MS and CrowdStrike partner, Qualcomm bugs exploited, new CISA cut details - Cybersecurity Headlines

Summary

Cyber Security Headlines – Episode Summary
Hosted by Rich Strofalino, CISO Series
Release Date: June 3, 2025

1. Microsoft and CrowdStrike Partner to Standardize Threat Actor Naming

In a significant move to enhance cybersecurity collaboration, Microsoft and CrowdStrike announced a partnership aimed at linking aliases used for specific threat groups. Although this initiative does not establish a single naming standard, it marks a step towards harmonizing threat attribution across platforms.

Rich Strofalino highlights, “The two companies announced a partnership to connect aliases used for specific threat groups” (00:00). Microsoft has updated its Threat Actor Reference Guide to include a linked map that correlates common threat group names as identified by both Microsoft and CrowdStrike. This collaborative effort is designed to make attribution faster and cleaner, enabling defenders to maintain a comprehensive view of malicious campaigns.

Additionally, Microsoft has opened the door for other cybersecurity firms to contribute to this initiative, with Google Mandiant and Palo Alto Networks’ Unit 42 already on board. Strofalino notes, “Microsoft also said Google Mandiant and Palo Alto Networks Unit 42 will be contributing their information” (00:00), emphasizing the importance of a unified approach in the cybersecurity landscape.

2. Qualcomm Adreno Bugs Under Active Exploitation

Qualcomm disclosed critical vulnerabilities in its Adreno GPUs, outlined in the June 2025 security bulletin. Three key flaws—two leading to memory corruption and one a use-after-free in the Adreno driver—are currently under limited targeted exploitation, as indicated by the Google Threat Analysis Group.

Strofalino explains, “Qualcomm sees Adreno bugs under active exploitation” (00:00). While specific details remain scarce, the language used suggests potential spyware applications. Qualcomm has issued patches to OEMs, urging phone manufacturers to distribute these updates promptly to mitigate risks. However, the patches are not pushed directly to devices, relying instead on OEMs to implement the necessary updates.

3. Firepanel Security Flaws Could Compromise OT Systems

Consilium Safety, a provider of fire and gas detection systems with an estimated install base of 85,000, is grappling with critical security flaws in its CS5000 fire panels. The Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory detailing two significant vulnerabilities.

One flaw allows an attacker to take over a device using a default pre-installed account. Despite the option for owners to change their account via SSH, the research revealed that the default account remains unchanged across observed installations. The second flaw involves a hard-coded password on a VNC server, creating a backdoor into the system.

Strofalino reports, “Consilium said it was aware of the flaws but chose not to mitigate them” (00:00). Instead, Consilium recommends that customers upgrade to newer product lines, leaving existing systems vulnerable unless updated by the manufacturers.

4. New Details on Proposed CISA Budget Cuts

A recently released document from the Department of Homeland Security reveals additional details about the proposed budget cuts to the Cybersecurity and Infrastructure Security Agency (CISA) in President Trump’s fiscal 2026 budget. The cuts are set to increase the reduction amount to $495 million, affecting various divisions within CISA.

Rich Strofalino outlines, “The amount cut would marginally increase to $495 million” (00:00). The proposal includes eliminating 325 positions through early retirement and voluntary separation programs, alongside withholding funding for 301 currently vacant positions. Significant impacts are anticipated in CISA’s Mission Support, Enterprise Services, and Stakeholder Engagement Consolidation divisions, each facing reductions of over 100 roles. Additional cuts target regional operations and the discontinuation of federal funding for bomb prevention and federal school safety programs. The budget proposal is pending congressional approval.

5. Chrome Discontinues Support for Chunghua Telecom and Netlock Certificates

Google has taken decisive action to enhance web security by removing support for TLS server authentication certificates issued by Chunghua Telecom and Netlock in Chrome version 139. This decision stems from observed concerning behaviors and non-compliance with security standards over the past year.

As reported by Strofalino, “Google announced that starting with version 139, Chrome will no longer trust TLS server authentication certificates issued by Chunghua Telecom and Netlock” (00:00). While existing certificates remain unaffected, any certificates issued after July 31, 2025, will trigger security threat warnings in Chrome. This measure aims to protect users from potential security breaches associated with these certificate authorities.

6. Black Owl Group Poses Significant Threat to Russia

Kaspersky researchers have shed light on the activities of the threat group Black Owl, also known as BO Team. This group has been actively targeting Russian organizations since 2024, employing sophisticated cyberattack techniques that have notably disrupted the Russian national electronic court filing system.

