Risky Business #799 -- Everyone's Sharepoint gets shelled
Risky Biz returns after two weeks off, and there sure is cybersecurity news to catch up on. Patrick Gray and Adam Boileau discuss:
Microsoft tried to make outsourcing the Pentagon’s cloud maintenance to China okay (it was not)
She shells Sharepoint by the sea-shore (by ‘she’ we mean ‘China’)
Four (alleged) Scattered Spider members arrested (and bailed) in the UK
Hackers spend $2700 to buy creds for a Brazilian payment system, steal $100M
Fortinet has SQLi in the auth header, Citrix mem leak is weaponised, HP hardcodes creds and SonicWalls get user-mode rootkits. Just security vendor things!
This week’s episode is sponsored by Airlock Digital. CEO David Cottingham talks through what it takes to build a mature, resilient management platform for a security-critical system.
This episode is also available on YouTube.
Show notes
Update on DOD’s cloud services
Microsoft to stop using engineers in China for tech support of US military, Hegseth orders review
A Little-Known Microsoft Program Could Expose the Defense Department to Chinese Hackers
While DOD policy bans unauthorized apps like TikTok from being on employees' phones over national security risks
Microsoft Fix Targets Attacks on SharePoint Zero-Day – Krebs on Security
National Guard was hacked by China's 'Salt Typhoon' group, DHS says
Suspected contractor for China’s Hafnium group arrested in Italy | Cybersecurity Dive
Singapore accuses Chinese state-backed hackers of attacking critical infrastructure networks | The Record from Recorded Future News
UK Arrests Four in ‘Scattered Spider’ Ransom Group – Krebs on Security
Four people bailed after arrests over cyber attacks on M&S, Co-op and Harrods
Brazilian police arrest IT worker over $100 million cyber theft | The Record from Recorded Future News
At Least 750 US Hospitals Faced Disruptions During Last Year’s CrowdStrike Outage, Study Finds | WIRED
Hacker returns cryptocurrency stolen from GMX exchange after $5 million bounty payment | The Record
Indian crypto exchange CoinDCX says $44 million stolen from reserves | The Record
Chainalysis: $2.17 billion in crypto stolen in first half of 2025, driven by North Korean hacks | The Record
PoisonSeed bypassing FIDO keys to ‘fetch’ user accounts
Risky Bulletin: Browser extensions hijacked for web scraping botnet
A Startup is Selling Data Hacked from Peoples’ Computers to Debt Collectors
A surveillance vendor was caught exploiting a new SS7 attack to track people's phone locations | TechCrunch
Ukrainian hackers wipe databases at Russia's Gazprom in major cyberattack, intelligence source says
File transfer company CrushFTP warns of zero-day exploit seen in the wild | The Record
HPE warns of hardcoded passwords in Aruba access points
Pre-Auth SQL Injection to RCE - Fortinet FortiWeb Fabric Connector (CVE-2025-25257)
Researchers, CISA confirm active exploitation of critical Citrix Netscaler flaw | Cybersecurity Dive
Google finds custom backdoor being installed on SonicWall network devices - Ars Technica
Hackers Can Remotely Trigger the Brakes on American Trains and the Problem Has Been Ignored for Years
Running time: 1:13:55
Risky Biz Soap Box: Prowler, the open cloud security platform
In this sponsored Soap Box edition of the Risky Business podcast Patrick Gray chats with Toni de la Fuente, founder of the open-source multi-cloud security product Prowler.
Toni explains how Prowler came to be, and how its journey followed his own learning about the cloud. The pair also discuss Prowler’s successful transition from an open-source project into a community, and now a growing business with an as-a-service platform.
This episode is also available on YouTube.
