Risky Bulletin: Predator Spyware Alive Despite US Sanctions
Podcast Title: Risky Bulletin
Host/Author: risky.biz
Release Date: June 13, 2025
Episode: Risky Bulletin: Predator Spyware Alive Despite US Sanctions
Introduction
In this episode of Risky Bulletin, hosted by Claire Aird and written by Catalin Cimpanu, the latest developments in the cybersecurity landscape are covered: the persistence of commercial spyware vendors despite sanctions, recent high-profile cyberattacks, law enforcement actions against cybercriminals, and notable vulnerabilities in widely used software.
Intellexa's Resilience Amid US Sanctions
Timestamp: [00:04]
Claire Aird opens the episode with Intellexa, a spyware vendor that continues to operate despite multiple rounds of US sanctions. According to security firm Recorded Future, Intellexa has built new customer-facing and victim-facing infrastructure designed to evade detection.
-
Global Reach: Half of Intellexa's identified customers are in Africa, with Mozambique emerging as a new customer after previously using NSO Group tooling.
-
Implications: This resilience highlights the challenges in curbing the proliferation of sophisticated spyware tools through sanctions alone.
Quote:
"Intellexa remains active despite multiple US sanctions," Claire Aird emphasizes, underscoring the vendor's continued operations ([00:04]).
Paragon Solutions' Spyware Exploits
The episode then turns to Europe, where two more journalists have been confirmed as victims of Paragon Solutions' Graphite spyware. The targets, Italian journalist Ciro Pellegrino and another prominent European reporter, had their iPhones compromised through a zero-click iMessage exploit for a vulnerability Apple patched in February.
-
Attribution: Citizen Lab links both infections to the same Paragon customer.
-
Corporate Response: Following earlier misuse allegations, Paragon Solutions severed ties with Italy last week.
Quote:
"The attacks involved a zero-click iMessage exploit that Apple patched in February," Claire notes. A zero-click chain needs no action from the target, which is why such infections are typically only found through forensic analysis of the device.
Ransomware Disruption in South Korea
Yes24, South Korea's largest online bookstore and a major ticketing agency, has been dealing with a ransomware attack since Monday. The attack has taken the online store, the ebook platform and the event ticketing system offline, leading to cancelled concerts and signing events.
- Unidentified Perpetrators: No ransomware group has claimed responsibility for the incident so far.
Quote:
"Yes24's event ticketing system was also affected, which has led to cancelled concerts and signing events," Claire says of the attack's wider impact.
Data Mishandling by Canadian Authorities
A report from Canada's privacy watchdog reveals that the Royal Canadian Mounted Police (RCMP) lost a USB drive containing sensitive information in 2022. The unencrypted drive, which was attached to an officer's key ring, held data on informants, victims, witnesses and RCMP employees. The device was subsequently copied and sold by criminal groups, affecting more than 1,700 individuals.
- Security Oversight: The drive was unencrypted, so whoever found it could read it directly. Mandatory encryption of removable media would have contained the loss to the hardware itself.
Challenges with Encrypted Communication in Law Enforcement
Europol continues to face obstacles in cybercrime investigations, mainly because of the widespread use of end-to-end encrypted messaging apps. The short metadata retention periods of these services also limit Europol's ability to map out and dismantle criminal networks.
- Consistent Barrier: For the third consecutive year, Europol’s annual threat assessments have identified the broad adoption of encrypted applications as a major impediment to effective investigations.
Dutch Police Crack Down on Hacking Forums
In the Netherlands, police have followed up on the takedown of the Cracked.io hacking forum, which had more than 4.7 million registered users. Dutch police identified and contacted 126 account holders, referring eight suspects for prosecution and issuing warnings to the others, including minors as young as 11. The forum was known for selling hacking services, stolen data and malware.
International Law Enforcement Seizes Cybercrime Infrastructure
A coordinated operation by Interpol and law enforcement agencies from 26 countries, which began in January, has seized infrastructure used by several infostealer operations: more than 40 servers, 20,000 domains and numerous IP addresses were taken down and 32 people were arrested, more than half of them in Vietnam, according to security firm Group-IB.
-
Separate Southeast Asia Operation: In a separate month-long operation, authorities in Singapore, Hong Kong, Thailand and other countries in the region arrested around 1,800 people linked to cyber scam operations that defrauded victims of more than $225 million.
Turkish Authorities Target Cybercriminals
Turkish police have detained 423 suspects on cybercrime charges following raids across the country. The detainees are accused of running phishing operations that stole money from bank accounts or facilitated fraudulent online betting. Some suspects are also tied to cryptocurrency and investment scams; authorities seized assets valued at more than $125 million.
Sextortion Scheme Leading to Tragic Outcomes
A Nigerian national has pleaded guilty in the US to charges related to a sextortion scheme that led to the death of 20-year-old Jack Sullivan, a Pennsylvania resident. The defendant, Samuel Olasanmi Abiodun, was one of three Nigerians charged with harassing Sullivan, who had paid the extortionists three times but took his own life after they demanded more money.
Proxy Providers and DDoS Attacks on News Outlets
Independent news outlets in Peru and Venezuela have been hit by DDoS attacks that Qurium, the nonprofit that investigated the incidents, traced back to proxy providers, including Packet Express. Hosting provider Pegtech shut down Packet Express's infrastructure after being notified, but another provider Qurium contacted declined to provide further details, leaving the full extent and motive of the attacks unclear.
Attacks on Microsoft Entra ID and Exchange Servers
Two separate campaigns against Microsoft identity and mail infrastructure were covered:
-
Entra ID Password Spraying: A group Proofpoint tracks as UNK_SneakyStrike has, since last December, targeted more than 80,000 accounts across hundreds of organizations. The group uses TeamFiltration, an open-source pen-testing framework, to enumerate valid accounts and then password-spray them. Unlike a brute-force attack, a spray tries one or two common passwords against many accounts, which keeps each account under its lockout threshold.
-
Exchange Server Keyloggers: In an unrelated campaign, attackers exploited the ProxyShell vulnerability to plant keyloggers on the Outlook Web Access login pages of Exchange servers, capturing credentials as users signed in. Positive Technologies identified 65 victims across 26 countries, about a third of them government systems. The campaign is believed to be espionage-related.
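As an added illustration of the Entra ID item above (this is not code from the episode, from Proofpoint or from the TeamFiltration project), the script below runs a simple password-spray detector over a handful of constructed sign-in records shaped like an Entra ID sign-in log export. The signature it keys on is one source IP failing against many distinct accounts with only one or two attempts per account, the opposite profile of a brute force that hammers a single user; any successful sign-in from a flagged IP is reported as a probable compromised account. Field names mirror the real sign-in schema, but every address, user, timestamp and threshold is invented.

```python
"""Password-spray detection over Entra ID sign-in records (added example)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in the shape of an Entra ID sign-in log export.
# Field names mirror the real signIn schema (createdDateTime, userPrincipalName,
# ipAddress, status.errorCode); every value below is invented for this example.
# errorCode 0 = success, 50126 = invalid credentials, 50053 = account locked.
SAMPLE_LOGS = """
{"createdDateTime":"2025-06-10T02:00:00Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.10","status":{"errorCode":50126}}
{"createdDateTime":"2025-06-10T02:00:30Z","userPrincipalName":"bob@example.com","ipAddress":"203.0.113.10","status":{"errorCode":50126}}
{"createdDateTime":"2025-06-10T02:01:00Z","userPrincipalName":"carol@example.com","ipAddress":"203.0.113.10","status":{"errorCode":50126}}
{"createdDateTime":"2025-06-10T02:01:30Z","userPrincipalName":"dave@example.com","ipAddress":"203.0.113.10","status":{"errorCode":50126}}
{"createdDateTime":"2025-06-10T02:02:00Z","userPrincipalName":"erin@example.com","ipAddress":"203.0.113.10","status":{"errorCode":50126}}
{"createdDateTime":"2025-06-10T02:02:30Z","userPrincipalName":"frank@example.com","ipAddress":"203.0.113.10","status":{"errorCode":50126}}
{"createdDateTime":"2025-06-10T02:10:00Z","userPrincipalName":"frank@example.com","ipAddress":"203.0.113.10","status":{"errorCode":0}}
{"createdDateTime":"2025-06-10T03:00:00Z","userPrincipalName":"bob@example.com","ipAddress":"198.51.100.7","status":{"errorCode":50126}}
{"createdDateTime":"2025-06-10T03:00:10Z","userPrincipalName":"bob@example.com","ipAddress":"198.51.100.7","status":{"errorCode":50126}}
{"createdDateTime":"2025-06-10T03:00:20Z","userPrincipalName":"bob@example.com","ipAddress":"198.51.100.7","status":{"errorCode":50126}}
{"createdDateTime":"2025-06-10T03:00:30Z","userPrincipalName":"bob@example.com","ipAddress":"198.51.100.7","status":{"errorCode":50126}}
{"createdDateTime":"2025-06-10T03:00:40Z","userPrincipalName":"bob@example.com","ipAddress":"198.51.100.7","status":{"errorCode":50126}}
{"createdDateTime":"2025-06-10T03:00:50Z","userPrincipalName":"bob@example.com","ipAddress":"198.51.100.7","status":{"errorCode":50053}}
{"createdDateTime":"2025-06-10T09:15:00Z","userPrincipalName":"alice@example.com","ipAddress":"192.0.2.5","status":{"errorCode":0}}
"""


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records; attach a parsed timestamp."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["_ts"] = datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def detect_password_spray(records, window=timedelta(minutes=30),
                          min_users=5, max_attempts_per_user=2.0):
    """Return {ip: summary} for source IPs whose failures look like a spray.

    A spray is flagged when, inside any `window`, one IP fails against at
    least `min_users` distinct accounts with at most `max_attempts_per_user`
    attempts per account on average. A single account failing many times
    (brute force or a mistyped password) does not match. Successful sign-ins
    from a flagged IP are listed as probable compromised accounts.
    """
    by_ip = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["_ts"]):
        by_ip[rec["ipAddress"]].append(rec)

    alerts = {}
    for ip, events in by_ip.items():
        failures = [e for e in events if e["status"]["errorCode"] != 0]
        best = None  # (distinct users, attempts) for the densest window seen
        start = 0
        for end in range(len(failures)):
            # Slide the window start forward until it covers at most `window`.
            while failures[end]["_ts"] - failures[start]["_ts"] > window:
                start += 1
            span = failures[start:end + 1]
            users = {e["userPrincipalName"] for e in span}
            if best is None or len(users) > best[0]:
                best = (len(users), len(span))
        if best is None:
            continue
        distinct, attempts = best
        if distinct >= min_users and attempts / distinct <= max_attempts_per_user:
            successes = sorted({e["userPrincipalName"] for e in events
                                if e["status"]["errorCode"] == 0})
            alerts[ip] = {"distinct_users": distinct,
                          "failed_attempts": attempts,
                          "successful_logins": successes}
    return alerts


if __name__ == "__main__":
    print(json.dumps(detect_password_spray(parse_signins(SAMPLE_LOGS)), indent=2))
```

Against the constructed data, only 203.0.113.10 is flagged (six accounts, one attempt each, followed by a success for frank@example.com); 198.51.100.7 fails six times against one account and is left for a lockout or brute-force rule instead. On real exports the thresholds need tuning per tenant, and the same grouping should also be run per ASN or user agent, since spray tooling commonly rotates source IPs.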
Vulnerabilities in AI and Email Clients
-
Microsoft 365 Copilot: Researchers disclosed a vulnerability in the Copilot AI assistant that let hidden prompt-injection text in an email exfiltrate data from a user's inbox. The injected instructions fired whenever the user asked Copilot to perform an inbox-related task, so the victim never had to open or click the malicious email. This is the general weakness of assistants that mix untrusted content into the same context as user instructions.
-
Mozilla Thunderbird: Mozilla patched a flaw in the Thunderbird email client in which a crafted email abusing the handling of mailbox links could leak Windows credentials. Leaks of this class typically work by coercing the client into an outbound SMB/NTLM authentication to an attacker-controlled host, so blocking outbound SMB at the network edge limits the exposure even before patching.
Adobe and Cybersecurity Updates
Adobe has urged Magento (Adobe Commerce) customers to update by the end of the week. The critical bug chains cache poisoning with cross-site scripting to inject malicious code into the admin menu, giving an attacker code execution in administrators' browser sessions. Sansec reports that the bug is being exploited in the wild.
Denmark’s Shift to Open Source Software
The Danish Ministry of Digital Affairs has announced plans to move from Microsoft Office to LibreOffice, with the goal of migrating all staff to open-source software by year's end. The move aligns with similar plans by Denmark's largest cities, Copenhagen and Aarhus, which also intend to phase out Microsoft software and cloud services. The announcement follows reports that the Trump administration directed US intelligence agencies to increase surveillance of Greenland and Danish citizens, which points to a geopolitical dimension alongside the cost and sovereignty arguments.
Meta’s Legal Action Against Crush AI Nudify App
Meta has filed a lawsuit against Joy Timeline HK, the developer of the Crush AI nudify app. The suit alleges that Crush AI violated Meta's terms of service by running Facebook and Instagram ads to drive traffic to the app, which turns ordinary photos into nude images.
Conclusion
Today's Risky Bulletin episode covers both sides of the current landscape: spyware vendors that keep operating through sanctions and exposure, alongside substantial law enforcement wins against cybercriminals. Actively exploited vulnerabilities in widely used platforms and a government shift toward open-source software round out the picture.
Quote:
"The use of end to end encrypted apps remains an obstacle to Europol's investigations," Claire summarizes, a recurring theme in the agency's annual assessments.
This episode was brought to you by Push Security. For more information, visit PushSecurity.com.
