
Claire Aird
A spyware app infected Syrian army soldiers before the regime collapsed. NSO appeals its WhatsApp verdict. Chrome and Qualcomm patch zero-days, and an emergency services information sharing group shuts down. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 4th of June, and this podcast episode is brought to you by asset inventory and network visibility company runZero.

Members of the Syrian army were reportedly duped into installing spyware on their Android devices, according to New Lines Magazine. The spyware was hidden in an app that offered financial aid for military personnel. The app, STFD686, appeared to be associated with the Syria Trust for Development, a humanitarian organisation overseen by Bashar al-Assad's wife. It contained a version of the SpyMax remote access trojan, and this allowed attackers to track the movement of Syrian soldiers. The app rolled out in June last year, five months before the collapse of the Assad regime.

In other news, Israeli spyware maker NSO Group has filed an appeal in its WhatsApp lawsuit. The company is seeking reduced damages or a new trial. It called the verdict unlawful and excessive. Last month, NSO was ordered to pay Meta $167 million in damages after an NSO exploit was used to hack 1,400 WhatsApp users in 2019.

A US organisation that gave cybersecurity assistance to emergency services has shut down. The Emergency Management and Response Information Sharing and Analysis Centre ceased operations in late May. The group provided cybersecurity assistance to first responders, bomb squads, search and rescue teams and other emergency services. EMR-ISAC is one of several ISAC groups that have shut down following federal funding cuts this year.

Microsoft is testing a new way for Windows to recover if it fails to boot up. The Quick Machine Recovery feature will allow the OS to check directly with Microsoft for a solution. Microsoft developed the feature after a bad CrowdStrike update sent more than 8 million Windows computers into a reboot loop last year.

A hacker has wiped the servers of Indian grocery delivery startup KiranaPro. The hacker deleted the company's customer data along with the source code for its mobile app. The KiranaPro app is still online but can't process payments. According to TechCrunch, the hack originated from a former employee's account.

Some Marks and Spencer stores are holding walk-in recruitment days after a ransomware attack crippled the UK retail chain in April. The HR systems are still offline, so individual stores have resorted to posting Facebook ads telling prospective employees to show up in person. Marks and Spencer expects the disruption to its systems to last at least another month.

A hacker has stolen customer data from luxury fashion house Cartier. The company notified users about the breach this week. Stolen data includes names, emails and countries of residence. Cartier joins fashion brands Christian Dior, Tiffany & Co., Victoria's Secret and Adidas, who all recently disclosed breaches.

Morocco's land and property service has been hacked and its database stolen. Algerian hacking group Jabiroot has released over 10,000 files on Telegram. It claims the files detail real estate transactions by Moroccan public figures. The same group hacked Morocco's Social Security database in April. At the time, Moroccan officials accused the group of releasing modified and misleading documents.

A hacker has stolen $11.5 million worth of cryptocurrency from Taiwanese crypto exchange BitoPro. The hack occurred in early May and was confirmed by the company this week. The funds have already been laundered through Tornado Cash and THORChain.

Hackers have stolen $3.7 million worth of crypto assets from cross-chain platform Force Bridge, according to blockchain security firm Hashex. The attackers exploited weak access control mechanisms to bypass the bridge's protections. They then manipulated the bridge to steal its assets.

Nigerian authorities have arrested 22 suspects linked to a sextortion campaign. The individuals were detained following a joint investigation between Australian and Canadian police. The group has been linked to the suicide of a year old Australian in 2023.

A Romanian man who swatted US government officials has pleaded guilty in a DC court. 26-year-old Thomas Szabo was the moderator of the online chat room shenanigans, which called in fake bomb threats and police swattings. In late 2023, Szabo was involved in a large-scale campaign that targeted multiple US government officials. Victims included members of Congress, state governors, federal officials and law enforcement. Szabo, as well as a Serbian, were identified and arrested last year after using Google Voice to place the swatting calls.

