Risky Bulletin: Predator spyware alive despite US sanctions

Podcast Title: Risky Bulletin
Host/Author: risky.biz
Release Date: June 13, 2025
Episode: Risky Bulletin: Predator Spyware Alive Despite US Sanctions

Introduction

In this episode of Risky Bulletin, hosted by Claire Aird and crafted by the dedicated team of Catalyn Kim Panu, the latest developments in the cybersecurity landscape are dissected. The episode delves into the persistence of advanced spyware despite international sanctions, recent high-profile cyberattacks, significant law enforcement actions against cybercriminals, and notable vulnerabilities discovered in widely-used software platforms.

Intellexa's Resilience Amid US Sanctions

Timestamp: [00:04]

Claire Aird opens the episode by discussing Intellexa, a formidable player in the spyware arena, which continues to thrive despite facing multiple US sanctions. According to security firm Recorded Future, Intellexa has proactively developed new customer and victim-facing infrastructures designed to evade detection.

Global Reach: Notably, half of Intellexa’s clientele is based in Africa, with Mozambique emerging as a new customer after previously utilizing platforms from the NSO Group.
Implications: This resilience highlights the challenges in curbing the proliferation of sophisticated spyware tools through sanctions alone.

Quote:
"Intellexa remains active despite multiple US sanctions," Claire Aird emphasizes, underscoring the agency's ongoing operational capabilities ([00:04]).

Paragon Solutions' Spyware Exploits

The episode transitions to alarming news from Europe, where two journalists fell victim to Paragon Solutions' graphite spyware. The targets, including Italian journalist Ciro Pellegrino and another prominent European reporter, had their iPhones compromised through a zero-click iMessage exploit—a vulnerability that Apple patched back in February.

Attribution: Citizenlab links these infections to the same Paragon customer, suggesting a targeted and persistent threat landscape.
Corporate Response: In response to previous misuse allegations, Paragon Solutions severed ties with Italy last week, aiming to mitigate reputational damage and regulatory scrutiny.

Quote:
"The attacks involved a zero-click iMessage exploit that Apple patched in February," Claire notes, highlighting the sophistication of the methods employed by Paragon Solutions ([00:04]).

Ransomware Disruption in South Korea

South Korea's largest online bookstore and ticketing agency, Yes24, has been grappling with significant operational disruptions due to a ransomware attack since Monday. The assault has incapacitated both the store and ebook platforms, as well as the event ticketing system, leading to the cancellation of numerous concerts and signing events.

Unidentified Perpetrators: No ransomware group has claimed responsibility for this incident, adding uncertainty to the motives and potential affiliations behind the attack.

Quote:
"Yes24's event ticketing system was also affected, which has led to cancelled concerts and signing events," Claire details the widespread impact of the attack ([00:04]).

Data Mishandling by Canadian Authorities

A concerning report from Canada's Privacy Watchdog reveals that the Royal Canadian Mounted Police (RCMP) lost a USB drive containing sensitive information in 2022. The unencrypted device, which was attached to a Mountie's key ring, held crucial data on informants, victims, witnesses, and RCMP employees. The device was subsequently copied and sold by criminal groups, affecting over 1,700 individuals.

Security Oversight: This incident underscores the critical need for stringent data protection measures within law enforcement agencies.

Challenges with Encrypted Communication in Law Enforcement

Europol continues to face significant obstacles in combating cybercrime, primarily due to the widespread use of end-to-end encrypted apps. The short metadata retention periods of these apps hamper Europol's efforts to map out and dismantle criminal networks.

Consistent Barrier: For the third consecutive year, Europol’s annual threat assessments have identified the broad adoption of encrypted applications as a major impediment to effective investigations.

Dutch Police Crack Down on Hacking Forums

In the Netherlands, authorities have made substantial progress against the Cracked IO hacking forum, which boasted over 4.7 million users. Dutch police have identified and contacted 126 account holders, referring eight suspects for prosecution and issuing warnings to others, including minors as young as 11 years old. The forum was notorious for selling hacking services, stolen data, and malware.

International Law Enforcement Seizes Cybercrime Infrastructure

A coordinated effort by U.S. and European law enforcement, in collaboration with Interpol and agencies from 26 countries, led to the seizure of extensive cybercrime infrastructure in January. This operation dismantled multiple infostealer operations, confiscating over 40 servers, 20,000 domains, and numerous IP addresses, alongside the arrest of 32 individuals—over half of whom were detained in Vietnam, as per security firm Group IB.

Financial Impact: The crackdown has resulted in the arrest of 1,800 individuals in Southeast Asia linked to cyber scam operations that have defrauded victims of more than $225 million.
Regional Involvement: Nations including Singapore, Hong Kong, and Thailand actively participated in this month-long operation, demonstrating a unified stance against cybercrime.

