Risky Bulletin: New Phishing Technique Bypasses FIDO Keys – July 18, 2025
In this episode of Risky Bulletin, host Claire Aird delivers a comprehensive update on the latest developments in the cybersecurity landscape. The bulletin covers a range of topics, including sophisticated phishing techniques, ransomware attacks on major organizations, significant data breaches, governmental cybersecurity initiatives, and recent vulnerabilities discovered in widely used technologies. Below is a detailed summary of the key points discussed.
1. Sophisticated Phishing Techniques Targeting FIDO Keys
A prominent threat actor known as PoisonSeed has developed a novel phishing technique capable of bypassing FIDO (Fast Identity Online) keys. According to security firm Expel, the method abuses the cross-device sign-in feature, misleading users into believing that a FIDO key is either absent or unnecessary for the login.
Claire Aird [00:04]: "A cybercrime group is using a new phishing technique to bypass FIDO keys. It's been used by a threat actor known as PoisonSeed, who's previously targeted cryptocurrency users."
This advancement poses a significant threat to authentication processes, emphasizing the need for enhanced security measures beyond traditional FIDO implementations.
2. Exploitation of SS7 Protocol for Mobile Surveillance
A vulnerability in the SS7 telecommunications protocol has been identified and exploited by a mobile surveillance vendor. The exploit allows attackers to deceive mobile operators into divulging subscriber locations, information that is normally restricted to the operator's own network.
Claire Aird [00:04]: "A vulnerability in the SS7 telecommunications protocol is being exploited by a mobile surveillance vendor. The exploit allows attackers to trick mobile operators into disclosing subscriber locations."
Telecom security firm Enea has reported that these attacks began in late 2024 and leverage ambiguities in the protocol's encoding of subscriber identifiers to bypass security restrictions.
3. Ransomware Attacks Disrupt Major Organizations
The bulletin highlights several high-profile ransomware incidents:
- South Korea's Largest Insurance Provider: Seoul Guarantee Insurance has been forced to manually process loan guarantee certificates following a ransomware attack on Monday. The company is actively working to restore its affected systems.
- United Natural Foods (UNFI): A recent cyber attack has led UNFI to anticipate a loss of up to $400 million in sales for the year. The ransomware incident in June resulted in multiple system outages, severely impacting the company's ability to fulfil and distribute customer orders.
- Australian Airline Qantas: Qantas secured a court order to prevent the dissemination of data stolen in a recent ransomware attack affecting nearly six customers. The interim injunction prohibits third parties from publishing or accessing the data if the attackers release it.
- United Australia Party: A minor right-wing political party in Australia, along with its associated group, Trumpet of Patriots, fell victim to a ransomware attack in late June. The breach resulted in the theft of personal information, banking records, and employee details.
Claire Aird [00:04]: "A ransomware attack has disrupted South Korea's largest insurance company... Grocery distributor United Natural Foods expects to lose up to $400 million in sales this year following a recent cyber attack."
These incidents underscore the pervasive threat of ransomware and its capacity to disrupt operations across diverse sectors.
4. Significant Data Breaches Expose Sensitive Information
Several large-scale data breaches were reported:
- UK Military Data Leak: A breach has exposed the names and personal data of Afghans who assisted the UK military, along with information on UK spies, special forces, and government officials. The leak originated from an accidental email sent by a staff member at the UK Special Forces headquarters in 2022 and surfaced publicly this week.
- Seychelles Commercial Bank: Customer data was stolen in a recent breach, though the bank has confirmed that no funds were taken. A hacker advertising the stolen data on an underground forum expressed frustration over the bank's lack of engagement in negotiations.
- BigONE Cryptocurrency Exchange: Hackers stole $27 million worth of assets from BigONE by targeting one of the company's hot wallets. BigONE has committed to reimbursing affected users.
Claire Aird [00:04]: "Hackers have stolen $27 million worth of assets from the BigONE cryptocurrency exchange. The funds were stolen from one of the company's hot wallets on Wednesday."
These breaches highlight vulnerabilities in both financial institutions and military operations, emphasizing the need for robust data protection strategies.
5. Governmental Cybersecurity Initiatives and Regulations
- Australia's Cyber Reserves: The Australian government announced the establishment of cyber reserves within its defence force, comprising civilian cybersecurity experts tasked with protecting the nation's critical networks. The unit is slated to launch early next year.
- Russian Duma's Online Search Ban: In a move to control the flow of information, the Russian Duma has prohibited online searches related to extremist content, including terrorist groups, fascist ideology, and LGBTQ content. Individuals attempting to search for VPNs or other censorship-evasion tools may face fines of up to $65.
Claire Aird [00:04]: "The Russian Duma has banned online searches for what it considers extremist content. Russians can be fined up to $65 for searching for terrorist groups, fascist ideology or LGBTQ content."
These regulatory actions reflect global trends towards increased governmental control over digital information and heightened investment in cybersecurity defenses.
