Risky Bulletin: A decade later, Russian hackers are still using SYNful Knock, and it's still working

Written by

Catalin Cimpanu

News Editor

This newsletter is brought to you by  Kroll . You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business" in your podcatcher or subscribing via this RSS feed .

Cisco and the FBI have asked "the public, private sector, and international community"—also known as "anyone willing to listen"—to patch their stupid end-of-life Cisco routers for an ancient 2018 vulnerability that's being " broadly " exploited by Russian hackers linked to the country's FSB intelligence service.

A group known as Static Tundra has been abusing a bug tracked as CVE-2018-0171 over the past year to install backdoors on old and outdated Cisco routers that are still haunting many corporate and government networks.

Static Tundra has been abusing the vulnerability ever since it was discovered back in 2018, but they expanded operations in 2022 and then again last year, as Russia's war in Ukraine has forced the FSB to ramp up intelligence collection capabilities.

The vulnerability allows attackers to abuse a bug in the Smart Install feature to crash the router and then run custom malicious code that installs a custom-made backdoor known as SYNful Knock .

When it was discovered back in 2015, the backdoor was a novelty because it was one of the first custom-made Cisco implants that modified the device firmware to add reboot persistence and allow intruders to return any time they wanted.

Cisco and the FBI say the group has used the backdoor to dump and steal configuration files and then return in case they find a target of interest that they want to compromise further by using the router as a launch point for reconnaissance and other exploits.

The new reports shed light on what this particular group has been doing lately. According to Cisco Talos, Static Bear is a subcluster inside an older and larger Russian espionage operation known as Dragonfly , Energetic Bear , and Berserk Bear .

The group had basically gone dormant around 2022, after the US Justice Department charged four members and formally linked its operations to FSB Center 16.

Taking into account the Talos and FBI reports, the answer to the question of what has Dragonfly been up to is nothing and a lot at the same time. Same old exploits over and over again, because people don't patch their s**t and the same decade-old backdoor still works just fine.

Risky Business Podcasts

The main Risky Business podcast is now on YouTube with video versions of our recent episodes. Below is our latest weekly show with Pat and Adam at the helm.

Breaches, hacks, and security incidents

Orange Belgium hack: Hackers have stolen customer data from the Belgian branch of Orange Telecom. The hack took place at the end of July and impacted 850,000 clients . Stolen data includes names, telephone numbers, SIM card numbers, PUK codes, and subscription details. Orange Romania and Orange France also disclosed breaches this year.

General tech and privacy

Thundermail selects Germany: Mozilla has chosen Germany to host the servers of its upcoming Thundermail webmail service. The service is Mozilla's first foray into the hosted email business. It is expected to launch later this year under a paid subscription model.

The importance of not getting hacked: In an interview , Coinbase CEO Brian Armstrong says that if the company had gotten hacked in its early stages, it would have had to shut down and Coinbase would not exist today.

Google expands AI Mode: Google has expanded its AI Mode search experience to 180 new countries . The mode will only work in English.

Microsoft aims to be quantum-safe by 2029: Microsoft aims to ship quantum-safe encryption algorithms in all products by 2029 . The algorithms will become defaults by 2033. The migration to quantum-safe algorithms will begin with core services next year.

Government, politics, and policy

VIGINUM head leaves for private sector: The head of operations at France's anti-disinformation agency VIGINUM has left for the private sector. According to Intelligence Online , Hervé Letoqueux will join Finnish disinformation-fighting company Check First. Letoqueux has led VIGINUM since the agency was established three years ago.

China blocks all HTTPS traffic for an hour: China's Great Firewall blocked all HTTPS traffic on Wednesday for an hour. The incident caused massive Internet disruptions in China. It's unclear if this was an intentional test or a technical fault. Russia has regularly conducted experiments to disconnect its national internet from the rest of the world. China has not recently conducted similar tests.

