Risky Bulletin Newsletter
January 28, 2026
Risky Bulletin: Cyberattack cripples cars across Russia
Written by
News Editor
This newsletter is brought to you by Push Security. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business" in your podcatcher or subscribing via this RSS feed.
A cyberattack wreaked havoc across Russia on Monday after the servers of the Delta smart alarm system went down.
Per reports in local media, car owners using Delta's alarm system couldn't unlock their cars or stop active alarms. In some cases, owners couldn't start their engines, or their engines jammed while driving.
The company confirmed the incident but did not provide other details besides calling it a "large-scale external attack."
Delta's phone lines and website were down all day on Monday and the disruption continued the next day.
The attack didn't appear to impact systems managing home alarm systems—or at least homeowners didn't notice any malfunction.
According to Auto.ru, the Delta app launched in 2020, is compatible with most cars, and can also be used to track a car's location.
The app also stores payment data, which now has some customers worried that both their personal and financial data could be stolen if Delta's internal systems were breached.
No known hacking group has taken credit for the attack, and it's unclear if this was just a simple DDoS or something way worse like a wiper or ransomware.
The Delta incident also took place on the same day that the Leonardo travel booking system went down across Russian airports, but authorities said it was unrelated and linked that outage to a technical issue.
Risky Business Podcasts
The main Risky Business podcast is now on YouTube with video versions of our recent episodes. Below is our latest weekly show with Pat and Adam at the helm!
Breaches, hacks, and security incidents
China hacked phones at Downing Street: Chinese hackers have allegedly hacked the phones of senior officials in Downing Street. The hacks took place between 2021 and 2024 and targeted the aides of Boris Johnson, Liz Truss, and Rishi Sunak. It's unclear what level of access the hackers had or if they compromised former Prime Ministers. British PM Sir Keir Starmer is set to meet Chinese officials this week. [ The Telegraph ]
Huge GDPR fine in Sweden: The Swedish data protection agency has fined sports software provider SportAdmin €565,000 for a January 2025 security breach that exposed the personal details of 2.1 million individuals, most of whom were children who had signed up for various sports clubs.
General tech and privacy
USSC to hear Facebook pixel tracking case: The US Supreme Court will hear a case regarding the legality of Facebook's Pixel tracking technology. The case deals with the use of the Pixel on one of Paramount Global's sports streaming sites. A California man argues that a 1980s-era video rental privacy law protects him from having his viewing habits shared with third parties like Facebook or online advertisers. [ Courthouse News ]
Google agrees to $68m settlement: Google has agreed to pay $68 million to settle a class action lawsuit. The company was accused of illegally recording users via its voice assistant. Google later used the recordings to deliver targeted ads. Apple reached a similar $95 million settlement last year over Siri recordings. [ The Guardian ]
TikTok switches to 'muricaaaaah ToS: After it entered a new ownership model, the new US-owned TikTok company has updated its terms of service to include even more data collection clauses, such as precise GPS location data, AI prompt history, and others. [ BBC ]
WhatsApp rolls out Strict Account Settings: WhatsApp is rolling out a new security feature meant to block advanced exploits and spyware. The new Strict Account Settings feature works similarly to Apple's Lockdown Mode and Android's Advanced Protection Mode. It enables two-factor authentication, turns on security notifications, and prompts the user to set up encrypted backups. It also disables link previews and blocks attachments and media from unknown senders.
Split view comes to Firefox: Support for split view tabs is currently being tested in Firefox Nightly previews. Only two tabs are supported, so temper your expectations.
Government, politics, and policy
US cancels all BAH contracts over leak: The US Treasury has canceled all contracts with Booz Allen Hamilton over a leak of IRS documents. Between 2018 and 2020, a Booz Allen employee leaked the tax records of more than 400,000 Americans to reporters at ProPublica and the New York Times. This included tax records for President Donald Trump, Elon Musk, Jeff Bezos, and other billionaires. The leak exposed their tax avoidance schemes. [ Zero Day ]
This is directly related to the case of Charles Edward Littlejohn, who stole the tax records of Trump, Bezos and other billionaires and leaked them to ProPublica, which published a series of stories in 2021 about them.
— Kim Zetter (@kimzetter.bsky.social) 2026-01-26T15:36:21.356Z
New White House cyber order: The Trump administration has rescinded a 2021 Biden-era executive order that required federal agencies to obtain cybersecurity attestations and assurances from software providers. The White House says federal agencies will shift to using SBOMs to control their software supply chains. [ NextGov ]
Israel working on new cyber law: The Israeli government is working on the country's first cybersecurity law. The law is expected to pass this week. It will require all organizations to report to the country's National Cyber Directorate when they are under a cyberattack. If an attack targets the country's critical infrastructure, organizations must report the incident as soon as it's discovered. [ The Jerusalem Post ]
France social media ban for kids under 15: The French National Assembly has voted to ban social media for children under the age of 15. The proposed law also includes a ban on mobile phones in high schools. If the law passes the French Senate, it will be enforced on new accounts by the start of the 2026 school year. Social media companies will have until the end of the year to deactivate existing accounts under the age limit. A similar ban is already in place in Australia. Lawmakers in Russia and the UK are also working on their own bans. [ Le Monde ]
France plans to ditch US conferencing platforms: The French government is ditching US video conferencing platforms and replacing them with a local alternative. The government has ordered all agencies and departments to switch from Zoom and Microsoft Teams to the Visio platform by 2027. Visio launched this year and is part of a national plan to create a sovereign digital ecosystem. [ Euronews ]
EU opens formal Twitter probe: The European Commission has launched a formal probe into Twitter over a GrokAI feature that generated sexualized and nude photos of women and children. Twitter and its xAI division face fines of up to 6% of global revenue. Twitter is facing similar investigations in more than a dozen countries across Europe and Asia.
Sponsor section
In this Risky Business sponsor interview, Catalin Cimpanu talks with Luke Jennings, VP of Research & Development at Push Security, about ConsentFix. It's a new form of email-based social engineering attack used in the wild, an evolution of the ClickFix attack that goes after your identity.
Arrests, cybercrime, and threat intel
31 more charged in ATM jackpotting scheme: The US has indicted 31 Venezuelan and Colombian nationals for their role in an ATM jackpotting scheme. The group scouted ATMs at night, opened their cases, and replaced the hard drives with ones pre-loaded with the Ploutus malware. The Justice Department has now charged 87 individuals over the past two months linked to this scheme. All the suspects are allegedly members of the Tren de Aragua criminal cartel.
Saudi activist wins spyware case: A critic of the Saudi government was awarded £3 million ($4.1 million) in damages in a lawsuit filed in the UK. Ghanem Al-Masarir sued the Saudi Kingdom in 2019 after his phone was infected with the Pegasus spyware. He was also assaulted in the streets of London following the hack. The assault predated the killing of Washington Post journalist Jamal Khashoggi by several months. Al-Masarir sued the Saudi government, citing severe depression that forced him to abandon his YouTube satire channel. The court awarded the damages to cover the loss of revenue from the channel. The Saudi government refused to participate in the lawsuit, citing state immunity. [ Reuters ]
BestBuy employee claims hackers extorted him: US authorities have detained a BestBuy employee who allegedly helped thieves steal expensive items from the store. The employee claims he was extorted by a hacker group with nude photos. He was shown images of the thieves and told to "let it happen." [ Yahoo News ]
Doxing and swatting group dismantled: Hungarian and Romanian authorities have arrested the members of a group behind doxing and swatting attacks. Three suspects were detained in Hungary and one in Romania. The group operated via a Discord group. They doxed victims, threatened to kill people, and issued fake bomb threats against educational, religious, and law enforcement organizations.
The division-slash trick: Threat actors are using the Unicode character for math division (∕) instead of a standard forward slash (/) in malicious links to evade detection. The non-standard character can cause some security tools to fail and let the malicious link through. According to email security firm Barracuda, the technique was used in phishing attacks targeting Japanese organizations.
New GPS-assisted car fraud in Spain: Pirate tow truck groups are exploiting emergency beacons to defraud car owners seeking assistance. Spanish authorities say the groups are intercepting GPS coordinates emitted by V-16 beacons. The beacons have become mandatory for all cars in Spain this year. Security researchers have warned about the possible risks of beacons exposing API keys and granting attackers access to the underlying platform aggregating data from all Spanish cars. [ SUR in English ]
Royal Family scams: The Belgian cybersecurity agency warns of ongoing scam campaigns posing as the Belgian Royal Family, delivered via e-mail, WhatsApp, and malicious ads.
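As an added defensive illustration (not code from the newsletter or from Barracuda), the Python below contrasts an ASCII-only URL extractor, which silently truncates at the division slash, with a Unicode-aware scanner that flags lookalike slashes and produces a normalized candidate for reputation lookups or analyst review. The sample message and hostname are constructed, and the confusable set beyond U+2215 is an assumption added for breadth.

```python
import re

# Lookalike slashes. U+2215 DIVISION SLASH is the one reported in the
# Barracuda campaign; the others are common confusables added as an assumption.
SLASH_CONFUSABLES = {
    "\u2215": "DIVISION SLASH",
    "\u2044": "FRACTION SLASH",
    "\uff0f": "FULLWIDTH SOLIDUS",
}

# An ASCII-only extractor of the kind that misses this trick: it stops at the
# first character outside its class, so everything after the fake slash is
# never handed to whatever reputation or sandbox check runs next.
ASCII_URL_RE = re.compile(r"https?://[A-Za-z0-9./?=&%_-]+")
# Unicode-aware extractor: take everything up to whitespace or a delimiter.
URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def naive_extract(text):
    """What an ASCII-only tool sees (truncated at the division slash)."""
    return ASCII_URL_RE.findall(text)


def confusable_slashes(url):
    """Return (index, name) for every lookalike slash in the URL."""
    return [(i, SLASH_CONFUSABLES[c]) for i, c in enumerate(url) if c in SLASH_CONFUSABLES]


def normalize_url(url):
    """Candidate form with lookalike slashes mapped to U+002F, for feeding
    URL-reputation lookups that expect plain ASCII separators."""
    return "".join("/" if c in SLASH_CONFUSABLES else c for c in url)


def scan_text(text):
    """Find every URL in a message body and flag those using lookalike slashes."""
    findings = []
    for raw in URL_RE.findall(text):
        hits = confusable_slashes(raw)
        if hits:
            findings.append({"raw": raw, "normalized": normalize_url(raw), "hits": hits})
    return findings


# Constructed sample: a phishing-style mail body with division slashes in the link.
SAMPLE = ("Please review the invoice at "
          "https://example.invalid\u2215login\u2215verify?id=42 before Friday.")

if __name__ == "__main__":
    print("ASCII-only extractor saw:", naive_extract(SAMPLE))
    for f in scan_text(SAMPLE):
        print("flagged:", f["raw"])
        print("  codepoints:", f["hits"])
        print("  normalized:", f["normalized"])
```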
WinRAR bug exploitation expands: Google Mandiant says that attacks exploiting a recent WinRAR bug, CVE-2025-8088, have now expanded from initial Russian APTs to Chinese espionage groups and financially motivated e-crime operations.
SLSH's new Okta vishing campaign: The Scattered LAPSUS$ Hunters hacking group is targeting the Okta and SSO accounts at more than 100 large companies. The group is using a combination of classic phishing and vishing to lure employees into sharing SSO sessions and tokens. According to security firm Silent Push, the group is using specialized phishing panels that allow members to control the phishing process in real time and direct victims to perform the needed actions. Some of the companies targeted by the group include the likes of Atlassian, Zillow, HubSpot, Epic Games, and Telstra.
New ClickFix variant: BlackPoint Cyber has spotted a new ClickFix variation that abuses the Microsoft Application Virtualization (App-V) toolkit to hide malicious PowerShell commands. The commands deploy the Amatera infostealer on targeted hosts.
BadBox admins: Infosec reporter Brian Krebs looks at the possible administrators of BadBox 2.0, a major botnet consisting of millions of Android TV devices. Current data suggest the botnet is managed by a Chinese national named Huang Guilin. Krebs was able to track him down after the admins of the rival Kimwolf botnet hacked and leaked screenshots from the BadBox backend panel.
Chrome extension hijacks Amazon affiliate referrals: Socket Security has spotted a Chrome extension that claims to block Amazon ads but just replaces affiliate referral codes.
Chrome extensions steal ChatGPT auth tokens: A cluster of malicious Chrome extensions has been spotted intercepting and stealing ChatGPT authentication tokens. Fifteen of the 16 extensions were hosted on the official Chrome Web Store, while one was distributed via the Edge Add-ons marketplace. According to security firm LayerX, the extensions were collectively downloaded only 900 times.
Malware technical reports
PeckBirdy framework: Trend Micro looks at PeckBirdy, a C&C framework used by Chinese APT groups in attacks against the Chinese gambling industry and government agencies across Asia.
Sponsor section
In this wholly sponsored Soap Box edition of the show, Patrick Gray chats with Adam Bateman and Luke Jennings from Push Security.
APTs, cyber-espionage, and info-ops
Vortex Werewolf: There's a new APT group named Vortex Werewolf targeting Russian entities. This is the same group that Seqrite discovered last year and calls Operation SkyCloak. Evidence suggests the group's earliest activity dates back to December 2024.
New HoneyMyte campaigns: Kaspersky researchers have spotted new campaigns from a suspected Chinese APT group they track as HoneyMyte, along with new versions of its malware.
Sheet Attack campaign: Zscaler has published a two-part report on an APT campaign targeting Indian government agencies.
"ThreatLabz assesses with medium confidence that these campaigns likely originate from a new subgroup or a parallel Pakistan-linked group, despite sharing similarities with the APT36 threat group."
Vulnerabilities, security research, and bug bounty
Office zero-day: Microsoft has released an out-of-band security update to patch an actively exploited Office zero-day. Tracked as CVE-2026-21509, the zero-day is a bypass of an Office security feature. Exploitation requires user interaction. All Office versions from 2016 onward are affected. Microsoft says that all customers on Office 2021 and later are protected via a service-side change.
Kubernetes RCE: Threat actors can bypass authorization and execute code on any Kubernetes container. The vulnerability exploits a bug in how Kubernetes API servers handle WebSocket connections. The Kubernetes project has declined to patch the issue, but will release a new API authorization system in April to address the attack.
Vulnerabilities open Exos doors: SEC-Consult researchers have found multiple vulnerabilities that can be used to unlock doors controlled by the Exos door and access control system from Dormakaba.
OpenSSL patches an RCE: The OpenSSL project has patched a memory corruption bug that can, in certain circumstances, lead to remote code execution. The bug, tracked as CVE-2025-15467, resides in how the library processes Cryptographic Message Syntax (CMS) data. Threat actors can use CMS packets with maliciously crafted AEAD parameters to crash OpenSSL and run malicious code. It is one of 12 issues patched by OpenSSL this week. All issues were found and reported by Aisle Security.
Solana security update: The Solana blockchain project has released a security update to patch a flaw in its mining validator protocols.
Windows Administrator Protection already bypassed: Google's James Forshaw has already found a way to bypass Administrator Protection, a new sudo-like security feature added to Windows 11 user accounts last fall.
"The bypass was interesting because it’s hard to point to the specific bug that causes it. The vulnerability is a result of 5 separate OS behaviors."
Exfil Out&Look technique: Varonis researchers have discovered a new technique named Exfil Out&Look that abuses Outlook add-ins to steal data from inside organizations.
"Varonis reported to Microsoft via MSRC on September 30, 2025. After their review, Microsoft categorized Exfil Out&Look as a low-severity product bug or suggestion with no immediate fix or patch planned."
Cisco retires Kenna: Cisco is retiring its vulnerability management platform, formerly known as Kenna.VM. Cisco will stop accepting new subscriptions on June 11 and will retire the product for good at the end of June 2028. Cisco acquired Kenna Security in June 2021.
Infosec industry
Threat/trend reports: Cisco, Cloudflare, CSA, HarfangLab, McAfee, ReversingLabs, and Trellix [ PDF ] have recently published reports and summaries covering various threats and infosec industry trends.
Acquisition news: Cybersecurity company Radware has acquired API security testing company Pynt.
Acquisition news: LevelBlue has acquired managed security service provider Alert Logic from Fortra.
New tool—Anamnesis: Security researcher Sean Heelan has released Anamnesis, a framework for studying how LLM agents generate exploits from vulnerability reports, despite the presence of exploit mitigations.
New tool—IDE-SHEPHERD: Security firm Datadog has released IDE-SHEPHERD, an open-source VS Code and Cursor extension to detect malicious behavior from other extensions.
New tool—SharePointDumper: Compass Security's Christian Feuchter has released SharePointDumper, a PowerShell-based auditing utility that enumerates SharePoint sites a user can access and download data from.
CODE BLUE videos: Talks from the CODE BLUE 2025 security conference, which took place in November, are available on YouTube.
Risky Business podcasts
In this edition of Between Two Nerds, Tom Uren and The Grugq discuss how getting pinged hurts state hackers by introducing uncertainty. Publishing technical reports on the hack can actually improve the situation by removing uncertainty about how attackers were detected.
In this edition of Seriously Risky Business, Tom Uren and Amberleigh Jack talk about the rise of technologies that can undermine internet blackouts, such as Starlink and its relatively new direct-to-cell service.