Claire Aird
The Trump administration stops treating Russian hackers as a threat, Meta seeks a permanent NSO injunction, new Cellebrite zero-days come to light, and big-name Russian cybercriminals get home detention. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 3rd of March and this podcast episode is brought to you by cloud security company Prowler.

The Trump administration has instructed CISA and Cyber Command to stop worrying about Russia. In a memo, Defence Secretary Pete Hegseth ordered Cyber Command to cease active operations targeting Russia. The Guardian reported that a second order sent to CISA prioritised Chinese threats and the protection of US systems for the agency. Russian hackers were noticeably absent. Staff were allegedly told verbally to stop working on anything Russia-related. No similar order was issued to the National Security Agency.

The US government has cancelled a $95 million contract with IBM that aimed to boost the cybersecurity defences of European and Asian allies. Under the contract, IBM deployed cybersecurity experts to countries like Albania, Azerbaijan and Kosovo to bolster their cybersecurity defences. The contract was provided through the US aid agency and was cancelled as part of government efforts to cut spending.

Iranian authorities are seizing the Instagram accounts of anti-government dissidents. Influencers are being arrested and forced to hand over their passwords. Once authorities have access to the accounts, their posts are deleted and replaced with confiscation messages.

Amnesty International and Google have identified three vulnerabilities used by the Cellebrite phone unlocking toolkit. All three zero-days are in the Linux USB stack and were used to hack Android devices. One bug was patched in the Android security update in February. The other two are fixed in the upstream Linux kernel but are yet to make their way into an Android update. The company banned Serbian authorities from its service last week after learning of the misuse from Amnesty International.

Meta is seeking a permanent injunction against Israeli spyware maker NSO Group that would ban it from its platforms. A temporary injunction already prevents NSO from accessing WhatsApp. It was put in place after Meta sued NSO in 2019. In December last year, a judge found NSO Group liable for attacks that targeted over 1,400 WhatsApp users.

A bug in mobile spyware app Spyzie has exposed the email addresses of all its users. The bug was discovered by an anonymous researcher who exploited the issue to track sign-ups to the stalkerware. The researcher says Spyzie has more than half a million registered users. If this sounds familiar, the same researcher exposed sign-up data for two other spyware apps last week.

Software automation company Zapier has disclosed a security breach after a hacker gained access to its internal code repositories. The company says the attacker may have gained access to limited customer information that was included in some repositories. Zapier is emailing customers to notify them about the breach.

US authorities have recovered $31 million worth of crypto assets stolen from Uranium Finance. The funds were part of a $53 million crypto heist in April 2021, shortly after the platform launched. Crypto investigation firm TRM Labs says it spent two years tracking the stolen funds across multiple blockchains.

A new botnet named Eleven11bot has infected more than 30,000 devices and has launched large-scale DDoS attacks against telecom providers and gaming platforms. Most of the infected devices are security cameras and network video recorders, most of which are located in Iran, according to Nokia. The botnet was behind a DDoS attack that peaked at 6.5 terabytes per second, the largest volumetric DDoS attack ever documented. The previous record was 5.6 terabytes per second, recorded by Cloudflare in October last year.

Russian courts have handed down light sentences to two well-known ransomware gang members. LockBit affiliate Mikhail Matveev, better known as Wazawaka, was sentenced to one and a half years' Restriction of Freedom, which is Russia's version of home detention. He's not allowed to travel and must check in with authorities each month. REvil affiliate Alexander Ermakov was sentenced to two years' Restriction of Freedom for his role in developing the SugarLocker ransomware. Wazawaka is known for his attack on the Washington, D.C. police, while Ermakov was behind the Medibank ransomware attack in Australia. Both were detained last year on charges unrelated to cases filed in the US.

Europol has detained 25 suspects in multiple countries who used generative AI to produce and distribute CSAM imagery. The content was distributed through an online platform run by a Danish national who was arrested last November along with some of the platform's users.

Hackers are exploiting a reflected cross-site scripting vulnerability in a JavaScript library to advertise pornography. The campaign leverages a bug in Krpano, a library used to build VR environments and virtual tours. Security researcher Oleg Zaytsev uncovered the campaign when he received results from yale.edu when searching for pornography.

Russian infostealers dominated malware rankings in 2024, with Lumma C2 being the most active, according to security firm Recorded Future. Lumma C2 accounted for 35% of all infostealer C2 discovered online. Latrodectus was the most common malware dropper, AsyncRAT was the most common remote access Trojan and Hook was the most popular Android malware strain.

