On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including:
* Musk's DOGE kid has a history with The Com
* Paragon fires Italy as a spyware customer
* Thailand cuts power to scam compounds…
* … and arrests Phobos/8Base Russian cybercrims
* The CyberCX DFIR report shows non-U2F MFA is well and truly over
* And much, much more.
This week's episode is sponsored by Dropzone.AI. They make an AI SOC analysis platform that relieves your analysts of the necessary but tedious work, so they can focus on the value of human insight. Dropzone's founder and CEO Edward Wu joins to talk about how they approach the problem.
Show notes:
Teen on Musk’s DOGE Team Graduated from ‘The Com’ – Krebs on Security
https://krebsonsecurity.com/2025/02/teen-on-musks-doge-team-graduated-from-the-com/
ACLU Warns DOGE’s ‘Unchecked’ Access Could Violate Federal Law | WIRED
https://www.wired.com/story/aclu-doge-congress-musk-data/
Lawsuit accuses Trump administration of violating federal information security law | The Record from Recorded Future News
https://therecord.media/doge-lawsuit-alleged-information-security-violations
The Recruitment Effort That Helped Build Elon Musk’s DOGE Army | WIRED
https://www.wired.com/story/elon-musk-doge-recruiting-palantir/
States prepare privacy lawsuit against DOGE over access to federal data | The Record from Recorded Future News
https://therecord.media/doge-privacy-lawsuit-state-attorneys-general
Union groups sue Treasury over giving DOGE access to sensitive data | The Record from Recorded Future News
https://therecord.media/union-groups-sue-treasury-over-giving-doge-access-to-data
Student group sues Education Department over reported DOGE access to financial aid databases | The Record from Recorded Future News
https://therecord.media/university-of-california-students-sue-education-department-doge
Hackers exploiting bug in popular Trimble Cityworks tool used by local gov’ts | The Record from Recorded Future News
https://therecord.media/hackers-exploiting-trimble-cityworks-bug-used-by-local-govs
DeepSeek iOS app sends data unencrypted to ByteDance-controlled servers - Ars Technica
https://arstechnica.com/security/2025/02/deepseek-ios-app-sends-data-unencrypted-to-bytedance-controlled-servers/
DeepSeek Is a Win for Chinese Hackers - Risky Business
https://risky.biz/deepseek-is-a-win-for-chinese-hackers/
Owner of spyware used in alleged WhatsApp breach ends contract with Italy | WhatsApp | The Guardian
https://www.theguardian.com/technology/2025/feb/06/owner-of-spyware-used-in-alleged-whatsapp-breach-ends-contract-with-italy
Another person targeted by Paragon spyware comes forward | TechCrunch
https://techcrunch.com/2025/02/11/another-person-targeted-by-paragon-spyware-comes-forward/
Apple fixes security flaw allowing third-party access to locked devices | The Record from Recorded Future News
https://therecord.media/apple-ios-vulnerability-citizen-lab
U.S. sanctions bulletproof hosting provider for supplying LockBit infrastructure | CyberScoop
https://cyberscoop.com/zservers-bulletproof-hosting-sanctions-lockbit-ransomware/
Thailand cuts power supply to Myanmar scam hubs | The Record from Recorded Future News
https://therecord.media/thailand-cuts-power-scam-compounds-myanmar
8Base ransomware site taken down as Thai authorities arrest 4 connected to operation | The Record from Recorded Future News
https://therecord.media/8base-ransomware-site-taken-down-4-arrested
Two Russian nationals arrested in takedown of Phobos ransomware infrastructure | The Record from Recorded Future News
https://therecord.media/phobos-ransomware-takedown-arrests-russian-nationals
The Company Man: Binance exec detained in Nigeria breaks his silence | The Record from Recorded Future News
https://therecord.media/binance-exec-tigran-gambaryan-breaks-his-silence
Deloitte pays $5M in connection with breach of Rhode Island benefits site | Cybersecurity Dive
https://www.cybersecuritydive.com/news/deloitte-5m-rhode-social-services/739309/
DFIR - Threat Report 2025 | CyberCX
https://cybercx.com.au/resource/dfir-threat-report-2025/
Request a Demo | Dropzone AI
https://www.dropzone.ai/request-a-demo?utm_campaign=7749659-2025-FQ1%20Risky%20Business&utm_source=Sponsorship&utm_medium=Podcast&utm_content=Risky%20Business
In this edition of Between Two Nerds Tom Uren and The Grugq talk about Israeli spyware vendor Paragon, how and why it positions itself to sell to the US market, and how its capabilities might work.