Turkish Authorities Target Cybercriminals

Turkish law enforcement has detained 423 suspects on cybercrime charges following extensive raids across the country. The detainees are accused of orchestrating phishing operations aimed at stealing money from bank accounts or facilitating fraudulent online bets. Additionally, some suspects have ties to cryptocurrency and investment scams, with authorities seizing assets valued at over $125 million.

Sextortion Scheme Leading to Tragic Outcomes

A poignant case discussed involves a Nigerian national who has pleaded guilty in the U.S. to charges related to a sextortion scheme that tragically resulted in the death of 20-year-old Samuel Olasen Kanmi. The individual, Abiodun, was one of three Nigerians charged with harassing Jack Sullivan, a Pennsylvania resident. Sullivan had paid the extortionists three times but ultimately took his own life after they demanded more money.

Proxy Providers and DDoS Attacks on News Outlets

Independent news outlets in Peru and Venezuela have been targeted by recent DDoS attacks, traced back to proxy providers like Qurium and Packet Express. Despite hosting provider Pegtech shutting down Packet Express's infrastructure, Mozilla faced challenges as Qurium declined to provide further details, leaving the true extent and motive behind these attacks somewhat obscured.

Exploitation of Microsoft Entra ID and Exchange Servers

A sophisticated hacking group, tracked by Proofpoint as “Sneaky Strike,” has exploited vulnerabilities to compromise Microsoft Entra ID accounts and Exchange servers:

Entra ID Attacks: Beginning last December, the group targeted over 80,000 accounts across hundreds of organizations using the pen-testing tool Team Filtration to enumerate entries and execute password spraying attacks.
Exchange Server Compromises: Utilizing the proxy shell vulnerability, the hackers deployed key loggers on multiple Exchange Server login pages. Positive Technologies identified 65 victims across 26 countries, with a third being government systems. These attacks are believed to be linked to espionage activities.

Vulnerabilities in AI and Email Clients

Microsoft 365 Copilot: Researchers uncovered a vulnerability in the AI assistant Copilot, capable of leaking data from user inboxes through concealed prompts in emails. This exploit activates when users request Copilot to perform inbox-related tasks without requiring any direct user interaction.
Mozilla Thunderbird: A security flaw in the Thunderbird email client was patched by Mozilla, addressing a vulnerability that could have allowed attackers to leak Windows credentials via crafted emails exploiting the handling of mailbox links.

Adobe and Cybersecurity Updates

Adobe has issued an urgent advisory for customers to update the Magento E-Commerce platform by the week's end. The critical bug, a combination of cache poisoning and cross-site scripting, enables attackers to inject malicious code into the admin menu, posing significant security risks. Sansec reports that the bug is actively being exploited in the wild.

Denmark’s Shift to Open Source Software

The Danish Ministry of Digital Affairs has announced plans to transition from Microsoft Office to LibreOffice, with a goal to migrate all staff to open-source software by year-end. This move aligns with similar strategies by Denmark's largest cities, Copenhagen and Aarhus, which also intend to phase out Microsoft software and cloud services. The initiative follows the Trump administration's directive for U.S. intelligence agencies to increase surveillance on Greenland and Danish citizens, hinting at underlying geopolitical motivations.

Meta’s Legal Action Against Crush AI Nudify App

Meta has filed a lawsuit against Joy Timeline HK, the developer behind the Crush AI Nudify app. The lawsuit alleges that Crush AI violated Meta's terms of service by leveraging Facebook and Instagram ads to drive traffic to the app, which enables users to transform regular photos into nude images. This legal action underscores ongoing tensions between major tech companies and developers over platform policies and content moderation.

Conclusion

Today's Risky Bulletin episode paints a comprehensive picture of the evolving cybersecurity threats and the multifaceted responses required to combat them. From the resilience of sophisticated spyware operations to significant law enforcement victories against cybercriminals, the landscape remains dynamic and challenging. Additionally, vulnerabilities in major software platforms and shifting policies towards open-source solutions reflect the broader efforts to enhance digital security and privacy.

Quote:
"The use of end to end encrypted apps remains an obstacle to Europol's investigations," Claire summarizes, highlighting a recurring theme in cybersecurity challenges ([00:04]).

This episode was brought to you by Push Security. For more information, visit PushSecurity.com.

Transcript

Claire Aird (0:04)

