with inventive methods employed to execute financial theft.
“US authorities have arrested two Venezuelan nationals for stealing more than $100,000 through ATM jackpotting,” Claire Aird explains [00:04].
- Modus Operandi:
  - Infiltration: The perpetrators used electric scooters to reach ATMs quickly and cover the machines' sensors with glue.
  - Execution: They returned shortly afterwards to install malware that emptied the cash hoppers.
- Investigation: Authorities employed facial recognition technology and cross-referenced Facebook photos to identify and confirm the suspects’ identities.
- Takeaway: This case exemplifies the blend of physical and cyber tactics in modern financial crimes, underscoring the need for robust ATM security measures.
Emerging Zero-Day Vulnerabilities in Microsoft SharePoint and CrushFTP
The cybersecurity landscape continues to evolve with the discovery of new vulnerabilities.
Microsoft SharePoint Zero-Day Exploit
“A new zero-day vulnerability is being exploited in on-premise Microsoft SharePoint servers,” Claire Aird reports [00:04].
- Details: This vulnerability is a variant of an older bug that facilitates remote code execution attacks.
- Origin: The zero-day is based on an exploit showcased at the Pwn2Own Hacking Contest in February.
- Availability: An exploit is already circulating online, posing immediate threats to unpatched SharePoint servers.
- Vendor Response: Microsoft is actively developing a patch but has not specified a release timeline, urging organizations to stay vigilant.
CrushFTP Zero-Day Exploit
“Hackers are exploiting a CrushFTP zero-day to take over unpatched servers,” Claire Aird continues [00:04].
- Mechanism: Attackers reverse-engineered a recent patch to uncover another vulnerability, enabling them to seize control of the CrushFTP admin interface.
- Impact: The flaw affects servers that have not applied the latest updates, allowing malicious actors to manipulate administrative controls.
- Mitigation: CrushFTP has addressed the bug in versions released this month, emphasizing the importance of timely updates to safeguard against such exploits.
Malware Injection in NPM Packages
Supply chain attacks remain a persistent threat, with malicious code infiltrating widely used software repositories.
“Hackers have added malware to five popular NPM packages,” Claire Aird informs [00:04].
- Target Platforms: The malicious code specifically targets Windows systems, compromising a broad user base.
- Attack Vector: The attackers phished the maintainer of one library last week, gaining unauthorized access to inject malware.
- Scope: The five affected NPM packages collectively enjoy over 95 million weekly downloads and are embedded in thousands of downstream packages, amplifying the potential impact.
- Response: Developers are urged to verify the integrity of dependencies and monitor for unusual activities within their projects.
Arch Linux Removes Malicious Packages from AUR Repository
Open-source ecosystems are not immune to security breaches, necessitating proactive measures from maintainers.
“The Arch Linux team has removed three malicious packages from the AUR repository,” Claire Aird announces [00:04].
- Nature of Packages: Initially appearing as benign browser modifications, the packages were discovered to install Trojans upon execution.
- Timeline: The malicious packages were available for only two days before being detected and removed.
- Community Action: This incident underscores the critical role of vigilant maintainers and the community in ensuring the security of open-source repositories.
Japanese Authorities Release Free Decryptors for Phobos and 8Base Ransomware
In a significant stride against ransomware, authorities have developed tools to aid victims.
“Japanese authorities have released free decryptors for the Phobos and 8Base ransomware,” Claire Aird conveys [00:04].
- Development: The decryptors were created following the arrests of the administrators behind both ransomware variants.
- Ransomware Profiles:
  - Phobos: Operating under a ransomware-as-a-service (RaaS) model since 2018.
  - 8Base: Emerged in 2023, leveraging leaked Phobos code to launch attacks.
- Impact: The availability of these decryptors provides relief to numerous victims, enabling data recovery without succumbing to ransom demands.
Upcoming Bitcoin Protocol Change to Mitigate Quantum Threats
The intersection of cryptocurrency and emerging technologies brings new challenges to digital security.
“An upcoming change to Bitcoin will prevent the use of funds secured with outdated encryption,” Claire Aird concludes [00:04].
- Reasoning: The Bitcoin development team acknowledges quantum computing as an existential threat to the cryptocurrency’s security framework.
- Implementation: Bitcoin wallets and exchanges will be mandated to adopt quantum-resistant cryptographic algorithms.
- Timeline: The migration process is estimated to span at least five years, providing ample time for the ecosystem to adapt.
- Consequences: Assets secured with outdated encryption methods will be frozen on the blockchain, urging stakeholders to upgrade their security protocols proactively.
Conclusion
The July 21, 2025 episode of Risky Bulletin presents a comprehensive overview of the dynamic and often perilous landscape of cybersecurity. From state-sponsored hacking campaigns and sophisticated ransomware attacks to emerging vulnerabilities and proactive defense mechanisms, the episode underscores the critical importance of continuous vigilance, timely updates, and collaborative efforts in safeguarding digital infrastructure.
For further details and ongoing updates, listeners are encouraged to subscribe to Risky Bulletin and stay informed about the latest in cybersecurity news and insights.