Show notes:
- TechCrunch report (https://techcrunch.com/2025/01/31/whatsapp-says-it-disrupted-a-hacking-campaign-targeting-journalists-with-spyware/)
- this tweet (https://x.com/sherrwood9/status/1886053557880951253)
- Dropping Italy as a customer (https://www.theguardian.com/technology/2025/feb/06/owner-of-spyware-used-in-alleged-whatsapp-breach-ends-contract-with-italy)
In this podcast Tom Uren and Patrick Gray talk about the cyber espionage implications of Chinese AI firm DeepSeek's recently released models. They will certainly be picked up by various APT crews to try and accelerate their campaigns.
They also discuss the UK NCSC's attempt to quantify 'comedy bugs' and whether EU sanctions against Russian military intelligence officers for a five-year-old cyber espionage campaign targeting Estonia are pointless.
On this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including:
* DeepSeek leaves an unauthed database on the internet
* Russia hacked UK prime minister's personal mail
* Australia sanctions a Telegram group… which is more sensible than it sounds
* Medical device backdoor turns out to be just poorly thought out upgrade feature
* Google abuses weak hashing to patch AMD CPU microcode
* And much, much more.
This week's episode is sponsored by email security boffins Sublime. Their co-founder and CEO Josh Kamdjou joins to talk about how attackers' abuse of legitimate services like Docusign is a challenge for email security vendors.
Show notes:
Exclusive: Musk aides lock workers out of OPM computer systems | Reuters
https://www.reuters.com/world/us/musk-aides-lock-government-workers-out-computer-systems-us-agency-sources-say-2025-01-31/
Wiz Research Uncovers Exposed DeepSeek Database Leaking Sensitive Information, Including Chat History | Wiz Blog
https://www.wiz.io/blog/wiz-research-uncovers-exposed-deepseek-database-leak
SparkCat crypto stealer in the Google Play and App Store stores | Securelist
https://securelist.ru/sparkcat-stealer-in-app-store-and-google-play/111638/
Russian hackers suspected of compromising British PM’s personal email account | The Record from Recorded Future News
https://therecord.media/keir-starmer-email-hack-russia-suspected
PowerSchool hack: missed basic security step resulted in data breach
https://www.nbcnews.com/tech/security/powerschool-hack-data-breach-protect-student-school-teacher-safe-rcna189029
Australia sanctions ‘Terrorgram’ white supremacist online group | The Record from Recorded Future News
https://therecord.media/australia-sanctions-terrorgram-online-hate-group
‘Paid actors’ could be behind some antisemitic attacks, Albanese says | Australian security and counter-terrorism | The Guardian
https://www.theguardian.com/australia-news/2025/jan/22/paid-actors-antisemitic-attacks-australia-pm-anthony-albanese-police-afp-ntwnfb
Interview with James Glenday, ABC News Breakfast | Australian Minister for Foreign Affairs
https://www.foreignminister.gov.au/minister/penny-wong/transcript/interview-james-glenday-abc-news-breakfast
WhatsApp says spyware company Paragon Solutions targeted journalists
https://www.nbcnews.com/tech/security/whatsapp-says-spyware-company-paragon-solutions-targeted-journalists-rcna190227
Spyware maker Paragon confirms US government is a customer | TechCrunch
https://techcrunch.com/2025/02/04/spyware-maker-paragon-confirms-u-s-government-is-a-customer/?guccounter=1
Former Polish justice minister arrested in sprawling spyware probe | The Record from Recorded Future News
