Risky Bulletin: Russia's war on foreign software continues

Host: Claire Aird
Release Date: August 6, 2025
Podcast: Risky Bulletin by risky.biz

Introduction

In this episode of Risky Bulletin, Claire Aird delves into the latest cybersecurity developments, ranging from international software regulations to significant data breaches affecting major corporations. The episode, released on August 6, 2025, provides a comprehensive overview of the evolving cyber threat landscape and the responses from both governmental bodies and private enterprises.

1. Russia Mandates Migration to Domestic ERP Systems

Russian authorities have enacted a new law requiring companies to transition to domestically produced Enterprise Resource Planning (ERP) systems.

Legislation Details:
"The government passed a law in April that requires critical infrastructure operators to use Russian-made software," Aird explains (00:30).
Implementation Timeline:
The law becomes effective in September 2025, though a specific deadline for migration has yet to be established.
Current Compliance Status:
Approximately one-third of Russian firms continue to utilize foreign ERP solutions such as SAP and Oracle, highlighting significant potential disruptions in the transition period.
Impact on Businesses:
This move underscores Russia's intention to bolster its cybersecurity by reducing reliance on foreign software, potentially reshaping the global ERP market.

2. Ohio Requires Public Approval for Ransomware Payments

In a groundbreaking shift, Ohio's local government bodies must now approve any ransom payments resulting from ransomware attacks through transparent, public mechanisms.

New Policy Overview:
"Local government bodies in Ohio will have to approve ransomware payments in full view of the public," states Aird (02:15).
Legislative Context:
This requirement is part of the 2026 state budget bill, which also mandates the establishment of cybersecurity programs aimed at preventing future cyberattacks.
Funding Constraints:
The bill restricts the use of current Department of Homeland Security (DHS) Cyber grants, previously utilized by the Multi-State Information Sharing and Analysis Centre (MS-ISAC), for services provided by MS-ISAC.
Strategic Response:
A 17-member panel, led by former US Army Cyber Command head Ed Cardin and Josh Stiefel of the House Armed Services Committee, is tasked with formulating a roadmap for establishing a dedicated US cyber force for the next fiscal year.

3. Significant Data Breaches Affecting Major Corporations

Two high-profile companies, Chanel and Cisco, have reported substantial data breaches, raising concerns over their cybersecurity defenses.

Chanel Data Breach:
"Chanel has notified customers of a data breach impacting its U.S. operations," Aird reports (05:45). The breach involved unauthorized access through one of Chanel's database providers, although the exact number of affected individuals remains undisclosed.
Cisco Security Incident:
In a similar vein, Cisco experienced a breach in late July, compromising customer information. The breach was facilitated by a threat actor employing voice phishing tactics against a third-party CRM platform manager. Both breaches suggest a potential coordinated campaign targeting Salesforce users, though neither company has formally confirmed this association.

4. Thai Hospital Fined for an Unusual Data Breach

A private hospital in Thailand faced a hefty fine of $37,000 after an egregious data breach incident.

Incident Details:
Patient records were infamously repurposed as packaging for local delicacies, specifically "Kannom, Tokyo," a type of crispy crepe filled with custard (07:20).
Hospital's Response:
The institution admitted to hiring a contractor to dispose of sensitive records but failed to ensure proper execution, leading to the breach.

5. Ransomware Attack Leads to Data Leak in Louisiana

Data from Louisiana's East Baton Rouge Sheriff's Office was exposed following a ransomware attack in April of the previous year.

Exposed Information:
The leaked data includes informant details, polygraph results, internal affairs investigations, IMSI catcher warrants, training manuals for creating online sock puppet accounts, and information on using Cellebrite and GreyKey phone unlocking tools (09:10).
Response Strategy:
Notably, the Sheriff's office opted not to pay the ransom, a decision that underscores the complexities and risks associated with such cyber extortion tactics.

6. Ongoing Cybersecurity Threats and Vulnerabilities

a. Candiru Spyware Vendor Remains Active

Israeli spyware provider Candiru continues its operations despite scrutiny.

Recent Developments:
Security firm Recorded Future identified new servers associated with Candiru's Devil's Tongue spyware, with active deployments in countries including Hungary, Saudi Arabia, and Indonesia (11:00).

b. Iranian APT Group Alters Front Company Name

An Iranian advanced persistent threat (APT) group has rebranded its front company to evade US sanctions.