Microsoft will shut down its Skype instant messaging app on May 5th in order to focus on its Teams service. The company has urged users to migrate their Skype accounts to Teams or export their content. Skype launched in 2002 and had over 300 million active users at its peak. Microsoft acquired the app in 2011 for $8.5 billion and used it to launch its Teams collaboration platform in 2017.

The Teammate business compliance app has blamed a security researcher for a recent security breach. The New Zealand company accused security researcher JLT of hacking Teammate's service and threatened to report him to authorities. The researcher claimed there was no hacking involved since the company left its MongoDB database exposed online without a password.

And finally, certificate authority Sectigo says it received a cease-and-desist letter from rival CA DigiCert after one of its employees reported a bug in DigiCert's infrastructure. DigiCert claims the Sectigo staffer posted misleading information about its services, even if DigiCert eventually had to revoke some of its certificates. Despite the letter, Sectigo refused to censure its employee.

And that is all for this podcast edition. Today's show is brought to you by our sponsor, Prowler. Find them at prowler.com. Thanks for your.
Risky Bulletin: Trump Admin Halts Russia Cyber Operations
Risky Bulletin Episode Released on March 3, 2025
Introduction
In this episode of Risky Bulletin, host Claire Aird delves into significant developments in the cybersecurity landscape, focusing on the Trump administration's strategic shift away from targeting Russian cyber operations. The episode, prepared by Catalin Cimpanu and sponsored by cloud security company Prowler, covers a range of topics from government policy changes to major cybersecurity incidents worldwide.
Trump Administration's Shift in Cyber Operations Against Russia
Claire Aird opens the episode by highlighting a pivotal change in U.S. cybersecurity strategy under the Trump administration.
"The Trump administration stops treating Russian hackers as a threat. This marks a significant shift in our national cybersecurity posture." [00:04]
In a memo, Defense Secretary Pete Hegseth ordered U.S. Cyber Command to cease active operations targeting Russia. According to The Guardian, a second order sent to the Cybersecurity and Infrastructure Security Agency (CISA) prioritized Chinese threats and the protection of U.S. systems, with Russian hackers noticeably absent from the list.
"Staff were allegedly told verbally to stop working on anything Russia related," Aird notes [00:04].
Interestingly, the National Security Agency (NSA) did not receive a similar directive, indicating a possible divergence in how different agencies approach cybersecurity threats.
Cancellation of U.S. Cybersecurity Contracts
The administration's shift also impacted international cybersecurity collaborations. The U.S. government terminated a $95 million contract with IBM aimed at enhancing the cybersecurity defenses of European and Asian allies.
"Under the contract, IBM deployed cybersecurity experts to countries like Albania, Azerbaijan, and Kosovo to bolster their defenses," Aird explains [00:04].
The contract was provided through the U.S. aid agency and was cancelled as part of broader government efforts to cut spending.
Iranian Crackdowns on Anti-Government Dissidents
Turning to international human rights concerns, Aird reports on Iran's intensified efforts to suppress dissent on social media platforms.
"Iranian authorities are seizing the Instagram accounts of anti-government dissidents, with influencers being arrested and forced to hand over their passwords," she states [00:04].
These authorities delete dissident posts and replace them with confiscation messages, highlighting a growing trend of digital repression.
Zero-Day Vulnerabilities and Meta's Legal Actions Against NSO Group
A significant portion of the episode is dedicated to three newly discovered zero-day vulnerabilities exploited by the Cellebrite phone unlocking toolkit.
"Amnesty International and Google have identified three vulnerabilities used by the Cellebrite phone unlocking toolkit," Aird informs listeners [00:04].
All three vulnerabilities are in the Linux USB stack and were used to hack Android devices. One bug was patched in the February Android security update; the other two are fixed in the upstream Linux kernel but have yet to make their way into an Android update.
In related news, Meta is intensifying its legal battle against the Israeli spyware firm NSO Group.
"Meta is seeking a permanent injunction against NSO Group that would ban it from its platforms," Aird reports [00:04].
A temporary injunction, put in place after Meta sued NSO in 2019, already prevents NSO from accessing WhatsApp. In December last year, a judge found NSO Group liable for attacks that targeted over 1,400 WhatsApp users.
Security Breaches in Spyware Applications
The episode also covers a data exposure at the mobile spyware app Spyzie.
"A bug in mobile spyware app Spyzie has exposed the email addresses of all its users," Aird reveals [00:04].
An anonymous researcher exploited this flaw to track sign-ups to the stalkerware and says Spyzie has more than half a million registered users. The same researcher exposed sign-up data for two other spyware apps last week, raising concerns about privacy and security in such tools.
Zapier's Security Breach and Recovery Efforts