https://therecord.media/poland-spyware-former-justice-minister-arrested
Sweden releases suspected ship, says cable break ‘clearly’ not sabotage | The Record from Recorded Future News
https://therecord.media/sweden-releases-ship-suspected-cable-sabotage
Backdoor found in two healthcare patient monitors, linked to IP in China
https://www.bleepingcomputer.com/news/security/backdoor-found-in-two-healthcare-patient-monitors-linked-to-ip-in-china/
Attackers exploit zero-day vulnerability in Zyxel CPE devices | Cybersecurity Dive
https://www.cybersecuritydive.com/news/exploit-zero-day-vulnerability--zyxel/738611/
AMD: Microcode Signature Verification Vulnerability · Advisory · google/security-research · GitHub
https://github.com/google/security-research/security/advisories/GHSA-4xq7-4mgh-gp6w
22-year-old math wiz indicted for alleged DeFI hack that stole $65M - Ars Technica
https://arstechnica.com/information-technology/2025/02/man-indicted-for-two-alleged-defi-hacks-that-stole-65-million/
A method to assess 'forgivable' vs 'unforgivable'... - NCSC.GOV.UK
https://www.ncsc.gov.uk/report/a-method-to-assess-forgivable-vs-unforgivable-vulnerabilities
Living Off the Land: Credential Phishing via Docusign abuse
https://sublime.security/blog/living-off-the-land-credential-phishing-via-docusign-abuse/
Living Off the Land: Callback Phishing via Docusign comment
https://sublime.security/blog/living-off-the-land-callback-phishing-via-docusign-comment/
B2B freight-forwarding scams on the rise to evade financial fraud crackdowns
https://sublime.security/blog/b2b-freight-forwarding-scams-on-the-rise-to-evade-financial-fraud-crackdowns/
Callback phishing via invoice abuse and distribution list relays
https://sublime.security/blog/callback-phishing-via-invoice-abuse-and-distribution-list-relays/
Enhanced message groups: Improving efficiency in email incident response
https://sublime.security/blog/enhanced-message-groups-improving-efficiency-in-email-incident-response/
In this edition of Between Two Nerds Tom Uren and The Grugq talk about how the compromise of US telecommunications companies by Chinese hackers has very little to do with US government lawful intercept laws.
In this product demo Airlock Digital co-founders Daniel Schell and David Cottingham show Risky Business host Patrick Gray around the latest version of the company's allowlisting software.
Airlock allows customers to control what executes in their environment, from applications to DLLs to scripts to Windows lolbins.
It is a terrific product that allows organisations to successfully implement allowlisting at massive scale. It is deployed in environments with 100,000+ endpoints.
Risky Business #777 -- It's SonicWall's turn
Coming to you from the same room in Risky Business headquarters Patrick Gray and Adam Boileau discuss the week's cybersecurity news. They talk through:
* SonicWall firewalls hand out remote code exec like candy
* Mastercard make a slapstick-grade mistake with their DNS
* The data breach at PowerSchool and other niche SaaS providers
* Academic research proposes taking down Europe's power grid
* Apple CPUs get a new speculative execution side channel
* And much, much more.
This week's episode is sponsored by Push Security, who make an identity security product that runs inside browsers. Luke Jennings joins to discuss some of the pitfalls of federated authentication, like attackers using unexpected identity providers to log in to your apps.
