Risky Business #793 -- Scattered Spider is hijacking MX records
In this week’s edition of Risky Business Dmitri Alperovitch and Adam Boileau join Patrick Gray to talk through the week’s news, including:
EXCLUSIVE: A Scattered Spider-style crew is hijacking DNS MX entries and compromising enterprises within minutes
The SVG format brings the all horrors of HTML+JS to image files, and attackers have noticed
Brian Krebs eats a 6.3Tbps DDoS … ‘cause that’s how you demo your packet cannon
Law enforcement takes out Lumma Stealer, Qakbot, Danabot and some dark web drug traffickers
Iranian behind 2019 Baltimore ransomware mysteriously appears in North Carolina and pleads guilty
CISA’s leadership is fleeing in droves, even though the US needs them more than ever.
This week’s episode is sponsored by Thinkst Canary. Long time friend of the show Haroon Meer joins and talks through where he feels the industry is at, having just returned home from the AI-fueled hype at this year’s RSA conference.
This episode is also available on Youtube.
Show notes
China-linked ‘Silk Typhoon’ hackers accessed Commvault cloud environments, person familiar says - Nextgov/FCW
Risky Bulletin: SVG use for phishing explodes in 2025 - Risky Business Media
KrebsOnSecurity Hit With Near-Record 6.3 Tbps DDoS – Krebs on Security
Midwestern telco Cellcom confirms cyber incident after days of service outages | The Record from Recorded Future News
Microsoft leads international takedown of Lumma Stealer | Cybersecurity Dive
Who said what? on X: "Message from the administrator of Lumma Stealer on the forums about the recent events🕊️👀 https://t.co/MOjCSMMErK" / X
Ransomware hackers charged, infrastructure dismantled in international law enforcement operation | The Record from Recorded Future News
Oops: DanaBot Malware Devs Infected Their Own PCs – Krebs on Security
DOJ charges man allegedly behind Qakbot malware | The Record from Recorded Future News
US, Europol arrest 270 dark web drug traffickers in Operation RapTor | The Record from Recorded Future News
Iranian pleads guilty to launching Baltimore ransomware attack, faces 30 years behind bars | The Record from Recorded Future News
Decentralized crypto platform Cetus hit with $223 million hack | The Record from Recorded Future News
Nearly 70,000 impacted by Coinbase breach involving $20 million ransom demand | The Record from Recorded Future News
USA: Crypto investor charged with kidnapping, torturing man in an NYC apartment
Vietnam orders ban on Telegram messaging app over security concerns | The Record from Recorded Future News
Exclusive: Hacker who breached communications app used by Trump aide stole data from across US government | Reuters
CISA loses nearly all top officials as purge continues | Cybersecurity Dive
White House dismisses scores of National Security Council staff - The Washington Post
--------
1:04:52
Risky Business #792 -- Beware, Coinbase users. Crypto thieves are taking fingers now
On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news:
TeleMessage memory dumps show up on DDoSecrets
Coinbase contractor bribed to hand over user data
Telegram does seem to be actually cooperating with law enforcement
Britain’s legal aid service gets 15 years worth of applicant data stolen
Shocking no one, Ivanti were weaseling when they blamed latest bugs on a third party library
This week’s episode is sponsored by Prowler, who make an open source cloud security tool. Founder and original project developer Toni de la Fuente joins to talk through the flexibility that open tooling brings. Prowler is also adding support for SaaS platforms like M365, and of course, an AI assistant to help you write checks!
This episode is also available on Youtube.
Show notes
TeleMessage - Distributed Denial of Secrets
How the Signal Knockoff App TeleMessage Got Hacked in 20 Minutes | WIRED
Coinbase says thieves stole user data and tried to extort $20M
Hack could cost Coinbase up to $400M: filing | Cybersecurity Dive
Severed Fingers and ‘Wrench Attacks’ Rattle the Crypto Elite
Money Stuff: US Debt Rates Itself | NewsletterHunt
2 massive black market services blocked by Telegram, messaging app says | Reuters
Telegram Gave Authorities Data on More than 20,000 Users
GovDelivery, an email alert system used by governments, abused to send scam messages | TechCrunch
ATO warning as hackers steal $14,000 in tax returns: ‘Be wary’
Hack of SEC social media account earns 14-month prison sentence for Alabama man | The Record from Recorded Future News
19-year-old accused of largest child data breach in U.S. agrees to plead guilty
Beach mansion, Benz and Bitcoin worth $4.5m seized from League of Legends hacker Shane Stephen Duffy | 7NEWS
Pegasus spyware maker rebuffed in efforts to get off trade blacklist - The Washington Post
Ransomware attack hits supplier of refrigerated groceries to British supermarkets | The Record from Recorded Future News
UK government confirms massive data breach following hack of Legal Aid Agency | The Record from Recorded Future News
Ivanti Endpoint Mobile Manager customers exploited via chained vulnerabilities | Cybersecurity Dive
Expression Payloads Meet Mayhem - Ivanti EPMM Unauth RCE Chain (CVE-2025-4427 and CVE-2025-4428)
--------
53:01
Risky Biz Soap Box: Push Security's browser-first twist on identity security
In this wholly sponsored Soap Box edition of the show, Patrick Gray chats with Adam Bateman and Luke Jennings from Push Security.
