Cyber Security Headlines – Episode Summary
Hosted by Rich Stroffolino, CISO Series
Release Date: June 3, 2025
1. Microsoft and CrowdStrike Partner to Standardize Threat Actor Naming
In a significant move to enhance cybersecurity collaboration, Microsoft and CrowdStrike announced a partnership aimed at linking aliases used for specific threat groups. Although this initiative does not establish a single naming standard, it marks a step towards harmonizing threat attribution across platforms.
Rich Stroffolino highlights, “The two companies announced a partnership to connect aliases used for specific threat groups” (00:00). Microsoft has updated its Threat Actor Reference Guide to include a linked map that correlates the common names each vendor uses for the same threat group. The aim is to make attribution faster and cleaner, so defenders can keep a single, coherent view of a malicious campaign regardless of which vendor's reporting they are reading.
Microsoft has also opened the initiative to other security firms, with Google Mandiant and Palo Alto Networks’ Unit 42 already on board. Stroffolino notes, “Microsoft also said Google Mandiant and Palo Alto Networks Unit 42 will be contributing their information” (00:00), underlining the value of a shared approach to naming across the industry.
2. Qualcomm Adreno Bugs Under Active Exploitation
Qualcomm disclosed critical vulnerabilities in its Adreno GPUs in its June 2025 security bulletin. Three key flaws (two memory-corruption bugs and one use-after-free in the Adreno driver) are under limited, targeted exploitation, according to Google's Threat Analysis Group.
Stroffolino explains, “Qualcomm sees Adreno bugs under active exploitation” (00:00). Specific details remain scarce, but the wording used suggests the bugs are being used by commercial spyware. Qualcomm has issued patches to OEMs and is urging phone manufacturers to ship them promptly. Because the fixes are not pushed directly to devices, users remain exposed until their OEM releases the corresponding update.
3. Fire Panel Security Flaws Could Compromise OT Systems
Consilium Safety, a provider of fire and gas detection systems with an estimated install base of 85,000, is grappling with critical security flaws in its CS5000 fire panels. The Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory detailing two significant vulnerabilities.
One flaw allows an attacker to take over a device through a default, pre-installed account. Although owners can change this account via SSH, the researchers found the default account still in place on every installation they observed. The second flaw is a hard-coded password on the panel's VNC server, which amounts to a backdoor into the system.
Stroffolino reports, “Consilium said it was aware of the flaws but chose not to mitigate them” (00:00). Instead, Consilium recommends that customers upgrade to its newer product lines, leaving existing CS5000 deployments vulnerable unless they are replaced.
4. New Details on Proposed CISA Budget Cuts
A recently released document from the Department of Homeland Security reveals additional details about the proposed budget cuts to the Cybersecurity and Infrastructure Security Agency (CISA) in President Trump’s fiscal 2026 budget. The cuts are set to increase the reduction amount to $495 million, affecting various divisions within CISA.
Rich Stroffolino outlines, “The amount cut would marginally increase to $495 million” (00:00). The proposal includes eliminating 325 positions through early retirement and voluntary separation programs, alongside withholding funding for 301 currently vacant positions. Significant impacts are anticipated in CISA’s Mission Support, Enterprise Services, and Stakeholder Engagement Consolidation divisions, each facing reductions of over 100 roles. Additional cuts target regional operations and the discontinuation of federal funding for bomb prevention and federal school safety programs. The budget proposal is pending congressional approval.
5. Chrome Discontinues Support for Chunghwa Telecom and NetLock Certificates
Google is removing trust in TLS server authentication certificates issued by Chunghwa Telecom and NetLock, starting with Chrome version 139. The decision follows a pattern of concerning behavior and non-compliance with security standards observed over the past year.
As reported by Stroffolino, “Google announced that starting with version 139, Chrome will no longer trust TLS server authentication certificates issued by Chunghwa Telecom and NetLock” (00:00). Existing certificates are unaffected, but any certificate issued by these CAs after July 31, 2025, will trigger a security warning in Chrome. Site operators who rely on either CA should plan to obtain certificates from a different issuer before then.
6. Black Owl Group Poses Significant Threat to Russia
Kaspersky researchers have shed light on the activities of the threat group Black Owl, also known as BO Team. This group has been actively targeting Russian organizations since 2024, employing sophisticated cyberattack techniques that have notably disrupted the Russian national electronic court filing system.
Stroffolino summarizes, “Black Owl seems to work independently, showing no signs of coordination, collaboration or tool sharing with others” (00:00). Unlike typical hacktivist groups with clear political motivations, Black Owl operates autonomously, using phishing emails for initial access and then waiting months before carrying out an attack. Its toolkit includes the DarkGate and BrockenDoor backdoors and Remcos, and it deploys Babuk ransomware alongside the applications already present on the victim's systems. The group's independence and patience make it a formidable adversary.
7. Vulnerabilities in Pre-Installed Apps on Ulefone and Kruger&Matz Phones
Security researchers at CERT Polska have uncovered several vulnerabilities in pre-installed applications on smartphones from Ulefone and Kruger&Matz. These flaws present significant security risks:
- Factory Reset Exploit: A vulnerability in a system app allows any installed app to perform a factory reset of the device.
- PIN Code Theft and Intent Injection: Two additional flaws in a pre-installed lock app enable malicious apps to steal PIN codes and inject arbitrary intents with system-level privileges into protected applications.
Rich Stroffolino notes, “All three of these flaws require some other malicious app on the phone to be effective, but don't require any Android system permissions themselves” (00:00). Although exploitation depends on another malicious app already being present, that app needs no special permissions, so the usual permission prompts give the user no warning. There is currently no information on whether Ulefone or Kruger&Matz intend to patch these vulnerabilities, leaving affected devices at ongoing risk.
8. Emerging Cryptojacking Campaign Targets DevOps Web Servers
Researchers at Wiz have identified a new cryptojacking campaign, dubbed JINX-0132, that targets DevOps environments by exploiting misconfigurations and vulnerabilities in publicly exposed HashiCorp Consul and Nomad servers, as well as Docker and Gitea instances.
Stroffolino explains, “The attacks download off-the-shelf tooling directly from GitHub repositories rather than using independent infrastructure” (00:00). Relying on publicly available tools keeps the attackers' cost and complexity low and leaves little dedicated infrastructure to block. Nomad is singled out as especially exposed because its default configuration grants unrestricted access to the server API. Since anyone who can reach that API can submit jobs, such access amounts to remote code execution on the server and on every node it schedules work to, which makes an exposed Nomad cluster an attractive place to plant cryptomining workloads.
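As an added example (not from the episode or from Wiz's research), the Nomad exposure described above can be checked from the agent configuration: a constructed default-style config beside a hardened one, plus a small audit function. The keys used (acl.enabled, bind_addr, tls.http) are real Nomad agent settings; the sample values and the audit function are constructed for this example.

```python
# Added example: audit a Nomad agent config (in its JSON form) for the
# exposure that JINX-0132 abuses. Keys are real Nomad settings; both sample
# configs below are constructed and do not come from any real deployment.

# Constructed "default-style" config: no acl block, so ACLs default to off,
# API bound to every interface, plain HTTP. Anyone reaching port 4646 can
# submit a job, which is code execution on the cluster.
WEAK_CONFIG = {
    "datacenter": "dc1",
    "bind_addr": "0.0.0.0",
    "server": {"enabled": True},
}

# Constructed hardened config: ACLs enforced, HTTP API behind TLS, bound to
# a single internal address (paths are placeholders).
HARDENED_CONFIG = {
    "datacenter": "dc1",
    "bind_addr": "10.0.5.12",
    "server": {"enabled": True},
    "acl": {"enabled": True},
    "tls": {
        "http": True,
        "ca_file": "/etc/nomad.d/ca.pem",
        "cert_file": "/etc/nomad.d/server.pem",
        "key_file": "/etc/nomad.d/server-key.pem",
    },
}


def audit_nomad_config(cfg: dict) -> list[str]:
    """Return findings for a Nomad agent config; an empty list is clean."""
    findings = []
    if not cfg.get("acl", {}).get("enabled", False):
        findings.append("acl.enabled is false: any caller can submit jobs (remote code execution)")
    if cfg.get("bind_addr", "0.0.0.0") == "0.0.0.0":
        findings.append("bind_addr is 0.0.0.0: the API listens on every interface")
    if not cfg.get("tls", {}).get("http", False):
        findings.append("tls.http is false: API calls and ACL tokens travel in cleartext")
    return findings


def interpret_unauthenticated_probe(status_code: int) -> str:
    """Classify the HTTP status a token-less GET /v1/jobs returns from your
    own cluster: Nomad answers 403 when ACLs are enforced; 200 means the
    job API is open to anyone who can reach it."""
    if status_code == 200:
        return "unrestricted"
    if status_code in (401, 403):
        return "acl_enforced"
    return "unknown"
```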
Conclusion
This episode of Cyber Security Headlines delivered a concise overview of the latest developments in cybersecurity, from strategic partnerships and emerging threats to critical vulnerabilities and budget changes affecting key security agencies. Rich Stroffolino captured the fast-moving nature of the field and gave listeners practical information to inform their defensive priorities.
Notable Quotes:
- “The two companies announced a partnership to connect aliases used for specific threat groups.” – Rich Stroffolino (00:00)
- “Consilium said it was aware of the flaws but chose not to mitigate them.” – Rich Stroffolino (00:00)
- “Google announced that starting with version 139, Chrome will no longer trust TLS server authentication certificates issued by Chunghwa Telecom and NetLock.” – Rich Stroffolino (00:00)
- “Black Owl seems to work independently, showing no signs of coordination, collaboration or tool sharing with others.” – Rich Stroffolino (00:00)
- “All three of these flaws require some other malicious app on the phone to be effective, but don't require any Android system permissions themselves.” – Rich Stroffolino (00:00)
- “The attacks download off-the-shelf tooling directly from GitHub repositories rather than using independent infrastructure.” – Rich Stroffolino (00:00)
For more detailed discussions and daily updates, visit CISOseries.com.
Note: Timestamps are based on the podcast transcript and correspond to when each topic was discussed.
