Risky Bulletin: Law Enforcement Takes Down AVCheck – Detailed Summary
Podcast Information
- Title: Risky Bulletin
- Host/Author: risky.biz
- Episode: Risky Bulletin: Law enforcement takes down AVCheck
- Release Date: June 2, 2025
Hosts:
- Catalin Cimpanu: Prepared the bulletin
- Claire Aird: Narrator
Seizure of AVCheck and Related Cybercrime Services
Timestamp: [00:04]
The episode opens with the takedown of AVCheck, a counter-antivirus (CAV) service that had been operating for more than a decade. AVCheck let cybercriminals scan their malware against a range of antivirus engines to see which products detected it, so they could tweak their code until it evaded detection before launching attacks.
Key Points:
- Operation Endgame: A multinational effort involving law enforcement agencies from Finland, the Netherlands, and the United States led to the seizure of AVCheck.
- Additional Services: Alongside AVCheck, a malware obfuscation service managed by the same team was also taken down.
- Legal Proceedings: As of the episode's release, no charges have been announced against the individuals involved.
Notable Quote:
"The seizure was part of multinational Operation Endgame," Claire Aird explains, highlighting the collaborative international effort behind the operation. [00:04]
Senators Advocate for Cyber Safety Review Board Reinstatement
Timestamp: [00:04]
In a move to bolster national cybersecurity oversight, four Democratic senators have formally requested the reinstatement of the Cyber Safety Review Board.
Key Points:
- Background: Established in 2022, the board was responsible for investigating significant cybersecurity breaches and providing recommendations to both government bodies and the private sector.
- Disbandment: The board was dissolved following President Donald Trump's inauguration in January.
- Urgent Appeal: The senators addressed Homeland Security Secretary Kristi Noem, urging the Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) to collaborate in reinstating the board immediately.
Notable Quote:
"The board was established to investigate serious cybersecurity breaches and make crucial recommendations," Claire Aird notes, emphasizing the board's vital role. [00:04]
Breach of White House Chief of Staff’s Phone Contacts
Timestamp: [00:04]
Attackers have obtained the phone contacts of White House Chief of Staff Susie Wiles and have used deepfakes to impersonate her to the people in that contact list.
Key Points:
- Impersonation Tactics: Posing as Wiles, the attackers reached out to Republican lawmakers.
- Method of Breach: It remains unclear whether the breach occurred through the Chief of Staff's phone or an associated online account.
- Investigation Findings: Federal investigators informed the Wall Street Journal that they do not suspect involvement from a foreign nation.
Notable Quote:
"Attackers have used deepfakes to impersonate her," Claire Aird reports, underscoring the sophistication of the breach. [00:04]
EU’s New Age Verification App Launch
Timestamp: [00:04]
The European Union is set to launch a new age verification app in July, designed to let online services verify users' ages without compromising their privacy.
Key Points:
- Functionality: The app will confirm users' ages without disclosing personal details to technology platforms.
- Motivation: The initiative responds to growing pressure from member states for a unified, EU-wide minimum age for social media use.
Notable Quote:
"The EU will launch a new age verification app to confirm users' ages without disclosing personal details," Claire Aird explains. [00:04]
Israel Thwarts Iranian Cyber Operations
Timestamp: [00:04]
Israel's domestic security agency, Shin Bet, says it has foiled 85 Iranian cyber operations aimed at gathering intelligence for potential assassinations.
Key Points:
- Targets: The operations targeted senior Israeli security officials, politicians, journalists, and academics.
- Tactics: Iranian operatives used Google Meet invitations as a lure in attempts to extract sensitive information such as home addresses and daily routines.
- Outcome: The gathered information was intended to aid operatives on the ground in Israel.
Notable Quote:
"The Shin Bet agency says the cyber attacks sought to gather data on senior Israeli officials," Claire Aird summarizes. [00:04]
Identification of Trickbot Gang Leader
Timestamp: [00:04]
German authorities have pinpointed the leader of the infamous Trickbot gang—Vitaly Nikolaevich Kovalyov, a 36-year-old Russian national.
Key Points:
- Aliases: Kovalyov operated under the pseudonyms Bentley and Stern within the gang.
- Previous Actions: The US charged and sanctioned Kovalyov in 2023 for his involvement with Trickbot, but he had not been identified as the gang's top administrator until now.
- Gang's History: Trickbot's infrastructure was dismantled in 2020 and again in 2024, yet the group has repeatedly rebuilt, underscoring its resilience and continued threat.
Notable Quote:
"German authorities have identified the leader of the Trickbot cybercrime gang as Vitaly Nikolaevich Kovalyov," Claire Aird states, revealing the breakthrough in the investigation. [00:04]
Lumma Stealer Malware Attempts Recovery
Timestamp: [00:04]
The developers of the Lumma Stealer malware say they are making significant efforts to restore their servers after law enforcement seized a large portion of their infrastructure in late May.
Key Points:
- Operational Downtime: The malware operation has been offline since the seizure.
- Research Insights: Check Point researchers say the takedown has damaged the operation's reputation among its criminal customers, which may hinder any comeback.
Notable Quote:
"The developers of the Lumma Stealer malware say they're making significant efforts to restore servers," Claire Aird notes, highlighting the malware's resilience. [00:04]
Cryptocurrency Mining Attacks on South Korean Internet Cafes
Timestamp: [00:04]
South Korean internet cafés have been infected with cryptocurrency miners, with hackers abusing the cafés' PC management software to deploy the T-Rex miner.
