Reuters Blows Lid on Meta's Fraud Profit Scandal – Risky Biz


Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It’s supported by Lawfare with help from the William and Flora Hewlett Foundation. This week’s edition is sponsored by Prowler.
You can hear a podcast discussion of this newsletter by searching for “Risky Business News” in your podcatcher or subscribing via this RSS feed.
In an eye-popping investigation, Reuters has revealed that Meta had projected its 2024 advertisements for scams and banned goods would bring in about US$16 billion, or 10% of its total revenue.
The report is based on a cache of documents reviewed by Reuters.
In one of those documents, Meta’s safety staff estimated that the company’s platforms were “involved” in a third of all successful scams in the US. That’s a stunning figure. But we do wonder how much of that involvement is simply WhatsApp being used to talk to victims. If advertisements weren’t the bait that lured victims, it hardly seems fair to blame Meta for running an end-to-end encrypted messaging app.
The company doesn’t get such an easy pass elsewhere, though. Other documents revealed that Meta only bans advertisers if its automated systems are 95% certain that an account is committing fraud. If the account doesn’t meet that threshold, but Meta still believes it is likely a scammer, the company instead charges higher advertisement rates as a “penalty”. According to Reuters, the idea here is to discourage suspicious advertisers from buying ads. But in our view it’s just as likely to encourage Meta to accept high-risk ads as it is to prevent scammers from placing them. It’s a two-sided incentive. A scammer’s penalty is Meta’s profit, after all.
The documents suggest that Meta’s management weighed the financial windfall from scam ads against the costs of regulatory action. The company raked in $3.5 billion every six months from ads determined by the legal team to have “higher legal risk”, such as impersonating a brand or celebrity. The document notes that the revenue would almost certainly exceed the cost of “any regulatory settlement involving scam ads”. 
One document from February 2025 detailed exactly how much revenue Meta was willing to forgo to clamp down on suspicious advertisers: 0.15% of total revenue or $135 million. Our napkin maths suggests if you are only willing to forgo $135 million to tackle a $16 billion problem … you still have a $16 billion problem.
Scams are a huge issue, and our cynical view is that (much like the cybersecurity field) companies typically only respond when political pressure or government action forces their hands. One former Meta employee, Rob Leathern, suggested to Wired that the platforms should be forced to relinquish any money earned by scam ads. This could be used to fund anti-scam non-profits, for example, and would remove the incentive for Meta to turn a blind eye.
We can get behind that.
For whatever reason, state-backed adversaries are showing at least some restraint when it comes to their supply chain attacks.
Last week, network security firm SonicWall announced that state-backed hackers were responsible for a September breach of the MySonicWall cloud backup service. In that incident the hackers stole all firewall configuration files that had been backed up to the service.
The firewall backup files were designed to completely restore a device or its replacement and they included a snapshot of the full configuration including credentials and other secrets. According to SonicWall, those credentials and secrets were “individually encrypted” but it is not clear how the encryption keys were stored or derived. 
The company has reassured its customers that the breach did not impact its products and that “no other SonicWall systems or tools, source code, or customer networks were disrupted or compromised”. That’s not entirely reassuring. The attack was clearly not targeted at SonicWall per se, but was, instead, an attempt to access its customers. 
Even configuration information without cleartext secrets could be used to inform attacks on SonicWall customers. Of course, attacking vendors to get to customers is not a new phenomenon.
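To make the point about backup files concrete from the customer's side, here is an added example (not from the newsletter, and not SonicWall's code or file format). It triages a constructed, generic key/value config export into three buckets that each need a different response: secrets stored in cleartext, secrets stored in an "individually encrypted" form (which still get rotated, because the customer has no way to know how the key was stored or derived), and non-secret settings such as admin usernames, management addresses and VPN peers that describe attack surface and should feed into monitoring. The field-name patterns, the `$enc$` marker and the sample export are all constructed for the example.

```python
"""Triage a leaked firewall configuration backup into rotate/monitor lists.

Added example. The backup format is a constructed generic key=value export,
not any vendor's real format; the '$enc$...' prefix stands in for a vendor's
"individually encrypted" secret representation.
"""
import re
from dataclasses import dataclass, field

# Leaf field names that carry a credential (constructed patterns).
SECRET_KEYS = re.compile(
    r"(password|passwd|psk|shared[_-]?secret|api[_-]?key|private[_-]?key|snmp[_-]?community)$",
    re.I,
)
# Leaf field names that are not secrets but still describe attack surface.
EXPOSURE_KEYS = re.compile(
    r"(admin[_-]?user|bind[_-]?user|mgmt[_-]?ip|mgmt[_-]?port|vpn[_-]?peer|allowed[_-]?ip)$",
    re.I,
)
# Values in this shape are treated as the vendor's encrypted-at-rest form.
ENCRYPTED_VALUE = re.compile(r"^\$enc\$[A-Za-z0-9+/=]+$")

# Constructed sample export; every value here is fake.
SAMPLE_BACKUP = """\
# constructed sample export
system.hostname=edge-fw-01
admin.admin_user=fwadmin
admin.password=$enc$aGVsbG8td29ybGQ=
mgmt.mgmt_ip=203.0.113.10
mgmt.mgmt_port=8443
vpn.site2site[0].vpn_peer=198.51.100.7
vpn.site2site[0].psk=CorrectHorseBatteryStaple
snmp.snmp_community=public
ldap.bind_user=CN=svc-fw,OU=svc,DC=example,DC=test
ldap.bind_password=$enc$c2VjcmV0
api.api_key=sk_live_000000000000
"""


@dataclass
class Triage:
    cleartext_secrets: list = field(default_factory=list)  # rotate first
    encrypted_secrets: list = field(default_factory=list)  # rotate anyway
    exposures: list = field(default_factory=list)          # monitor / harden


def parse_backup(text: str) -> dict:
    """Parse key=value lines in file order, skipping blanks and comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def triage_backup(text: str) -> Triage:
    """Classify each setting by its leaf name and, for secrets, by value form."""
    result = Triage()
    for key, value in parse_backup(text).items():
        leaf = key.rsplit(".", 1)[-1]
        if SECRET_KEYS.search(leaf):
            if ENCRYPTED_VALUE.match(value):
                result.encrypted_secrets.append(key)
            else:
                result.cleartext_secrets.append(key)
        elif EXPOSURE_KEYS.search(leaf):
            result.exposures.append(key)
    return result


def rotation_list(triage: Triage) -> list:
    """Every credential-bearing setting is rotated; cleartext ones come first."""
    return triage.cleartext_secrets + triage.encrypted_secrets


if __name__ == "__main__":
    t = triage_backup(SAMPLE_BACKUP)
    print("rotate now:   ", t.cleartext_secrets)
    print("rotate anyway:", t.encrypted_secrets)
    print("monitor:      ", t.exposures)
```

The design choice worth noting is that encrypted secrets go on the rotation list alongside cleartext ones: a customer cannot verify how the vendor's encryption keys were derived or stored, so treating "encrypted" as "safe" is an assumption the customer is not in a position to make.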
Back in mid-October, the networking and security firm F5 disclosed an even more worrying attack. The company said it had been the victim of a “highly sophisticated nation-state threat actor” that gained “long-term persistent access to certain F5 systems”. The systems accessed included the development environment for F5’s main product, the BIG-IP load balancer, as well as the company’s engineering knowledge management platform.
The attackers first broke into F5 in late 2023 and weren’t discovered until August this year. F5 claims to be “trusted by 85% of the Fortune 500”. When the breach was disclosed CISA released an emergency directive for federal agencies to find and patch vulnerable devices. 
The day it disclosed the attack, F5 released a whole bunch of patches for vulnerabilities believed to have been stolen. In addition to the vulnerability information, the hackers stole some source code and also configuration or implementation information “for a small percentage of customers”. (Risky Bulletin has a good wrap of the whole incident.) 
Sources told Bloomberg that Chinese state-backed hackers were responsible, and the malware used in the F5 hack is linked to the group known as Salt Typhoon. Despite the length of time they were in F5 systems and the vulnerability information they accessed, the impact of the hack, to date, is surprisingly limited. 
By contrast, other Chinese-backed campaigns discreetly taking advantage of undisclosed vulnerabilities have regularly ramped up into mass exploitation once the activity is detected. See, for example, this year’s mass exploitation of SharePoint vulnerabilities and the Exchange free-for-all in 2021.
This F5 intrusion reminds us of the 2020 SolarWinds hack. In that incident, the threat actors gained access to the build system of SolarWinds’ Orion software. Rather than just stealing source code and vulnerabilities, however, the build system was subverted to push malware out to customers in a software update.
Around 18,000 customers received the malware, but subsequent hacking was only carried out on about 100 of them. This breach was a huge deal politically at the time, but in truth was targeted and responsible, especially in contrast to mass hacking events that have occurred since. 
In F5’s case the hackers had all the pieces in place to carry out a SolarWinds-style attack by subverting BIG-IP’s build, but they don’t appear to have pulled the trigger. 
State-backed hackers have an enduring interest in enterprise vendors whose products could be compromised to provide access to target networks. For whatever reason, adversaries seem to show some restraint in these cases, unlike the Chinese when they get their hands on some juicy Exchange 0day and go ham.
We’re not saying these supply chain attacks aren’t bad and damaging. They are. But as we’ll always cheerily tell you here at Risky Business Media: It could always be worse!
Britain’s spy agencies and its military have stopped sharing intelligence with the US about suspected drug trafficking vessels in the Caribbean, according to a new CNN report.
This month, 76 people have been killed in 19 US strikes against what the White House alleged were drug smuggling boats. Sources told CNN that British officials believe the strikes are illegal and the UK does not want to be complicit in them. The UK has a number of intelligence assets in its Caribbean territories. It suspended intelligence sharing about a month ago. 
A source told The Times that this intelligence could come from GCHQ and include the location of drug smuggling vessels and the numbers of people onboard.
The UK’s decision could result in being cut off from US intelligence in response, so it is not a risk-free move. This is a reminder that secretive intelligence agencies can be responsible moral actors, despite their frequent portrayal in Hollywood movies as utilitarian and amoral. 
The Russian hacking group Sandworm has been launching wiper attacks against Ukraine’s grain sector, according to Slovak cyber security firm ESET. 
ESET speculates the attacks are designed to weaken Ukraine’s wartime economy as grain is a major export for the country. Its report doesn’t describe how the wipers are affecting the grain sector, so it is unclear if these are clever attacks that achieve what would otherwise be impossible with drones, missiles, or other conventional munitions. That would be interesting.
It is worth noting, however, that the impact of the war on Ukraine’s agricultural production is already huge. In April the English-language Ukrainian outlet United24 Media reported that up to 25% of the country’s agricultural land is off limits because it is either unsafe due to landmines or is too close to combat zones. Russia has also used conventional weapons to disrupt exports by targeting grain storage facilities, ports and even vessels.  
Watch Amberleigh Jack and Tom Uren discuss this edition of the newsletter:
In this Risky Business sponsor interview, Casey Ellis chats to Toni de la Fuente, founder and CEO of Prowler, an open source platform for cloud security. They chat about how and why Prowler selectively applies AI to ensure it adds value rather than just because they can.
The former ambassador to Israel during President Trump’s first administration, David Friedman, has been appointed executive chairman of NSO Group. 
In the abstract this is a positive move as it indicates that the spyware company is keen to stay in the US government’s good graces. This would be reassuring … in a normal administration.
In the UK, the Bank of England has confirmed the ransomware attack on Jaguar Land Rover affected the UK’s GDP growth for the quarter. The attack disrupted car production but also affected thousands of companies in Jaguar’s supply chain.
In Japan, the beer brewer Asahi is still operating at about 10% capacity more than a month after a ransomware attack. 
You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).  
In our last “Between Two Nerds” discussion Tom Uren and The Grugq discuss how cyber criminals and even state actors are being dumb about using AI. 
Or watch it on YouTube!
Another Chinese security firm has its data leaked: More than 12,000 internal documents were leaked online from Chinese security firm KnownSec.
The files were uploaded last week on GitHub by an unknown individual and later removed before the repo got any widespread circulation.
According to analyses from Mrxn and NetAskari, who got their hands on the leak, the most recent documents are from 2023. This suggests this was likely when the files were stolen/exfiltrated from the company’s network, or at least that someone intentionally truncated the leak to keep the most recent files for themselves.
[more on Risky Bulletin]
Yanluowang ransomware IAB pleads guilty: A Russian man has pleaded guilty to hacking US companies and selling access to ransomware groups.
Aleksei Olegovich Volkov went online under the hacker name of chubaka<dot>kor, and worked as an initial access broker (IAB) for the Yanluowang ransomware.
Volkov used various techniques to breach a corporate employee’s account, escalate access to the employer’s network, and then sold that access to other cyber criminals.
According to court documents, between July 2021 and November 2022, Volkov regularly sold access to individuals who later deployed the Yanluowang ransomware.
[more on Risky Bulletin]
Europol arrests payment service executives for role in credit card fraud ring: Law enforcement agencies from Europe, Asia, and North America have dismantled a massive credit card fraud network that stole money from users using unwanted online subscriptions.
Eighteen suspects were arrested for defrauding users of more than €300 million since 2016.
According to Europol and Eurojust, the group stole credit card data, created accounts on online websites with the stolen information, and subscribed users to premium services.
[more on Risky Bulletin]
