Claire Aird
The Scattered Spider group targets the aviation sector, Russia throttles traffic from Cloudflare, a Mexican cartel hired hackers to track an FBI official, and Canada tells Hikvision to cease operations. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 30th of June, and this podcast episode is brought to you by Sandfly Security.

The Scattered Spider cybercrime group is now targeting the aviation sector. Individuals associated with the group have been linked to recent intrusions at WestJet and Hawaiian Airlines. Scattered Spider was linked to disruptions at UK retailers Marks and Spencer and Co-op earlier this year. More recently, it attacked insurance firms Aflac, Erie Insurance and Philadelphia Insurance.

In other news, the Sinaloa drug cartel hired a hacker in 2018 to track an FBI official's phone. A DOJ report released last week said the hacker obtained call records and geolocation data. According to the FBI, the hacker also used Mexico City's camera system to track the agent's movements. The cartel used the data to identify and kill informants in a case against its leader, Joaquin "El Chapo" Guzman.

Russian internet service providers are throttling traffic to Cloudflare. The throttling is a de facto block, as users can only load 16 kilobytes of data from Cloudflare before the connection is reset. The restrictions began in early June. Cloudflare says it has not received formal communication from the Russian government. The Kremlin also blocked YouTube in the same way in February.

Canada has ordered Chinese security camera maker Hikvision to cease operations in the country. Officials said the company is a threat to Canada's national security. Government agencies have been banned from purchasing new Hikvision products. The US previously sanctioned the company over helping the Chinese government surveil the Uyghur minority in western China.

A cybercrime group has stolen more than 1 million pounds from customers of the French bank Societe Generale. The group carried out SIM swapping to gain access to accounts. An intern at the bank is believed to have provided the customer details. The group also included one man who forged documents, one who conducted the SIM swaps and two who laundered stolen funds. All five were arrested earlier this month.

A Russian man has been sentenced in Belgium to seven years in prison for developing the Crylock ransomware. A Russian woman also received a five-year sentence for advertising the ransomware and negotiating with victims. Both sentences included an additional two years for refusing to hand over passwords for their devices and crypto wallets. The couple is believed to have made over 3 million euros and infected more than 400,000 users. The two were detained in Spain in 2023 before being extradited to Belgium.

A 31-year-old man has been sentenced to more than seven months in prison for sabotaging his former employer in the UK. A day after being suspended from work, Mohammed Umar Taj changed login credentials and multi-factor authentication settings. The sabotage caused IT outages for the company's customers in the UK, Germany and Bahrain. The company has not been publicly named. The incident led to at least 200,000 pounds in lost business and reputational damage.

Hackers have stolen $10 million worth of crypto assets from the Resupply DeFi platform. The attackers exploited a vulnerability that allowed them to deposit $200,000 and withdraw millions in return. The hackers used the Tornado Cash mixer to launder the funds and have not been identified.

Patrick Ware has been named the new executive director of U.S. Cyber Command. Ware will occupy the number three spot inside the U.S. military's cyber operations branch. Ware served 34 years with the NSA and has replaced Morgan Adamski.

Two U.S. senators have introduced a bill that would ban U.S. federal agencies from using AI tools developed by foreign adversaries. This would include AI technologies produced in China, Russia and Iran. Several agencies and US states recently banned employees from using the Chinese AI tool DeepSeek.

Meanwhile, Berlin's data protection agency wants to ban DeepSeek in Germany. The agency says DeepSeek illegally transfers user data to China. It reported the app to the Apple and Google stores last week for violating the GDPR. According to CNBC, Germany's action may lead to an EU-wide ban.

Brazil's Supreme Court has ruled that social media networks are liable for their users' posts. Social networks will have to monitor and remove user posts that contain hate speech, racism and calls for violence. The Trump administration previously threatened tariffs for countries that applied fines, taxes or content moderation to US tech firms.

The Terrorgram online community has been designated a terrorist organisation by the Australian government. The group operates on Telegram, where it recruits and encourages members to carry out murders, physical attacks and other hate crimes. Two admins were arrested in the US last week following violence in Slovakia and Turkey. Australia sanctioned the group's members in February.