A new threat actor is breaching DevOps infrastructure and deploying cryptocurrency miners. The attacks have targeted software packages such as Consul, Docker, Gitea and Nomad. Cloud security firm Wiz says this is the first publicly documented case of Nomad servers being exploited in the wild.

Socket Security has discovered two malicious Ruby libraries designed to intercept Telegram messenger traffic. The plugins are advertised as Telegram proxies built on the Fastlane app automation service. Socket researchers believe the plugins were created to target developers in Vietnam, where authorities recently announced a nationwide block on Telegram.

The Crocodilus Android malware now allows attackers to add contacts to victims' address books. Researchers speculate that the update is to make social engineering attacks seem more legitimate. The malware launched this year and is primarily distributed via malvertising campaigns. To date, it's been used to collect login credentials for mobile banking apps and extract crypto wallet seed phrases.

Meta and Yandex have abused localhost ports to track the online activity of mobile users. Websites using the Meta Pixel and Yandex Metrica scripts connect to local ports on Android devices. Meta and Yandex apps running on the same device listened on those ports to receive browsing metadata, cookies and advertising IDs. Researchers say the technique bypasses privacy protections such as incognito mode, Android's permission controls and clearing cookies. Meta stopped using the technique after it was disclosed by researchers.

Four major cybersecurity firms have announced an initiative to work together on APT group naming. Microsoft, CrowdStrike, Google and Palo Alto Networks will publish documents detailing how each of their APT names overlap. The companies don't plan on developing a universal APT naming taxonomy.

Chipmaker Qualcomm has patched three zero-day vulnerabilities exploited in its Adreno GPU driver. The zero-days were discovered by Google's security team in attacks against Android smartphones. The patches have been made available to smartphone manufacturers, and updates will be delivered to users.

Google has released a security update to patch an actively exploited Chrome zero-day. The vulnerability is a memory corruption issue in the browser's V8 JavaScript engine. It's the third Chrome zero-day to be patched this year.

And finally, Poland's CERT has found vulnerabilities in apps pre-installed on smartphones from local vendors. The vulnerabilities in Kruger&Matz and Ulefone devices allow local attackers to steal PIN codes and factory reset the phones. They can also allow attackers to inject and run malicious code with system-level privileges.

