Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by Prowler. You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.
In an eye-popping investigation, Reuters has revealed that Meta had projected its 2024 advertisements for scams and banned goods would bring in about USD$16 billion, or 10% of its total revenue. The report is based on a cache of documents reviewed by Reuters.

In one of those documents, Meta's safety staff estimated that the company's platforms were "involved" in a third of all successful scams in the US. That's a stunning figure. But we do wonder how much of that involvement is simply WhatsApp being used to talk to victims. If advertisements weren't the bait that lured victims, it hardly seems fair to blame Meta for running an end-to-end encrypted messaging app.

The company doesn't get such an easy pass elsewhere, though. Other documents revealed that Meta only bans advertisers if its automated systems are 95% certain that an account is committing fraud. If an account doesn't meet that threshold but Meta still believes it is likely a scammer, the company instead charges higher advertising rates as a "penalty". According to Reuters, the idea is to discourage suspicious advertisers from buying ads. In our view, though, it is just as likely to encourage Meta to accept high-risk ads as it is to prevent scammers from placing them. It's a two-sided incentive: a scammer's penalty is Meta's profit, after all.

The documents suggest that Meta's management weighed the financial windfall from scam ads against the costs of regulatory action. The company raked in $3.5 billion every six months from ads its legal team had determined carried "higher legal risk", such as impersonating a brand or celebrity. The document notes that this revenue would almost certainly exceed the cost of "any regulatory settlement involving scam ads". One document from February 2025 detailed exactly how much revenue Meta was willing to forgo to clamp down on suspicious advertisers: 0.15% of total revenue, or $135 million.
Our napkin maths suggests that if you are only willing to forgo $135 million to tackle a $16 billion problem … you still have a $16 billion problem. Scams are a huge issue, and our cynical view is that (much like in the cybersecurity field) companies typically only respond when political pressure or government action forces their hand. One former Meta employee, Rob Leathern, suggested to Wired that the platforms should be forced to relinquish any money earned from scam ads. This could be used to fund anti-scam non-profits, for example, and would remove the incentive for Meta to turn a blind eye. We can get behind that.

For Now, Supply Chain Attackers Are Eschewing Total Mayhem

For whatever reason, state-backed adversaries are showing at least some restraint when it comes to their supply chain attacks.

Last week, network security firm SonicWall announced that state-backed hackers were responsible for a September breach of the MySonicWall cloud backup service. In that incident the hackers stole all firewall configuration files that had been backed up to the service. The backup files are designed to completely restore a device or its replacement, so they include a snapshot of the full configuration, including credentials and other secrets. According to SonicWall, those credentials and secrets were "individually encrypted", but it is not clear how the encryption keys were stored or derived.

The company has reassured its customers that the breach did not impact its products and that "no other SonicWall systems or tools, source code, or customer networks were disrupted or compromised". That's not entirely reassuring. The attack was clearly not targeted at SonicWall per se, but was instead an attempt to reach its customers. Even configuration information without cleartext secrets (the firewall rules and network layout a backup necessarily contains) could be used to inform attacks on SonicWall customers. Of course, attacking vendors to get to customers is not a new phenomenon.
Back in mid-October, the networking and security firm F5 disclosed an even more worrying attack. The company said it had been the victim of a "highly sophisticated nation-state threat actor" that gained "long-term persistent access to certain F5 systems". The systems accessed included the development environment for F5's main product, the BIG-IP load balancer, as well as the company's engineering knowledge management platform. The attackers first broke into F5 in late 2023 and weren't discovered until August this year. F5 claims to be "trusted by 85% of the Fortune 500".

When the breach was disclosed, CISA released an emergency directive requiring federal agencies to find and patch vulnerable devices. The same day, F5 released a whole bunch of patches for vulnerabilities whose details were believed to have been stolen. In addition to the vulnerability information, the hackers stole some source code and also configuration or implementation information "for a small percentage of customers". (Risky Bulletin has a good wrap of the whole incident.) Sources told Bloomberg that Chinese state-backed hackers were responsible, and the malware used in the F5 hack is linked to the group known as Salt Typhoon.

