
Claire Aird
Researchers turn any Bluetooth device into an AirTag tracker, VMware patches three ESXi zero-days, France debates encryption backdoors, and a fifth of the Bybit stolen funds are now untraceable. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 5th of March and this podcast episode is brought to you by cloud security company Prowler.

A flaw in Apple's Find My feature let attackers track Bluetooth devices they could get malware onto. Discovered by a team of US academics, the nRootTag technique could cause any Bluetooth device to impersonate an AirTag. It's previously been possible to impersonate an AirTag with software running as root on a device, but this technique allows an attacker to track a targeted device even if they only have user-level access. Apple released security updates last December to prevent the technique; unpatched Apple devices will still relay this tracking information.

Broadcom has patched three zero-day vulnerabilities in the VMware hypervisor. The zero-days look like they form an exploit chain that can escape from a virtual machine into the host operating system. Broadcom credited Microsoft's MSTIC security team with spotting the bugs in the wild and reporting them.

Google has also patched two actively exploited zero-days in its March Android security update. One of the zero-days was used in Cellebrite phone unlocking products. Amnesty International researchers found the zero-day while investigating cases of spyware on the phones of anti-government dissidents in Serbia. The update patched 30 flaws that were rated high or critical.

Scammers are mailing printed ransom notes to US companies, posing as the BianLian ransomware group. The scammers claim to have stolen the company's data and demand payment via Bitcoin. Security firm GuidePoint says executives received the letters in early March. The ransom demands ranged from $250,000 to $350,000.
The scammers will be hoping they didn't leave any saliva DNA on the envelope.

The suspected leader of the Black Basta ransomware group was arrested in Armenia last June, according to leaked internal chat logs. Oleg Nefyodov was released three days after his arrest on a technicality. In the leaked chats, he boasted about his friends at a really high level. Armenian officials detained Nefyodov based on an international arrest warrant issued by the US.

The French government has proposed an amendment to its narco-trafficking law that would give authorities access to encrypted communications. The move is similar to a proposed law in Sweden, but extends beyond instant messaging to include VPN providers. Signal threatened to withdraw service from Sweden if the law passed and is likely to do the same in France.

North Korea is making progress laundering the $1.5 billion it stole from cryptocurrency exchange Bybit. 20% of the funds have been successfully laundered and are now untraceable. Two weeks on from the hack, Bybit has recovered or frozen just 3% of the stolen funds. The rest is still traceable. For now.

The UK's privacy watchdog is investigating TikTok's collection of children's data. The ICO will also review how TikTok recommends content to children. The agency says it will conduct similar investigations into Reddit and image sharing site Imgur.

Google is rolling out two AI-powered scam detection systems for Android devices. The new systems analyse ongoing texts and phone calls for signs of financial scams. The system is designed to stop fraudsters initiating friendly conversations and then moving on to a scam. Most scam detection systems only assess the initial messages in a conversation.

A Catalonian court has approved the indictment of three executives at Israeli spyware maker NSO Group.
The court found that Shalev Hulio, Omri Lavie and Yuval Somekh should be investigated for facilitating the unlawful surveillance of 63 Catalans following anti-government protests in the mid-2010s. The court also found the Spanish public prosecutor's office had attempted to block the case from progressing. Spanish authorities are believed to have used NSO's spyware against Catalonian independence activists.

The US Treasury has imposed sanctions on Iranian national Behrooz Parsarad. Parsarad was the administrator of the dark web marketplace Nemesis, which was seized by German authorities a year ago. The site launched in 2021 and had more than 150,000 users. It was primarily known for selling illegal drugs.

A new cyber espionage group named Crafty Camel is targeting aviation and satellite companies in the UAE. Proofpoint says the group's operations are spear phishing attacks targeting a handful of victims. The final payload is a backdoor named Sosano that uses polyglot files to avoid detection.

And finally, security researchers have found almost 12,000 live API keys and passwords inside an open source dataset used to train AI models. The 400 terabyte Common Crawl database has been used to train services like DeepSeek. Truffle Security says it detected 219 different types of secrets in Common Crawl, with AWS root keys the most common.

And that is all for this podcast edition. Today's show was brought to you by our sponsor, Prowler. Find them at prowler.com. Thanks for your company.
Risky Bulletin: Research Turns Any Bluetooth Device into an AirTag
Hosted by risky.biz
Release Date: March 5, 2025
In the opening segment, host Claire Aird covers a study by US academics that unveils the nRootTag technique, which lets an attacker turn any Bluetooth device they can get malware onto into an AirTag-style tracker. Earlier AirTag-impersonation methods needed root on the device; nRootTag works with only user-level access, which widens the set of devices an attacker can track.
Claire Aird highlights, "The nRootTag technique could cause any Bluetooth device to impersonate an AirTag" (00:45).
Apple released security updates in December that block the technique. The tracking reports are relayed by nearby Apple devices in the Find My network, so Apple devices that remain unpatched still relay the spoofed location data.
Broadcom has patched three zero-day vulnerabilities in VMware's ESXi hypervisor. The bugs appear to form an exploit chain that escapes from a guest virtual machine into the host operating system. Broadcom credited Microsoft's Threat Intelligence Center (MSTIC) with spotting the bugs being exploited in the wild and reporting them.
Claire Aird notes, "Broadcom credited Microsoft's MSTIC security team with spotting the bugs in the wild and reporting them" (02:15).
In its March security update, Google has patched two actively exploited zero-day vulnerabilities affecting Android devices. One of them was used in Cellebrite's phone unlocking products; Amnesty International researchers found it while investigating spyware on the phones of anti-government dissidents in Serbia. The same update fixes 30 flaws rated high or critical.
Security firm GuidePoint reports that scammers are mailing printed ransom notes to US companies while posing as the BianLian ransomware group. The letters, which executives received in early March, claim the company's data has been stolen and demand Bitcoin payments of $250,000 to $350,000. The senders are not BianLian, and the letters offer no evidence of any data theft.
Claire Aird adds a touch of dark humor, "The scammers will be hoping they didn't leave any saliva DNA on the envelope" (05:20).
According to leaked internal chat logs, the suspected leader of the Black Basta ransomware group, Oleg Nefyodov, was arrested in Armenia last June on an international arrest warrant issued by the US, and released three days later on a technicality. In the chats he "boasted about his friends at a really high level" (07:05).
The French government has proposed an amendment to its narco-trafficking law that would give authorities access to encrypted communications. The proposal resembles a bill in Sweden but goes further, covering VPN providers as well as instant messaging. Signal threatened to withdraw its service from Sweden if that law passed, and is likely to do the same in France.
North Korea is making progress laundering the $1.5 billion it stole from cryptocurrency exchange Bybit. Roughly 20% of the funds have been laundered and are now untraceable. Two weeks after the hack, Bybit has recovered or frozen only about 3% of the stolen assets; the remainder is still traceable, for now.
The UK's Information Commissioner's Office (ICO) has launched investigations into TikTok for its collection of children's data and content recommendation algorithms. Additionally, the ICO plans to scrutinize Reddit and Imgur for similar privacy concerns, signaling increased regulatory oversight of major social media platforms regarding user data protection.
Google is enhancing security on Android devices by deploying two new AI-driven scam detection systems. These systems analyze ongoing text messages and phone calls to identify and prevent financial scams. Unlike traditional methods that focus solely on initial messages, Google's approach monitors entire conversations, aiming to intercept fraudsters who transition from friendly dialogue to scam tactics.
A Catalonian court has approved the indictment of three NSO Group executives, Shalev Hulio, Omri Lavie and Yuval Somekh, finding that they should be investigated for facilitating the unlawful surveillance of 63 Catalans after anti-government protests in the mid-2010s. The court also found that the Spanish public prosecutor's office had tried to block the case from progressing. Spanish authorities are believed to have used NSO's spyware against Catalan independence activists.
The US Treasury has sanctioned Behrooz Parsarad, an Iranian national who administered the dark web marketplace Nemesis. German authorities seized Nemesis a year ago; the site launched in 2021, had more than 150,000 users and was known mainly for selling illegal drugs.
A new cyber espionage group that Proofpoint calls Crafty Camel is targeting aviation and satellite companies in the UAE with spear-phishing campaigns aimed at a handful of victims. The final payload is a backdoor named Sosano, delivered via polyglot files (files that parse validly as more than one format), so that a scanner which classifies a file by a single type can miss the component that matters.
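To make the evasion concrete, here is an added example (not Proofpoint's code and not the Sosano sample) that builds a constructed PDF+ZIP polyglot and then detects it. A classifier that dispatches on the first magic bytes sees only a PDF; a check that looks for each format's signature at the offset where that format's own parser looks finds both. The PDF/ZIP pairing is an assumption chosen for illustration: ZIP readers locate the archive from the end-of-central-directory record at the tail, which is exactly why prepended data does not stop them.

```python
import io
import zipfile

# A minimal PDF-looking prefix (constructed; enough to satisfy a signature check,
# not a fully conformant document).
PDF_PREFIX = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)


def build_pdf_zip_polyglot(member_name: str, payload: bytes) -> bytes:
    """Append a ZIP archive to a PDF prefix. PDF readers key on the header at the
    front; ZIP readers key on the end-of-central-directory record at the back,
    so both parsers accept the same bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return PDF_PREFIX + buf.getvalue()


def first_magic_only(data: bytes) -> str:
    """What a naive dispatcher does: match the leading bytes against a table and stop."""
    for magic, name in ((b"%PDF-", "pdf"), (b"PK\x03\x04", "zip"), (b"MZ", "pe")):
        if data.startswith(magic):
            return name
    return "unknown"


def detect_formats(data: bytes) -> list[str]:
    """Return every format whose signature is present where its parser would look."""
    found = []
    # PDF readers tolerate the header anywhere in the first 1024 bytes.
    if b"%PDF-" in data[:1024]:
        found.append("pdf")
    # PE executables start with the MZ stub.
    if data[:2] == b"MZ":
        found.append("pe")
    # ZIP: end-of-central-directory record within the last 64 KiB + 22 bytes
    # (max comment length plus fixed record size), plus a local file header.
    tail = data[-(65535 + 22):]
    if b"PK\x05\x06" in tail and b"PK\x03\x04" in data:
        found.append("zip")
    # HTML/HTA: tag soup near the start, case-insensitive.
    head = data[:4096].lower()
    if b"<html" in head or b"<script" in head or b"<hta:application" in head:
        found.append("html")
    return found


def is_polyglot(data: bytes) -> bool:
    return len(detect_formats(data)) > 1


def extract_hidden_members(data: bytes) -> dict[str, bytes]:
    """Read the appended archive the way a second-stage loader would."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


if __name__ == "__main__":
    sample = build_pdf_zip_polyglot("stage2.bin", b"constructed second-stage payload")
    print("naive classifier :", first_magic_only(sample))
    print("all signatures   :", detect_formats(sample))
    print("polyglot?        :", is_polyglot(sample))
    print("hidden members   :", list(extract_hidden_members(sample)))
```

In a mail or download gateway the useful policy is the one this encodes: classify by every signature present, compare the result against the declared extension and MIME type, and treat any file that satisfies more than one parser as suspicious rather than as whichever format its first bytes claim.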
Researchers at Truffle Security found nearly 12,000 live API keys and passwords in Common Crawl, the roughly 400-terabyte open web crawl used to train AI models including DeepSeek. They identified 219 different secret types, with AWS root keys the most common. Because the corpus is public and feeds model training, any credential that has landed in it should be treated as compromised and rotated, regardless of whether the original page has since been fixed.
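The kind of scan Truffle Security ran, reduced to a self-contained illustration added here (this is not Truffle Security's code; the crawled-page sample and every credential in it are constructed and fake). It shows the three pieces such a scanner needs: format patterns for a few secret types (the AWS access key ID layout and the ghp_ GitHub token prefix are documented formats; the AWS secret-key pattern is a simplified assumption keyed on a nearby label), a Shannon-entropy gate that drops low-entropy filler, and a marker filter for documentation dummies such as AWS's canonical AKIAIOSFODNN7EXAMPLE pair:

```python
import math
import re
from collections import Counter

# Patterns for three secret types. The access key ID shape (AKIA/ASIA plus 16
# uppercase alphanumerics) and the ghp_ prefix are published formats; the
# secret-key pattern is an assumption that relies on an "aws ... secret ... key"
# label nearby, not a vendor-published rule.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_\-\s]*secret[_\-\s]*(?:access[_\-\s]*)?key\s*[=:]\s*['\"]?"
        r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
    ),
    "github_pat": re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"),
}

# Strings that tutorials and docs use in place of real credentials.
PLACEHOLDER_MARKERS = ("EXAMPLE", "XXXX", "YOUR_", "CHANGEME")
# Random keys sit well above this; "AKIAAAAA..." style filler falls below it.
MIN_ENTROPY_BITS = 3.0


def shannon_entropy(value: str) -> float:
    """Bits per character, estimated from the string's own symbol frequencies."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_placeholder(value: str) -> bool:
    """True for documentation-style dummies: marker words or too little entropy."""
    upper = value.upper()
    if any(marker in upper for marker in PLACEHOLDER_MARKERS):
        return True
    return shannon_entropy(value) < MIN_ENTROPY_BITS


def scan_text(text: str) -> list[dict]:
    """Run every pattern over every line; one finding per match."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(1)
                findings.append({
                    "line": line_no,
                    "type": kind,
                    "value": value,
                    "entropy": round(shannon_entropy(value), 2),
                    "placeholder": is_placeholder(value),
                })
    return findings


def summarize(findings: list[dict]) -> dict:
    """Totals a triage report leads with: all hits, and live candidates by type."""
    live = [f for f in findings if not f["placeholder"]]
    return {
        "total": len(findings),
        "live_candidates": len(live),
        "by_type": dict(Counter(f["type"] for f in live)),
    }


# Constructed stand-in for one crawled page; every credential below is fake.
LOW_ENTROPY_KEY = "AKIA" + "A" * 16
SAMPLE_PAGE = "\n".join([
    "<!-- constructed sample of a crawled page; all credentials are fake -->",
    "<script>",
    "  var config = {",
    '    awsAccessKeyId: "AKIAZZ7Q3N4LMXT2C5WQ",',
    '    aws_secret_access_key: "q8Zt3VbN2xLpR7kWm1YcH4sFjD9gTaE6uKoPvX0S",',
    "  };",
    "</script>",
    "<pre>",
    "# copied from a tutorial: AWS's canonical placeholder pair",
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
    "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    'token = "ghp_Ab3dE6fG9hJ2kL5mN8pQ1rS4tU7vW0xY3zA5"',
    "AWS_ACCESS_KEY_ID=" + LOW_ENTROPY_KEY,
    "</pre>",
])

if __name__ == "__main__":
    results = scan_text(SAMPLE_PAGE)
    for f in results:
        status = "placeholder" if f["placeholder"] else "LIVE CANDIDATE"
        print(f"line {f['line']:>2} {f['type']:<22} {status:<15} entropy={f['entropy']}")
    print(summarize(results))
```

The entropy and marker gates only cut noise; calling a hit "live" still takes a verification step against the provider (for an AWS pair, `aws sts get-caller-identity` with those credentials shows whether they work and which principal, root or IAM user, they belong to). Nothing in the key ID alone distinguishes a root key from an IAM user key, which is why a scanner that reports root keys, as Truffle Security did, has to verify each hit.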
This episode of Risky Bulletin covers new attack techniques (turning ordinary Bluetooth devices into trackers, a VM-escape chain in ESXi, a backdoor delivered through polyglot files), criminal and state activity (fake BianLian ransom letters, the Black Basta arrest, North Korea laundering the Bybit funds) and legal and regulatory moves (France's encryption amendment, the ICO's TikTok probe, Treasury sanctions on the Nemesis administrator, and the NSO Group indictment in Catalonia), alongside the leak of live credentials through AI training data.
Notable Quotes:
"The nRootTag technique could cause any Bluetooth device to impersonate an AirTag" — Claire Aird (00:45)
"Broadcom credited Microsoft's MSTIC security team with spotting the bugs in the wild and reporting them" — Claire Aird (02:15)
"The scammers will be hoping they didn't leave any saliva DNA on the envelope" — Claire Aird (05:20)
"Boasted about his friends at a really high level" — Claire Aird (07:05)
This summary is based on the transcript of the Risky Bulletin podcast episode released on March 5, 2025.