
Claire Aird
Russian hackers abuse app-specific passwords to bypass multi-factor authentication, the 10th Salt Typhoon victim is identified, Predatory Sparrow destroys $90 million from an Iranian crypto exchange, and Argentina arrests a Russian disinfo gang. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 20th of June, and this podcast episode is brought to you by Island, the enterprise browser company that keeps data inside organizations' boundaries across the browser and beyond.

Russian cyberspies are tricking victims into sharing app-specific passwords to bypass Gmail multi-factor authentication. App-specific passwords allow older applications that don't support MFA to access Google services. A hacking group linked to Russia's intelligence service has been social-engineering targets to generate and hand over the passwords. The group has been impersonating the U.S. State Department since April. Chatham House expert Keir Giles has publicly confirmed he was a victim.

US satellite and wireless networking company Viasat is the latest known victim of Chinese espionage group Salt Typhoon. Viasat is the group's 10th known victim since Salt Typhoon's hacking spree was uncovered last year. Previous victims include Verizon, AT&T, Comcast and data centre provider Digital Realty.

Hacktivist group Predatory Sparrow has stolen and destroyed $90 million in crypto assets from Iranian exchange Nobitex. The group claimed it hacked the platform because the Iranian government used it to avoid sanctions and finance terrorist groups. Predatory Sparrow also dumped the exchange's source code on Telegram. The theft was announced one day after the same group hacked Bank Sepah, one of the country's major banks. Following the bank hack, the Iranian government restricted the country's internet in an attempt to block Israeli cyber attacks.

Suspected Israeli hackers hijacked satellite signals for Iran's state television channel IRIB. The hackers aired footage of the 2022 Mahsa Amini women's protests and called for a public uprising against the regime. The attack occurred on Wednesday, and the interruption lasted a few minutes.

The Iranian government has blocked access to the Apple and Google app stores. Several other Western apps have also been blocked. Officials previously instructed citizens to uninstall WhatsApp and Instagram from their devices. The government warned that Israeli intelligence services were tracking and identifying targets through location data gathered from the apps.

Brazil's federal police have charged former President Jair Bolsonaro with illegal spying on political rivals, journalists and environmental activists. Bolsonaro and the country's spy chief allegedly created a unit inside the ABIN intelligence agency. The unit spied on over 30 people and allegedly used the First Mile mobile network surveillance tool developed by Israeli company Cognyte.

Argentina's intelligence service has detained a group of Russian spies who conducted disinformation campaigns against the country's government. The group called itself the Company and had ties to Project Lakhta and the late Yevgeny Prigozhin's Internet Research Agency. The Company allegedly disseminated Russian propaganda online and was working to recruit Argentinian citizens.

New Zealand has adopted minimum cyber security standards for government agencies. The new standards will apply to all business-critical and external-facing systems. Agencies will have to inventory their assets, apply timely patches, deploy MFA and follow other best practices. The new standards will apply from October 30.

Russia's communications watchdog will require local telcos to provide accurate maps of their network infrastructure. Roskomnadzor wants to ensure all traffic passes through its network surveillance equipment. Telecom operators must provide lists of all equipment and include device characteristics such as MAC and IP addresses.

Spain's data protection agency has fined French retailer Carrefour over a security incident. The company has been ordered to pay 3.2 million euros for failing to roll out protections against brute-force attacks for its customer accounts. Hackers allegedly gained access to more than 119,000 accounts through five separate brute-force attacks in 2023.

A hacker has stolen data from two Swiss banks after breaching their shared IT contractor ChainIQ. One Swiss financial group had the data of 130,000 employees stolen, and tens of thousands of supplier invoices were stolen from the second bank, Pictet. ChainIQ is a major international IT provider and lists multiple Fortune 500 companies as customers.

UK payments processor Paddle has agreed to pay $5 million for processing payments linked to tech support scams. The settlement with the U.S. Federal Trade Commission also requires Paddle to implement effective client screening and monitoring. It must also get explicit user consent to set up recurring payments and provide ways for users to cancel subscriptions.

Ukrainian authorities have arrested a 33-year-old man over his role in Ryuk ransomware attacks. The suspect was extradited to this month after being arrested in Kyiv in April. Ukrainian officials say the suspect worked as an initial access broker. He breached networks before passing access to other individuals to deploy ransomware.

The DHS has reported an 830% increase in the seizure of signal jammers entering the US since 2021. The agency says many Chinese tech companies sell signal jammers that can disrupt emergency services, critical infrastructure and aviation. Some of the devices have been used to jam law enforcement response during bank robberies.

Internet infrastructure company Cloudflare says it mitigated a 7.3 terabit per second DDoS attack. The attack beats the previous DDoS record by 1 terabit per second. The incident took place in mid-May, lasted 45 seconds, and targeted an unnamed web hosting provider.

An Android banking Trojan is using virtualization to steal logins and funds from mobile users. The new Godfather malware was spotted by mobile security firm Zimperium. It installs virtualization tools on infected devices. When users start a legitimate app, the malware runs it inside the malicious virtualization environment, where the attacker can intercept credentials and steal funds. The Godfather malware has been active in the wild for eight months and can target banking, crypto and social media apps.

And finally, software company BeyondTrust has patched a remote code execution bug in its remote desktop applications. The bug was discovered by security firm Resillion and impacts the BeyondTrust Remote Support and Privileged Remote Access products. It allows remote attackers to inject malicious templates into the software, leading to compromise of the server.

And that is all for this podcast edition. Today's show was brought to you by our sponsor, enterprise browser maker Island. Find them at island.io. Thanks for your company, Sam.
Risky Bulletin: Russian Hackers Abuse App-Specific Passwords to Bypass MFA
Hosted by risky.biz
Release Date: June 20, 2025
In this episode of Risky Bulletin, host Claire Aird delivers a comprehensive update on the latest developments in the cybersecurity landscape. From sophisticated hacking techniques employed by Russian cyber operatives to significant breaches affecting international corporations, this edition covers a broad spectrum of topics vital for cybersecurity professionals and enthusiasts alike.
At the outset, Claire discusses a concerning trend where Russian hacking groups are social-engineering victims into generating app-specific passwords, which let legacy clients log in without going through Gmail's MFA protections.
"Russian cyberspies are tricking victims into sharing app-specific passwords to bypass Gmail Multi Factor Authentication." [00:04]
Salt Typhoon, a Chinese espionage group, continues its intrusion campaign, with U.S. satellite and wireless networking company Viasat being its tenth known victim.
The hacktivist group Predatory Sparrow has attacked Iran's Nobitex crypto exchange, stealing and destroying $90 million in assets and dumping the exchange's source code on Telegram.
In response to these cyber assaults, the Iranian government has restricted the country's internet and blocked app stores and several Western apps in an attempt to block Israeli cyber intrusions.
In a significant political development, Brazil's federal police have charged former President Jair Bolsonaro with unauthorized surveillance activities.
Argentina has detained a Russian disinformation group operating within its borders.
New Zealand has adopted minimum cyber security standards mandatory for government agencies' business-critical and external-facing systems.
Russia's communications regulator, Roskomnadzor, has introduced stringent infrastructure-mapping requirements for local telecommunications companies.
Carrefour, the French retail giant, has been fined EUR 3.2 million by Spain's data protection agency for failing to protect customer accounts against brute-force attacks.
Two Swiss banks have fallen victim to data theft through their shared IT contractor, ChainIQ.
Paddle, a UK-based payments processor, has agreed to a $5 million settlement with the U.S. Federal Trade Commission (FTC) for processing payments linked to tech support scams.
Ukrainian authorities have arrested and extradited a 33-year-old man implicated in Ryuk ransomware operations as an initial access broker.
The Department of Homeland Security (DHS) reports an 830% increase in the seizure of signal jammers entering the United States since 2021.
Internet infrastructure company Cloudflare mitigated a record Distributed Denial of Service (DDoS) attack peaking at 7.3 terabits per second.
A new Android banking malware, dubbed "Godfather," runs legitimate apps inside a malicious virtualization environment to intercept credentials and steal funds.
Software company BeyondTrust has released patches for a remote code execution (RCE) vulnerability affecting its Remote Support and Privileged Remote Access products.
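The Carrefour item above turns on one missing control: throttling repeated failed logins. The following is an added example, not code from Risky Bulletin, Carrefour or the Spanish regulator, showing what a minimal brute-force guard for a login endpoint looks like. It combines a per-account lockout (stops single-account password guessing), a per-IP attempt budget (stops one source hammering many accounts) and a distinct-accounts-per-IP signal (flags credential stuffing). All thresholds, the `CREDENTIALS` table, the IP addresses and the `FakeClock` are constructed for illustration; a real deployment would store password hashes, persist counters in a shared store, and add CAPTCHA or step-up authentication instead of a hard refusal.

```python
"""Per-account and per-IP brute-force throttling for a login endpoint.

Added example, not taken from the page or from any vendor's product.
Thresholds below are illustrative assumptions, not recommended values.
"""
import hmac
import time
from collections import defaultdict, deque

ACCOUNT_MAX_FAILURES = 5        # failed attempts before an account is locked
ACCOUNT_LOCK_SECONDS = 900      # lock duration (15 minutes)
IP_WINDOW_SECONDS = 60          # sliding window for per-IP counters
IP_MAX_ATTEMPTS = 20            # attempts per IP per window, success or failure
IP_MAX_DISTINCT_ACCOUNTS = 10   # more than this many accounts from one IP = stuffing

# Constructed sample store; real systems keep password hashes, never plaintext.
CREDENTIALS = {"alice": "constructed-password-1"}


class FakeClock:
    """Controllable clock so the scenarios below run deterministically offline."""
    def __init__(self, start=0.0):
        self.now = start
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds


class LoginGuard:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.account_failures = defaultdict(deque)   # account -> failure timestamps
        self.account_locked_until = {}               # account -> unlock time
        self.ip_attempts = defaultdict(deque)        # ip -> (timestamp, account)

    def check(self, account, ip):
        """Decide whether an attempt may proceed. Call before verifying the password."""
        now = self.clock()
        until = self.account_locked_until.get(account)
        if until is not None:
            if now < until:
                return False, "account_locked"
            del self.account_locked_until[account]       # lock expired
            self.account_failures[account].clear()
        attempts = self.ip_attempts[ip]
        while attempts and now - attempts[0][0] > IP_WINDOW_SECONDS:
            attempts.popleft()                           # drop entries outside the window
        if len(attempts) >= IP_MAX_ATTEMPTS:
            return False, "ip_rate_limited"
        distinct = {acct for _, acct in attempts}
        distinct.add(account)
        if len(distinct) > IP_MAX_DISTINCT_ACCOUNTS:
            return False, "ip_credential_stuffing"
        attempts.append((now, account))                  # count only attempts we allow
        return True, "ok"

    def record_failure(self, account):
        now = self.clock()
        fails = self.account_failures[account]
        while fails and now - fails[0] > ACCOUNT_LOCK_SECONDS:
            fails.popleft()
        fails.append(now)
        if len(fails) >= ACCOUNT_MAX_FAILURES:
            self.account_locked_until[account] = now + ACCOUNT_LOCK_SECONDS
            fails.clear()

    def record_success(self, account):
        self.account_failures.pop(account, None)


def verify_password(account, password):
    # Constant-time compare; the membership test still leaks account existence
    # by timing, which a production store avoids by hashing against a dummy.
    stored = CREDENTIALS.get(account, "")
    return account in CREDENTIALS and hmac.compare_digest(stored.encode(), password.encode())


def attempt_login(guard, account, ip, password):
    """Full flow: throttle check, then credential check, then counter update."""
    allowed, reason = guard.check(account, ip)
    if not allowed:
        return reason
    if verify_password(account, password):
        guard.record_success(account)
        return "success"
    guard.record_failure(account)
    return "bad_credentials"


def scenario_single_account():
    """One IP guesses one account's password; lock engages after 5 failures."""
    clock, guard = FakeClock(), None
    guard = LoginGuard(clock)
    results = [attempt_login(guard, "alice", "203.0.113.7", f"guess{i}") for i in range(6)]
    clock.advance(ACCOUNT_LOCK_SECONDS + 1)              # lock expires
    results.append(attempt_login(guard, "alice", "203.0.113.7", "constructed-password-1"))
    return results


def scenario_credential_stuffing():
    """One IP tries one password against many accounts."""
    guard = LoginGuard(FakeClock())
    return [attempt_login(guard, f"user{i}", "198.51.100.9", "Password123") for i in range(11)]


def scenario_ip_rate_limit():
    """One IP rotates across a few accounts, staying under each account's lock."""
    guard = LoginGuard(FakeClock())
    results = [attempt_login(guard, acct, "192.0.2.5", f"guess{i}")
               for acct in ("u1", "u2", "u3", "u4") for i in range(5)]
    results.append(attempt_login(guard, "u5", "192.0.2.5", "guess"))
    return results
```

The three scenarios show why one counter is not enough: the account lock alone lets an attacker spread five guesses across every account, the per-IP budget alone lets a botnet take one guess per IP, and the distinct-accounts signal catches the stuffing pattern the other two miss. In practice the counters live in a shared store keyed on both account and source so all application instances see the same state.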
This episode of Risky Bulletin underscores the relentless evolution of cyber threats and the multifaceted strategies employed by both malicious actors and defenders. From geopolitical espionage and ransomware to the exploitation of authentication mechanisms, the landscape remains perilous. Staying informed and proactive is imperative for organizations and individuals alike to navigate these challenges effectively.
For more insights and updates, stay tuned to Risky Bulletin by risky.biz.