Risky Bulletin: Russian Hackers Abuse App-Specific Passwords to Bypass MFA
Hosted by risky.biz
Release Date: June 20, 2025
Introduction
In this episode of Risky Bulletin, host Claire Aird delivers a comprehensive update on the latest developments in the cybersecurity landscape. From sophisticated hacking techniques employed by Russian cyber operatives to significant breaches affecting international corporations, this edition covers a broad spectrum of topics vital for cybersecurity professionals and enthusiasts alike.
1. Russian Hackers Exploit App-Specific Passwords to Bypass Multi-Factor Authentication (MFA)
At the outset, Claire discusses a concerning trend where Russian hacking groups are abusing app-specific passwords to circumvent Gmail's MFA protections.
“Russian cyberspies are tricking victims into sharing app-specific passwords to bypass Gmail multi-factor authentication.” [00:04]
Key Points:
- App-Specific Passwords: These are designed for older applications that can't complete an MFA challenge; they grant those applications access to Google services without a second factor, which is why a password handed to an attacker bypasses MFA.
- Social Engineering Tactics: A Russian intelligence-linked hacking group has been impersonating the U.S. State Department since April to deceive targets into revealing these passwords.
- Victim Highlight: Keir Giles from Chatham House confirmed his status as a victim of this scheme.
2. Salt Typhoon's Espionage Activities and Latest Victim Viasat
Salt Typhoon, a Chinese espionage group, has intensified its cyber attacks, with U.S. satellite and wireless networking company Viasat being its tenth reported victim.
Key Points:
- Previous Targets: The group has compromised major entities such as Verizon, AT&T, Comcast, and Digital Realty.
- Impact: Continuous targeting underscores the persistent threat posed by state-sponsored espionage groups.
3. Predatory Sparrow's Destructive Campaign Against Iranian Crypto Exchange Nobitex
The hacktivist group Predatory Sparrow has launched a devastating attack on Iran's Nobitex crypto exchange, stealing and destroying $90 million in assets.
Key Points:
- Motivation: The group claims retaliation against the Iranian government's use of Nobitex to evade sanctions and fund terrorist activities.
- Collateral Damage: Following the crypto exchange breach, the same group compromised Bank Sepah, one of Iran's major banks.
- Data Exposure: Predatory Sparrow leaked the exchange's source code on Telegram, amplifying the breach's severity.
4. Iranian Cyber Defenses and Satellite Signal Hijacking
In response to these cyber assaults, the Iranian government has implemented stringent measures to block potential Israeli cyber intrusions.
Key Points:
- Satellite Attack: Suspected Israeli hackers hijacked satellite signals of Iran's state television, broadcasting footage of the 2022 Mahsa Amini women's protests and inciting a public uprising.
- Government Actions: Restrictions include blocking access to the Apple and Google app stores, alongside other Western applications. Citizens have been instructed to uninstall apps like WhatsApp and Instagram to prevent intelligence tracking.
5. Brazil's Federal Police Charges Against Former President Jair Bolsonaro
In a significant political development, Brazil's federal police have charged former President Jair Bolsonaro with unauthorized surveillance activities.
Key Points:
- Allegations: Bolsonaro, along with the country's spy chief, allegedly established a covert unit within the ABIN intelligence agency to spy on political adversaries, journalists, and environmentalists.
- Tools Used: The unit reportedly utilized the First Mile mobile network surveillance tool developed by Israeli company Cognyte.
6. Argentina's Crackdown on Russian Disinformation Operations
Argentina has taken decisive action against a Russian disinformation group operating within its borders.
Key Points:
- Group Identified: The operatives, known as "the Company," were linked to Project Lakhta and the Internet Research Agency founded by the late Yevgeny Prigozhin.
- Activities: Their mission involved disseminating Russian propaganda online and attempting to recruit Argentine citizens to their cause.
7. New Zealand Implements Minimum Cybersecurity Standards for Government Agencies
In a move to bolster national security, New Zealand has adopted new cybersecurity protocols mandatory for all government agencies.
Key Points:
- Standards Enforced: Agencies must inventory their assets, apply timely patches, deploy MFA, and adhere to other cybersecurity best practices.
- Effective Date: These standards are set to be in force from October 30.