Company Evolution:
Previously sanctioned as the Cotton Sandstorm Group, the company has undergone name changes to Shahid Shustari and Aria Sepa Ayanda Sozan while maintaining its operational base.

c. SonicWall Advises Disabling SSL VPN Feature

SonicWall has issued a critical advisory for administrators to disable the SSL VPN feature on their devices immediately.

Reason for Advisory:
Multiple security firms, including Arctic Wolf and Google, reported ongoing attacks exploiting SonicWall systems to deploy ransomware (13:00).

d. Nvidia Servers Vulnerable to Hijacking

A series of three vulnerabilities in Nvidia's Triton Inference server platform have allowed remote attackers to hijack servers running AI models.

Vulnerability Details:
Discovered by Wiz (now part of Google Cloud), these bugs have been patched by Nvidia following their disclosure (14:30).

e. Dell Laptops Susceptible to Firmware Backdoors

Five vulnerabilities, collectively known as "ReVault," impact over 100 Dell laptop models by compromising the Control Vault 3 firmware.

Exploitation Mechanism:
These bugs can be leveraged via a Windows API without needing elevated privileges, facilitating unauthorized backdoors. Dell has responded with necessary firmware updates (16:00).

f. Streamlit Framework Vulnerability

A critical flaw in the Streamlit app deployment framework allows attackers to perform path traversal and arbitrary file uploads, potentially compromising underlying cloud servers.

Patch Information:
Streamlit addressed this vulnerability with a security patch released in March (17:40).

g. Adobe Releases Emergency Security Updates

Adobe has issued an out-of-band update for its Experience Manager CMS to fix two vulnerabilities after researchers released proof-of-concept exploits.

Patch Rationale:
Despite the absence of active exploitation in the wild, Adobe preemptively patched the issues following responsible disclosure protocols (19:10).

h. Cloudflare Accuses Perplexity of Policy Violations

Cloudflare has leveled accusations against AI company Perplexity for circumventing crawl restrictions by altering user agents and IP addresses, effectively hiding their scanning activities in approximately 20% of cases (20:50).

7. Meta Enhances WhatsApp Security Features

In an effort to combat scams and unauthorized additions to user groups, Meta has introduced a new feature in WhatsApp.

New Notification System:
Users will receive alerts when they are added to new groups by individuals outside their contact list. These group notifications will remain disabled until the user opts to join, enhancing personal security and privacy (22:00).

Conclusion

Today's edition of Risky Bulletin highlights significant shifts in cybersecurity policies, particularly Russia's move towards domestic software solutions and Ohio's transparent approach to handling ransomware payments. The episode also underscores the persistent threat of data breaches impacting both global brands and public institutions, while detailing ongoing vulnerabilities in major software platforms. These developments collectively emphasize the critical need for robust cybersecurity measures and proactive governance in the face of evolving cyber threats.

This summary is based on the transcript provided and aims to encapsulate the key discussions and insights shared in the August 6, 2025 episode of Risky Bulletin.

Transcript

Claire Aird (0:04)

