Risky Business - Risky Business #810 -- Data extortion attacks have a silver lining

Episode Date: October 15, 2025

In this week’s show Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including:

- FBI intervenes in Scattered Spider Salesforce leaksite
- Clop... loots Oracle E-Biz deployments
- Plus so much more data extortion.. At least it’s not ransomware … we guess?
- The US still can’t decide who’s gonna be in charge of NSA & Cybercom
- Cambodian scam compounds get sanctioned and $15b in crypto is seized
- NSO gets sold for pocket-lint-grade money
- Bugs! Redis CVSS 10, Ivanti, Crowdstrike and… Internet Explorer?! zeroday?! In the wild?!!!?

This week’s episode is sponsored by Stairwell. Founder Mike Wiacek talks about how Stairwell brings VirusTotal-like visibility to private files, and about integrating the insights that brings into your SOC workflow.

This episode is also available on Youtube.

Show notes

- FBI takedown banner appears on BreachForums site as Scattered Spider promotes leak | The Record from Recorded Future News
- Dozens of Oracle customers impacted by Clop data theft for extortion campaign | CyberScoop
- Well, Well, Well. It’s Another Day. (Oracle E-Business Suite Pre-Auth RCE Chain - CVE-2025-61882)
- Clop is a Big Fish, But Not Worth Hunting - Risky Business Media
- ShinyHunters Wage Broad Corporate Extortion Spree – Krebs on Security
- The company Discord blamed for its recent breach says it wasn't hacked
- Qantas confirms cybercriminals released stolen customer data | The Record from Recorded Future News
- Red Hat confirms breach of GitLab instance, which stored company’s consulting data | CyberScoop
- Risky Bulletin: Microsoft revamps Edge's "IE Mode" after zero-day attacks - Risky Business Media
- Teenagers arrested in England over cyberattack on nursery chain Kido | The Record from Recorded Future News
- Acting US Cyber Command, NSA chief won’t be nominated for the job, sources say | The Record from Recorded Future News
- Layoffs, reassignments further deplete CISA | Cybersecurity Dive
- Trump’s scandalous directive to AG Pam Bondi reached the public by accident
- Feds sanction Cambodian conglomerate over cyber scams, seize $15 billion from chairman | The Record from Recorded Future News
- US Congress committee investigating Musk-owned Starlink over Myanmar scam centres | Myanmar | The Guardian
- Satellites Are Leaking the World’s Secrets: Calls, Texts, Military and Corporate Data | WIRED
- Netherlands invokes special powers against Chinese-owned semiconductor company Nexperia | The Record from Recorded Future News
- Spyware maker NSO Group confirms acquisition by US investors | TechCrunch
- Apple Announces $2 Million Bug Bounty Reward for the Most Dangerous Exploits | WIRED
- Wiz Finds Critical Redis RCE Vulnerability: CVE‑2025‑49844 | Wiz Blog
- SonicWall admits attacker accessed all customer firewall configurations stored on cloud portal | CyberScoop
- SonicWall SSLVPN devices compromised using valid credentials | Cybersecurity Dive
- Issues Affecting CrowdStrike Falcon Sensor for Windows
- ZDI Drops 13 Unpatched Ivanti Endpoint Manager Vulnerabilities - SecurityWeek
- Jaguar Land Rover launches phased restart at factories after cyber-attack | Jaguar Land Rover | The Guardian
- Windows 10 support ends today — here's who's affected and what you need to do