Show notes
Running time: 32:08
Risky Business #798 -- Mexican cartel surveilled the FBI to identify, kill witnesses
On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news:
Australian airline Qantas looks like it got a Scattered Spider-ing
Microsoft works towards blunting the next CrowdStrike disaster
Changes are coming for Microsoft’s default enterprise app consenting setup
Synology downplays hardcoded passwords for its M365 cloud backup agent
The next Citrix Netscaler memory disclosure looks nasty
Drug cartels used technical surveillance to find, fix and finish FBI informants and witnesses
This week’s episode is sponsored by RAD Security. Co-founder Jimmy Mesta joins to talk through how they use AI automation to assess the security posture of sprawling cloud environments.
This episode is also available on YouTube.
Show notes
Qantas hit by cyber attack, leaving 6 million customer records at risk of data breach
Scattered Spider appears to pivot toward aviation sector | Cybersecurity Dive
Microsoft to make Windows more resilient following 2024 IT outage | Cybersecurity Dive
The Ultimate Guide to App Consent in Microsoft Entra - YouTube
When Backups Open Backdoors: Accessing Sensitive Cloud Data via "Synology Active Backup for Microsoft 365" / modzero
AT&T deploys new account lock feature to counter SIM swapping | CyberScoop
Iran-linked hackers threaten to release Trump aides' emails | Reuters
US government warns of new Iran-linked cyber threats on critical infrastructure | Cybersecurity Dive
Actively exploited vulnerability gives extraordinary control over server fleets - Ars Technica
Critical vulnerability in Citrix Netscaler raises specter of exploitation wave | Cybersecurity Dive
Identities of More Than 80 Americans Stolen for North Korean IT Worker Scams | WIRED
Cloudflare confirms Russia restricting access to services amid free internet crackdown | The Record from Recorded Future News
Mexican drug cartel used hacker to track FBI official, then killed potential FBI informants, government audit says | CNN Politics
Audit of the FBI's Efforts to Mitigate the Effects of Ubiquitous Technical Surveillance - Redacted Report
NATO members aim for spending 5% of GDP on defense, with 1.5% eligible for cyber | The Record from Recorded Future News
US sanctions bulletproof hosting provider for supporting ransomware, infostealer operations | CyberScoop
US, French authorities confirm arrest of BreachForums hackers | TechCrunch
Spanish police arrest five over $542 million crypto investment scheme | The Record from Recorded Future News
Scam compounds labeled a 'living nightmare' as Cambodian government accused of turning a blind eye | The Record from Recorded Future News
Running time: 1:02:19
Risky Business #797 -- Stuxnet vs Massive Ordnance Penetrators
On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news:
We roll our eyes over the “16 billion credentials” leak hitting mainstream news
Some interesting cyber angles emerge from the conflict in Iran
Open-source maintainer of libxml2 is fed up with this hacker crap
Shockingly, there are yet more ways to trick people into pasting commands into Windows
Veeam “patches” its backup software RCE like it’s 2002 … by breaking the public PoC
This week’s episode is sponsored by Internet-wide honeypot reconnaissance platform GreyNoise. Founder Andrew Morris joins to talk about their journey spotting Chinese ORB-builders hacking thousands of ASUS routers, and why they’re destined for the woodchipper.
This episode is also available on YouTube.