New NSA deputy director: The Trump administration has selected Joe Francescon to become the NSA's next deputy director. Francescon replaces Wendy Noble. Noble was fired by the White House in April at the request of far-right activist Laura Loomer. Francescon served in the DOD and NSC during the first Trump administration. [ Additional coverage in Politico ]

ODNI cuts 40% of staff: The Office of the Director of National Intelligence will fire 40% of its workforce. The agency hopes to cut its budget by more than $700 million annually. Director of National Intelligence Tulsi Gabbard claimed the Office was bloated, inefficient, and politicized and weaponized intelligence. [ Additional coverage on PBS ]

US border search numbers: The US CBP executed more device searches at the border in the first three months of the year than any other previous quarter, according to government numbers . [ Additional coverage in TechCrunch ]

FTC tells US tech companies not to censor content: The US Federal Trade Commission has warned several US tech companies not to censor content or weaken encryption at the request of foreign governments. The FTC specifically mentions the EU's Digital Services Act and the UK's Online Safety Act. Letters were sent to Akamai, Alphabet, Amazon, Apple, Cloudflare, Discord, GoDaddy, Meta, Microsoft, Signal, Snap, Slack and X.

Sponsor section

In this Risky Business sponsor interview , Ed Currie from Kroll Cyber talks to Tom Uren about the recent hack of the Gravy Analytics geolocation data provider. He explains the hack and how geolocation data can be used by malicious actors.

Arrests, cybercrime, and threat intel

RapperBot botnet author arrested: US authorities have charged an Oregon man with building and operating the RapperBot DDoS botnet. Ethan Foltz managed RapperBot as a DDoS-for-hire operation together with another individual going by the hacker name of Slaykings. The botnet had been around since 2021 and primarily infected home routers and DVRs. It was averaging between 65,000 and 95,000 infected devices before the FBI took it offline earlier this month. According to court documents, Foltz was identified after he paid RapperBot command-and-control servers with his PayPal account. The botnet was also used to target Pentagon networks on at least three occasions. [ Additional coverage in KrebsOnSecurity ]

Europol says Qilin reward is fake: Europol says that reports of a reward for members of the Qilin ransomware group are false. The $50,000 reward was posted on an Europol-themed Telegram channel. The agency told SecurityWeek it does not have an official presence on Telegram.

Scattered Spider member sentenced to 10 years: A member of the Scattered Spider group was sentenced to 10 years in prison. Noah Michael Urban hacked into major online services, stole customer data, and then used the information for SIM swapping attacks. Urban, who used the hacker names of Sosa and King Bob, was also ordered to pay $13 million in restitution to past victims. He is one of five Scattered Spider members detained last year. [ Additional coverage in KrebsOnSecurity ]

Dutch phisher sentenced: Dutch authorities sentenced a 26-year-old man to four years in prison for phishing and scams targeting the elderly. The suspect stole €277,000 using sites that impersonated banks and government services. His hacking spree lasted almost half a decade, from 2019 to 2024, when he was arrested.

New SMS blasters arrested: Thai and Vietnamese authorities have detained two new suspects for driving with SMS blasters in their cars. A 35-year-old South Korean man was arrested in Bangkok, and another suspect was detained in Ho Chi Minh City . Both were paid to drive around and send waves of SMS spam to users connecting to their fake base station. The arrests mark the third bust of SMS blasters in Thailand in the last two weeks, and the second one in Vietnam. [ Additional coverage in CommsRisk ]

Microsoft restricts Chinese firms from MAPP: Microsoft has restricted access for Chinese security firms to its Active Protections Program, or MAPP. According to Bloomberg , the change will limit access to any security companies from countries where they have to report vulnerabilities to their governments. For now, only Chinese companies are affected. Microsoft will also no longer provide "proof of concept" code for upcoming security fixes. MAPP participants will receive only a general description of the upcoming patches. Microsoft changed the rules after suspicions that a recent SharePoint zero-day originated from a MAPP leak.