Show notes:
SonicWall warns hackers targeting critical vulnerability in SMA 1000 series appliances | Cybersecurity Dive
https://www.cybersecuritydive.com/news/sonicwall-hackers-vulnerability-sma-1000/738333/
MasterCard DNS Error Went Unnoticed for Years – Krebs on Security
https://krebsonsecurity.com/2025/01/mastercard-dns-error-went-unnoticed-for-years/
Data breach hitting PowerSchool looks very, very bad - Ars Technica
https://arstechnica.com/security/2025/01/students-parents-and-teachers-still-smarting-from-breach-exposing-their-info/
OpenAI rival DeepSeek limits registration after ‘large-scale malicious attacks’ | The Record from Recorded Future News
https://therecord.media/deepseek-limits-registration-blames-malicious-attacks
Hackers imitate Kremlin-linked group to target Russian entities | The Record from Recorded Future News
https://therecord.media/hacker-imitates-gamaredon-to-target-russia
UK to examine undersea cable vulnerability as Russian spy ship spotted in British waters | The Record from Recorded Future News
https://therecord.media/britain-undersea-cables-russian-spy-ship
Questions grow over whether Baltic Sea cable damage was sabotage or accidental | The Record from Recorded Future News
https://therecord.media/finland-eagle-s-tanker-questions-over-alleged-sabotage
Researchers say new attack could take down the European power grid - Ars Technica
https://arstechnica.com/security/2025/01/could-hackers-use-new-attack-to-take-down-european-power-grid/
At least $69 million stolen from crypto platform Phemex in suspected cyberattack | The Record from Recorded Future News
https://therecord.media/69-million-stolen-cyberattack-crypto-platform-phemex
BreachForums admin to be resentenced after appeals court slams supervised release | The Record from Recorded Future News
https://therecord.media/breachforums-resentenced-supervised-release-admin
Apple chips can be hacked to leak secrets from Gmail, iCloud, and more - Ars Technica
https://arstechnica.com/security/2025/01/newly-discovered-flaws-in-apple-chips-leak-secrets-in-safari-and-chrome/
Apple fixes zero-day flaw affecting all devices | TechCrunch
https://techcrunch.com/2025/01/28/apple-fixes-zero-day-flaw-affecting-all-devices/
I’m Lovin’ It: Exploiting McDonald’s APIs to hijack deliveries and order food for a penny
https://eaton-works.com/2024/12/19/mcdelivery-india-hack/
Government websites vanish under Trump, from the Constitution to DEI
https://www.nbcnews.com/tech/tech-news/government-websites-vanish-trump-constitution-dei-rcna188522
Trail of Bits: Director, Technical Marketing
https://apply.workable.com/trailofbits/j/B49EEE1191/
Push Security: Security Researcher (remote in the USA)
https://pushsecurity.bamboohr.com/careers/74
Risky Business #776 -- Trump will flex America's cyber muscles
Risky Business returns for its 19th year! Patrick Gray and Adam Boileau discuss the week's cybersecurity news and there is a whole bunch of it. They discuss:
* The incoming Trump administration guts the CSRB
* Biden's last cyber Executive Order has sensible things in it
* China's breach of the US Treasury gets our reluctant admiration
* Ross Ulbricht - the Dread Pirate Roberts of Silk Road fame - gets his Trump pardon
* New year, same shameful comedy Forti- and Ivanti- bugs
* US soldier behind the Snowflake hacks faces charges after a solid Krebs-ing
* And much, much (much! after a month off) more.
This week's episode is sponsored by Sandfly Security, who make a Linux EDR solution. Founder Craig Rowland joins to talk about how the Linux ecosystem struggles with its lack of standardised approaches to detection and response. If you've got a telco full of Unix, and people are asking how much Salt Typhoon you've got in there… Sandfly's tools are probably what you're looking for.