Strofalino summarizes, “Black Owl seems to work independently, showing no signs of coordination, collaboration or tool sharing with others” (00:00). Unlike typical hacktivist groups with clear political motivations, Black Owl operates autonomously, utilizing phishing emails to gain initial access and patiently waiting months to execute attacks. Their toolkit includes backdoors like Darkgate and Broken Door, Remcos, and the deployment of Babak ransomware alongside pre-installed applications. The independent and persistent nature of Black Owl makes them a formidable adversary in the cybersecurity domain.

7. Vulnerabilities in Pre-Installed Apps on Ulefone and Kruger & Mats Phones

Security researchers at CertPolska have uncovered several vulnerabilities in pre-installed applications on smartphones from Ulefone and Kruger & Mats. These flaws present significant security risks:

Factory Reset Exploit: A vulnerability in a system app allows any installed app to perform a factory reset of the device.
PIN Code Theft and Intent Injection: Two additional flaws in a pre-installed lock app enable malicious apps to steal PIN codes and inject arbitrary intents with system-level privileges into protected applications.

Rich Strofalino notes, “All three of these flaws require some other malicious app on the phone to be effective, but don't require any Android system permissions themselves” (00:00). While these exploits necessitate the presence of another malicious app, they bypass traditional permission barriers, posing a new layer of threat. Currently, there is no information on whether Ulefone or Kruger & Mats intend to patch these vulnerabilities, leaving devices at ongoing risk.

8. Emerging Cryptojacking Campaign Targets DevOps Web Servers

Researchers at WIZ have identified a new cryptojacking campaign, dubbed Jinx0132, targeting DevOps environments by exploiting misconfigurations and vulnerabilities in web servers associated with HashiCorp's Console and Nomad, as well as Docker and Gidya platforms.

Strofalino explains, “The attacks download off the shelf tooling directly from GitHub repositories rather than using independent infrastructure” (00:00). This strategy leverages readily available tools, reducing the complexity and cost for attackers. Nomad, in particular, is highlighted as especially vulnerable due to its default configuration, which grants unrestricted access to the server API. Such access effectively provides remote code execution capabilities on both the server and connected nodes, making it a prime target for malicious actors seeking to embed cryptojacking operations within compromised environments.

Conclusion

This episode of Cyber Security Headlines delivered a comprehensive overview of the latest developments in the cybersecurity realm, from strategic partnerships and emerging threats to critical vulnerabilities and budgetary changes affecting key security agencies. Rich Strofalino effectively encapsulated the dynamic and evolving nature of cybersecurity challenges, providing listeners with valuable insights and actionable information to enhance their defensive strategies.

Notable Quotes:

“The two companies announced a partnership to connect aliases used for specific threat groups.” – Rich Strofalino (00:00)
“Consilium said it was aware of the flaws but chose not to mitigate them.” – Rich Strofalino (00:00)
“Google announced that starting with version 139, Chrome will no longer trust TLS server authentication certificates issued by Chunghua Telecom and Netlock.” – Rich Strofalino (00:00)
“Black Owl seems to work independently, showing no signs of coordination, collaboration or tool sharing with others.” – Rich Strofalino (00:00)
“All three of these flaws require some other malicious app on the phone to be effective, but don't require any Android system permissions themselves.” – Rich Strofalino (00:00)
“The attacks download off the shelf tooling directly from GitHub repositories rather than using independent infrastructure.” – Rich Strofalino (00:00)

For more detailed discussions and daily updates, visit CISOseries.com.

Note: Timestamps are based on the podcast transcript and correspond to when each topic was discussed.

Transcript

Rich Strofalino (0:00)

