Risky Business #793 Summary: Scattered Spider is Hijacking MX Records
Release Date: May 28, 2025
Host: Patrick Gray
Guests: Adam Boileau, Dmitri Alperovitch
Sponsored by: Thinkst Canary
1. Scattered Spider’s Rapid MX Record Hijacking
The episode opens with Patrick Gray introducing a concerning trend observed by CyberCX, an Australian cybersecurity firm: a surge in attacks by the group Scattered Spider, which focuses on hijacking the MX (Mail Exchange) records of Australian enterprises.
- Patrick Gray [00:00]: "What makes this really interesting is the speed at which they're moving."
- Adam Boileau [01:58]: Describes Scattered Spider's polished workflow, which involves social engineering to control DNS, hijacking inbound email, and swiftly pivoting into cloud applications like Atlassian, Slack, Microsoft 365, and Azure. This rapid movement leaves organizations scrambling to respond as email services are disrupted within minutes.
- Dmitri Alperovitch [05:15]: Highlights that while DNS hijacking isn't new, the speed and efficiency of Scattered Spider's operations make them more destructive than some established ransomware groups.
The group’s tactics leave organizations with broken email systems and compromised cloud infrastructures, often resulting in extortion attempts and significant data theft. The speed of these attacks challenges traditional incident response mechanisms, leading to prolonged recovery times.
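Because the pivot into cloud applications follows the MX change within minutes, the practical defensive control is to watch a domain's MX answer continuously and alert on any deviation from a known baseline, grading a change to an unknown host more severely than a change between records of the same trusted provider. The following is an added example written for this summary, not code from the episode, CyberCX or any vendor; the MX answers, domain names and the trusted-provider suffix are constructed sample data in the line format of `dig +short MX <domain>`.

```python
"""Compare an observed MX answer against a baseline and grade the change.

Added example for this summary, not code from the episode. All hostnames below
are constructed; the input format is that of `dig +short MX <domain>`.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class MxRecord:
    priority: int
    host: str  # normalised: lowercase, no trailing dot


def parse_mx_answer(text: str) -> frozenset[MxRecord]:
    """Parse lines such as '10 mx.example.net.' into a set of MxRecord."""
    records = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):  # skip blanks and dig comments
            continue
        priority, host = line.split(None, 1)
        records.add(MxRecord(int(priority), host.strip().lower().rstrip(".")))
    return frozenset(records)


def _is_trusted(host: str, trusted_suffixes: tuple[str, ...]) -> bool:
    """True when host is, or is a subdomain of, one of the trusted provider suffixes."""
    return any(host == s or host.endswith("." + s) for s in trusted_suffixes)


def check_mx(baseline: frozenset[MxRecord], observed: frozenset[MxRecord],
             trusted_suffixes: tuple[str, ...]) -> dict:
    """Return the record diff and a severity.

    none     - no change
    medium   - records changed but every host is under a trusted provider suffix
    high     - a host outside the trusted suffixes was added
    critical - an untrusted host was added and no baseline record survives,
               i.e. inbound mail has been fully redirected
    """
    added = observed - baseline
    removed = baseline - observed
    untrusted = sorted(r.host for r in added if not _is_trusted(r.host, trusted_suffixes))
    if not added and not removed:
        severity = "none"
    elif untrusted and not (observed & baseline):
        severity = "critical"
    elif untrusted:
        severity = "high"
    else:
        severity = "medium"
    return {
        "severity": severity,
        "added": sorted(r.host for r in added),
        "removed": sorted(r.host for r in removed),
        "untrusted": untrusted,
    }


# Constructed sample data: a Microsoft 365 tenant's expected MX (baseline), a
# legitimate change that stays with the same provider, and a hijacked answer
# that points inbound mail at a host the organisation does not control.
TRUSTED = ("mail.protection.outlook.com",)
BASELINE = parse_mx_answer("10 example-corp-com.mail.protection.outlook.com.\n")
MIGRATED = parse_mx_answer(
    "10 example-corp-com.mail.protection.outlook.com.\n"
    "20 backup.mail.protection.outlook.com.\n"
)
HIJACKED = parse_mx_answer("0 mx.unknown-relay.example.\n")

if __name__ == "__main__":
    for name, answer in (("unchanged", BASELINE), ("migrated", MIGRATED), ("hijacked", HIJACKED)):
        print(name, check_mx(BASELINE, answer, TRUSTED))
```

Run it on a schedule measured in minutes rather than hours, feed `check_mx` the answer from an external resolver as well as the authoritative nameservers so a change at the registrar or DNS host is caught regardless of caching, and correlate any non-`none` result with the DNS provider's audit log, since the page describes the change being made through social engineering of the DNS account rather than a technical exploit.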
2. Silk Typhoon Targets Commvault Cloud
Adam discusses another threat actor named Silk Typhoon, which has been exploiting vulnerabilities in Commvault’s cloud backup solutions.
- Adam Boileau [07:35]: Explains that Silk Typhoon exploited a remote code execution (CVE) vulnerability in Commvault's web server product. Microsoft detected unusual activity within Azure and alerted Commvault. While Commvault stated that customer backup data wasn’t impacted, the breach raises concerns about the integrity of backup environments and the potential for unauthorized data access.
3. Emergence of SVG-Based Phishing Attacks
A significant increase in SVG (Scalable Vector Graphics) usage in phishing campaigns was highlighted by Patrick and Adam, with insights from Dmitri.
- Patrick Gray [08:47]: Notes that while SVGs currently represent 1% of phishing attacks, their use is on the rise. SVGs can embed JavaScript and other active content, enabling sophisticated phishing vectors.
- Adam Boileau [09:21]: Compares SVGs to "MySpace in a GIF," emphasizing their dual nature as both image and executable code, making them potent tools for attackers.
- Dmitri Alperovitch [11:26]: While acknowledging the innovation of phishing tactics, Dmitri asserts that advanced filtering solutions can detect and mitigate SVG-based threats by analyzing the behavior and embedded scripts within SVG files.
The discussion underscores the need for updated email filtering mechanisms and browser defenses to counteract these evolving phishing strategies effectively.
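An SVG is an XML document, so the static half of the filtering Dmitri describes reduces to parsing the file and looking for the constructs that turn an image into executable content: `<script>` elements, `on*` event-handler attributes, and `href` values carrying a `javascript:` or `data:text/html` URI. The scanner below is an added example written for this summary, not code from the episode or any filtering product; the two SVG documents are constructed samples and the `.example` domain is a placeholder.

```python
"""Static scan of an SVG for active content.

Added example for this summary, not code from the episode. The sample SVGs are
constructed; a real mail filter would pair this with rendering-based analysis.
"""
import xml.etree.ElementTree as ET

# Elements that execute code or embed foreign documents inside an SVG.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
# URI schemes that run code when the link is activated.
SUSPICIOUS_URI_PREFIXES = ("javascript:", "data:text/html", "vbscript:")
MAX_BYTES = 2_000_000  # reject oversized input before it reaches the XML parser


def _local(name: str) -> str:
    """Strip an XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1]


def scan_svg(data: bytes) -> list[str]:
    """Return a list of findings; an empty list means no active content was seen."""
    if len(data) > MAX_BYTES:
        return ["oversized input rejected"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]

    findings = []
    for elem in root.iter():  # document order
        tag = _local(elem.tag).lower()
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"active element <{tag}>")
        for attr, value in elem.attrib.items():
            name = _local(attr).lower()  # handles xlink:href as well as href
            if name.startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            elif name == "href" and value.strip().lower().startswith(SUSPICIOUS_URI_PREFIXES):
                findings.append(f"scripted URI in href on <{tag}>")
    return findings


# Constructed sample: a plain drawing that should pass.
CLEAN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">'
    b'<circle cx="50" cy="50" r="40" fill="blue"/></svg>'
)

# Constructed sample of the "image that is also code" pattern: an event handler,
# a javascript: link and a script element, each redirecting to a placeholder site.
LURE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <rect width="200" height="100" onclick="location.href='https://login-portal.example/'"/>
  <a xlink:href="javascript:location.href='https://login-portal.example/'">
    <text x="10" y="50">Open document</text>
  </a>
  <script>window.location = "https://login-portal.example/";</script>
</svg>"""

if __name__ == "__main__":
    print("clean:", scan_svg(CLEAN_SVG))
    print("lure:", scan_svg(LURE_SVG))
```

Two caveats a practitioner would want: the standard-library parser is used here for portability, but a filter exposed to untrusted mail should parse with entity-expansion protections (the `defusedxml` package, for instance) because an SVG is arbitrary XML; and a clean static result is not a verdict, since SVGs can also reach active content through external references and animation elements, which is why the episode's point about behavioral analysis stands alongside this kind of check.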
4. Brian Krebs’ Site Suffers Record DDoS Attack
Brian Krebs, a prominent cybersecurity journalist, experienced a massive 6.3 terabits per second (Tbps) DDoS attack on his website.
- Adam Boileau [14:20]: Highlights that Google's DDoS prevention platform managed the attack, which was reportedly orchestrated by the same botnet responsible for Cloudflare’s largest DDoS incident.
- Dmitri Alperovitch [14:48]: Speculates that the attack was more of a test for the botnet's capabilities, using Krebs as a high-profile target to demonstrate power without intent to cause lasting damage.
The attack emphasizes the relentless nature of DDoS threats and the importance of robust mitigation strategies, even for well-protected targets.
5. Cellcom Telco Faces Prolonged Service Disruption
A midwestern telecommunications company, Cellcom, is grappling with an ongoing incident disrupting voice and text services for around 300,000 subscribers.
- Adam Boileau [16:09]: Suggests the disruption might stem from a ransomware attack, given the prolonged impact and the CEO’s candid communication about the challenges faced.
- Dmitri Alperovitch [17:04]: Raises concerns about the existential threat such an outage poses to the company, potentially driving customers away permanently.
The incident highlights the severe repercussions telecom companies can face from cybersecurity breaches, affecting both operations and customer trust.
6. Lumma Stealer and Law Enforcement Takedown
The Lumma Stealer malware was recently the target of a significant law enforcement operation that resulted in the seizure of its domains.
- Adam Boileau [18:46]: Describes the takedown, where law enforcement exploited vulnerabilities in Dell’s iDRAC (Integrated Dell Remote Access Controller) systems to infiltrate the botnet's infrastructure. The attackers struggled to recover their operations, indicating the effectiveness of the takedown.
- Dmitri Alperovitch [21:12]: Notes the resilience of cybercriminals, as the operators of Lumma hinted at future efforts despite the current setbacks.
This segment illustrates the complexities of dismantling sophisticated botnets and the ongoing cat-and-mouse game between law enforcement and cybercriminals.
7. Operation Endgame 2: Danabot Malware Disrupted
Operation Endgame 2 successfully took down the Danabot malware family, resulting in the arrest of 16 individuals and the seizure of associated infrastructure.
- Dmitri Alperovitch [22:49]: Points out the espionage variants of Russian botnets targeting diplomatic communications, raising concerns about state-sponsored cyber espionage.
- Adam Boileau [22:18]: Emphasizes the broad impact of the operation, highlighting the extensive efforts to dismantle the botnet's operations.
The operation underscores the international cooperation required to combat organized cybercrime and the persistent threat posed by sophisticated malware families.
8. Closure on the Baltimore Ransomware Attack
An Iranian national has pleaded guilty to the Baltimore ransomware attack originally reported in 2019.
- Adam Boileau [26:09]: Details the case where the perpetrator demanded 13 Bitcoin (then ~$70,000) to unlock Baltimore’s network, causing significant disruptions to city services.
- Dmitri Alperovitch [27:20]: Discusses the impact on residents and the challenges faced by the city in restoring services and regaining public trust.
The resolution of this case marks a significant milestone in holding cybercriminals accountable, though questions remain about the methods leading to the suspect’s arrest in North Carolina.
9. Crypto Platform Attacks: Cetus and Coinbase Breaches
The episode addresses significant breaches in the cryptocurrency sector:
- Cetus saw $233 million worth of crypto stolen from its decentralized finance (DeFi) platform.
- Coinbase reported a breach affecting 70,000 users, leading to increased phishing attempts targeting former account holders like Dmitri Alperovitch.
- Dmitri Alperovitch [30:49]: Expresses frustration over relentless phishing attempts post-breach, highlighting the real-world dangers of compromised crypto data, including transaction histories, balances, and home addresses.
These incidents demonstrate the vulnerabilities within crypto platforms and the cascading effects of breaches on users’ security and trust.
10. Crypto Investor Torture Incident
A harrowing story emerged of a cryptocurrency investor who was physically tortured to extract his crypto wallet password.
- Patrick Gray [32:01]: Relays the incident where a 28-year-old investor was held and tortured in New York, ultimately resisting payment demands even under duress.
- Adam Boileau [33:04]: Reflects on the extreme lengths criminals will go to secure crypto assets, raising concerns about the physical security aspects of digital currencies.
This case underscores the intersection of physical violence and digital security, emphasizing the need for robust protection mechanisms for crypto assets.
11. Vietnam Bans Telegram Amidst Security Concerns
Vietnam has officially banned Telegram, citing concerns over subversive material and cybercrime activities.
- Dmitri Alperovitch [35:58]: Suggests that the ban is likely motivated by the government's desire to control information flow rather than solely focusing on criminal activities, given Vietnam's stringent content filtering policies.
- Patrick Gray [35:12]: Acknowledges the dual motivations behind the ban, recognizing both the legitimate concerns over cybercrime and the broader implications for information suppression.
The ban highlights the challenges governments face in balancing security and freedom of information, especially with platforms like Telegram that facilitate both legitimate and illicit activities.
12. TeleMessage Data Leak by DDoSecrets
A data leak from TeleMessage, a secure messaging service, was exploited by the group DDoSecrets (Distributed Denial of Secrets).
- Adam Boileau [38:26]: Notes that the leaked data mainly contained phone numbers and metadata, with limited sensitive information, suggesting that the breach was mitigated quickly.
- Dmitri Alperovitch [39:46]: Raises broader concerns about TeleMessage’s security posture, advocating for more secure alternatives for sensitive governmental communications.
The incident serves as a reminder of the persistent vulnerabilities in secure communication platforms and the importance of rigorous security assessments.
13. Leadership Exodus at CISA and NSC
Significant departures within CISA (Cybersecurity and Infrastructure Security Agency) and the National Security Council (NSC) were discussed.
- Adam Boileau [43:06]: Highlights the concerns over the removal of seasoned leaders from CISA, potentially weakening the agency's cybersecurity capabilities amid escalating global threats.
- Dmitri Alperovitch [43:48]: Attributes the NSC’s staffing cuts to the incoming administration's disposition, emphasizing a shift away from a policy-focused approach to a more streamlined implementation strategy.
The leadership changes raise alarms about the resilience and effectiveness of critical national cybersecurity institutions during pivotal times.
14. Sponsor Interview: Thinkst Canary on AI Hype in Security
The episode features an interview with Haroon Meer, founder of Thinkst Canary, discussing the overhype of AI in the security industry.
- Haroon Meer [48:19]: Critiques the current AI boom, stating, "I question how much we understand the problems we've already started selling solutions to." He argues that many AI-driven security solutions are overpromised and underdelivered, creating market noise without delivering substantial value.
- Patrick Gray [49:34]: Agrees that while AI has transformative potential, the prevalent market trend of branding products as AI-centric without meaningful innovation leads to market saturation with ineffective solutions.
- Haroon Meer [52:15]: Emphasizes the importance of solving real problems over chasing AI hype, cautioning against the "hype cycle" where companies rapidly switch focus to attract investment without ensuring product efficacy.
The discussion underscores the necessity for grounded, problem-focused innovation in the security sector, warning against the pitfalls of succumbing to fleeting technological trends without substantive advancements.
Conclusion
Risky Business #793 delves deep into the evolving landscape of cybersecurity threats and industry dynamics. From the sophisticated tactics of Scattered Spider and the rapid evolution of phishing methods to significant breaches in the crypto space and leadership shifts within key national agencies, the episode provides a comprehensive overview of the current security challenges. The sponsor interview with Haroon Meer offers a critical perspective on the AI hype within the industry, advocating for substance over trend-driven solutions. For information security professionals, this episode serves as an essential digest of contemporary threats, responses, and industry insights.