And that is all for this podcast edition. Today's show was brought to you by our sponsor, runZero. Find them at runzero.com. Thanks for your company, Sam.
Risky Bulletin: Syrian Army Infected with Spyware Before Regime Collapse
Hosted by Claire Aird | Released on June 4, 2025
In this episode of Risky Bulletin, Claire Aird delves into a range of critical cybersecurity incidents impacting global security, corporate integrity, and individual privacy. From state-sponsored spyware targeting military personnel to major breaches in the retail and fashion industries, this bulletin provides comprehensive updates on the latest threats and defensive measures in the cybersecurity landscape.
Timestamp: 00:04
Claire begins the episode by highlighting a significant cybersecurity breach within the Syrian military. According to New Lines Magazine, members of the Syrian army were deceived into installing a malicious spyware application on their Android devices.
App Details: The spyware was embedded within an app named STFD686, which purportedly offered financial aid to military personnel. This app seemed to be affiliated with the Syria Trust for Development, a humanitarian organization overseen by Bashar al-Assad's wife.
Malware Used: The app contained a variant of the SpyMax Remote Access Trojan (RAT), enabling attackers to monitor the movements of Syrian soldiers.
Impact Timeline: The app was deployed in June of the previous year, just five months prior to the collapse of the Assad regime, indicating a deliberate and strategic effort to undermine military operations.
"A spyware app infected the Syrian army soldiers before the regime collapsed." — Claire Aird [00:04]
Timestamp: 02:15
The bulletin shifts focus to the NSO Group, an Israeli spyware manufacturer, which has filed an appeal against a court verdict related to a WhatsApp lawsuit.
Verdict Details: Last month, NSO was mandated to pay Meta (formerly Facebook) $167 million in damages. The lawsuit arose after an NSO exploit was utilized to hack into 1,400 WhatsApp users in 2019.
NSO's Stance: The company contests the verdict, labeling it as "unlawful and excessive" and is seeking a reduced financial penalty through a new trial.
"The company is seeking reduced damages or a new trial. It called the verdict unlawful and excessive." — Claire Aird [02:15]
Timestamp: 04:50
Claire reports the closure of the Emergency Management and Response Information Sharing and Analysis Centre (EMR ISAC).
Role of EMR ISAC: This organization provided essential cybersecurity support to first responders, including bomb squads and search and rescue teams.
Reason for Shutdown: The cessation of operations in late May is attributed to federal funding cuts impacting several Information Sharing and Analysis Centre (ISAC) groups this year.
Timestamp: 07:30
A significant update from Microsoft is discussed, introducing a new feature aimed at enhancing system recovery processes.
Feature Overview: The Quick Machine Recovery allows Windows operating systems to directly consult Microsoft for solutions if they fail to boot, streamlining the recovery process.
Rationale: This development follows a problematic CrowdStrike update that caused over 8 million Windows computers to enter a reboot loop last year.
Timestamp: 09:45
An Indian grocery delivery startup, KiranaPro, fell victim to a malicious cyberattack.
Attack Details: Hackers deleted the company's customer data and source code for its mobile application. While the app remains online, it is currently unable to process payments.
Source of Attack: The breach originated from an account belonging to a former employee, as reported by TechCrunch.
Timestamp: 12:10
Marks and Spencer (M&S) is experiencing disruptions due to a recent ransomware attack.
Operational Impact: The attack has crippled the UK retail chain’s HR systems, leading to the suspension of online recruitment processes.
Interim Measures: Individual stores are resorting to Facebook ads, inviting prospective employees to attend walk-in recruitment days in person.
Outlook: M&S anticipates that the disruption to its systems will persist for at least another month.
Timestamp: 14:35
Luxury fashion house Cartier has disclosed a significant data breach affecting its customers.
Stolen Data: The breach compromised names, emails, and countries of residence of Cartier’s clientele.
Industry Context: Cartier joins other high-profile fashion brands like Christian Dior, Tiffany & Co., Victoria’s Secret, and Adidas in recently experiencing similar breaches.
Timestamp: 17:00
The Moroccan Land and Property Service has been targeted by cybercriminals, resulting in the theft of its database.
Perpetrators: The Algerian hacking group Jabiroot claimed responsibility, releasing over 10,000 files on Telegram.
Nature of Data: The leaked information includes real estate transactions conducted by Moroccan public figures.
Previous Attacks: Jabiroot had previously compromised Morocco's Social Security database in April; at the time, Moroccan officials accused the group of releasing modified and misleading documents.
Timestamp: 19:25
Claire covers a series of cryptocurrency-related cybercrimes affecting different platforms.
BitoPro Exchange: A Taiwanese crypto exchange, BitoPro, lost $11.5 million worth of cryptocurrency in an attack that occurred in early May and was confirmed this week. The funds were laundered through Tornado Cash and THORChain.
