
Microsoft disrupts the malware signing service used by ransomware gangs, a CISA contractor leaks sensitive GovCloud keys, vulnerability exploitation is now the dominant network entry vector, and Drupal readies security updates for a highly critical vulnerability. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 20th of May, and this podcast episode is brought to you by Push Security.

In today's top story, Microsoft has seized domains and server infrastructure belonging to the Russian cybercrime service SignSpace Cloud. The service sold code signing certificates that it obtained by using hundreds of fake accounts on Microsoft's artifact signing service. It resold them to cybercrime groups involved in malware distribution. Customers included ransomware gangs like Ryseda, Inc, Qilin and Akira. Microsoft estimates the service made millions of US dollars before it was shut down.

In other news, a CISA contractor has leaked credentials for CISA cloud accounts via a public GitHub repository. The credentials granted access to at least three admin accounts on the agency's AWS GovCloud platform. The accounts are being used to manage CISA's internal systems. The credentials were revoked over the weekend.

The FBI is seeking to buy access to automated license plate readers nationwide. The agency is willing to pay up to $36 million per year to access data from the readers. Access to an ALPR network will allow the agency to track the movements of cars in the US without obtaining a warrant.

A group that was planning a military coup in Romania used ChatGPT to translate its communications with Russia's FSB intelligence service. The group worked directly with FSB director Alexander Bortnikov. The group was one of two that were meant to help Călin Georgescu take power in Romania after the country's Supreme Court cancelled a first round of presidential elections.

Three French holiday booking sites have been hacked and their data sold online. Breaches have been reported at Pierre & Vacances, Belambra and Gîtes de France. The hacks have all been claimed by an individual using the handle Chimeraz.

A zero-day vulnerability in Huawei enterprise routers was allegedly used to break into Post Luxembourg last year, according to original reporting from The Record. The July hack of the state-owned telecom and postal operator led to extended Internet outages in the country nine months later. Details about the zero-day have yet to be publicly disclosed by either the telco or Huawei.

Hackers have stolen patient data from healthcare software company RxNT. The American-based software company handles drug prescriptions and was hacked in March. US congresspeople are among those affected by the breach.

More than 200 people have been arrested over involvement in cybercrime operations across the MENA region. The operation involved Interpol and law enforcement agencies from 13 countries. The suspects are accused of cyber scams, phishing and malware operations.

South Korean authorities have arrested 36 suspects linked to a large-scale SMS spam operation. Among those arrested are the CEO and employees of a bulk SMS messaging business. The company is accused of working with an employee of a mobile virtual network operator to make spam SMS messages appear to come from legitimate financial institutions. The group sent more than 580 million fraudulent text messages in 15 months.

More than 24 million users have downloaded malicious apps that load ads in hidden containers to perform ad fraud. The trapdoor scheme has seen more than 450 Android apps serving 659 million ads every day. The original apps are clean, allowing them to be available on the official Google Play Store. Once installed, they trick users into installing third-party updates that perform a type of ad fraud known as task touch fraud.

Vulnerability exploitation was the most common initial access vector for last year's data breaches. According to Verizon's yearly Data Breach Investigations Report, vulnerabilities accounted for one third of all breaches. The number of software vulnerabilities also increased last year.

More than 300 npm packages have been compromised in the most recent wave of the Shai-Hulud npm worm. The incident appears to have originated from Alibaba's AntV data visualisation project account. A threat actor compromised the AntV account and deployed the Shai-Hulud worm via updates to existing libraries. The worm quickly spread to other packages. The Shai-Hulud source code was published online last week.

The Linux kernel project will treat AI-found bugs as public and will not handle reports through its private mailing list. Linux creator Linus Torvalds says AI-found bugs are usually duplicates that are a waste of time. He says AI reports have made the Linux security list almost entirely unmanageable.

The Drupal CMS has announced its May 20 security updates will patch a critical security bug. Drupal developers expect exploitation to start within hours or days of the patch. Fixes have been prepared for all current Drupal releases, as well as some end-of-life versions. No details have been shared about the vulnerability type. Drupal is the Internet's second most used CMS after WordPress.

A popular AI server has once again failed to patch major security flaws. Three vulnerabilities in the SGLang server allow path traversal and remote code execution attacks. Late last month, the project also failed to patch another RCE bug.

The largest bitcoin ATM operator in the US has filed for voluntary bankruptcy. Bitcoin Depot cited increasing costs and complexity related to the rollout of anti-fraud measures, customer lawsuits and the regulatory environment. At least two US states have banned crypto ATMs. A similar ban is also being prepared in Canada. According to the FBI, Americans lost more than $388 million to scams involving cryptocurrency ATMs and kiosks in 2025.

Eight of the largest US telcos have formed a new group for sharing intel on cyber attacks. The Communications Cybersecurity Information Sharing and Analysis Centre, or C2-ISAC, aims to prevent another Salt Typhoon telco mass hacking campaign. Founding members include AT&T, Comcast, Lumen, T-Mobile, Verizon and Zayo.

Red Hat has announced the general availability of Hardened Images, a collection of secure container images. The containers come with SBOMs and are constantly updated with the latest security patches. The new hardened images are available for free.

Discord is rolling out support for end-to-end encrypted voice and video calls. The feature runs on Discord's in-house DAVE protocol, which the company's been testing for two years. Encrypted calls will be the default for Discord users after the change.

X is limiting non-paying customers to 50 posts and 200 replies a day. The previous limit was 2,400 posts per day. The company claims the limit is intended to fight spam and bot activity. There's no word on how it intends to fight spam from verified accounts.

And finally, Elon Musk has lost his lawsuit against OpenAI and two of its executives. In his lawsuit against the AI company, Musk claimed he was misled when investing in the non-profit which later became a commercial entity. The jury decided Musk waited too long to sue the company. Musk sought $130 billion in damages, the removal of Sam Altman and Greg Brockman from the company and the dismantling of the for-profit entity.

And that is all for this podcast edition. Today's show was brought to you by our sponsor Push Security. Find them at pushsecurity.com. Thanks to your.
Podcast: Risky Bulletin
Host: Risky Business Media
Date: May 20, 2026
This fast-paced episode provides the latest cybersecurity news, focusing on Microsoft’s takedown of a major malware signing service used by ransomware gangs, high-profile cloud credential leaks, evolving cyber threats like vulnerability exploitation, and important updates on major platforms such as Drupal. The coverage is global and brisk, touching on law enforcement activities, major breaches, regulatory moves, and notable incidents shaping today’s cybersecurity landscape.
This episode is a must-listen for cybersecurity professionals and keen observers, providing concise, timely updates and expert synthesis on the threats, incidents, and industry reactions shaping the current landscape.