Push has built an identity security platform that collects identity information and events from your users’ browsers. It can detect phish kits and shut down phishing attempts, protect SSO credentials, and find shadow/personal account that a user has spun up.
It’s extremely difficult to bypass. That’s because when you’re in the browser it doesn’t matter how a phishing link arrives, or how a threat actor has concealed it from your detection stack – if the user sees it, Push sees it.
There are solutions for protecting your users SSO credentials, like passkeys. But what about all the SaaS in your environment? Even if it’s enrolled into your SSO, are you sure that’s how your users are authenticating to it? What about the automation platforms your developers and admins use? What about data platforms like Snowflake? Are your using setting up passkeys for those accounts? How would you know, and what problems can it cause if those accounts are vulnerable?
This is a fun one!
This episode is also available on Youtube.
Show notes
--------
34:24
Risky Business #791 -- Woof! Copilot for Sharepoint coughs up creds and keys
On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news:
Struggling to find that pesky passwords.xlsx in Sharepoint? Copilot has your back!
The ransomware ecosystem is finding life a bit tough lately
SAP Netweaver bug being used by Chinese APT crew
Academics keep just keep finding CPU side-channel attacks
And of course… bugs! Asus, Ivanti, Fortinet… and a Nissan LEAF?
This week’s episode is sponsored by Resourcely, who will soothe your Terraform pains. Founder and CEO Tracis McPeak joins to talk about how to get from a very red dashboard full of cloud problems to a workable future.
This episode is also available on Youtube.
Show notes
Exploiting Copilot AI for SharePoint | Pen Test Partners
MrBruh's Epic Blog
Ransomware group Lockbit appears to have been hacked, analysts say | Reuters
"CONTI LEAK: Video they tried to bury! 6+ Conti members on a private jet. TARGET’s birthday — $10M bounty on his head. Filmed by TARGET himself. Original erased — we kept a copy."
Mysterious hackers who targeted Marks and Spencer's computer systems hint at political allegiance as they warn other tech criminals not to attack former Soviet states
The organizational structure of ransomware groups is evolving rapidly.
SAP NetWeaver exploitation enters second wave of threat activity
China-Nexus Nation State Actors Exploit SAP NetWeaver (CVE-2025-31324) to Target Critical Infrastructures
DOGE software engineer’s computer infected by info-stealing malware
Hackers hijack Japanese financial accounts to conduct nearly $2 billion in trades
FBI and Dutch police seize and shut down botnet of hacked routers
Poland arrests four in global DDoS-for-hire takedown
School districts hit with extortion attempts after PowerSchool breach
EU launches vulnerability database to tackle cybersecurity threats
Training Solo - vusec
Branch Privilege Injection: Exploiting Branch Predictor Race Conditions – Computer Security Group
Remote Exploitation of Nissan Leaf: Controlling Critical Body Elements from the Internet
PSIRT | FortiGuard Labs
EPMM Security Update | Ivanti
--------
57:52
Wide World of Cyber: How state adversaries attack security vendors
In this edition of the Wide World of Cyber podcast Patrick Gray talks to SentinelOne’s Steve Stone and Alex Stamos about how foreign adversaries are targeting security vendors, including them.
From North Korean IT workers to Chinese supply chain attacks, SentinelOne and its competitors are constantly fending off sophisticated hacking campaigns.
This edition of the Wide World of Cyber was recorded in front of a live audience in San Francisco, with Patrick attending via Zoom.
The Wide World of Cyber podcast series is a wholly sponsored co-production between SentinelOne and Risky Business Media.
This episode is also available on Youtube.
Show notes
Risky Business is a weekly information security podcast featuring news and in-depth interviews with industry luminaries. Launched in February 2007, Risky Business is a must-listen digest for information security pros. With a running time of approximately 50-60 minutes, Risky Business is pacy; a security podcast without the waffle.
New Zealand