Software automation company Zapier disclosed a security breach where a hacker accessed internal code repositories.
"The attacker may have gained access to limited customer information that was included in some repositories," Aird explains [00:04].
In response, Zapier is emailing customers to notify them about the breach.
Recovery of Stolen Crypto Assets
In a positive development within the crypto space, U.S. authorities have recovered $31 million worth of crypto assets stolen from Uranium Finance. The funds were part of a $53 million crypto heist in April 2021, shortly after the platform launched.
"Crypto investigation firm TRM Labs spent two years tracking the stolen funds across multiple blockchains," Aird notes [00:04].
This recovery underscores the efficacy of blockchain tracking tools in combating cyber theft.
Emergence of the 1111 Botnet and DDoS Attacks
A new botnet, named Eleven11bot, has infected more than 30,000 devices, most of them security cameras and network video recorders located in Iran, according to Nokia.
"The botnet has launched large-scale DDoS attacks against telecom providers and gaming platforms, with attacks peaking at 6.5 terabytes per second," Aird reports [00:04].
This attack sets a new record for volumetric DDoS attacks, surpassing the previous peak of 5.6 terabytes per second recorded by Cloudflare in October last year.
Russian Ransomware Gang Members Receive Light Sentences
Russian courts have handed down relatively lenient sentences to members of notorious ransomware gangs.
"LockBit affiliate Mikhail Matveev was sentenced to one and a half years' Restriction of Freedom," Aird states [00:04].
Similarly, REvil affiliate Alexander Ermakov received two years' Restriction of Freedom for his role in developing the SugarLocker ransomware. Matveev, better known as Wazawaka, is known for his attack on the Washington, D.C. police, while Ermakov was behind the Medibank ransomware attack in Australia. Both were detained last year on charges unrelated to the cases filed against them in the U.S., raising questions about Russia's approach to cybercriminals.
Europol's Crackdown on AI-Generated CSAM Distribution
Europol has detained 25 suspects across multiple countries involved in using generative AI to produce and distribute Child Sexual Abuse Material (CSAM).
"The content was distributed through an online platform run by a Danish national who was arrested last November," Aird elaborates [00:04].
This operation highlights the evolving tactics of cybercriminals and the challenges in combating AI-driven illicit activities.
Exploitation of Cross-Site Scripting Vulnerabilities for Pornography Advertising
Hackers are exploiting a reflected cross-site scripting (XSS) vulnerability in the Krpano JavaScript library to advertise pornography.
"Security researcher Oleg Zaytsev uncovered the campaign when he received unexpected results searching for pornography," Aird explains [00:04].
The campaign leverages a bug in Krpano, a library commonly used to build VR environments and virtual tours.
Dominance of Russian Infostealers in Malware Rankings for 2024
Russian infostealers dominated malware rankings in 2024, according to security firm Recorded Future.
"Lumma C2 was the most active, accounting for 35% of all infostealer C2 discovered online," Aird reports [00:04].
Other notable malware includes Latrodectus as the most common dropper, AsyncRAT as the most common remote access Trojan, and Hook as the most popular Android malware strain.
Microsoft's Shutdown of Skype to Focus on Teams
In a strategic move, Microsoft announced the shutdown of its Skype instant messaging app on May 5th to concentrate resources on its Teams service.
"Microsoft has urged users to migrate their Skype accounts to Teams or export their content," Aird informs [00:04].
Skype launched in 2002 and had over 300 million active users at its peak. Microsoft acquired the app in 2011 for $8.5 billion and used it to launch its Teams collaboration platform in 2017.
Security Breach at Teammate Compliance App
The New Zealand-based business compliance app Teammate has blamed a security researcher for a recent security breach.
"Teammate accused security researcher JLT of hacking its service and threatened to report him to authorities," Aird states [00:04].
However, the researcher contends there was no hacking involved, since Teammate had left its MongoDB database exposed online without a password.
Sectigo vs. DigiCert: Certificate Authority Dispute
Sectigo revealed it received a cease and desist letter from rival Certificate Authority (CA) DigiCert after one of its employees reported a vulnerability in DigiCert's infrastructure.
"DigiCert claims the Sectigo staffer posted misleading information about its services," Aird reports [00:04].
DigiCert nevertheless had to revoke some of its certificates, and despite the letter, Sectigo refused to censure its employee.
Conclusion
This episode of Risky Bulletin underscores a dynamic and often tumultuous cybersecurity environment, shaped by shifting governmental priorities, evolving cyber threats, and ongoing battles between major tech entities and malicious actors. From the Trump administration's reassessment of Russian cyber threats to significant breaches and recoveries in the global digital landscape, the insights provided offer a comprehensive overview of the current state of cybersecurity.
Prepared by Catalin Cimpanu and read by Claire Aird.