Russia reports first case of cybercrime on Max: After Russian officials spent weeks claiming they need to ban foreign instant messaging services like WhatsApp and Telegram because they're full of "crime" and that Russians should switch to the "cleaner" Max app, authorities reported on Wednesday the first case of fraud on the app.

VPN extension takes screenshots: A popular Google Chrome extension is silently taking screenshots of every page its users visit. The FreeVPN.One extension is installed by more than 100,000, and does not disclose the behavior in any way. Screenshots are taken a few seconds after pages load and are uploaded to a remote server. Device details and geolocation data are also collected. According to Koi Security , the malicious behavior was added in an update on July 17. The extension is still live on the Chrome Web Store, where it was once featured as a recommended extension.

New UAE exploit broker: A new exploit broker is offering rewards of up to $20 million for exploit chains in mobile operating systems. Advanced Security Solutions launched this month and operates out of the UAE. The company is offering, by far, the largest prices for zero-day exploits on the market. It's also offering $15 million for zero-click exploits in Android and iOS, $10 million for Linux and Windows, and $7 million for macOS. [ Additional coverage in TechCrunch ]

Intellexa in Czechia: VSquare takes a closer look at Intellexa's companies in the Czech Republic.

GenAI abuse: Proofpoint looks at how AI services are being abused for phishing operations.

GeoServers abused in proxy campaign: A threat actor is hacking GeoServer geospacial database servers to hijack their bandwidth. The hackers target unpatched servers ( for CVE-2024-36401 ) and deploy apps that add the servers to residential proxy networks. The attacks have been going on since March and are still ongoing, according to Palo Alto Networks .

Lumma affiliate ecosystem: Recorded Future looks at the activity of Lumma affiliates —the cybercrime groups who rent and actually deploy the infostealer in the wild.

ClickFix scenarios: Microsoft's security team looks at all the places it has seen ClickFix being used in the wild .

NoName still the top dog: Pro-Kremlin hacktivist group NoName057 has remained the most active DDoS group in July despite an international takedown that took down its servers. The group recovered a week later.

Money laundering in META: Group-IB has published a report on the evolution of money mule tactics in the META region—Middle East, Turkey, and Africa.

Malware technical reports

Warlock ransomware: Trend Micro has published a technical analysis of Warlock , the ransomware strain that was being deployed in the recent SharePoint zero-day hacking spree.

SHAMOS: CrowdStrike has spotted a new version of the Atomic macOS Stealer (AMOS). The new version is named SHAMOS and was developed by the COOKIE SPIDER threat actor. The group used ClickFix techniques to trick users into running malicious commands on their macOS devices.

QuirkyLoader: IBM's X-Force team has spotted QuirkyLoader , a new malware loader involved in multiple campaigns delivering RATs and infostealers. QuirkyLoader appears to have been active since November of last year.

Targeted Android backdoor: Russian security firm Dr.Web claims to have discovered a new Android backdoor designed for "targeted attacks" against Russian users. The malware is distributed via fake antivirus apps. It can run commands sent by an attacker, but can also spy through the phone's mic and camera, and steal browser and messenger data. Dr.Web has not attributed the malware.

CORNFLAKE.V3 backdoor: Google's Mandiant team looks at attacks from two threat actors (UNC5518 and UNC5774) that deployed version 3.0 of the CORNFLAKE backdoor .

Risky Business podcasts

In this edition of Between Two Nerds , Tom Uren and The Grugq talk about whether the cyber industry and intelligence agencies focus too much on technical details and ignore the bigger picture.

APTs, cyber-espionage, and info-ops

Paper Werewolf (Goffee): BI.ZONE has published a report on Paper Werewolf 's recent abuse of a WinRAR zero-day in attacks targeting Russian companies.

UAC-0057: HarfangLab has discovered two new clusters of malicious archives used by the UAC-0057 APT group to target Poland and Ukraine. The group is also known as Ghostwriter.

Murky Panda (Silk Typhoon): CrowdStrike has seen increased activity from Murky Panda , a Chinese espionage group also known as Silk Typhoon.