Intellexa is alive and well despite US sanctions paragon spyware used a zero click iMessage exploit South Korea's largest online bookstore gets ransomware'd and law enforcement takes down several cybercrime operations. This is the risky bulletin prepared by Catalyn Kim Panu and read by me, Claire aird. Today is the 13th of June and this podcast episode is brought to you by Push Security Predator spyware maker Intellexa remains active despite multiple US sanctions. Security firm Recorded Future says the company has built new customer and victim facing infrastructure with systems designed to avoid detection. Half of Intellexa customers are believed to be based in Africa. Recorded futures research suggests that Mozambique is now also a customer. The country previously used NSO Group's platform. In other news, two European journalists have had their iPhones hacked by Paragon Solutions graphite spyware. The victims were Italian journalist Ciro Pellegrino and an unnamed prominent European reporter. The attacks involved a zero click iMessage exploit that Apple patched in February. Citizenlab has linked the infections to the same Paragon customer. Last week, Paragon cut ties with Italy after accusations that the government misused its software. A ransomware attack is disrupting the operations of South Korean online bookstore and ticketing agent yes 24. The company's store and ebook platform have both been down since Monday. Yes24's event ticketing system was also affected, which has led to cancelled concerts and signing events. No ransomware group has taken credit for the attack. A report from Canada's Privacy Watchdog details how the Royal Canadian Mounted Police lost a USB drive containing sensitive information. The unencrypted device was attached to a Mountie's Key ring when it was lost in 2022. It contained data about informants, victims, witnesses and its own employees. It was later copied and sold by criminal groups. The incident impacted more than 1,700 individuals, according to the report. The use of end to end encrypted apps remains an obstacle to Europol's investigations. The agency also says that short metadata retention periods for the apps impact its ability to map out criminal networks. This is the third consecut year that Europol's annual threat assessments have said broad adoption of encrypted apps is a major barrier to investigations. Dutch police have identified and contacted 126 account holders on the Cracked IO hacking forum. Authorities have referred eight suspects for prosecution and have issued warnings to the rest. The youngest person to be contacted was 11 years old. The forum had more than 4.7 million users and sold hacking services, stolen Data and malware. U.S. and European law enforcement agencies seized cracked in January along With hacking forum nulld, Interpol and law enforcement agencies from 26 countries have seized infrastructure linked to multiple infostealer operations. Authorities seized over 40 servers, 20,000 domains and IP addresses and arrested 32 individuals. More than half of the suspects were detained in Vietnam, according to security firm Group ib. The seized servers were linked to Lumma rise Pro and Metasteela. 1,800 people have been arrested in Southeast Asia over links to cyber scam operations. The suspects were linked to a variety of online scams that stole more than $225 million. Nine countries including Singapore, Hong Kong and Thailand took part in the month long operation. Turkish law enforcement has detained 423 suspects on cybercrime charges following raids across the country. The individuals are accused of running phishing operations targeted bank accounts to steal money or place online bets. Some suspects have also been linked to crypto and investment scams. Authorities confiscated assets worth more than $125 million. A Nigerian national has pleaded guilty in the US to charges related to a sextortion scheme that led to the Death of a 20 year old Samuel Olasen Kanmi Abiodun was one of three Nigerians charged with the harassment and 2023 death of Pennsylvania resident Jack Sullivan. Sullivan paid the group three but took his own life after they demanded more money. Recent DDoS attacks against independent news outlets in Peru and Venezuela have been linked to a proxy provider, Qurium. Researchers linked the attacks to proxy service Packet Express. Hosting provider pegtech shut down Packet Express's infrastructure but refused to give Quirium further details. A hacking group has used an open source tool to take over Microsoft Entra ID accounts. The attacks began last December and targeted over 80,000 accounts at hundreds of organisations. Attackers use the pen testing tool Team Filtration to enumerate enter accounts and launch password spraying attacks. Proofpoint tracks the attackers as sneaky strike A hacking group has deployed key loggers on login pages of multiple exchange servers. Security firm Positive technologies has identified 65 victims in 26 countries. A third of the victims appear to be government systems. The hackers are using the proxy shell vulnerability to deploy a keylogger collects user logins. The attacks are believed to be espionage related. Researchers have discovered a vulnerability in the Microsoft 365 Copilot AI assistant that can leak data from user inboxes. The attack relies on an email with hidden prompts for the AI and doesn't require user interaction. The exploit runs when users ask Copilot to perform an Inbox related task, Mozilla has patched a security flaw in the Thunderbird email client that could leak Windows credentials. The vulnerability was Thunderbird's hand handling of Mailbox links. Mozilla says attackers could have crafted emails that would leak NetNtlm hashes to attackers. The bug could also be used to save malicious files to disk or exhaust the available storage. Adobe has urged customers to install a critical update for the Magento E Commerce platform by the end of the week. The company expects the bug to be exploited in the wild. According to security firm Sansec, the bug is a combination of cache poisoning and cross site scripting that lets attackers replace the admin menu with malicious code. The Danish Ministry of Digital affairs will phase out Microsoft Office in favour of LibreOffice. The ministry plans to move all staff to open source software by the end of the year. Denmark's largest cities, Copenhagen and Aarhus, have also announced plans to phase out Microsoft software and cloud services. The move comes a month after the Trump administration ordered U.S. intelligence agencies to step up spying on Greenland and Danish citizens. And finally, Meta has filed a lawsuit against the developer of the Crush AI Nudify app. The company says Crush AI violated Meta's terms of service by using Facebook and Instagram ads to drive traffic to the app. The app is developed by Hong Kong company Joy Timeline HK and allows users to create nude images from regular photos. And that is all for this podcast edition. Today's show is brought to you by our sponsor, Push Security. Find them@PushSecurity.com thanks for your company.