8. Russia's Roskomnadzor Mandates Network Infrastructure Transparency
Russia's communications regulator, Roskomnadzor, has introduced stringent requirements for local telecommunications companies.
Key Points:
- Network Mapping: Telcos must provide detailed and accurate maps of their network infrastructures.
- Surveillance Assurance: The regulator aims to ensure all network traffic traverses through Russian surveillance equipment.
- Compliance Details: Operators are required to list all devices, including their MAC and IP addresses.
9. Spain Fines Carrefour Over Security Lapses
Carrefour, the French retail giant, has been fined €3.2 million by Spain's Data Protection Agency following a significant security breach.
Key Points:
- Nature of the Breach: The incident involved five separate brute-force attacks compromising over 119,000 customer accounts in 2023.
- Regulatory Action: The fine underscores the importance of robust security measures against such cyber threats.
10. Data Breach at Swiss Banks via IT Contractor ChainIQ
Two Swiss banks have fallen victim to data theft orchestrated through their shared IT contractor, ChainIQ.
Key Points:
- Affected Parties: Swiss Financial Group's data, including details of 130,000 employees, and Pictet's supplier invoices were stolen.
- ChainIQ's Role: ChainIQ is a major international IT provider with multiple Fortune 500 clients, so the breach highlights the exposure that comes with third-party service providers.
11. UK Payments Processor Paddle Faces $5 Million Settlement
Paddle, a UK-based payments processor, has agreed to a $5 million settlement with the U.S. Federal Trade Commission (FTC) over its involvement in tech support scams.
Key Points:
- Settlement Conditions: Beyond the financial penalty, Paddle must enhance client screening, obtain explicit user consent for recurring payments, and facilitate easy subscription cancellations.
12. Ukrainian Arrest in Connection with Ryuk Ransomware Attacks
Ukrainian authorities have extradited a 33-year-old man implicated in Ryuk ransomware operations.
Key Points:
- Role: The suspect functioned as an initial access broker, infiltrating networks and granting access to other individuals responsible for deploying the ransomware.
- Timeline: The arrest, made in Kyiv in April, marks a significant step in combating ransomware networks.
13. Surge in Signal Jammer Seizures in the U.S.
The Department of Homeland Security (DHS) reports an 830% increase in the seizure of signal jammers entering the United States since 2021.
Key Points:
- Sources: Many of these jammers are sourced from Chinese tech companies.
- Misuse: These devices have been employed to disrupt emergency services, critical infrastructure, aviation, and even to impede law enforcement responses during criminal activities like bank robberies.
14. Cloudflare Mitigates Record-Breaking DDoS Attack
Internet infrastructure company Cloudflare successfully mitigated a massive Distributed Denial of Service (DDoS) attack peaking at 7.3 terabits per second.
Key Points:
- Attack Details: The unprecedented assault surpassed previous DDoS records by 1 terabit per second, targeting an unnamed web hosting provider.
- Duration: The attack lasted a mere 45 seconds but highlighted the escalating scale of cyber threats.
15. Emergence of "Godfather" Android Banking Trojan
A new Android malware variant, dubbed "Godfather," leverages virtualization to exfiltrate user credentials and funds.
Key Points:
- Operation Mechanism: Upon launching a legitimate app, the malware runs it within a malicious virtual environment, allowing attackers to intercept sensitive information.
- Targets: The Trojan is actively targeting banking, cryptocurrency, and social media applications.
- Duration: It has been operational in the wild for the past eight months, posing significant risks to mobile users.
16. BeyondTrust Addresses Critical Remote Code Execution Vulnerability
Software company BeyondTrust has released patches for a severe remote code execution (RCE) vulnerability affecting its remote desktop applications.
Key Points:
- Vulnerability Details: Identified by security firm Resillion, the flaw allows remote attackers to inject malicious templates, potentially compromising the server.
- Affected Products: BeyondTrust's Remote Support and Privileged Remote Access solutions are impacted, necessitating immediate updates to ensure security integrity.
Conclusion
This episode of Risky Bulletin underscores the relentless evolution of cyber threats and the multifaceted strategies employed by both malicious actors and defenders. From geopolitical espionage and ransomware to the exploitation of authentication mechanisms, the landscape remains perilous. Staying informed and proactive is imperative for organizations and individuals alike to navigate these challenges effectively.
For more insights and updates, stay tuned to Risky Bulletin by risky.biz.
