Risky Bulletin Summary: Researcher Scores $250,000 for Chrome Bug
Podcast Information:
Title: Risky Bulletin
Host/Author: risky.biz
Description: Regular cybersecurity news updates from the Risky Business team...
Episode: Risky Bulletin: Researcher scores $250,000 for Chrome bug
Release Date: August 11, 2025
1. High-Value Bug Bounties: Google Rewards Security Researcher
Google has paid a $250,000 bounty to a security researcher for a novel sandbox escape in Chrome. As Claire Aird puts it, "Google has paid a bug hunter $250,000 for a novel sandbox escape in Chrome." The flaw was reported in April and patched the following month. It resided in Mojo, the inter-process communication layer Chrome uses to talk between its processes. By exploiting it, a compromised renderer could impersonate the browser's privileged parent process and so step out of the sandbox. The payout is one of the largest Google has made; the company's record remains a $605,000 reward for a single issue in 2022.
2. Media Freedom Law in the EU and Data Localisation in Russia
The European Media Freedom Act, which restricts the use of spyware and surveillance against journalists, has come into application across the EU. Proposed in 2022 and adopted in early 2024, it is already drawing criticism; Claire notes, "Multiple press freedom organisations have said the legislation is ineffective as most EU governments have not begun implementing it at a national level." Separately, Russia will ban large Russian companies from storing citizens' personal data in foreign cloud services from September 2027. The ban does not apply to small and medium-sized enterprises or to individuals.
3. DeFi and Cryptocurrency Hacks: CrediX Platform Disappears
The decentralized finance (DeFi) platform CrediX has vanished from the internet a week after it was hacked. Claire details, "The platform has deleted its social media accounts and taken down its website. Last Monday, the attacker took control of an admin wallet and stole almost $4.5 million worth of assets before it went offline." Before disappearing, CrediX had pledged to reimburse affected users.
4. International Scam Operations and Law Enforcement Actions
Extradition of Ghanaian Nationals: Four Ghanaian nationals have been extradited to the United States to face charges over large-scale scam operations. According to Claire, "They allegedly stole more than $100 million using romance and BEC scams." Each defendant faces up to 75 years in prison.
Detention of Chinese Nationals in Thailand: Seventeen Chinese nationals operating a scam call center in Chiang Mai, Thailand, have been detained. As reported by Claire, "The call centre operated for three months from a rented house... targeting other Chinese speakers." The Bangkok Post added that all suspects attempted to flee, resulting in eight injuries from jumping out of the second floor.
Russia's First Criminal Dropper Investigation: Russian authorities have opened the country's first criminal investigation into a "dropper," the local term for someone who recruits money mules to launder stolen funds. Claire explains, "A Moscow man was charged with paying money mules to open bank accounts that received stolen funds."
5. Scam Losses, Volunteer Defenders and Competitions
FTC Reports Surge in Scams Against Elderly Americans: The Federal Trade Commission (FTC) revealed that retired and elderly Americans lost a staggering $700 million to scams in the past year, a dramatic increase from $120 million in 2022. Claire underscores, "Many of the scammers impersonate the FTC," preying on vulnerable individuals seeking to protect their funds.
DEF CON Franklin Team Volunteers to Protect Municipal Water Systems: A group of white hat hackers, known as the DEF CON Franklin team, is offering free cybersecurity support to small U.S. municipalities. Claire mentions, "The group has already deployed volunteers across four US States as part of a pilot program," providing services such as network mapping and OT assessments.
DARPA's AI Cyber Challenge Victory: Team Atlanta won DARPA's AI Cyber Challenge, a two-year competition that concluded at the DEF CON security conference. Claire states, "The winning team is comprised of experts from Georgia Tech, Samsung, Pohang University, and the Korea Advanced Institute of Science and Technology," and took home a $4 million prize. Security firm Trail of Bits and Theori placed second and third, with prizes of $3 million and $1.5 million, respectively.
6. Vulnerability Research and Patches
Microsoft's Internal Systems Accessed via Entra ID Misconfiguration: Security researcher Vaisha Bernard exploited an OAuth misconfiguration in Microsoft's Entra ID setup to gain unauthorized access to more than 20 Microsoft internal services, including systems behind Copilot, Bing, Azure, APIs, and billing. Claire reports, "He even gained access to a system that could approve his own bounty payments. Despite this, Bernard was not paid a reward," which raises questions about Microsoft's vulnerability handling and bounty policies.
TETRA Communications Protocol Broken Again: The Terrestrial Trunked Radio (TETRA) protocol, used by law enforcement and the military, has been found vulnerable for a second time. Security firm Midnight Blue identified new weaknesses in TETRA's end-to-end encryption, which had been designed to address the earlier issues. Claire elaborates, "The latest findings include a scenario where the protocol intentionally weakens its encryption key, allowing for traffic decryption."
WinRAR Patches Zero-Day Vulnerability: WinRAR has fixed an actively exploited zero-day, a path traversal bug that let a crafted archive write files outside the directory chosen for extraction. Security firm ESET discovered and reported the flaw. Russian security firm BI.ZONE has separately linked attacks exploiting it to the Paper Werewolf APT group, also tracked as GOFFEE.
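The WinRAR item describes a bug class rather than a single bug: an archive entry whose name climbs out of the extraction directory (a "../" hop, an absolute path, or a Windows drive prefix) gets written wherever the attacker chose, which is how these bugs turn into startup-folder persistence. The following is an added example, not code from the episode, ESET, BI.ZONE, or WinRAR, and it uses the zip format as a stand-in for RAR since Python ships a zip writer. The sample archive, its member names, and the helper names (`member_is_safe`, `safe_extract`, `run_demo`) are all constructed here for illustration.

```python
import io
import os
import tempfile
import zipfile


def member_is_safe(dest_dir: str, member_name: str) -> bool:
    """Return True only if extracting member_name would land inside dest_dir.

    Rejects NUL bytes, absolute paths, Windows drive prefixes and any '..'
    hop that resolves above the destination. Backslashes are normalised first
    because archives built on Windows carry them as separators.
    """
    name = member_name.replace("\\", "/")
    if not name or "\x00" in name:
        return False
    if name.startswith("/"):                       # absolute path or UNC
        return False
    if len(name) >= 2 and name[1] == ":":          # C:/..., D:...
        return False
    dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest, *name.split("/")))
    return target == dest or target.startswith(dest + os.sep)


def classify_members(zip_bytes: bytes, dest_dir: str) -> dict:
    """Map each member name in the archive to True (safe) or False (escapes)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {i.filename: member_is_safe(dest_dir, i.filename) for i in zf.infolist()}


def safe_extract(zip_bytes: bytes, dest_dir: str) -> list:
    """Validate every member, then extract; returns the list of paths written.

    The whole listing is checked before the first write: an extractor that
    aborts mid-loop has already dropped the attacker's earlier entries.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()
        bad = [i.filename for i in infos if not member_is_safe(dest_dir, i.filename)]
        if bad:
            raise ValueError(f"archive contains path-traversal members: {bad}")
        written = []
        root = os.path.realpath(dest_dir)
        for info in infos:
            name = info.filename.replace("\\", "/")
            target = os.path.join(root, *name.split("/"))
            if name.endswith("/"):
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
        return written


def build_sample_archive(members: dict) -> bytes:
    """Build an in-memory zip from {name: content}. writestr() keeps names
    verbatim, so hostile names like '../x' survive (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: one benign entry plus three traversal attempts of the
# kind an extraction bug lets through.
HOSTILE_ARCHIVE = build_sample_archive({
    "docs/readme.txt": "hello",
    "../../evil.txt": "dropped outside dest",
    "/etc/cron.d/backdoor": "* * * * * root /tmp/x",
    "C:\\Users\\Public\\Start Menu\\x.lnk": "startup persistence",
})
CLEAN_ARCHIVE = build_sample_archive({"docs/readme.txt": "hello", "docs/a/b.txt": "x"})


def run_demo() -> dict:
    """Classify the hostile archive, confirm it is refused with nothing written,
    then extract the clean one into a fresh temp directory."""
    dest = tempfile.mkdtemp()
    verdicts = classify_members(HOSTILE_ARCHIVE, dest)
    try:
        safe_extract(HOSTILE_ARCHIVE, dest)
        refused = False
    except ValueError:
        refused = True
    nothing_written = os.listdir(dest) == []
    written = safe_extract(CLEAN_ARCHIVE, dest)
    return {"verdicts": verdicts, "refused": refused,
            "nothing_written": nothing_written, "written": written}


if __name__ == "__main__":
    result = run_demo()
    for name, ok in result["verdicts"].items():
        print(f"{'SAFE  ' if ok else 'ESCAPE'} {name!r}")
    print("hostile archive refused:", result["refused"])
    print("clean archive wrote:", result["written"])
```

Python's own `ZipFile.extractall` already strips these components, which is why the example writes files itself: the point is the check, and the realpath comparison is what catches the cases a naive `".." in name` test misses (a symlinked subdirectory, or `a/../../x`). The same validation applies to tar, RAR, or any other container format whose entry names the extractor trusts.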
7. Ransomware and Malware Threats
Embargo Ransomware Gang's Financial Impact: The Embargo ransomware group has collected more than $34 million since April, mostly from U.S. victims, according to blockchain intelligence firm TRM Labs. Claire notes, "The group is believed to be a rebrand of the ALPHV operation that was shuttered by authorities last year."
Malicious Packages in RubyGems Repository: A threat actor has uploaded more than 60 malicious packages to the RubyGems repository, masquerading as automation utilities while stealing login credentials for social media and marketing tools. Claire underscores the severity, "Their campaign's been running for more than two years," with over 275,000 downloads as reported by Socket Security.
8. Social Media Security Features and Privacy
Instagram's New Location-Sharing Feature: Instagram has reintroduced a location-sharing feature that lets users display precise locations on a map alongside their posts. Claire explains, "The feature was released last week and is turned off by default." Instagram shipped a similar feature a decade ago and withdrew it after it was abused for harassment and stalking, which is why the return is drawing privacy and safety concerns.
9. Legal Actions in Software Lifecycle Management
Lawsuit Against Microsoft Over Windows 10 Discontinuation: A California man, Lawrence Klein, is suing Microsoft in response to the planned discontinuation of Windows 10 later this year. As Claire states, "Klein claims the Windows 10 end of life is part of Microsoft's plan to monopolize the generative AI market," accusing the tech giant of employing forced obsolescence to compel users to transition to Windows 11, which comes pre-installed with Microsoft's generative AI tools.
This episode of Risky Bulletin, prepared by Catalin Cimpanu and narrated by Claire Aird, covers the week's developments from bug bounties and legislation to major hacks, vulnerability research and defensive initiatives.