POLITICO Pro | Article | Acting DHS chief ousts CSRB experts, other department advisers
https://subscriber.politicopro.com/article/2025/01/acting-dhs-chief-ousts-csrb-experts-other-department-advisers-00199722
Treasury’s sanctions office hacked by Chinese government, officials say
https://www.washingtonpost.com/national-security/2025/01/01/treasury-hack-china/
Strengthening America’s Resilience Against the PRC Cyber Threats | CISA
https://www.cisa.gov/news-events/news/strengthening-americas-resilience-against-prc-cyber-threats
AT&T, Verizon say they evicted Salt Typhoon from their networks
https://www.cybersecuritydive.com/news/att-verizon-salt-typhoon/736680/
Risky Bulletin: Looking at Biden's last cyber executive order - Risky Business
https://risky.biz/risky-bulletin-looking-at-bidens-last-cyber-executive-order/
Internet-connected devices can now have a label that rates their security | Reuters
https://www.reuters.com/technology/cybersecurity/internet-connected-devices-can-now-have-label-that-rates-their-security-2025-01-07/
US sanctions prominent Chinese cyber company for role in Flax Typhoon attacks
https://therecord.media/us-sanctions-chinas-integrity-cyber-company-flax-typhoon
FCC ‘rip and replace’ provision for Chinese tech tops cyber provisions in defense bill
https://therecord.media/fcc-rip-and-replace-china-tech-tops-ndaa
CIA nominee tells Senate he, too, wants to go on cyber offense | CyberScoop
https://cyberscoop.com/cia-nominee-john-ratcliffe-cyber-offense/
Trump tells Justice Department not to enforce TikTok ban for 75 days
https://www.nbcnews.com/tech/tech-news/trump-tells-justice-department-not-enforce-tiktok-ban-75-days-rcna188377
Judge rules NSO Group is liable for spyware hacks targeting 1,400 WhatsApp user devices | The Record from Recorded Future News
https://therecord.media/judge-rules-nso-group-liable-for-hack-of-1400-whatsapp-users
Unpacking WhatsApp’s Legal Triumph Over NSO Group | Lawfare
https://www.lawfaremedia.org/article/unpacking-whatsapp-s-legal-triumph-over-nso-group
Time to check if you ran any of these 33 malicious Chrome extensions
https://arstechnica.com/security/2025/01/dozens-of-backdoored-chrome-extensions-discovered-on-2-6-million-devices/
Console Chaos: A Campaign Targeting Publicly Exposed Management Interfaces on Fortinet FortiGate Firewalls - Arctic Wolf
https://arcticwolf.com/resources/blog/console-chaos-targets-fortinet-fortigate-firewalls/
Ongoing attacks on Ivanti VPNs install a ton of sneaky, well-written malware
https://arstechnica.com/security/2025/01/ivanti-vpn-users-are-getting-hacked-by-actors-exploiting-a-critical-vulnerability/
Researchers warn of active exploitation of critical Apache Struts 2 flaw
https://www.cybersecuritydive.com/news/active-exploitation-apache-struts-2-flaw/736199/
DOJ deletes China-linked PlugX malware off more than 4,200 US computers
https://therecord.media/doj-deletes-china-linked-plugx-malware
Russian internet provider confirms its network was ‘destroyed’ following attack claimed by Ukrainian hackers
https://therecord.media/russian-internet-provider-says-network-destroyed-cyberattack
Ukraine restores state registers after suspected Russian cyberattack
https://therecord.media/ukraine-restores-registers-after-cyberattack
Hackers claim to breach Russian state agency managing property, land records
https://therecord.media/hackers-claim-to-breach-russian-state-agency-land-records
U.S. Army Soldier Arrested in AT&T, Verizon Extortions – Krebs on Security
https://krebsonsecurity.com/2024/12/u-s-army-soldier-arrested-in-att-verizon-extortions/
In this sponsored Soap Box edition of the show Patrick Gray talks to Island CEO Michael Fey about some of the cool tricks in the Island enterprise browser. You can use it to tick off so many compliance boxes, and not just cybersecurity boxes.
This is largely a conversation about compliance, but it's actually interesting and fun. These are words we never thought we'd type!
You can find Island at https://island.io/
In this product demo the Panther team join Patrick Gray to walk him through their new piped query language for incident response on the Panther SIEM platform.
Panther is a cloud-native SIEM capable of ingesting incredible amounts of data and applying detection-as-code to it in real time. With this new release they've moved into the threat hunting space as well.