Force Bridge Platform: Another breach involved the cross-chain platform Force Bridge, where hackers stole $3.7 million in crypto assets by exploiting weak access control mechanisms to bypass the bridge's protections and then manipulating the bridge to drain its assets, as reported by blockchain security firm Hashex.
Timestamp: 21:50
Authorities in Nigeria have made significant arrests related to a widespread sextortion campaign.
Details of the Operation: 22 suspects were detained following a joint investigation between Australian and Canadian police forces.
Tragic Outcome: The campaign has been linked to the suicide of an Australian in 2023, highlighting the severe emotional and psychological impacts of such cybercrimes.
Timestamp: 24:05
A Romanian national, Thomas Szabo, has pleaded guilty in a DC court for orchestrating swatting attacks against US government officials.
Modus Operandi: Szabo, along with a Serbian accomplice, used Google Voice to place fake bomb threats and false police reports, targeting members of Congress, state governors, federal officials, and law enforcement personnel.
Legal Proceedings: The 26-year-old was arrested last year and admitted his involvement in the large-scale campaign during court proceedings.
Timestamp: 26:20
A new threat actor group is actively breaching DevOps infrastructure to deploy cryptocurrency miners.
Targets: The attacks focus on software packages such as Consul, Docker, Gitea, and Nomad.
Noteworthy Incident: According to cloud security firm Wiz, this marks the first publicly documented exploitation of Nomad servers in the wild.
Timestamp: 28:45
Socket Security has identified two malicious Ruby libraries designed to intercept traffic on the Telegram messenger.
Functionality: These plugins masquerade as Telegram proxies built on the Fastlane app automation service, aiming to capture sensitive messaging data.
Target Demographic: Researchers believe the primary targets are developers in Vietnam, especially in light of the recent nationwide block on Telegram announced by authorities.
Timestamp: 31:10
The Crocodilus Android malware has undergone updates, expanding its malicious capabilities.
New Features: Attackers can now add contacts to victims’ address books, enhancing the plausibility of social engineering attacks.
Distribution: The malware spreads primarily through malvertising campaigns and has been active this year.
Previous Exploits: It has been used to harvest login credentials for mobile banking apps and extract crypto wallet seed phrases.
Timestamp: 33:35
A concerning discovery reveals that Meta and Yandex have been exploiting local host ports to monitor mobile user activities.
Methodology: Websites incorporating Meta Pixel and Yandex Metrica scripts connect to localhost ports on Android devices. Meta and Yandex applications running on the same device listen on these ports to gather browsing metadata, cookies, and advertising IDs.
Privacy Implications: This technique circumvents standard privacy protections, including incognito mode, Android's permission controls, and cookie clearing.
Response: Meta ceased using this tracking method following its disclosure by cybersecurity researchers.
Timestamp: 36:00
Four major cybersecurity firms have announced a joint initiative to address the complexities of Advanced Persistent Threat (APT) group naming.
Participants: Microsoft, CrowdStrike, Google, and Palo Alto Networks will collaborate to publish documents that detail overlapping APT names assigned by each entity.
Objective: While aiming to harmonize naming conventions, the companies do not intend to develop a universal APT naming taxonomy, acknowledging the diversity in threat identification processes.
Timestamp: 38:25
Chipmaker Qualcomm has addressed three zero-day vulnerabilities exploited in its Adreno GPU driver.
Discovery: These vulnerabilities were uncovered by Google's security team in attacks against Android smartphones.
Remediation: Patches have been distributed to smartphone manufacturers, with updates expected to roll out to end-users promptly.
Timestamp: 40:50
Google has released a critical security update for the Chrome browser addressing an actively exploited zero-day vulnerability.
Vulnerability Details: The flaw lies in Chrome's V8 JavaScript engine, leading to potential memory corruption issues.
Context: This marks the third Chrome zero-day vulnerability patched within the current year, underscoring the ongoing challenges in maintaining browser security.
Timestamp: 43:15
Poland's Computer Emergency Response Team (CERT) has identified significant vulnerabilities in applications pre-installed on smartphones from local vendors.
Affected Devices: Smartphones from the brands Kruger&Matz and Ulefone are vulnerable.
Vulnerabilities Exploited: The flaws allow local attackers to steal PIN codes and factory reset the phones, and can also let attackers inject and run malicious code with system-level privileges.
This episode of Risky Bulletin underscores the pervasive and evolving nature of cyber threats across various sectors and geographies. From state-sponsored espionage to vulnerabilities in widely-used software, the bulletin emphasizes the critical need for robust cybersecurity measures and international collaboration to mitigate these risks. Claire Aird effectively navigates through each story, providing listeners with a comprehensive understanding of the current cybersecurity landscape.
Note: This summary excludes sponsor messages and non-content sections to focus solely on the informational aspects of the episode.