
A
Microsoft restricts Chinese firms' access to its MAPP program, Apple patches zero-day used in the wild, a Scattered Spider member gets 10 years in prison, and a new exploit broker pops up in the UAE. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 22nd of August, and this podcast episode is brought to you by Kroll Cyber. Find them at kroll.com/cyber.
Chinese security firms will have restricted access to Microsoft's Active Protections Program. According to Bloomberg, MAPP access will be limited in countries where security firms have to report vulnerabilities to their governments. Only Chinese companies have been restricted so far. Microsoft will also no longer provide proof of concept code for flaws. Participants in the program will only receive a general description of upcoming patches. The changes follow suspicions that a recent SharePoint zero day leaked out of MAPP.
Apple has patched an actively exploited zero day in iOS and macOS. The vulnerability is located in Apple's image processing framework, Image IO. Apple says attackers can abuse malicious media files for memory corruption. The company says the zero day was used in a sophisticated attack against specific targeted individuals.
A new exploit broker is offering rewards of up to $20 million for exploit chains in mobile operating systems. The broker, Advanced Security Solutions, launched this month and operates out of the UAE. The company is offering the highest prices seen in the open market for zero day exploits. It's also offering $15 million for Android and iOS zero-click exploits, $10 million for both Linux and Windows, and $7 million for macOS.
The Office of the Director of National Intelligence will fire 40% of its workforce. The agency hopes to cut its annual budget by more than $700 million. Director of National Intelligence Tulsi Gabbard claimed the office was inefficient and it politicised intelligence.
The Trump administration has selected Joe Francescon to become the next NSA deputy director. Francescon will replace former deputy director Wendy Noble. She was fired by the White House in April following a request by far right activist Laura Loomer. Francescon served in the Department of Defence and National Security Council during the first Trump administration.
The head of operations at France's anti disinformation agency Viginum has left for the private sector. According to Intelligence Online, Hervé Letoqueux will join Finnish anti disinformation company CheckFirst. Letoqueux has led Viginum since the agency was established three years ago.
China's Great Firewall blocked all HTTPS traffic for one hour on Wednesday. The incident caused significant Internet disruptions in China. It's unclear if this was an intentional test or a technical fault.
The US Federal Trade Commission has warned US tech companies against weakening encryption at the request of foreign governments. The FTC specifically mentions the EU's Digital Services Act and the UK's Online Safety Act. The commission sent letters to several companies, including Apple, Meta, Signal and Google.
Europol says it has not offered a reward for information about Qilin ransomware group members. This week it was reported that the agency advertised a $50,000 reward. The offer was posted on a Europol themed Telegram channel. The agency told SecurityWeek it does not have an official presence on Telegram.
Hackers have stolen customer data from Orange Telecom in Belgium. The hack occurred at the end of July and impacted 850,000 people. Stolen data includes names, telephone numbers, SIM card numbers, PUK codes and subscription details. Orange Romania and Orange France also disclosed breaches this year.
An Oregon man has been charged with building and operating the RapperBot DDoS botnet. Ethan Foltz managed the botnet as a DDoS for hire operation.
He worked with another individual going by the hacker name of Slaykings. The botnet had been infecting home routers and DVRs since 2021. It had as many as 95,000 infected devices before the FBI took it offline earlier this year. According to court documents, Foltz was identified after he used his PayPal account to pay for command and control servers. The botnet was also used to target Pentagon networks on at least three occasions.
A member of the Scattered Spider group has been sentenced in the US to 10 years in prison. Noah Michael Urban hacked into major online services, stole customer data and then used the information for SIM swapping attacks. Urban used the hacker name Sosa and King Bob. He's one of five Scattered Spider members detained last year. The sentence also included an order to pay $13 million in restitution to past victims.
A 26 year old man has been sentenced to four years in a Dutch prison for scams targeting the elderly. He stole €277,000 using sites that impersonated banks and government services. The hacking spree started in 2019 and he was arrested in 2024.
Thai and Vietnamese authorities have detained two people accused of driving with SMS blasters. A 35 year old South Korean man was arrested in Bangkok. The second individual was detained in Ho Chi Minh City. Both were paid to drive around and send SMS spam to users who connected to their fake base station.
