Claire Aird
An Iranian security firm is behind an airline hacking spree, Chinese hackers breach Singapore's critical infrastructure, new SharePoint and CrushFTP zero-days are being used in the wild, and Japan releases free ransomware decryptors. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 21st of July, and this podcast episode is brought to you by Thinkst, the makers of the much-loved Thinkst Canary.

A hacking campaign targeting global airlines has been attributed to an Iranian security firm. The company, Amanban, is allegedly a contractor behind the Iranian hacking group APT39. The company also targeted freight and logistics firms. Its operations were revealed in a leak of internal documents obtained by Iranian security researcher Nariman Gharib.

In other news, Singapore has detected Chinese hackers in its critical infrastructure. The country's cybersecurity agency has attributed the intrusions to a group tracked as UNC3886. The group is known for using exploits to target unpatched network equipment.

The Dutch Public Prosecution Office disconnected its internal network from the Internet on Friday. The Ministry of Justice said the office was likely hacked via a vulnerability in its Citrix NetScaler appliances. The Citrix Bleed 2 info-leak vulnerability is currently being exploited in the wild.

One of Russia's largest alcohol retailers closed more than 2,000 stores following a ransomware attack. The NovaBev Group said the attack last week impacted its ability to process orders at its physical stores as well as online. The company has refused to pay the ransom and has since restored operations.

Ukraine's military intelligence service claims to have hacked Russia's largest gas producer. Gazprom officials claim to have wiped servers, disabled over 20,000 workstations and deleted backups. The hack allegedly impacted almost 390 Gazprom subsidiaries. Gazprom has not confirmed the attack, but its website is down.

Russian authorities have charged seven suspects with leaking government data. Two individuals remain in police custody and the rest are under house arrest. All seven are employees at either the Ministry of Internal Affairs' Analytical and Data Department or IT providers. If found guilty, they could face up to 10 years in prison.

The UK government has sanctioned three units of the Russian military intelligence service and 18 of their officers. The GRU used cyber campaigns and influence operations to destabilise the UK, Ukraine and NATO. The sanctioned units conducted online reconnaissance to help target missile strike attacks, including one that killed hundreds of civilians at the Mariupol theatre in 2022. They also used malware to support the poisonings of Sergei and Yulia Skripal. The sanctions also hit three GRU officers who run a social media content mill operating out of West Africa.

US authorities have arrested two Venezuelan nationals for stealing more than $100,000 through ATM jackpotting. The two allegedly used electric scooters to drive to the ATMs and cover the sensors with glue. They returned hours later, opened the ATMs and installed malware that emptied the cash hoppers. Authorities used facial recognition to identify one of the suspects and confirmed his identity using Facebook photos.

A new zero-day vulnerability is being exploited in on-premises Microsoft SharePoint servers. It's a variant of an older bug that allows for remote code execution attacks. The zero-day is based on an exploit used at the Pwn2Own hacking contest in February. An exploit is already available online. Microsoft says it's working on a patch but has not provided a deadline.

Hackers are exploiting a CrushFTP zero-day to take over unpatched servers, CrushFTP said. The hackers reverse-engineered a recent patch and discovered another bug. The flaw allows attackers to take over the CrushFTP admin interface. The bug's been fixed in versions of CrushFTP released this month.

Hackers have added malware to five popular NPM packages. The malicious code specifically targets Windows systems. The attackers phished the libraries' maintainer last week to gain access. The five affected packages collectively have over 95 million weekly downloads. The libraries are also used in thousands of other downstream packages.

The Arch Linux team has removed three malicious packages from the AUR repository. The packages appeared to be browser modifications but installed a Trojan. The packages were available for two days before they were removed.

Japanese authorities have released free decryptors for the Phobos and 8Base ransomware. The decryptor was developed after the arrests of the admins of both ransomware variants. The Phobos ransomware-as-a-service has operated since 2018. The 8Base group launched in 2023 on a leaked version of the Phobos code.

And finally, an upcoming change to Bitcoin will prevent the use of funds secured with outdated encryption. Bitcoin wallets and exchanges will have to migrate to quantum-resistant cryptography, or owners' assets will be frozen on the blockchain. The Bitcoin team says quantum computing is an existential threat to the currency. It estimates the migration will take at least five years.

And that is all for this podcast edition. Today's show was brought to you by our sponsor Thinkst, the makers of the much-loved Thinkst Canary. Find them at canary.tools. Thanks for your company.
Podcast Information:
In the July 21, 2025 episode of Risky Bulletin, host Claire Aird delves into a series of critical cybersecurity incidents impacting global infrastructure, state-sponsored hacking activities, emerging vulnerabilities, and significant developments in ransomware mitigation. This summary encapsulates the episode's key discussions, insights, and conclusions, providing a comprehensive overview for those who haven't tuned in.
At the outset of the episode, Claire Aird highlights a trend in state-sponsored cyberattacks targeting the aviation sector.
"A hacking campaign targeting global airlines has been attributed to an Iranian security firm," Claire Aird announces.
Claire shifts focus to Southeast Asia, where Singapore faces renewed cyber threats.
"Singapore has detected Chinese hackers in its critical infrastructure," Claire Aird reports.
The Netherlands grapples with vulnerabilities in widely used software, affecting governmental operations.
"The Citrix Bleed 2 info-leak vulnerability is currently being exploited in the wild," Claire Aird informs listeners.
Ransomware continues to wreak havoc across industries, with significant repercussions in the retail sector.
"One of Russia's largest alcohol retailers closed more than 2,000 stores following a ransomware attack," Claire Aird states.
Geopolitical tensions manifest in sophisticated cyberattacks targeting the energy sector.
"Ukraine's military intelligence service claims to have hacked Russia's largest gas producer," Claire Aird relays.
In response to ongoing cyber aggression, the UK takes decisive action against Russian entities.
"The UK government has sanctioned three units of the Russian military intelligence service and 18 of their officers," Claire Aird notes.
Cybercriminal activity transcends national boundaries, with inventive methods employed to carry out financial theft.
"US authorities have arrested two Venezuelan nationals for stealing more than $100,000 through ATM jackpotting," Claire Aird explains.
The cybersecurity landscape continues to evolve with the discovery of new vulnerabilities.
"A new zero-day vulnerability is being exploited in on-premises Microsoft SharePoint servers," Claire Aird reports.
"Hackers are exploiting a CrushFTP zero-day to take over unpatched servers," Claire Aird continues.
Supply chain attacks remain a persistent threat, with malicious code infiltrating widely used software repositories.
"Hackers have added malware to five popular NPM packages," Claire Aird informs.
Open-source ecosystems are not immune to security breaches, necessitating proactive measures from maintainers.
"The Arch Linux team has removed three malicious packages from the AUR repository," Claire Aird announces.
In a significant stride against ransomware, authorities have developed tools to aid victims.
"Japanese authorities have released free decryptors for the Phobos and 8Base ransomware," Claire Aird conveys.
The intersection of cryptocurrency and emerging technologies brings new challenges to digital security.
"An upcoming change to Bitcoin will prevent the use of funds secured with outdated encryption," Claire Aird concludes.
The July 21, 2025 episode of Risky Bulletin presents a comprehensive overview of the dynamic and often perilous landscape of cybersecurity. From state-sponsored hacking campaigns and sophisticated ransomware attacks to emerging vulnerabilities and proactive defense mechanisms, the episode underscores the critical importance of continuous vigilance, timely updates, and collaborative efforts in safeguarding digital infrastructure.
For further details and ongoing updates, listeners are encouraged to subscribe to Risky Bulletin and stay informed about the latest in cybersecurity news and insights.