MuddyWater targets CFOs: Hunt Intelligence has spotted a spear-phishing campaign targeting CFOs around the world from infrastructure previously used by Iranian APT group MuddyWater.

Vulnerabilities, security research, and bug bounty

Microsoft silently patches Copilot bug: Microsoft has silently patched a vulnerability in its Copilot AI agent. The vulnerability allowed malicious users to instruct Copilot to access files without leaving traces in activity logs. Security firm Pistachio says Microsoft patched the bug this week but did not disclose it, notify customers, or issue a CVE.

Apple zero-day: Apple has patched an actively exploited zero-day in its iOS and macOS operating systems. Tracked as CVE-2025-43300, the vulnerability is located in Apple's image processing framework Image I/O. Apple says attackers can abuse malicious media files to corrupt a device's memory. The zero-day was allegedly used in an " extremely sophisticated attack against specific targeted individuals ."

Cisco security updates: Cisco has released  three security advisories for its firewall products.

Daily AI agent hacking: Embrace the Red has published research on how they hacked the Amazon Q Developer and the Windsurf Cascade vibe-coding AI agents to leak developer secrets.

Anthropic Postgres MCP vulnerability: Datadog researchers have found an SQL injection vulnerability in Anthropic's Postgres MCP server. The vulnerability allowed researchers to bypass read-only restrictions and execute SQL statements. Anthropic responded by deprecating and archiving the project on GitHub.

Vulnerability scoring systems: An academic paper compares the accuracy and usefulness of various vulnerability scoring systems, such as CVSS, SSVC, EPSS, and the Exploitability Index. One of the findings is below.

"Scoring systems show minimal agreement on which CVEs to prioritize: only 5 CVEs overlap across all four systems in their top-100 lists. Large tie groups—such as 198 CVEs sharing a top-20 score in CVSS—further undermine the ability to rank vulnerabilities meaningfully."

Takeover bug in industrial routers: A vulnerability in two industrial routers can allow attackers to take over devices and access OT networks. The vulnerability impacts mbNET and Helmholz REX devices. It allows attackers to post malicious Lua code in the router's management panel and have it executed. Exploitation requires credentials to the device's web panel, but according to Marcel Rick-Cen , many routers still use their default credentials.

nopCommerce DoS: There's a denial of service bug in the nopCommerce platform, where attackers can crash online stores by uploading large Excel files.

More Commvault bugs: WatchTowr Labs has published a write-up on four new vulnerabilities they found in the Commvault enterprise backup solution. They found an RCE back in April. These new bugs can be combined in two different pre-auth RCE chains. All new bugs have been patched this week.

Scamlexity attack: Guardio warns that AI-enabled browsers are extremely vulnerable to AI prompts hidden in malicious websites that may instruct the browser to take fraudulent actions on behalf of users, such as buying unwanted products, subscribing to shady services, or harvesting credentials. They call this type of attack Scamlexity .

Ruby deserialization attacks: Trail of Bits' Matt Schwager has published a history of Ruby deserialization attacks.

Infosec industry

Acquisition news: Aikido Security has acquired AI code review company Trag.

New tool—GroupPolicyBackdoor: Synacktiv has open-sourced GroupPolicyBackdoor, a Python utility for manipulating and exploiting Group Policy Objects (GPOs).

New tool—Azure AppHunter: Cloud security engineer Marios Gyftos has released Azure AppHunter , a PowerShell tool to identify excessive or dangerous permissions assigned to Azure Service Principals.

Threat/trend reports: Acronis , Dragos , Infosys , Netscout , Positive Technologies , and Proofpoint have recently published reports and summaries covering various infosec trends and industry threats.

Risky Business podcasts

In this edition of Seriously Risky Business , Tom Uren and Amberleigh Jack talk about a new report that looks at how Russian cybersecurity firms have adapted since the country's invasion of Ukraine. These firms are doing surprisingly well financially.