Transcript
Steve Prentiss (0:00)
From the CISO Series, it's Cybersecurity Headlines. These are the cybersecurity headlines for Monday, May 26, 2025. I'm Steve Prentiss.

CISA warns Commvault clients of campaign targeting cloud applications. The agency is warning that hackers are targeting cloud environments used by clients of data management firm Commvault. The company had previously disclosed a February data breach, revealed by Microsoft, involving a nation-state actor who accessed app credentials used by some Commvault customers to authenticate with Microsoft 365. CISA now reports ongoing cyber threat activity targeting Commvault's applications hosted in Microsoft Azure. The agency believes this is part of a broader campaign aimed at exploiting software-as-a-service applications with default settings and elevated permissions. The attackers likely accessed client secrets, unique codes that link applications to servers, specifically targeting Commvault's M365 backup solution Metallic, raising concerns about widespread vulnerability.

Russian hacker group Killnet returns with slightly adjusted mandate. The group has resurfaced after months of inactivity, claiming to have hacked Ukraine's drone tracking system to aid Russian forces, a claim promoted by Russian media but unverified by independent sources. The timing of the reappearance coincides with Russia's Victory Day, a key date for propaganda. Analysts suggest this reappearance may be more about re-establishing relevance than executing a specific anti-Ukraine operation. Cyber experts note that Killnet now seems less ideologically driven and more like a for-hire cybercrime group seeking reputation and profit. Researchers view the heavily publicized activity as potentially part of a broader Russian information operation, especially amid ongoing diplomatic efforts involving the US, Russia and Ukraine.

Fake VPN and browser installers used to deliver Winos 4.0 malware. Researchers at Rapid7 are warning of a malware campaign that uses fake software installers masquerading as popular tools like LetsVPN and QQ Browser to deliver the Winos 4.0 framework, that is spelled W-I-N-O-S. This campaign, which was first detected by Rapid7 in February of this year, involves the use of a multi-stage memory-resident loader called Catena, that is spelled C-A-T-E-N-A. The company says the attacks appear to focus specifically on Chinese-speaking environments, with the cybersecurity company calling out the careful long-term planning, apparently by a very capable threat actor.

European Operation Endgame takes down key ransomware infrastructure. This Operation Endgame refers to a campaign coordinated by Europol and Eurojust, which is the European Union Agency for Criminal Justice Cooperation. The campaign executed from May 19th through to the 22nd and took down 300 servers and 650 domains and issued 20 international arrest warrants. Agents from numerous EU countries, along with the US, the UK and Canada, helped with this investigation, which started back in 2024 and culminated in the May takedowns. Authorities also seized 3.5 million euros in cryptocurrency. The operation targeted initial access malware used by threat actors to infiltrate systems prior to ransomware deployment.

Huge thanks to our sponsor ThreatLocker. ThreatLocker is a global leader in Zero Trust endpoint security, offering cybersecurity controls to protect businesses from zero-day attacks and ransomware. ThreatLocker operates with a default-deny approach to reduce the attack surface and mitigate potential cyber vulnerabilities. To learn more and to start your free trial, visit threatlocker.com/CISO, that is T-H-R-E-A-T-L-O-C-K-E-R.com/CISO.

AI-generated TikTok videos push ClickFix attacks. As described by researchers at Trend Micro, cybercriminals are using TikTok videos to trick users into infecting themselves with Vidar and StealC information-stealing malware through ClickFix attacks. The messages aim to get viewers to run commands that promise to activate Windows and Microsoft Office, along with premium features in some legitimate software brands such as CapCut and Spotify. The videos are all very similar in design and narration and appear to be largely AI-generated. One of these videos claims to provide instructions on how to boost your Spotify experience instantly and has reached almost 500,000 views with over 20,000 likes.

Luna Moth extortion attacks targeting law firms, says FBI. The FBI has issued a warning about an extortion gang named Silent Ransom Group, which has been targeting US law firms over the past two years using callback phishing and social engineering attacks. This group is also known as Luna Moth, known for conducting BazarCall campaigns that provided initial access to corporate networks for Ryuk and Conti ransomware attacks. The FBI describes their attack style as "directing an employee to join a remote access session either through an email sent to them or navigating to a webpage. Once the employee grants access to their device, they are told that work needs to be done overnight." End quote.

Qakbot leader indicted in US. The Russian national Rustam Rafailevich Galyamov, 48, is allegedly the individual who developed, deployed and controlled the Qakbot malware, that is Q-A-K-bot, since its start in 2008, according to the newly unsealed indictments. The Qakbot gang infected hundreds of thousands of computers worldwide, ensnaring them in a botnet. Victim organizations belonged to a range of industries including healthcare, insurance, manufacturing, marketing, music, real estate, technology and telecommunications. Galyamov and his co-conspirators allegedly sold access to Qakbot-infected machines to other cybercriminals who deployed ransomware families such as Black Basta, Cactus, Conti and REvil.

New Google Chrome extension updates breached passwords with one click. A new feature in the Chrome browser lets its built-in password manager automatically change a user's password when it detects the credentials to be compromised, according to its designers. When Chrome detects a compromised password during sign-in, Google Password Manager prompts the user with an option to fix it, automatically generating a strong replacement and updating the password for the user. Google says the feature has not yet been formally launched for end users and that it is mainly geared towards developers so that they can optimize their websites for the time that the feature launches. End quote. Google added, quote, "the goal of this feature is to reduce friction and help users keep their accounts secure without having to search for relevant account settings or abandon the process midway." End quote.

It's never too late to start thinking about Friday, and this Friday we are back with another episode of Super Cyber Friday, where the topic will be Hacking Provable Security, an hour of critical thinking on how to go beyond security ratings and questionnaires. This starts at 1pm Eastern and is followed at 3:30pm Eastern by our Week in Review show. Steve Knight, former CISO at Hyundai Capital America, will be our guest, bringing his expertise on the news stories of the week. To join in on both shows, go to the Events page at CISO Series, and if you have some thoughts on the news from today or about the Cybersecurity Headlines show in general, please be sure to reach out to us by email at feedback@cisoseries.com. We would love to hear from you.

I'm Steve Prentiss reporting for the CISO Series. Cybersecurity Headlines is available every weekday. Head to cisoseries.com for the full stories behind the headlines.