Show notes
No, the 16 billion credentials leak is not a new data breach
Canadian telecom hacked by suspected China state group - Ars Technica
Telecom giant Viasat breached by China's Salt Typhoon hackers
WarTranslated on X: "Iran’s jamming GPS in the Strait of Hormuz, messing with ~970 ships, per Windward. UKMTO confirms the interference. Faulty AIS coordinates are screwing up navigation in the Persian Gulf. The IRGC threatens to shut the strait down in hours. https://t.co/kdMJvshOGC" / X
Dmitri Alperovitch on X: "Chairman of the Joint Chiefs Gen. Dan Caine says @US_CYBERCOM supported this strike mission" / X
Top Pentagon spy pick rejected by White House - POLITICO
DHS warns of heightened cyber threat as US enters Iran conflict | Cybersecurity Dive
Exclusive: Early US intel assessment suggests strikes on Iran did not destroy nuclear sites, sources say
U.S. braces for Iran's response after overnight strikes on nuclear sites
Assessing the Damage to Iran’s Nuclear Program
Iran Hacks Tirana Municipality in Retaliation Over MEK - Tirana Times
Iran's government says it shut down internet to protect against cyberattacks | TechCrunch
Aflac discloses cyber intrusion linked to wider crime spree targeting insurance industry | Cybersecurity Dive
Tonga Ministry of Health hit with cyberattack affecting website, IT systems | The Record from Recorded Future News
Alleged Ryuk ransomware gang member arrested in Ukraine and extradited to US | The Record from Recorded Future News
Russia releases REvil members after convictions for payment card fraud | The Record from Recorded Future News
OneLogin, Many Issues: How I Pivoted from a Trial Tenant to Compromising Customer Signing Keys - SpecterOps
Triaging security issues reported by third parties (#913) · Issue · GNOME/libxml2
README: Set expectations straight (35d04a08) · Commits · GNOME / libxml2 · GitLab
What’s in an ASP? Creative Phishing Attack on Prominent Academics and Critics of Russia | Google Cloud Blog
FileFix - A ClickFix Alternative | mr.d0x
Address bar shows hp.com. Browser displays scammers’ malicious text anyway. - Ars Technica
Researchers urge vigilance as Veeam releases patch to address critical flaw | Cybersecurity Dive
ASUSpicious Flaw - Millions of Users’ Information Exposed Since 2022 | MrBruh's Epic Blog
Perth dad who created ‘evil twin’ Wi-Fi did so to access pictures of women
GreyNoise Discovers Stealthy Backdoor Campaign Affecting Thousands of ASUS Routers
Running time: 1:02:16
Risky Business #796 -- With special guest co-host Chris Krebs
On this week’s show Patrick Gray and Adam Boileau are joined by special guest Chris Krebs to discuss the week’s cybersecurity news. They talk through:
Israeli “hacktivists” take out an Iranian state-owned bank
Scattered-spider and friends pivot into attacking insurers
Securing identities in a cloud-first world keeps us awake at night
Microsoft takes the “aas” out of SaaS for Europe, leaving us with just software!
An AI prompt injection into M365 exfils corporate data
This week’s episode is sponsored by Kroll’s Cyber practice. Kroll Cyber Associate Managing Director George Glass is based in London and talks through his experiences helping organisations in the UK deal with the Scattered Spider attacks.
This episode is also available on YouTube.
Show notes
Iran’s Bank Sepah disrupted by cyberattack claimed by pro-Israel hacktivist group | CyberScoop
Iran orders officials to ditch connected devices
Heightened Cyberthreat Amidst Israel-Iran Conflict
Threat group linked to UK, US retail attacks now targeting insurance industry | Cybersecurity Dive
Coming to Apple OSes: A seamless, secure way to import and export passkeys - Ars Technica
Cyberattack on Washington Post Compromises Email Accounts of Journalists
Hackers impersonating US government compromise email account of prominent Russia researcher | The Record from Recorded Future News
A good one to talk to Chris about:
Breaking down ‘EchoLeak’, the First Zero-Click AI Vulnerability Enabling Data Exfiltration from Microsoft 365 Copilot
CISA warns of supply chain risks as ransomware attacks exploit SimpleHelp flaws | Cybersecurity Dive
Whole Foods supplier making progress on restoration after cyberattack left shelves empty | The Record from Recorded Future News
Ransomware attack on ticketing platform upends South Korean entertainment industry | The Record from Recorded Future News
Advisory: Cybersecurity incident
Risky Business is a weekly information security podcast featuring news and in-depth interviews with industry luminaries. Launched in February 2007, Risky Business is a must-listen digest for information security pros. With a running time of approximately 50-60 minutes, Risky Business is pacy; a security podcast without the waffle.