6. Law Enforcement Actions Against Cybercriminal Groups
- Disruption of Pro-Kremlin DDoS Group: An international law enforcement operation dismantled the pro-Kremlin hacktivist group NoName057(16). Authorities confiscated over 100 servers, detained two individuals, and issued arrest warrants for seven others. The group was responsible for thousands of DDoS attacks targeting Western nations following Russia's invasion of Ukraine.
- Extradition of Armenian National: Karen Serobovich Vardanyan, an Armenian national, has been extradited from Ukraine to the United States for his involvement in the Ryuk ransomware attacks, which extorted over $15 million from victims. Another Armenian member was arrested in France and is undergoing extradition, while two Ukrainian members remain at large.
- Scattered Spider Arrests in the UK: Four alleged members of the Scattered Spider group, charged in the UK with hacking major retailers such as Marks and Spencer, Co-op, and Harrods, have been released on bail pending further legal proceedings.
Claire Aird [00:04]: "An Armenian national has been extradited from Ukraine to the US over his role in the Ryuk ransomware attacks. Karen Serobovich Vardanyan was a member of a group that extorted more than $15 million from victims."
These operations demonstrate the concerted efforts of international law enforcement to target and prosecute cybercriminals involved in significant ransomware activities.
7. Mass Arrests and Public Awareness Campaigns
- Cambodian Cybercrime Crackdown: Cambodian authorities conducted raids across the country, arresting over 1,000 individuals linked to online scams and cybercrime operations. Prime Minister Hun Manet emphasised the government's commitment to combating cybercrime in response to international pressure. Notably, major scam operations associated with local political elites were not targeted.
- Belgian Cybercrime Warnings on Bread Bags: In an innovative public awareness initiative, Belgian authorities have printed cybersecurity warnings on bread bags to educate the elderly about scammers who request personal information such as PINs and passwords. Over 10,000 bags have been distributed to bakeries in the Pajottenland region.
Claire Aird [00:04]: "Belgian authorities are printing cybercrime warnings on bread bags to alert the elderly to the risks. Police have distributed more than 10,000 bags to bakers across the Pajottenland region."
These measures reflect proactive strategies to both dismantle cybercriminal networks and educate the public on safeguarding against cyber threats.
8. Legal Actions and Litigation in Cybersecurity
- Google vs. BadBox Botnet Operators: Google has filed a lawsuit against the operators of the BadBox botnet, which has infected over 10 million Android-based smart TV devices with ad-fraud malware. The malware is often pre-installed at the factory or during initial device setup. Google is seeking damages and a permanent injunction to dismantle the botnet's infrastructure.
- Hacking Group Targeting SonicWall SMA VPNs: A ransomware-linked hacking group is using previously stolen credentials and one-time password seeds to access fully patched SonicWall SMA VPN devices. The attackers deploy a backdoor and a user-mode rootkit associated with the Abyss ransomware. Google has responded by patching the actively exploited Chrome zero-day vulnerability exploited in conjunction with this attack.
Claire Aird [00:04]: "Google is suing the operators of the BadBox botnet. The group infects Android-based smart TV devices with ad fraud malware."
These legal and technical responses illustrate the ongoing battle between major tech companies and cybercriminal organizations aiming to exploit vulnerabilities for malicious gain.
9. Emerging Vulnerabilities in Technology Infrastructure
- Chrome Zero-Day Patch: Google has addressed an actively exploited zero-day vulnerability in Chrome, a sandbox escape via the browser's WebGL and GPU components. This is the fifth such patch Google has released this year, highlighting the persistent challenge of keeping widely used software secure.
- Nvidia Container Toolkit Vulnerability: A critical flaw was discovered in the Nvidia Container Toolkit, the sandboxing technology that exposes Nvidia GPUs to containers on Linux and is used by multiple cloud AI platforms. The vulnerability allows a malicious container to escape isolation and gain root access to the host machine, as reported by security firm Wiz.
- ATEN KVM Switch Flaws: Three vulnerabilities have been identified in ATEN KVM switches, which provide network access to the screens and keyboards of remote servers. Russian security firm Positive Technologies uncovered the flaws, which enable attackers to take control of connected servers.
Claire Aird [00:04]: "A container escape vulnerability has been discovered in the Nvidia container toolkit... three vulnerabilities have been found in ATEN KVM switches. The devices are used for network access to the screens and keyboards of remote servers."
These findings emphasize the need for continuous security assessments and prompt patching of critical infrastructure components to mitigate potential exploitation by threat actors.
Conclusion
The Risky Bulletin episode on July 18, 2025, underscores the evolving and multifaceted nature of cybersecurity threats. From innovative phishing techniques and ransomware attacks targeting major organizations to significant data breaches and vulnerabilities in key technologies, the landscape remains highly dynamic. Additionally, governmental initiatives and international law enforcement efforts reflect a global commitment to enhancing cybersecurity defenses and prosecuting cybercriminals. Staying informed and vigilant is imperative for individuals and organizations alike to navigate these challenges effectively.
Note: All quotes are attributed to Claire Aird and correspond to the timestamp [00:04] in the transcript.