Cybercrime accounts for more than 30% of all reported crimes in Western and Eastern Africa. An Interpol report revealed that online scams, ransomware, BEC and digital sextortion are the most common incidents. Most African countries said their legal systems are not equipped to handle the scale of the problem.

North Korean hacking groups are abusing ChatGPT to automate OSINT reconnaissance and cryptocurrency thefts. Hackers linked with the Andariel and Kimsuky groups have used ChatGPT to generate malicious code that automatically empties crypto wallets. They also used it to analyze public data to find targets for attacks. South Korean officials found traces of this activity on 39 servers seized last year.

Dozens of pro-Scottish-independence social media accounts went silent at the start of Israel's military operation in Iran, an investigation by the UK Defence Journal found. The accounts remained quiet during Iran's internet blackout and power outages from Israeli strikes. Iran is known to run influence operations internationally, where it blends local political themes with its own foreign interests.

Microsoft is previewing new Windows technology that will allow antivirus and security tools to run without kernel access. The new endpoint security platform was developed in response to last year's CrowdStrike bug that took down over 8.5 million Windows systems. Several EDR vendors are working with Microsoft to test the new technology.

Google has added a new security feature to Chrome that automatically escapes less-than and greater-than characters inside HTML attributes. The new feature is designed to prevent cross-site scripting attacks that rely on sneaking malicious code into web pages. The feature shipped with Chrome 138 last week.

Hackers are exploiting a new Citrix vulnerability, according to security firm ReliaQuest. The vulnerability is an out-of-bounds read that lets attackers extract some data from the server's memory. The exploit could be used to steal session tokens and gain access without having to authenticate. Citrix has not confirmed the attacks or ReliaQuest's findings.

And finally, the CentOS Web Panel project has fixed a vulnerability that could have allowed threat actors to hijack web hosting servers. If attackers know at least one username, the vulnerability allows them to take over the underlying server. The attack bypasses authentication, and proof-of-concept code has been published.

And that is all for this podcast edition. Today's show is brought to you by Sandfly Security. Find them at sandflysecurity.com. Thanks for your company.
Risky Bulletin: Scattered Spider Targets the Aviation Sector
Hosted by risky.biz
Release Date: June 30, 2025
In the latest episode of Risky Bulletin, host Claire Aird delivers a comprehensive update on the evolving landscape of cybersecurity threats and responses. Prepared by Catalin Cimpanu, the bulletin covers a spectrum of incidents ranging from cybercriminal activities targeting major industries to significant governmental actions addressing national security concerns.
1. Scattered Spider Targets Aviation Sector
2. Sinaloa Cartel's Use of Hackers
3. Societe Generale Bank Heist
4. Crylock Ransomware Cases
5. Resupply DeFi Platform Crypto Theft
1. Russian Throttling of Cloudflare Traffic
2. Canada Bans Hikvision Operations
3. U.S. Cyber Command Leadership Change
4. U.S. Legislation on Foreign AI Tools
5. Germany's Move Against DeepSeek
6. Brazil's Supreme Court on Social Media Liability
7. Australia's Designation of Terrorgram as a Terrorist Organization
1. Employee Sabotage in the UK
2. Rise of Cybercrime in Africa
3. North Korean Hacking and AI Abuse
4. Silence of Pro-Scottish Independence Accounts
1. Microsoft's New Windows Security Technology
2. Google's Chrome Security Feature
3. Exploitation of Citrix Vulnerability
4. CentOS Web Panel Vulnerability Fix
This episode of Risky Bulletin underscores the dynamic and multifaceted nature of cybersecurity threats and the corresponding measures taken by organizations and governments worldwide. From sophisticated cybercriminal operations targeting critical sectors like aviation and finance to legislative actions aimed at safeguarding national security and personal data, the landscape remains ever-evolving. Additionally, technological advancements by industry leaders like Microsoft and Google demonstrate ongoing efforts to bolster defenses against emerging threats. As cybercrime continues to proliferate, especially in regions like Africa and among state-sponsored actors, the importance of robust cybersecurity strategies and international cooperation becomes increasingly paramount.
For more insights and updates, subscribe to Risky Bulletin and stay informed on the latest in cybersecurity.