Key Points:
- Attack Vector: How the attacker obtained the access needed to push the miner through the management platform remains unclear.
- Threat Actor: South Korean security firm AhnLab reports that the same attacker has been active for three years, pointing to a sustained campaign.
Notable Quote:
"Hackers are using the cafe's management platform to spread the T-Rex crypto miner," Claire Aird explains, shedding light on the attack mechanism. [00:04]
BitMEX Thwarts Lazarus Group Intrusion
Timestamp: [00:04]
The BitMEX cryptocurrency exchange successfully repelled an intrusion attempt by the notorious North Korean hacking group, Lazarus.
Key Points:
- Tracing the Attack: BitMEX's security team accessed one of Lazarus's servers, tracing an operator back to Jiaxing, China.
- Attack Method: The attempt was detected when a Lazarus operator tried to entice a BitMEX developer into executing a malicious GitHub project.
Notable Quote:
"BitMEX's security team gained access to one of the group's servers," Claire Aird reveals, emphasizing the proactive defense measures taken. [00:04]
ChatGPT and the Reproduction of Russian Propaganda
Timestamp: [00:04]
ChatGPT has been observed repeating Russian propaganda produced by Pravda, a pro-Kremlin network of websites.
Key Points:
- Propagation Method: Pravda has been posting large volumes of English-language fake news on the Russian social network VK.
- AI Involvement: That material is being ingested as AI training data and is now surfacing in ChatGPT's answers.
- Research Findings: Last week, researchers warned that Pravda is positioning its content to be indexed by AI assistants, which would amplify the reach of its misinformation.
Notable Quote:
"ChatGPT has been observed reproducing Russian propaganda from the pro-Kremlin network Pravda," Claire Aird notes, highlighting the unintended consequences of AI training data. [00:04]
Vulnerability in AI Platform Lovable Exposes Sensitive Data
Timestamp: [00:04]
A critical vulnerability in Lovable, an AI-based "vibe-coding" platform for generating web applications, allowed attackers to access sensitive customer data, including user records and API keys.
Key Points:
- Exploitation Method: Attackers can craft specific requests to expose the content of customer databases.
- Discovery: Engineers at two separate companies independently found the issue and were able to pull data from applications built with Lovable.
- Public Disclosure: The bug was disclosed publicly last week after Lovable had left it unpatched for more than two months.
Notable Quote:
"Attackers can craft requests that expose the content of some customer databases," Claire Aird explains, underscoring the severity of the vulnerability. [00:04]
Exploitation of Vulnerabilities in vBulletin Forums
Timestamp: [00:04]
Hackers are actively exploiting two recently disclosed vulnerabilities to take over vBulletin forums.
Key Points:
- Vulnerability History: Both bugs were originally patched in April of last year.
- Re-emergence: Attacks resumed last week after security researcher Egidio Romano published proof-of-concept code, which made the bugs easy to weaponise against forums that never applied the patch.
Notable Quote:
"Hackers are exploiting two recently disclosed vulnerabilities to take over vBulletin forums," Claire Aird reports, highlighting the ongoing security challenges despite previous patches. [00:04]
Linux Kernel Enhances Cryptographic Key Security
Timestamp: [00:04]
The Linux kernel has added support for hardware-wrapped inline encryption keys, a mechanism for handling storage encryption keys so that the raw key material never appears in system memory.
Key Points:
- Feature Details: A hardware-wrapped key is encrypted ("wrapped") by a hardware key-management component and is only unwrapped inside that hardware when it is loaded into the storage controller's inline encryption engine. The kernel and user space only ever hold the wrapped form, so the plaintext key cannot be read from RAM.
- Origin: The feature was first developed for Android devices to mitigate cold boot attacks, which recover keys by dumping memory, and has now been merged upstream for the Linux kernel 6.16 release.
Notable Quote:
"The Linux kernel has added support for a new mechanism to securely store cryptographic keys," Claire Aird says, detailing the technical advancement. [00:04]
Google Distrusts Certificates from Taiwanese and Hungarian Firms
Timestamp: [00:04]
In a significant security move, Google has announced that it will no longer trust certificates issued by Chunghwa Telecom, Taiwan's largest telecom operator, and Netlock, a Hungarian certificate authority.
Key Points:
- Action Plan: Root certificates from both companies will be removed from the Chrome Root Store in Chrome 139 for Chrome and ChromeOS, scheduled for release at the end of July.
- Reasoning: Google said it had lost confidence in the security and compliance practices of both Chunghwa Telecom and Netlock, prompting the removal.
Notable Quote:
"Google will no longer trust certificates issued by Chinese telco Chunghwa Telecom and Hungarian firm Netlock," Claire Aird announces, highlighting the loss of trust in the two certificate authorities. [00:04]
This episode of Risky Bulletin, prepared by Catalin Cimpanu and narrated by Claire Aird, provides an overview of the cybersecurity news of June 2, 2025. It covers law enforcement actions against cybercrime operations such as AVCheck, Trickbot, and Lumma Stealer; the push to reinstate the Cyber Safety Review Board; state-backed operations attributed to Iran and North Korea; and vulnerabilities in AI coding platforms and forum software, alongside the Linux kernel's new hardware-wrapped key support and Google's decision to distrust two certificate authorities.
