Hackers bypass FIDO keys with a new phishing technique. A mobile surveillance vendor deploys an SS7 exploit. Ransomware hits South Korea's largest insurance provider. And law enforcement agencies dismantle a pro-Kremlin DDoS group. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 18th of July, and this podcast episode is brought to you by Zero Networks.

A cybercrime group is using a new phishing technique to bypass FIDO keys. It's been used by a threat actor known as PoisonSeed, who's previously targeted cryptocurrency users. According to security firm Expel, the technique abuses the cross-device sign-in feature to make it appear that a FIDO key is not present or needed.

In other news, a vulnerability in the SS7 telecommunications protocol is being exploited by a mobile surveillance vendor. The exploit allows attackers to trick mobile operators into disclosing subscriber locations. Requests for location details are not usually permitted from outside the operator's network. The attack bypasses that restriction by leveraging confusion in the protocol's encoding of subscriber identifiers. Telco security firm Enea saw attacks starting in late 2024.

A ransomware attack has disrupted South Korea's largest insurance company. Seoul Guarantee Insurance has been handwriting its loan guarantee certificates since Monday's incident. The company is working to restore affected systems.

Grocery distributor United Natural Foods expects to lose up to $400 million in sales this year following a recent cyber attack. Multiple systems were taken offline for days while the company recovered from the ransomware attack in June. The company's ability to fulfil and distribute customer orders was affected.

Australian airline Qantas has obtained a court order to prevent the use of data stolen in a recent ransomware attack. Almost six customers were affected in last month's breach. The interim injunction prevents third parties from publishing, viewing or accessing the data if it's released by the attackers. No ransomware group has taken credit for the incident yet.

A minor right-wing political party in Australia, the United Australia Party, has suffered a ransomware attack. An associated group, the Trumpet of Patriots, confirmed that hackers stole data from their servers in late June. The data includes personal information, banking records and employee details. Both groups are controlled by Australian mining magnate Clive Palmer.

A data breach exposing the names of Afghans who helped the UK military is larger than previously reported, new reporting has revealed. The leak also exposed personal data of UK spies and special forces, as well as some military and government officials, according to the BBC. The breach occurred when a staff member at the headquarters of the UK Special Forces inadvertently emailed the data. The incident took place in 2022 but was made public this week.

Hackers have stolen customer data from the Seychelles Commercial Bank. The bank notified customers last Friday. It said no money was stolen. A hacker advertising the data for sale on an underground forum has complained that the bank has not yet engaged in negotiations.

Hackers have stolen $27 million worth of assets from the BigONE cryptocurrency exchange. The funds were stolen from one of the company's hot wallets on Wednesday. BigONE has said it will reimburse any affected users.

The Australian government will establish cyber reserves within its defence force. The new unit will be comprised of civilian cybersecurity experts. It'll be tasked with defending Australia's critical networks. It's expected to launch early next year.

The Russian Duma has banned online searches for what it considers extremist content. Russians can be fined up to $65 for searching for terrorist groups, fascist ideology or LGBTQ content. Users searching for VPNs and other censorship evasion technology can also be fined.

An international law enforcement operation has disrupted the activity of pro-Kremlin activist group NoName057(16). Authorities seized over 100 servers and detained two people. Arrest warrants have been issued for seven other individuals. The group launched following Russia's invasion of Ukraine and has carried out thousands of DDoS attacks against Western countries.

An Armenian national has been extradited from Ukraine to the US over his role in the Ryuk ransomware attacks. Karen Serobovich Vardanyan was a member of a group that extorted more than $15 million from victims. Another Armenian member of the group was arrested in France and is undergoing extradition proceedings. The group also included two Ukrainians who've not yet been arrested.

Four members of the Scattered Spider group have been released on bail in the UK. They were arrested last week and have been charged with hacking UK retailers Marks & Spencer, Co-op and Harrods.

Cambodian authorities have arrested more than 1,000 suspects linked to online scams and cybercrime operations. Police raids took place across the country. Prime Minister Hun Manet ordered government bodies to crack down on cybercrime following international pressure, according to Cambodia News. Major scam compounds connected to local political elites were not included in the raids.

Belgian authorities are printing cybercrime warnings on bread bags to alert the elderly to the risks. Police have distributed more than 10,000 bags to bakers across the Pajottenland region. The bread bags are printed with advice for dealing with scammers who request PINs and passwords.

Google is suing the operators of the BadBox botnet. The group infects Android-based smart TV devices with ad fraud malware. It's believed to have infected over 10 million devices. Devices often come pre-installed with the malware from the factory or have it installed during initial setup, according to Bleeping Computer. Google is seeking damages and a permanent injunction to dismantle the malware's infrastructure.

A hacking group with links to ransomware is targeting SonicWall SMA VPNs. Google said the group uses previously stolen credentials and one-time password seeds to gain access to fully patched devices. The attackers deploy a backdoor and user-mode rootkit. The group was previously linked to attacks with the Abyss ransomware.

Google has patched an actively exploited Chrome zero-day. The vulnerability is a sandbox escape via an exploit in Chrome's WebGL and GPU components. It was discovered by Google's security team and appears to be chained with another exploit patched earlier this month. This is the fifth Chrome zero-day patched this year.

A container escape vulnerability has been discovered in the Nvidia Container Toolkit. The toolkit is a sandboxing technology for Nvidia GPUs on Linux and is used by multiple cloud AI platforms. According to Wiz, the vulnerability allows a malicious container to escape isolation and gain root access to the host machine.

And finally, three vulnerabilities have been found in ATEN KVM switches. The devices are used for network access to the screens and keyboards of remote servers. The vulnerabilities allow attackers to take control of the connected servers. The flaws were discovered by Russian security firm Positive Technologies.

And that is all for this podcast edition. Today's show was brought to you by Zero Networks. Find them at zeronetworks.com. Thanks for your company.
Risky Bulletin: New Phishing Technique Bypasses FIDO Keys – July 18, 2025
In this episode of Risky Bulletin, host Claire Aird delivers a comprehensive update on the latest developments in the cybersecurity landscape. The bulletin covers a range of topics, including sophisticated phishing techniques, ransomware attacks on major organizations, significant data breaches, governmental cybersecurity initiatives, and recent vulnerabilities discovered in widely used technologies. Below is a detailed summary of the key points discussed.
A cybercrime group known as PoisonSeed, which has previously targeted cryptocurrency users, is using a new phishing technique that bypasses FIDO (Fast Identity Online) keys. According to security firm Expel, the method abuses the cross-device sign-in feature to make it appear to the victim that a FIDO key is not present or not needed.
Claire Aird [00:04]: "A cybercrime group is using a new phishing technique to bypass FIDO keys. It's been used by a threat actor known as PoisonSeed, who's previously targeted cryptocurrency users."
The key's cryptography is not being broken here; the attacker routes around it by steering the victim through the cross-device sign-in flow instead of the key itself. That moves the defensive question from the hardware to the sign-in path: a relying party or identity provider that cannot restrict, or at least alert on, cross-device sign-ins it does not expect has little protection against this technique.
A vulnerability in the SS7 telecommunications protocol is being exploited by a mobile surveillance vendor. The exploit lets attackers trick mobile operators into disclosing subscriber locations. Requests for location details are not normally accepted from outside the operator's own network.
Claire Aird [00:04]: "A vulnerability in the SS7 telecommunications protocol is being exploited by a mobile surveillance vendor. The exploit allows attackers to trick mobile operators into disclosing subscriber locations."
Telecom security firm Enea reported that the attacks began in late 2024. The attack gets around the restriction by exploiting confusion in the protocol's encoding of subscriber identifiers. An encoding confusion of this kind works because the element enforcing the restriction and the element answering the request do not interpret the identifier the same way, so a request that one of them fails to recognise can still be acted on by the other.
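As an added illustration of the class of bug described above (this is not Enea's analysis, the surveillance vendor's exploit, or any real SS7 stack): a toy model of a boundary filter and a core-network element that both decode a TBCD-packed subscriber identifier wrapped in a BER TLV. The tag value, the protected prefix and the IMSI are constructed for the example, and the particular ambiguity used (a non-minimal BER length octet that DER forbids but BER allows) is a generic stand-in for whatever encoding quirk the real attack abuses. What it demonstrates is the decisive design choice in the filter: if a screening node passes requests whose identifier it cannot decode, a more lenient core element still answers them.

```python
from typing import Optional, Tuple

# Hypothetical tag for the identifier element; real MAP/TCAP messages use ASN.1
# structures that are not reproduced here.
IMSI_TAG = 0x04

# Constructed home-network prefix (MCC+MNC) that the boundary filter protects.
PROTECTED_IMSI_PREFIX = "26201"


def tbcd_encode(digits: str) -> bytes:
    """Pack decimal digits as TBCD: two digits per octet, first digit in the
    low nibble, 0xF filler in the high nibble when the digit count is odd."""
    if not digits.isdigit():
        raise ValueError("digits only")
    if len(digits) % 2:
        digits += "F"
    return bytes((int(digits[i + 1], 16) << 4) | int(digits[i], 16)
                 for i in range(0, len(digits), 2))


def tbcd_decode(raw: bytes) -> str:
    """Inverse of tbcd_encode; a 0xF high nibble is the filler and is skipped."""
    digits = []
    for octet in raw:
        digits.append(f"{octet & 0xF:X}")
        if (octet >> 4) != 0xF:
            digits.append(f"{octet >> 4:X}")
    return "".join(digits)


def ber_tlv(tag: int, value: bytes, long_form: bool = False) -> bytes:
    """Encode one BER TLV. DER requires the shortest length encoding; BER also
    accepts the long form (0x81 plus one length octet) for values under 128
    bytes. That optional second spelling is the ambiguity modelled here."""
    if len(value) >= 128:
        raise ValueError("example only handles values under 128 bytes")
    length = bytes([0x81, len(value)]) if long_form else bytes([len(value)])
    return bytes([tag]) + length + value


def parse_tlv(buf: bytes, strict: bool) -> Tuple[int, bytes]:
    """Decode one TLV. strict=True follows DER and rejects a long-form length
    that could have been written in short form; strict=False tolerates it."""
    tag, first = buf[0], buf[1]
    if first < 0x80:
        length, offset = first, 2
    elif first == 0x81:
        length, offset = buf[2], 3
        if strict and length < 128:
            raise ValueError("non-minimal length encoding")
    else:
        raise ValueError("unsupported length form")
    value = buf[offset:offset + length]
    if len(value) != length:
        raise ValueError("truncated value")
    return tag, value


def boundary_filter(msg: bytes, fail_open: bool) -> str:
    """Model of the screening node at the network edge. It blocks a request
    when it recognises a home-network IMSI; what it does when it cannot decode
    the identifier at all is the decisive choice."""
    try:
        tag, value = parse_tlv(msg, strict=True)
    except ValueError:
        return "pass" if fail_open else "block"
    if tag == IMSI_TAG and tbcd_decode(value).startswith(PROTECTED_IMSI_PREFIX):
        return "block"
    return "pass"


def core_node(msg: bytes) -> Optional[str]:
    """Model of the lenient core-network element that answers the request: it
    decodes the identifier even in the non-canonical form."""
    tag, value = parse_tlv(msg, strict=False)
    return tbcd_decode(value) if tag == IMSI_TAG else None


def simulate(imsi: str, long_form: bool, fail_open: bool = True) -> Tuple[str, Optional[str]]:
    """Return (filter decision, identifier as seen by the core) for one request."""
    msg = ber_tlv(IMSI_TAG, tbcd_encode(imsi), long_form=long_form)
    return boundary_filter(msg, fail_open), core_node(msg)


if __name__ == "__main__":
    imsi = "262011234567890"  # constructed home-network subscriber
    print("canonical encoding, fail-open filter:  ", simulate(imsi, long_form=False))
    print("long-form encoding, fail-open filter:  ", simulate(imsi, long_form=True))
    print("long-form encoding, fail-closed filter:", simulate(imsi, long_form=True, fail_open=False))
```

Run it directly to see the three outcomes. The middle one is the bypass: the filter cannot decode the oddly encoded identifier, passes the request, and the core still resolves it to a protected subscriber. The fail-closed variant is the check a screening element should make: a request whose identifier it cannot parse is not a request it can vouch for.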
The bulletin highlights several high-profile ransomware incidents:
South Korea’s Largest Insurance Provider: Seoul Guarantee Insurance has been forced to manually process loan guarantee certificates following a ransomware attack on Monday. The company is actively working to restore its affected systems.
United Natural Foods (UNFI): A recent cyber attack has led UNFI to anticipate a loss of up to $400 million in sales for the year. The ransomware incident in June resulted in multiple system outages, severely impacting the company's ability to fulfill and distribute customer orders.
Australian Airline Qantas: Qantas secured a court order to prevent the use of data stolen in last month's breach, which affected nearly six million customers. The interim injunction prohibits third parties from publishing, viewing or accessing the data if the attackers release it. No ransomware group has claimed the incident yet.
United Australia Party: A minor right-wing political party in Australia, the United Australia Party, has suffered a ransomware attack. An associated group, the Trumpet of Patriots, confirmed that hackers stole data from its servers in late June, including personal information, banking records and employee details. Both groups are controlled by mining magnate Clive Palmer.
Claire Aird [00:04]: "A ransomware attack has disrupted South Korea's largest insurance company... Grocery distributor United Natural Foods expects to lose up to $400 million in sales this year following a recent cyber attack."
The operational pattern is the same across these incidents: core business processes (issuing guarantees, fulfilling orders) fall back to manual handling while systems are rebuilt, and the stolen data remains a liability long after recovery is complete.
Several large-scale data breaches were reported:
UK Military Data Leak: A breach has exposed the names and personal data of Afghans who assisted the UK military, along with information on UK spies, special forces, and government officials. The leak originated from an accidental email sent by a staff member at the UK Special Forces headquarters in 2022 and surfaced publicly this week.
Seychelles Commercial Bank: Customer data was stolen in a recent breach, though the bank has confirmed that no funds were taken. A hacker advertising the stolen data on an underground forum expressed frustration over the bank's lack of engagement in negotiations.
BigONE Cryptocurrency Exchange: Hackers stole $27 million worth of assets from BigONE on Wednesday by draining one of the company's hot wallets. BigONE has committed to reimbursing affected users.
Claire Aird [00:04]: "Hackers have stolen $27 million worth of assets from the BigONE cryptocurrency exchange. The funds were stolen from one of the company's hot wallets on Wednesday."
Two of these three are criminal theft; the UK case was an insider mistake, a misdirected email, with consequences for people's safety rather than their bank balances. It is a reminder that controls on how sensitive data is handled and shared matter as much as defences against external attackers.
Australia's Cyber Reserves: The Australian government announced the establishment of cyber reserves within its defense force, comprising civilian cybersecurity experts tasked with protecting the nation's critical networks. The unit is slated to launch early next year.
Russian Duma's Online Search Ban: In a move to control information flow, the Russian Duma has prohibited online searches related to extremist content, including terrorist groups, fascist ideology, and LGBTQ content. Individuals attempting to search for VPNs or other censorship evasion tools may face fines of up to $65.
Claire Aird [00:04]: "The Russian Duma has banned online searches for what it considers extremist content. Russians can be fined up to $65 for searching for terrorist groups, fascist ideology or LGBTQ content."
These regulatory actions reflect global trends towards increased governmental control over digital information and heightened investment in cybersecurity defenses.
Disruption of Pro-Kremlin DDoS Group: An international law enforcement operation has disrupted the pro-Kremlin hacktivist group NoName057(16). Authorities seized over 100 servers, detained two people and issued arrest warrants for seven others. The group formed after Russia's invasion of Ukraine and has carried out thousands of DDoS attacks against Western countries.
Extradition of Armenian National: Karen Serobovich Vardanyan, an Armenian national, has been extradited from Ukraine to the United States over his role in the Ryuk ransomware attacks, in which his group extorted over $15 million from victims. Another Armenian member was arrested in France and is undergoing extradition proceedings, while two Ukrainian members have not yet been arrested.
Scattered Spider Arrests in the UK: Four members of the Scattered Spider group, arrested last week and charged with hacking UK retailers Marks & Spencer, Co-op and Harrods, have been released on bail.
Claire Aird [00:04]: "An Armenian national has been extradited from Ukraine to the US over his role in the Ryuk ransomware attacks. Karen Serobovich Vardanyan was a member of a group that extorted more than $15 million from victims."
These operations demonstrate the concerted efforts of international law enforcement to target and prosecute cybercriminals involved in significant ransomware activities.
Cambodian Cybercrime Crackdown: Cambodian authorities conducted raids across the country, arresting over 1,000 people linked to online scams and cybercrime operations. Prime Minister Hun Manet ordered government bodies to crack down on cybercrime following international pressure, according to Cambodia News. Notably, major scam compounds connected to local political elites were not included in the raids.
Belgian Cybercrime Warnings on Bread Bags: Belgian police have printed cybercrime warnings on bread bags to alert the elderly to scammers who ask for PINs and passwords. More than 10,000 bags have been distributed to bakers across the Pajottenland region.
Claire Aird [00:04]: "Belgian authorities are printing cybercrime warnings on bread bags to alert the elderly to the risks. Police have distributed more than 10,000 bags to bakers across the Pajottenland region."
These measures reflect proactive strategies to both dismantle cybercriminal networks and educate the public on safeguarding against cyber threats.
Google vs. BadBox Botnet Operators: Google is suing the operators of the BadBox botnet, which infects Android-based smart TV devices with ad fraud malware and is believed to have infected over 10 million devices. According to Bleeping Computer, devices often ship with the malware pre-installed from the factory or pick it up during initial setup. Google is seeking damages and a permanent injunction to dismantle the botnet's infrastructure.
Hacking Group Targeting SonicWall SMA VPNs: According to Google, a ransomware-linked group is using previously stolen credentials and one-time password seeds to log in to fully patched SonicWall SMA VPN devices. The attackers then deploy a backdoor and a user-mode rootkit. The group was previously linked to attacks with the Abyss ransomware.
Claire Aird [00:04]: "Google is suing the operators of the BadBox botnet. The group infects Android-based smart TV devices with ad fraud malware."
The BadBox suit is a legal response to a supply-chain problem that device owners cannot patch their way out of. The SonicWall activity makes a different point: a device can be fully patched and still be compromised if its credentials and OTP seeds were stolen earlier, so the remediation there is to rotate those secrets, not only to update the firmware.
Chrome Zero Day Patch: Google has patched an actively exploited zero-day in Chrome, a sandbox escape via the browser's WebGL and GPU components. It was found by Google's own security team and appears to be chained with another exploit patched earlier this month. It is the fifth Chrome zero-day patched this year.
Nvidia Container Toolkit Vulnerability: A container escape vulnerability has been found in the Nvidia Container Toolkit, the component that exposes Nvidia GPUs to Linux containers and is used by multiple cloud AI platforms. According to security firm Wiz, a malicious container can break out of its isolation and gain root on the host. On a shared GPU platform that means one tenant's workload reaching the host that serves other tenants, which is why container isolation alone is a weak boundary for untrusted code.
ATEN KVM Switches Flaws: Three vulnerabilities have been identified in ATEN KVM switches, which give network access to the screens and keyboards of remote servers. The flaws, found by Russian security firm Positive Technologies, allow attackers to take control of the connected servers. A KVM reachable from a general-purpose network is effectively a console to every server attached to it, so these devices belong on an isolated management network.
Claire Aird [00:04]: "A container escape vulnerability has been discovered in the Nvidia Container Toolkit... three vulnerabilities have been found in ATEN KVM switches. The devices are used for network access to the screens and keyboards of remote servers."
These findings emphasize the need for continuous security assessments and prompt patching of critical infrastructure components to mitigate potential exploitation by threat actors.
The Risky Bulletin episode on July 18, 2025, underscores the evolving and multifaceted nature of cybersecurity threats. From innovative phishing techniques and ransomware attacks targeting major organizations to significant data breaches and vulnerabilities in key technologies, the landscape remains highly dynamic. Additionally, governmental initiatives and international law enforcement efforts reflect a global commitment to enhancing cybersecurity defenses and prosecuting cybercriminals. Staying informed and vigilant is imperative for individuals and organizations alike to navigate these challenges effectively.
Note: All quotes are attributed to Claire Aird and correspond to the timestamp [00:04] in the transcript.