Transcript
Starting point is 00:00:00 Hey everyone and welcome back to Risky Business. My name's Patrick Gray and yeah, I'm on deck again after a couple of weeks off. I had a terrific break and consider myself extremely lucky that I can take basically all of the school holidays off to hang out with my kids. One of the reasons I was able to do that this break is because Amberleigh Jack stepped in for me to fill in for me and host the first ever edition of Risky Business that didn't have me in it, and she did a terrific job. So I just wanted to start today's show by saying Amberleigh, thank you so much for doing that. And yeah, universally awesome feedback as well. And, you know, the week before that Adam was away, so this is our first show together in, like,
Starting point is 00:00:45 four weeks, which is, yeah, so it's cool, we've missed it, so we're back on deck. Before we get into it though, just one thing I wanted to mention this week is we are hiring. We're probably not really looking to urgently onboard anyone, but we are looking for someone to join us who can act as an interviewer and as a podcaster, and someone who's also got, you know, plenty of knowledge about cyber security and, you know, the products that make up the cyber security industry. If this is something that you are interested in doing, if you want to apply to work with us, we're most interested in people who are based anywhere from the east coast of Australia to
Starting point is 00:01:25 the west coast of the United States. New Zealand, pretty much the perfect location time zone wise. So if you want to apply for that, just email your resume to editorial at risky.biz and include a video of yourself, and this can just be shot straight into a phone, like a self-shot video, explaining to us what you think a big problem in enterprise security is, and that'll just give us a sense of how you speak to a camera, how you speak to a microphone. So yeah, if it's something you're interested in pursuing, do get in touch with us. And yeah, on to this week's show now, and this week's show is brought to you by Stairwell.
Starting point is 00:02:03 And Mike Wiacek, who is the founder of Stairwell, will be along in this week's sponsor interview a little bit later on talking about how a bunch of people these days are licensing the Stairwell API and they're using it for SIEM enrichment, much in the same way that people would use VirusTotal. So that is an interesting conversation and it is coming up later. But first up, of course, it is time for a check of the week's security news with Adam. Missed you, dude. No, well, it's good to be back. Like, there's a lot of,
Starting point is 00:02:30 lot of interesting stuff to talk about, some great bugs too, which I always enjoy. Yeah, it's funny, right, we got a, we got a whole bug section at the end of the show, but like a big thing that's been happening, I guess, really all year,
Starting point is 00:02:42 but it seems to have hit fever pitch at the moment, is just all of these data extortion attacks, right? So we've got Clop going nuts with some Oracle bugs, and then we've got, what are they calling,
Starting point is 00:02:53 they're calling themselves, ironically, what is it, the Lapsus Shiny Scattered Hunters, Scattered Lapsus Hunters. Yeah, so like the Com with its usual kind of set of hats on. Yes, yeah, yeah, and a sense of humor about it. And they've been going around and, what, socially engineering people's Salesforce data. That's been obviously happening for months now, but some of that data is now starting to leak. Big news here in Australia where, uh, Qantas data on like 5.7 million customers or something, I'd be one of them, uh, has leaked. But look, it's just, I mean, it's just mayhem out there, right? Yeah, yeah, it really
Starting point is 00:03:24 is. And we're, you know, the kind of stuff happening in so many directions. We've seen, you know, some new data leaks that's coming up with data that previously we hadn't seen publicized, you know, some arrests, some kind of doxing generally of Com kids. But yeah, it's a real mess out there. Yeah, so we've seen this FBI takedown of yet one more breach forums, right? So it's Breach Forums, not Breached Forums, and I don't know if there's like 17 of these as well, as there were with BreachForums. What do we know here? So this was a leak site that was being set up to distribute data from Salesforce. They called it Breached Forums, or Breach Forums, which I think is just at this point
Starting point is 00:04:05 basically a running joke because it'll just confuse us poor pundits who have to talk about it. But they were going to stand up, Scattered Spider crew, the Com crew, whoever, were going to stand up a site to release a bunch of data. They'd set up a clear net and a dark web site. That got seized by the FBI, or at least, take it, you know, the FBI seized banner put on top of it. It looks like they had compromised the servers behind it because it was also the onion site, the dark web site was also,
Starting point is 00:04:36 had been defaced, I guess, defaced by law enforcement. Since then, the kids have, you know, kind of taken back their onion site. I think the clear web one, the domain is long gone, the registrars pulled it or whatever. So, yeah, they were setting up to leak some data, got kind of gazumped by the FBI. And, you know, that may have set it back a little bit, but I'm sure we'll see the data come out, nevertheless. I mean, this is something that occurred to me when the news first broke here about the Qantas data leaking,
Starting point is 00:05:02 which is that somewhere in government, someone was signing a piece of paper authorising ASD, AFP, joint task forces or whatever, to go and destroy that data, right? Like, search and destroy for large corpuses of data, you know, leaked in a country like Australia, like that is going to result in shells getting popped. Like, that's down as policy right now. And I just thought that, you know, that my mind went there immediately on hearing the news. I thought, you know, I just found that interesting. Yeah, it's certainly, like the world has changed a little bit around, you know, both data extortion
Starting point is 00:05:33 and, like, I guess the impact that has on the wider ransomware, you know, like locking things up for ransom. But, yeah, like that kind of calculus is different than perhaps it would have been five or six years ago. And the idea that, you know, we see law enforcement, you know, showing up in leak sites and spooks in some case, you know, going around and destroying data. Like, it's a, it's an interesting development. And, you know, it's probably still better than ransomware. I think it makes more sense than the other way around, right? Like, I never thought it made sense that you would have, like in the case of Qantas,
Starting point is 00:06:04 it's a very important company that used to be, I think it was state owned, right, at some point, and then privatized. And, you know, it's a very big deal. And the idea that someone would steal heaps of customer data and just post it and the government would just go, ah, well, you know, what are you going to do? Like, that's the part that seemed crazy. I think the idea that we've got authorities like really actively, aggressively and quickly going after this sort of leak data, that's a good thing.