Despite the length of time they were in F5's systems and the vulnerability information they accessed, the impact of the hack, to date, is surprisingly limited. By contrast, other Chinese-backed campaigns that discreetly took advantage of undisclosed vulnerabilities have regularly ramped up into mass exploitation once the activity was detected. See, for example, this year's mass exploitation of SharePoint vulnerabilities and the Exchange free-for-all in 2021.

This F5 intrusion reminds us of the 2020 SolarWinds hack. In that incident, the threat actors gained access to the build system for SolarWinds' Orion software. Rather than just stealing source code and vulnerabilities, however, the build system was subverted to push malware out to customers in a software update.
Around 18,000 customers received the malware, but follow-on hacking was only carried out against about 100 of them. This breach was a huge deal politically at the time, but in truth it was targeted and responsible, especially in contrast to the mass hacking events that have occurred since. In F5's case the hackers had all the pieces in place to carry out a SolarWinds-style attack by subverting BIG-IP's build, but they don't appear to have pulled the trigger.

State-backed hackers have an enduring interest in enterprise vendors whose products could be compromised to provide access to target networks. For whatever reason, adversaries seem to show some restraint in these cases, unlike the Chinese when they get their hands on some juicy Exchange 0day and go ham. We're not saying these supply chain attacks aren't bad and damaging. They are. But as we'll always cheerily tell you here at Risky Business Media: it could always be worse!

UK Suspends Drug Boat Intel Sharing

Britain's spy agencies and its military have stopped sharing intelligence with the US about suspected drug trafficking vessels in the Caribbean, according to a new CNN report. This month, 76 people have been killed in 19 US strikes against what the White House alleged were drug smuggling boats. Sources told CNN that British officials believe the strikes are illegal and the UK does not want to be complicit in them.

The UK has a number of intelligence assets in its Caribbean territories and suspended intelligence sharing about a month ago. A source told The Times that this intelligence could come from GCHQ and include the location of drug smuggling vessels and the number of people on board. The UK's decision could result in it being cut off from US intelligence in response, so it is not a risk-free move. This is a reminder that secretive intelligence agencies can be responsible moral actors, despite their frequent portrayal in Hollywood movies as utilitarian and amoral.
Russian Wipers Hit Ukraine's Grain

The Russian hacking group Sandworm has been launching wiper attacks against Ukraine's grain sector, according to Slovak cyber security firm ESET. ESET speculates the attacks are designed to weaken Ukraine's wartime economy, as grain is a major export for the country. Its report doesn't describe how the wipers are affecting the grain sector, so it is unclear whether these are clever attacks that achieve what would otherwise be impossible with drones, missiles or other conventional munitions. That would be interesting.

It is worth noting, however, that the impact of the war on Ukraine's agricultural production is already huge. In April the English-language Ukrainian outlet United24 Media reported that up to 25% of the country's agricultural land is off limits because it is either unsafe due to landmines or too close to combat zones. Russia has also used conventional weapons to disrupt exports by targeting grain storage facilities, ports and even vessels.

Watch Amberleigh Jack and Tom Uren discuss this edition of the newsletter:

Three Reasons to Be Cheerful This Week:

- UK to stop spoofed phone numbers: Mobile carriers and the UK government have agreed to a raft of measures that will make it harder for scammers to operate on UK mobile networks. These will "eliminate" the ability of foreign call centres to spoof UK numbers and also allow police to track down scammers operating within the country.
- KK Park scam centre being demolished: The Myanmar military junta is dynamiting the notorious scam compound, and it is good to see further action after a raid on the compound last month. It appears international pressure is having an impact, although some observers believe the demolition is just a PR ploy by the junta.
- US cyber security threat sharing bill to be extended: A short-term renewal of the Cybersecurity Information Sharing Act, which expired at the end of September, is included as part of the deal to reopen the US federal government. The good news isn't so much the extension, which only runs until 30 January, but that some lawmakers care enough about cyber security to include the renewal in negotiations to end the shutdown.