Risky Business Episode #794 Summary: "Psychic Panda outgunned by Fluffy Lizard and UNC56728242"
Release Date: June 4, 2025
Host: Patrick Gray
Co-host: Adam Boileau
Guest: Matt Muller, Field CISO at Tines
Introduction
In Episode #794 of Risky Business, host Patrick Gray and co-host Adam Boileau work through the week's information security news. The episode spans a broad spectrum of topics, from threat actor nomenclature to novel command and control (C2) techniques, and closes with a discussion with Matt Muller from Tines about the security shortcomings of SaaS providers.
Key Discussions and Insights
1. Threat Actor Naming Standardization
[02:31]
Patrick Gray opens with the long-running problem of inconsistent threat actor naming. Microsoft and CrowdStrike, with Google and Palo Alto Networks also signed up, have agreed to publish a shared mapping between their threat actor names so that defenders can tell when two vendors are describing the same group. Adam Boileau is skeptical that the initiative will succeed, noting that past attempts often foundered on disputes over where one group ends and another begins.
Patrick Gray [00:00]: "Why do we think it's going to be different this time?"
Both hosts agree that a shared cross-reference could reduce confusion around the major, well-documented groups, but that the mapping gets much harder for smaller or newer clusters where vendors' visibility and clustering decisions differ.
2. Open Source Software in Military Applications
[07:09]
The conversation shifts to a 404 Media report by Matthew Gault on Ukrainian forces using drones running the open-source ArduPilot flight control software to strike Russian aircraft. The incident underscores the dual-use nature of open-source technology: software written for hobbyist and civilian use, repurposed for military operations.
Adam Boileau [08:36]: "It's good quality open source software... guiding these drones."
This revelation highlights the evolving landscape of modern warfare, where accessible technology plays a pivotal role.
3. Intelligence Gathering via Malicious Apps
[12:35]
Patrick Gray critiques a New Lines magazine report on a malicious app distributed to Syrian soldiers under the guise of a humanitarian tool. The app, promoted by the Syria Trust for Development, ostensibly offered financial aid but instead served as a conduit for intelligence collection through an Android Remote Access Trojan (RAT).
Adam Boileau [14:50]: "They would drop a RAT so that the attackers had a bunch of details about the users."
The segment underscores how a trojanised app pushed through a trusted official channel can defeat user caution: the problem was not a vulnerability in a legitimate app but a malicious app whose distribution route lent it credibility.
4. Deepfake Scams Impersonating White House Officials
[16:20]
Federal authorities are investigating a scam involving impersonation of White House Chief of Staff Susie Wiles, including AI-generated audio of her voice. The scammers, having obtained her contact list, contacted her associates and attempted to talk them into sending money by describing distressing scenarios, such as being stranded in Venezuela.
Patrick Gray [18:01]: "What thought process goes through your head to arrive that that's a good idea to do so?"
This case exemplifies the increasing sophistication of social engineering attacks leveraging deepfake technology.
5. Sanctioning of a Philippine Cloud Provider for Enabling Scams
[19:59]
Krebs on Security reports that the U.S. has sanctioned a Philippines-based cloud provider for hosting infrastructure used in "pig butchering" scams, long-con investment fraud in which victims are groomed online before being drained of their savings. Adam commends the move, arguing that shared hosting and infrastructure providers are exactly the chokepoint at which sanctions can hurt large-scale criminal operations.
Adam Boileau [20:35]: "It's exactly the place to target these kinds of operations."
This action reflects a strategic approach to dismantling cybercriminal ecosystems by targeting their foundational services.
6. Takedown of AVCheck, a Criminal Antivirus-Testing Service
[22:15]
Dutch and Finnish police, alongside U.S. agencies, took down "AVCheck", a counter-antivirus (CAV) service that let malware authors test whether their samples evaded commercial antivirus products without the results being shared with vendors, effectively a VirusTotal for criminals. The operation was part of the broader Operation Endgame, aimed at dismantling the infrastructure that large-scale cybercrime depends on.
Patrick Gray [22:45]: "They're going after anything that just makes it easy and is operating at scale."
The dismantling of AV Check signifies progress in international cyber law enforcement collaboration.
7. Identification of Trickbot’s Kingpin by German Authorities
[24:22]
Germany's Federal Criminal Police Office (BKA) has identified Vitaly Nikolaevich Kovalev, a Russian national, as the leader of the Trickbot group, known by the handle "Stern". Kovalev remains in Russia, so legal repercussions are unlikely despite the public attribution.
Patrick Gray [24:35]: "He was the dude that had the relationships with the FSB and so on."
This identification marks a significant milestone in attributing cybercriminal activities to individual orchestrators.
8. Australia’s Mandatory Ransomware Payment Notifications
[25:03]
Australia is the first country to require businesses with annual turnover above AUD 3 million (approx. USD 2 million) to notify the government when they make a ransomware payment, a rule introduced under the Cyber Security Act 2024. The aim is to give the government data it currently lacks on how often ransoms are paid, so it can assess the ransomware threat more accurately.
Patrick Gray [26:53]: "If you poll 100 out of 100 CISOs, I'm fairly certain you'll get similar sentiments."
This policy reflects proactive governmental measures to understand and mitigate ransomware impacts better.
9. Novel Command and Control via Google Calendar Events
[28:57]
Google's Threat Intelligence Group reported that APT41, a Chinese group the hosts describe as tied to China's Ministry of State Security, used Google Calendar as a covert C2 channel. The malware, which Google tracks as TOUGHPROGRESS, polled a calendar under the attackers' control for events on specific dates, read its tasking from the event descriptions, and posted results back as new events, so every C2 exchange was an ordinary HTTPS request to Google.
Adam Boileau [29:06]: "Looks on the wire, it's proper TLS, scripted connections to Google. Looks totally normal."
This technique illustrates how adversaries evade detection by blending C2 traffic into legitimate traffic to a widely used cloud service: on the wire it is valid TLS to Google, so the defender is left to detect it by behaviour (polling cadence, the process making the request) rather than by destination.
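The summary above describes a C2 channel that is indistinguishable from legitimate Calendar traffic by destination alone, so detection has to come from behaviour. The following is an added example, not code from the episode or from Google's report: it runs over a handful of constructed proxy log lines and flags a client whose Calendar API requests arrive on a near-perfect schedule from a user agent with no browser token. The log format, the 30-minute cadence, the jitter threshold and the "browser-like user agent" heuristic are all assumptions for illustration; a real hunt would also join on the originating process name, which proxy logs do not carry.

```python
"""Beacon detection for Google Calendar API polling in proxy logs.

Added example with constructed data; thresholds are illustrative assumptions.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample proxy log (not real traffic): timestamp, client, user agent, URL.
# ws-07 polls the Calendar API every 30 minutes from a client with no browser token;
# ws-12 is a person using Google Calendar interactively in Chrome.
SAMPLE_LOG = """\
2025-06-02T09:00:04Z ws-07 "Mozilla/5.0 (Windows NT 10.0)" https://www.googleapis.com/calendar/v3/calendars/primary/events
2025-06-02T09:30:03Z ws-07 "Mozilla/5.0 (Windows NT 10.0)" https://www.googleapis.com/calendar/v3/calendars/primary/events
2025-06-02T10:00:05Z ws-07 "Mozilla/5.0 (Windows NT 10.0)" https://www.googleapis.com/calendar/v3/calendars/primary/events
2025-06-02T10:30:04Z ws-07 "Mozilla/5.0 (Windows NT 10.0)" https://www.googleapis.com/calendar/v3/calendars/primary/events
2025-06-02T11:00:04Z ws-07 "Mozilla/5.0 (Windows NT 10.0)" https://www.googleapis.com/calendar/v3/calendars/primary/events
2025-06-02T09:02:11Z ws-12 "Mozilla/5.0 (Windows NT 10.0) Chrome/125.0" https://calendar.google.com/calendar/u/0/r
2025-06-02T09:02:12Z ws-12 "Mozilla/5.0 (Windows NT 10.0) Chrome/125.0" https://calendar.google.com/calendar/u/0/r/week
2025-06-02T09:47:40Z ws-12 "Mozilla/5.0 (Windows NT 10.0) Chrome/125.0" https://calendar.google.com/calendar/u/0/r
2025-06-02T13:15:02Z ws-12 "Mozilla/5.0 (Windows NT 10.0) Chrome/125.0" https://calendar.google.com/calendar/u/0/r/eventedit
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+)$')
# Heuristic: a user agent that carries none of these tokens is not a mainstream browser.
BROWSER_TOKENS = ("Chrome/", "Firefox/", "Safari/", "Edg/")


def is_calendar_request(url: str) -> bool:
    """True for the Calendar web UI or the Calendar REST API on googleapis.com."""
    p = urlparse(url)
    if p.hostname == "calendar.google.com":
        return True
    return p.hostname == "www.googleapis.com" and p.path.startswith("/calendar/")


def parse_log(text: str):
    """Yield (timestamp, client, user_agent, url) tuples; skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, ua, url = m.groups()
        yield (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
               client, ua, url)


def detect_calendar_beacons(text: str, min_requests: int = 4, max_jitter: float = 0.1):
    """Flag clients whose Calendar requests recur with near-constant spacing.

    jitter = population std-dev of inter-request gaps / mean gap. Interactive use
    produces bursty, irregular gaps (high jitter); a polling loop produces gaps
    that are nearly identical (jitter close to zero).
    """
    by_client = defaultdict(list)
    for ts, client, ua, url in parse_log(text):
        if is_calendar_request(url):
            by_client[client].append((ts, ua))

    findings = []
    for client, hits in by_client.items():
        if len(hits) < min_requests:
            continue
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean_gap
        if jitter > max_jitter:
            continue
        browser_like = any(any(tok in ua for tok in BROWSER_TOKENS) for _, ua in hits)
        findings.append({
            "client": client,
            "requests": len(hits),
            "median_interval_s": statistics.median(gaps),
            "jitter": jitter,
            "browser_like_ua": browser_like,
        })
    return sorted(findings, key=lambda f: f["jitter"])


if __name__ == "__main__":
    for f in detect_calendar_beacons(SAMPLE_LOG):
        print(f"{f['client']}: {f['requests']} Calendar requests, "
              f"median gap {f['median_interval_s']:.0f}s, jitter {f['jitter']:.4f}, "
              f"browser-like UA: {f['browser_like_ua']}")
```

Run as-is and only ws-07 is reported; the interactive ws-12 traffic has far too irregular a cadence to pass the jitter threshold. The cadence test is deliberately the only hard criterion: a browser-like user agent is trivial for malware to forge, so it is reported alongside the finding as context rather than used to suppress it.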
10. Coinbase Breach via Outsourced Customer Service Agents
[32:07]
A Reuters report details a breach at Coinbase in which outsourced customer service agents in India were bribed to steal customer data, in some cases by photographing their work screens with personal phones. Because the data left via a camera rather than the network, conventional endpoint and data loss prevention controls never saw it, which is the core weakness in outsourcing arrangements the hosts highlight.
Adam Boileau [33:02]: "You can't detect this with, you know, endpoint, you're not gonna, you know, spot this with your, you know, data leak prevention software."
The incident underscores the inherent risks associated with outsourced operations and the challenges in monitoring insider threats.
11. Insider Threat Arrest in the Defense Intelligence Agency
[34:15]
James Reddick reports on the arrest of Nathan Vilas Laatsch, a civilian IT specialist at the Defense Intelligence Agency. Laatsch allegedly attempted to pass classified material to a friendly foreign government in exchange for citizenship, citing disagreement with the current administration as his motive.
Patrick Gray [35:03]: "He worked for the Defense Intelligence Agency in the insider threat division."
This case highlights the ongoing struggle against insider threats within sensitive governmental sectors.
12. NSO Group Appeals $168 Million Damages in Meta Lawsuit
[36:48]
NSO Group is contesting the roughly $168 million damages award won against it by Meta in the WhatsApp lawsuit over NSO's use of its Pegasus spyware against WhatsApp users. NSO argues that the punitive damages exceed the limits set by Supreme Court precedent and that it cannot afford to pay.
Patrick Gray [36:49]: "They're saying they can't pay, which I just think, you know, lol."
The legal battle reflects the scrutiny faced by surveillance technology companies over privacy and misuse concerns.
13. Nation-State Backed Attack via ConnectWise
[37:17]
Jonathan Greig reports that ConnectWise, maker of the ScreenConnect remote access software, was compromised by a nation-state actor that went on to use the platform to reach a limited number of customer environments. The intrusion likely leveraged previously disclosed vulnerabilities, and it illustrates the cascading risk of compromised third-party software that, by design, has privileged access to many organisations.
Adam Boileau [37:42]: "Once you've realized that a piece of software like this gets you into places that you want to go, why not keep going?"
The breach underscores the importance of securing third-party services integral to enterprise operations.
14. Google Removes Incompetent Certificate Authorities
[38:29]
Google has removed Chunghwa Telecom and Netlock from the Chrome Root Store, citing a pattern of compliance failures and unmet commitments to improve. Chrome will stop trusting certificates these CAs issue after a cut-off date, so existing certificates keep working while affected sites migrate to another CA.
Patrick Gray [38:59]: "They're getting booted out."
This move highlights Google's commitment to maintaining a secure digital infrastructure by enforcing stringent standards for Certificate Authorities (CAs).
15. Meta and Yandex’s De-Anonymization of Android Users
[39:33]
Dan Goodin reports on Meta and Yandex tracking Android users by having their native apps listen on localhost ports, which tracking scripts embedded in websites (the Meta Pixel and Yandex Metrica) then contacted from the browser. Meta's script used WebRTC to push identifiers to those loopback ports, linking a user's web browsing to the identity logged into the native app and defeating protections such as incognito mode and cookie clearing.
Adam Boileau [41:16]: "Your users are using incognito mode... You're doing the opposite."
The exploitation of legitimate browser features for tracking reveals ethical and privacy concerns surrounding major tech companies' practices.
Sponsor Interview: Matt Muller from Tynes on SaaS Security
[45:00]
The episode transitions to an in-depth interview with Matt Muller, Field CISO at Tines, discussing JPMorgan Chase CISO Patrick Opet's open letter criticising SaaS providers for inadequate security practices. Opet's letter calls on SaaS companies to prioritise security over rapid feature development, modernise their security architectures, and collaborate more closely with security practitioners.
Matt Muller [46:04]: "What do you see as, you know, you're a SaaS, Tines is essentially a SaaS. Right."
Muller highlights Tines' commitment to "Secure by Design" principles, ensuring deep inspectability and robust security controls within its automation platform. He advocates for better API integrations, transparency in logging, and minimising the excessive administrative privileges that SaaS integrations so often demand.
Harun Mia [55:21]: "You get to see the full chain of what's actually happening."
The discussion underscores the critical role of SaaS providers in the broader cybersecurity ecosystem and the necessity for stringent security standards to protect interconnected systems.
Conclusions
Episode #794 of Risky Business offers a comprehensive overview of pressing information security issues, blending high-level discussions with technical insights. From the challenges of standardizing threat actor nomenclature to the innovative yet concerning uses of open-source software in warfare and the ethical lapses by major tech companies, the episode underscores the dynamic and often perilous landscape of cybersecurity. The interview with Matt Muller further emphasizes the urgent need for SaaS providers to elevate their security practices to meet the demands of increasingly interconnected and sophisticated digital environments.
Listeners gain valuable perspectives on both the macro and micro aspects of cybersecurity, making this episode a must-read for information security professionals seeking to stay abreast of current threats, trends, and industry responses.
