Risky Business #810 — Data Extortion Attacks Have a Silver Lining
Podcast: Risky Business
Host: Patrick Gray (A)
Co-host: Adam Boileau (B)
Sponsor Interview: Mike Wysecek, Stairwell (C)
Date: October 15, 2025
Episode Overview
This episode dives deep into the current wave of data extortion attacks, exploring how these differ from classic ransomware, their silver linings for defenders and policymakers, and the evolving landscape of cybercrime, law enforcement, and critical infrastructure security. The hosts discuss trending incidents, response strategies, infamous vulnerabilities, government shake-ups, and notable controversy in the infosec community. The episode closes with a sponsor interview highlighting advances in file-based threat detection and SIEM enrichment, featuring Stairwell’s practical alternatives to VirusTotal.
Key Discussion Points & Insights
1. Resurgence and Nature of Data Extortion Attacks
[02:34–09:08]
- Fever pitch of data extortion: groups like Clop and Scattered Lapsus$ Hunters are running rampant, abusing Oracle E-Business Suite bugs, Salesforce integrations and more, leading to major leaks such as Qantas customer data (over 5.7 million people affected) [03:02–03:24].
- Shift from ransomware to data leaks:
- Patrick Gray: “So much of what’s getting attention at the moment is around data extortion and not ransomware, which is just heaps more disruptive.” [06:22]
- Noted that while data leaks are bad, they're less disruptive to critical operations compared to ransomware attacks on hospitals or supply chains.
- Examples include the Colonial Pipeline ransomware incident vs. current data leak situations.
Silver Lining:
- Adam Boileau: “Harm minimisation approach: this [data extortion] is better.” [09:04]
- Patrick Gray: “If you’re going to pick a cybercrime problem and your choice is this or ransomware. You pick this every day of the week.” [08:42]
2. Law Enforcement and Policy Moves on Data Leaks
[03:41–06:59]
- FBI takedowns of leak sites, notably BreachForums (and its successors), targeting the infrastructure itself to delay or prevent leak releases [03:41–04:58].
- Active destruction of leaked datasets by government agencies:
- Patrick Gray: “Somewhere in government someone was signing a piece of paper authorizing ASD/AFP joint task forces or whatever to go and destroy that data.” [04:58]
- Acceptance that takedowns now result in “shells getting popped” in the interest of national security.
3. Clop’s Campaign: Targeting Oracle E-Business Suite
[09:08–12:38]
- Clop moves from file transfer appliances (like GoAnywhere) into larger enterprise targets, using zero-days [09:30].
- Intricacies of Oracle E-Biz exploitation:
- Chains of 4–5 bugs, including a server-side request forgery used to reach otherwise internal endpoints and pivot deeper into the application [11:03].
- Adam Boileau: “E-Biz… like it’s 14,000 JSP files in the webroot, public facing... It took me weeks of making spreadsheets to figure out what endpoints you could reach…” [11:28]
- Campaign effectiveness yet to be assessed, but the technical challenge is substantial.
4. Collateral Damage: Notable Victims and Industry Response
[13:03–15:00]
- Red Hat, Discord (user data), and other tech companies have been hit as part of this wave.
- Social engineering and outsourced call centers (as in Qantas) prove to be weak links.
- Patrick: “You can outsource your call centers, but you can’t escape accountability...” [13:37]
5. Edge/IE Mode Exploitation and Legacy Risks
[15:00–16:56]
- Attackers socially engineer users into reloading a malicious site in Edge’s IE Mode, then exploit memory-corruption zero-days in the legacy IE engine, which lacks the modern browser’s hardening [15:00].
- Microsoft’s mitigation: removing the one-click “reload in IE mode” toolbar option so enabling IE Mode for a site takes a deliberate trip through settings, making the lure harder to pull off.
- Adam: “You gotta hand it to them. I mean, like your real browser is too hard. Why not turn on IE and attack that instead?” [16:56]
6. Outrageous Attacks: Doxxing a Nursery School
[17:13–18:23]
- Two 17-year-olds in England arrested for leaking data (including children’s photos) from UK nursery chain Kido.
- Even criminal circles rebuked the attackers, leading to a retraction of the leaks [17:13–18:02].
- Patrick: “Just scummy, isn’t it?” [18:02]
7. US Government Cybersecurity Turmoil
[18:25–21:51]
- NSA/Cyber Command’s dual-hat leadership in limbo; acting head General Hartman likely to resign after not being nominated for the permanent role [19:04].
- Fear that ending dual-hat could put a civilian atop the NSA [19:41].
- At CISA, a wave of resignations and forced departures is “killing” the agency [21:15].
- Adam: “That kind of centralized, coordinated leadership for cyber was a thing the US really needed… It’s all disappearing…” [21:51]
8. Trump Era Shenanigans & InfoSec Satire
[21:51–23:56]
- Trump’s accidental public Truth Social post, apparently intended as a private message urging prosecutions, adds legal controversy [23:12].
- Adam: “Turns out it’s not just Mastodon… Apparently it’s difficult everywhere.” [23:12]
- Patrick (sarcastically): “Maybe we just gotta start talking up Trump… and maybe we could go run [the NSA].” [20:13]
9. Criminal Infrastructure & Satellite Communications Abuse
[23:56–28:46]
- $15 billion in Bitcoin seized from Cambodian conglomerate, which ran scam compounds laundering money through bitcoin mining [24:13].
- These compounds constitute ~40% of Cambodia/Laos/Myanmar GDP [25:30].
- U.S. Congressional committee investigating Starlink for providing Internet to scam operations—aided by visible Starlink dishes (drone photos) [26:52].
- Patrick: “Starlink is a bit of a cesspit.” [28:47]
- Starlink users being hit with constant CAPTCHA prompts shows how heavily its IP space is flagged for abuse.
Academic Satellite Sniffing
- Cheap dish and SDR gear can intercept surprising amounts of unencrypted, sensitive data—e.g., T-Mobile calls, Airplane WiFi, government comms [29:26–31:18].
- Adam: “Funny how much stuff is still in the clear.” [30:05]
10. Geopolitics of Semiconductors: Dutch Nationalization vs. China
[31:18–34:12]
- The Dutch government takes control of chipmaker Nexperia (Chinese-owned) over fears of IP and technology exfiltration, amid rising global tension over tech supply chains [31:18].
- Adam: “We're going to see things get nationalized and stuff get kind of weird.” [34:12]
11. NSO Group: Sanctions Bite, U.S. Investor Acquisition
[34:12–36:04]
- NSO Group (Pegasus) acquired for "tens of millions," down from a prior ~$1B valuation, a remarkable drop after U.S. sanctions [34:59].
- Patrick: “Those sanctions really worked.” [34:59]
- Hollywood producer (Happy Gilmore’s producer!) rumored as lead buyer [35:30].
- Patrick: “Wait for the movie!” [35:49]
12. Apple’s Rising Bug Bounties, Practical Limits of Security Rewards
[36:04–38:04]
- Apple now offers $2M for a zero-click remote exploit chain, with bonuses that can push a single submission to $5M, but:
- Patrick: “It’s worth more than that.”
- Adam: “The day when one researcher can show up and have a bug chain that’s going to do all the things… has passed. You’re talking whole teams…” [36:47–37:19]
13. Key Vulnerability Roundup
(Timestamps refer to individual sections)
- Redis RCE (CVSS 10): a 13-year-old use-after-free in the embedded Lua scripting engine allows code execution; especially bad given how widely Redis is deployed and how many instances run without authentication [39:04–40:45].
- Adam: “If you can talk to Redis, you can codexec it.”
- SonicWall breach: All cloud backup configs stolen, enabling further attacks. Another major blow to a “besieged” vendor [40:45–42:40].
- Adam: “Not a great look when your firewall vendor is getting compromised…”
- CrowdStrike Falcon sensor bugs: Privilege escalation & file deletion if local code execution is possible. CrowdStrike downplays as “issues” not vulnerabilities [43:38–44:14].
- Adam: “Still pretty funny when they get, you know, beaten on by marketing for just calling them a vulnerability.”
- Ivanti Endpoint Manager — ZDI drops advisories: 13 bugs (11 SQLi!) after delayed patches; codebase traces back to Landesk from 1991, explaining volume of issues [45:00–46:21].
- Windows 10 end of life: October 14, 2025. Extended Security Updates otherwise cost money (or require enrolling via a Microsoft account), but are free for consumers in the European Economic Area [46:24–47:14].
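The Redis item above turns on exposure, not just the bug: the fix is patching, but the reason “if you can talk to Redis, you can codexec it” is that many instances are reachable, unauthenticated, and let any client run Lua. The following is an added example written for this summary, not code from the episode or from the Redis project, and the two redis.conf samples in it are constructed. It parses a redis.conf and reports the three exposure conditions the hosts describe (wildcard bind / protected-mode off, no password, EVAL/EVALSHA reachable), and the hardened sample shows the interim mitigation of denying the @scripting ACL category, or renaming the commands away, while you wait for the patch window.

```python
from collections import defaultdict

# Constructed sample: an internet-reachable, unauthenticated redis.conf of the
# kind the episode describes.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed hardened counterpart: loopback only, password set, and the Lua
# entry points (EVAL/EVALSHA) denied to every ACL user and renamed away.
HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass change-me-placeholder
user default on >change-me-placeholder ~* &* +@all -@scripting -@dangerous
rename-command EVAL ""
rename-command EVALSHA ""
"""

WILDCARD_BINDS = {"0.0.0.0", "*", "::", "-::*", "-0.0.0.0"}


def parse_conf(text):
    """Parse redis.conf text into {directive: [arg_list, ...]}.

    Directives such as rename-command and user may repeat, so each maps to a
    list of argument lists. Lines starting with '#' are comments.
    """
    conf = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf[parts[0].lower()].append(parts[1:])
    return conf


def scripting_blocked(conf):
    """True if no client can reach Lua scripting.

    Either EVAL and EVALSHA are renamed to the empty string (which disables
    them) or every ACL user is denied the @scripting category.
    """
    renamed = {
        args[0].upper()
        for args in conf.get("rename-command", [])
        if len(args) >= 2 and args[1] in ('""', "''")
    }
    if {"EVAL", "EVALSHA"} <= renamed:
        return True
    users = conf.get("user", [])
    return bool(users) and all("-@scripting" in args for args in users)


def audit(conf):
    """Return a list of exposure findings for a parsed redis.conf."""
    findings = []
    binds = [a for args in conf.get("bind", []) for a in args]
    if not binds or any(b in WILDCARD_BINDS for b in binds):
        findings.append("listens on all interfaces (bind missing or wildcard)")
    if conf.get("protected-mode", [["yes"]])[-1][0].lower() == "no":
        findings.append("protected-mode disabled")
    acl_has_password = any(
        any(a.startswith(">") or a.startswith("#") for a in args)
        for args in conf.get("user", [])
    )
    if not conf.get("requirepass") and not acl_has_password:
        findings.append("no authentication (no requirepass, no ACL user with a password)")
    if not scripting_blocked(conf):
        findings.append("Lua scripting (EVAL/EVALSHA) reachable by any client")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(parse_conf(text)) or ["no findings"])
```

The ACL denial is the cleaner control on Redis 6+; rename-command still works but is legacy, and neither replaces upgrading, since the use-after-free is in the interpreter, not in how it is exposed.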
Sponsor Interview: Stairwell API — Modern File Threat Intelligence
Guest: Mike Wysecek, CEO/Founder, Stairwell
[49:00–62:32]
- Product Evolution: Originally a file-based hunting platform, now adding an API for binary analysis and SIEM enrichment, akin to VirusTotal — but with enterprise visibility.
- Key differentiators:
- Visibility into files unique to an enterprise, not just globally known threats [52:07].
- Private, non-public sharing ensures organizational privacy [52:28].
- AI analysis explains “why” something’s malicious and provides a likelihood/confidence score [53:33].
- Correlates enterprise findings with vast DB of external malware and 2 trillion passive DNS records [54:47].
- Integrates with Google Chronicle, Splunk ES Cloud, offering plug-and-play SIEM enrichment [51:36–53:33].
- Economics: Priced for broad adoption; not aiming for large single contracts.
- Efficiency Gains: Teams using Stairwell clear queues dramatically faster, automating threat hunting and minimizing analyst workload [62:03].
- Quote:
  - Mike Wysecek: “We’re able to take that corpus of knowledge… and enrich it with information nobody else can. And that becomes really powerful for saving time, eliminating false positives, finding false negatives…” [50:40]
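The differentiator the interview keeps returning to is prevalence: a file that a global feed has never seen but that exists on exactly one of your hosts is a very different thing from one that is unknown globally but present on every workstation. The following is an added example written for this summary, not Stairwell’s code or API, showing that enrichment logic over constructed fleet telemetry and a constructed “globally known” table; the hash values, host names and paths are placeholders.

```python
from collections import defaultdict

# Constructed external intel: hashes some global feed already has a verdict for.
GLOBAL_KNOWN = {
    "sha256:aaaa": "benign",      # e.g. a signed OS component
    "sha256:bbbb": "malicious",   # e.g. a commodity loader
}

# Constructed fleet telemetry: (host, sha256) pairs of executables seen on endpoints.
OBSERVATIONS = [
    ("ws01", "sha256:aaaa"), ("ws02", "sha256:aaaa"), ("ws03", "sha256:aaaa"),
    ("ws01", "sha256:cccc"), ("ws02", "sha256:cccc"),
    ("ws03", "sha256:cccc"), ("ws04", "sha256:cccc"),
    ("ws02", "sha256:dddd"),
    ("ws05", "sha256:bbbb"),
]
FLEET_SIZE = 5

# Constructed SIEM events carrying a file hash, as they would arrive for enrichment.
SAMPLE_EVENTS = [
    {"host": "ws05", "sha256": "sha256:bbbb", "path": r"C:\Users\Public\svc.exe"},
    {"host": "ws02", "sha256": "sha256:dddd", "path": r"C:\ProgramData\upd.exe"},
    {"host": "ws04", "sha256": "sha256:cccc", "path": r"C:\Program Files\Corp\agent.exe"},
]


def prevalence_index(observations):
    """Map each hash to the set of hosts it was observed on."""
    idx = defaultdict(set)
    for host, sha in observations:
        idx[sha].add(host)
    return idx


def enrich(event, idx, global_known=GLOBAL_KNOWN, fleet_size=FLEET_SIZE, rare_hosts=1):
    """Attach fleet prevalence and a triage verdict to one SIEM event.

    Precedence: a global verdict wins; otherwise a hash on <= rare_hosts
    machines is unique to the enterprise and worth a hunt, while an unknown
    hash present fleet-wide is more likely internal software than malware.
    """
    sha = event["sha256"]
    hosts = idx.get(sha, set())
    if sha in global_known:
        verdict = "known-" + global_known[sha]
    elif len(hosts) <= rare_hosts:
        verdict = "unique-to-enterprise: hunt"
    else:
        verdict = "unknown-but-widespread: likely internal software"
    return {
        **event,
        "fleet_hosts": len(hosts),
        "fleet_ratio": round(len(hosts) / fleet_size, 2),
        "verdict": verdict,
    }


def triage(events, observations=OBSERVATIONS):
    """Enrich a batch of events against the fleet prevalence index."""
    idx = prevalence_index(observations)
    return [enrich(e, idx) for e in events]


if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row["host"], row["sha256"], row["fleet_hosts"], row["verdict"])
```

In a real pipeline the prevalence index is built from continuous endpoint file collection rather than a static list, and the global table is a lookup against an external service; the ordering of the checks is the part worth copying.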
Notable Quotes & Moments
- “Do I dare suggest that we’re in a better place?”
  — Patrick Gray, on the shift to less disruptive data extortion [06:59]
- “Maybe what you need to do is get a job for one of these companies, steal their exploit chain, sell it to Apple and then move to Belize.”
  — Patrick Gray, on $5M Apple bug bounties [38:04]
- “That software is older than probably a substantial part of our audience.”
  — Patrick Gray, on Ivanti’s Landesk codebase [46:16]
Timestamps for Key Segments
- [02:34] — Data extortion attacks and fever pitch
- [05:27] — Law enforcement now actively destroying leak data
- [09:30] — Clop targeting Oracle E-Biz
- [11:03] — watchTowr Labs write-up on E-Biz bugs
- [15:00] — Exploiting IE Mode in Edge
- [17:13] — Doxxing UK nursery school; teens arrested
- [18:25] — U.S. Cyber Command, NSA, CISA leadership crises
- [21:51] — Trump & signal-gate, Truth Social DM mishap
- [23:56] — $15B Bitcoin seizure, scam compounds in SE Asia
- [26:52] — Starlink enabling scam compounds, congressional investigation
- [29:26] — Satellite hacking research (academic study)
- [31:18] — Dutch government takes control of Nexperia
- [34:12] — NSO Group: sanctions, sale to U.S. investors
- [36:04] — Apple bug bounty escalation
- [39:04] — Redis CVSS 10 bug
- [40:45] — SonicWall cloud backup breach
- [43:38] — CrowdStrike bugs, “issues” vs. “vulnerabilities”
- [45:00] — ZDI Ivanti (Landesk) bugs dropped
- [46:24] — Windows 10 EOL
- [49:00] — Stairwell sponsor interview
Overall Tone & Language
- Lively, snarky, and candid.
- Mix of deep technical insight and industry meta-commentary.
- Critical of vendors and government failure but pragmatic about "better bad options".
This summary provides a comprehensive, engaging guide to Risky Business #810, capturing the full sweep of the episode’s insights, context, and memorable moments for infosec pros and anyone tracking the pulse of cyber risk and defense.