Russian companies must migrate to domestic ERP systems Ohio's public sector will have to approve ransom payments in public Chanel and Cisco disclose data breaches and a Thai hospital gets fined over the dumbest data breach ever. This is the risky bulletin prepared by Catalyn Kim Panu and read by me, Claire Aird today. Today is the 6th of August and this podcast episode is brought to you by no code automation platform Tynes Russian companies will soon be required to migrate to domestic resource planning software. The government passed a law in April that requires critical infrastructure operators to use Russian made software. Enterprise resource planning is the first category to be designated as critical under that law. The law enters into effect in September, but no migration deadline has been set. About one third of Russian companies still use foreign ERP software such as SAP and Oracle. In other news, local government bodies in Ohio will have to approve ransomware payments in full view of the public. Approval for payments will need to be decided through regular open governance processes such as voting or committee. The new requirement was included in the 2026 state budget bill. The same bill will also require local governments to establish cybersecurity programs to Prevent future attacks. U.S. state and local governments cannot use this year's DHS Cyber grants for services provided by the Multi State Information Sharing and Analysis Centre. Ms. ISAC has previously provided critical cybersecurity intelligence for states and helped secure US elections until earlier this year. The DHS provided regular funding to the group. Its current funding runs out at the end of September. A panel has been tasked with creating a plan for establishing a US cyber force. The 17 person panel is comprised of former military and civilian leaders. The panel is led by the former head of US Army Cyber Command, Ed Cardin and Josh Stiefel, previously of the House Armed Services Committee. According to the record, the panel will prepare a roadmap for Congress to establish the cyber branch for next year's defence budget. A private hospital in Thailand has been fined $37,000 after its patient records were used as wait for it snack packaging. The paper records were used as wrappers for the local delicacy. Kannom, Tokyo this is a crispy crepe typically filled with custard, which sounds delicious. The hospital claimed it paid a contractor to dispose of the sensitive records but failed to follow up. French fashion brand Chanel has notified customers of a data breach. The incident impacted the company's U.S. operations. Chanel said hackers stole data from one of its database providers. It didn't say how many customers were affected. Networking equipment vendor Cisco has suffered a security breach. The incident occurred in late July and exposed some customer information. Cisco says a threat actor voice phished a third party that manages its CRM platform. Both the Cisco and Chanel breaches are likely part of the ongoing campaign targeting Salesforce users. Neither company has confirmed this. Data from a US Sheriff's office has been leaked after a ransomware attack last year. The data from Louisiana's East Baton Rouge Sheriff's office exposed informant details, polygraph results, internal affairs investigations and IMSI catcher warrants. The leak also included training manuals for creating online sock puppet accounts accounts and using the cellebrite and Grey Key phone unlocking tools. The office refused to pay when it was hit by ransomware in April last year. Israeli spyware vendor Candiru is still active. Security firm Recorded Future has discovered new servers that manage and deliver the company's Devil's Tongue spyware. Eight clusters of servers were found, five of which are still active. The servers have been linked to deployments in Hungary, Saudi Arabia, Azerbaijan, Uzbekistan, Spain and Indonesia. An Iranian apt group has changed the name of its front company following U.S. sanctions. The Cotton Sandstorm Group was sanctioned for interfering in the 2020 U.S. presidential election. The group was operated by a contractor named Yemeney Pasagad. The State Department says the company has changed its name to Shahid Shustari but still operates from the same address. This is the third time the company has changed its name. It also operated as Aria Sepa Ayanda Sozan last year. Sonicwall is urging administrators of its virewalls to disable the device's SSL VPN feature. The company received reports of attacks against the devices from multiple security firms this week. Security firms Arctic Woof, Google, Mandiant and Huntress said attackers have been hacking SonicWall systems and deploying RansomW. SonicWall says it's investigating whether the attacks used older bugs or a new zero day exploit. Remote attackers can hijack Nvidia servers running AI models. The attacks are enabled by a chain of three vulnerabilities in the Nvidia Triton Inference server platform. The bugs were discovered in the Triton platform's Backend by Wiz, which is now part of Google Cloud. Nvidia patched the issues this week. A set of vulnerabilities could allow threat actors to backdoor Dell laptops. The bugs impact the Control Vault 3 firmware, which supports advanced authentication options such as fingerprint and smart card readers. The five bugs, codenamed Revault, impact more than 100 models of Dell laptops. The bugs can be exploited via a Windows API and don't require elevated privileges. Dell has released firmware updates. A vulnerability in the Streamlit app deployment framework can allow attackers to hijack the underlying cloud servers. The framework only validates file updates, uploads client side, leading to straightforward path traversal and arbitrary file upload. Streamlit released a security patch in March. Adobe has released an out of band security Update to patch 2 vulnerabilities in its Experience Manager CMS. The patches were released after security researchers published proof of concept code. The researchers published the code after Adobe failed to patch the issue within 90 days of being notified. Adobe said the bugs were not being exploited in the wild at the time of the patch. Cloudflare has accused AI company Perplexity of ignoring no crawl policies. Cloudflare says Perplexity modifies its user agent and changes source IP when a website blocks it. It says the company hides its identity in about one fifth of its scanning activity. And finally, Meta will warn users when they're added to new WhatsApp groups by someone outside of their contacts. Group notifications will be disabled until the user agrees to to join. Meta launched the feature to help users avoid scams, and that is all for this podcast edition. Today's show was brought to you by our sponsor Tines. Find them at tynes.com thanks for your company.