A popular Google Chrome extension is silently taking screenshots of every page its users visit. The FreeVPN.One extension has been installed by more than 100,000 users. It does not disclose the behaviour. Once pages are loaded, screenshots are sent to a remote server. Device details and geolocation data are also collected. According to Koi Security, the malicious behaviour was added in an update on July 17. The extension is still live on the Chrome Web Store, where it was once featured as a recommended extension.
A Russian cyber espionage group is still exploiting a Cisco router vulnerability that was patched in 2018. The bug allows attackers to take over devices and deploy a firmware backdoor known as SYNful Knock. Cisco and the FBI have urged companies to install patches and mitigations. Attacks have been linked to a cyber unit of the Russian FSB intelligence agency.
A threat actor is hacking geospatial database servers to hijack their bandwidth. The hackers target unpatched GeoServer systems and add the servers to proxy networks, according to Palo Alto Networks. The attacks have been ongoing since March.
Microsoft has silently patched a vulnerability in its Copilot AI agent. It allowed malicious users to instruct Copilot to access files without leaving traces in activity logs. Security firm Pistachio says Microsoft patched the bug this week, but did not disclose it, notify customers or issue a CVE.
Microsoft aims to ship quantum safe encryption algorithms in all products by 2029. The algorithms will become defaults by 2033. The migration to quantum safe algorithms will begin with core services next year.
And finally, Mozilla will host its upcoming Thundermail webmail service in Germany. This is Mozilla's first foray into the hosted email business. It's expected to launch later this year as a paid subscription service.
And that is all for this podcast edition. Today's show was brought to you by our sponsor, Kroll Cyber. Find them at kroll.com/cyber. Thanks for your company.
Podcast: Risky Bulletin (Risky.biz)
Date: August 21, 2025
Host/Reader: Claire Aird
Prepared by: Catalin Cimpanu
This episode delivers a rapid-fire rundown of the latest events and emerging stories in cybersecurity. Major headlines include Microsoft's new restrictions on Chinese firms in its MAPP program, notable zero-day exploits, an unprecedented market for mobile vulnerabilities, high-profile cybercrime convictions, and ongoing government actions in tech and security worldwide.
[00:04]
Change: Chinese cybersecurity firms now face restricted access to Microsoft’s Active Protections Program (MAPP).
Reason: According to Bloomberg, the restriction applies in countries requiring firms to report vulnerabilities to their governments. Leaks, such as the recent SharePoint zero-day, are suspected to have originated from this program.
Impact: Chinese firms are the only ones affected so far. All MAPP participants will now receive only general descriptions of upcoming patches, not proof-of-concept code.
“Microsoft will also no longer provide proof of concept code for flaws. Participants in the program will only receive a general description of upcoming patches.”
— Claire Aird, [00:23]
[01:14]
Vulnerability: Found in Apple’s Image IO framework and exploited via malicious media files.
Attack: Used in sophisticated, targeted operations against specific individuals.
Action: Apple has rolled out patches for iOS and macOS.
“Apple says the Zero day was used in a sophisticated attack against specific targeted individuals.”
— Claire Aird, [01:39]
[02:18]
Scale: The Office of the Director of National Intelligence will cut 40% of its workforce to save over $700 million annually.
Critique: Director Tulsi Gabbard calls the office "inefficient" and "politicised".
“Director of National Intelligence Tulsi Gabbard claimed the office was inefficient and it politicised intelligence.”
— Claire Aird, [02:29]
[03:52]
Fake Post: Reports surfaced of a $50,000 Europol bounty; confirmed to be an unofficial Telegram hoax.
“The agency told SecurityWeek it does not have an official presence on Telegram.”
— Claire Aird, [03:59]
[04:59]
Defendant: Noah Michael Urban (“Sosa”, “King Bob”) gets 10 years in prison.
Crimes: Hacked major platforms, stole data, and used it for SIM-swapping attacks.
Restitution: Ordered to pay $13 million to victims.
“Urban used the hacker name Sosa and King Bob.”
— Claire Aird, [05:09]
Summary:
This Risky Bulletin episode is a whirlwind tour through today’s most pressing and unusual cybersecurity news. From policy shifts at tech giants and alarming vulnerabilities, to lucrative exploit marketplaces and aggressive cybercrime crackdowns, the episode delivers crucial updates for security professionals and policy watchers alike—always in Risky.biz’s factual, punchy tone.