From the CISO series, it's Cybersecurity Headlines these are the cybersecurity headlines for Tuesday, June 3, 2025. I'm Rich Strofalino. Microsoft and CrowdStrike partner to link threat actor names. The two companies announced a partnership to connect aliases used for specific threat groups. Unfortunately, this won't set a single naming standard. Instead, Microsoft updated its Threat Actor Reference Guide with a linked map of common threat groups using each company's naming. The idea is to make attribution faster and cleaner so defenders can maintain a comprehensive view of malicious campaigns. Microsoft also said Google Mandiant and Palo Alto Networks Unit 42 will be contributing their information and would welcome support for the initiative from other companies. Qualcomm sees Adreno bugs under active exploitation in its June 2025 security bulletin, the chip maker patched three flaws in its Adreno GPUs that could lead to memory corruption as well as a use free flaw in the Adreno driver. The company now says that the flaws appear under limited targeted exploitation, according to indications from Google Threat Analysis Group. There are no other details on the exploitation, but the phrasing could indicate spyware. The patches don't go directly to devices, but to OEMs to push out to phones. Qualcomm urged phone makers to push these updates out as soon as possible. Firepanel security flaws could put OT systems to in hot water Consilium Safety makes fire and gas detection systems used across a variety of sectors, with an estimated install base of 85,000. CISA issued an advisory about two flaws impacting its CS5000 fire panel. One flaw allows for a device takeover using a default account pre installed on the device. While owners can change their account over ssh, CISA found that it remained unchanged on every installed system observed. The other flaw comes from a hard coded password that runs on a VNC server, which is, you know, bad. Consilium said it was aware of the flaws but chose not to mitigate them. Instead, it recommended that customers upgrade to its newer line of products. New details on proposed CISA Cuts A new document produced by the Department of Homeland Security details already announced cuts in President Trump's fiscal 2026 budget proposal. The amount cut would marginally increase to $495 million. This would include removing 325 positions through early retirement and voluntary separation payment programs, as well as not funding 301 current vacant positions of the cuts. CISA's Mission Support, Enterprise Services and Stakeholder Engagement Consolidation divisions would each cut over 100 rolls. Other cuts would come from regional operations and the cancellation of federal funding for bombing prevention and and federal school safety programs. The budget proposal now awaits congressional approval. And now, thanks to our episode sponsor, Conveyor, does trying to get the security questionnaire done and back to your customer ever feel like you're herding cats? It's not answering questions. Most of you have automation software for that. It's all the manual back and forth that becomes a slog, like communicating between teams, tracking people down to get their review, updating sources and updating systems. Conveyor just launched an AI agent, Sue, to do all of those things and more for you. Learn more about sue@conveyor.com that's C-O-N-V-E-Y-O-R.com Chrome removed support for two certificate authorities Google announced that starting with version 139, Chrome will no longer trust TLS server authentication certificates issued by Chunghua Telecom and Netlock. Citing patterns of concerning behavior behavior observed over the past year, Google found both companies failed to meet compliance requirements and didn't take meaningful steps to respond to publicly disclosed incidents. Existing certificates won't be impacted, but Those issued after July 31, 2025 will show a potential security threat warning in Chrome. Black Owl group poses a threat to Russia Researchers at Kaspersky released a report on the threat group Black Owl, also known as BO Team, which recently carried out a cyberattack in Russia that wiped out a large part of the Russ Russian national electronic court filing system. The group first appeared online in 2024, operating exclusively against organizations in Russia. Unlike typical Pro Ukrainian hacktivists, BlackOwl seems to work independently, showing no signs of coordination, collaboration or tool sharing with others. The group typically gains access through phishing emails and can wait up to months to set up an attack. They use backdoors, darkgate, Broken Door and Remcos, and have been known to deploy Babak ransomware as well as pre installed apps Open the door to device resets Security researchers at certpolska released details on security vulnerabilities found in pre installed apps on phones sold by Ulefone and Kruger and Mats. One flaw exposes a service in an app that would allow any installed app on the system to perform a factory reset. Two other flaws in a pre installed app lock app allow another app to steal PIN codes and inject arbitrary intent within system level privileges to a protected app. All three of these flaws require some other malicious app on the phone to be effective, but don't require any Android system permissions themselves. No word on if either company plans to patch the issues. New cryptojacking campaign targets DevOps web servers researchers at WIZ began tracking a campaign called Jinx0132, which looks to exploit a range of misconfigurations and vulnerabilities on web servers associated with HashiCorp's console and Nomad offerings, as well as Docker and Gidya. The attacks download off the shelf tooling directly from GitHub repositories rather than using independent infrastructure. Nomad seems particularly vulnerable to these attacks, with the researchers noting this default configuration effectively means that unrestricted access to the server API can be tantamount to remote code execution capabilities on the server itself and all connected nodes. The first reaction to AI tools is often that it'll take jobs, but for analysts, it allows them to free up repetitive tasks for more hypothesis driven threat hunting that would likely slip through the cracks in automation. The promise of time to focus on higher level work is alluring, but what will that look like for analysts? That's one of the segments we're digging into on this week's episode of the CISO Series podcast. Look for the episode AI Isn't Going to Take youe Job. It's going to Eliminate It. Wherever you get your podcasts. And if you have some thoughts on the news from today, or just some feedback on the show in general, be sure to reach out to us@feedbacksoseries.com we'd love to hear from you. Reporting for the CISO series, I'm Rich Trofalino reminding you to have a super sparkly day. Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines. It.