Russian army map malware, edge tech attack report, Commvault flaw

Cyber Security Headlines - April 25, 2025

Hosted by the CISO Series

1. Russian Army Targeted by Android Malware in Mapping App

In today’s episode, Steve Prentiss opens with a concerning development in military cybersecurity. Cybersecurity Expert reports that the Russian army has fallen victim to a sophisticated Android malware attack embedded within a mapping application. At 00:17, the expert reveals, “A new Android malware has been found hidden in Trojanized versions,” specifically targeting the Alpine Quest Pro mapping app used by Russian soldiers for operational planning.

The malware, distributed through Telegram and Russian app catalogs as a free, cracked version, effectively masquerades as the legitimate Alpine Quest Pro to evade detection. As Prentiss elaborates at 00:38, “Mimics the legitimate app's full functionality to avoid suspicion.” Discovered by the Russian antivirus firm Dr.Web, the spyware steals sensitive information such as phone numbers, contacts, geolocation data, and documents, while also monitoring movements in real-time. This capability poses a significant threat by potentially exposing military operations, especially as it targets location logs and files shared via Telegram and WhatsApp.

The genuine Alpine Quest app is widely utilized for offline GPS mapping, making this attack particularly alarming due to its deep integration into critical military operations.

2. Surge in Exploitation of Edge Device Vulnerabilities

Moving forward, Steve Prentiss discusses the alarming trends in cyberattacks on edge devices. Referencing Mandiant's MTrends report, it is highlighted that in 2024, exploiting security flaws in edge devices like VPNs, firewalls, and routers accounted for one-third of all initial attack methods. The report underscores that nearly half of all observed exploitations were directed at these critical devices, with many attacks leveraging zero-day vulnerabilities.

The Cybersecurity Expert emphasizes at 01:15, “Attackers are increasingly exploiting security flaws in edge devices like VPNs, firewalls, and routers.” These devices, intended to secure networks, often lack robust third-party security support, rendering organizations vulnerable. The trend has notably impacted major companies and government agencies, with a marked increase in espionage activities attributed to Russian and Chinese actors, as noted by Google's Threat Intelligence Group at 01:48.

3. Critical Commvault Command Center Vulnerability

A significant security alert pertains to the Commvault Command Center, as discussed by Watchtower Labs. At 02:05, the Cybersecurity Expert warns of a critical vulnerability within this web-based user interface designed for data protection and recovery tasks. Assigned a CVE number and a CVSS score of 9.0, this flaw allows remote attackers to execute arbitrary code without authentication, potentially leading to full system compromise.

Steve Prentiss clarifies at 02:16, “It allows remote attackers to execute arbitrary code without authentication.” The vulnerability affects the 11.38 innovation release and was initially reported on April 7th, with an official advisory from Commvault released on April 17th. This exposes organizations to heightened risks, emphasizing the need for immediate patching and stringent security measures.

4. Linux IO Uring Creates Security Blind Spots for Rootkits

The episode delves into a major security flaw within the Linux kernel's IO uring interface. ARMO researchers have identified that IO uring allows rootkits to evade detection by bypassing traditional system calls through shared ring buffers. Introduced in Linux 5.1 to enhance asynchronous input/output operations, this mechanism inadvertently creates a critical blind spot for enterprise security tools primarily focused on monitoring syscalls.

At 03:01, the Cybersecurity Expert explains, “Most security tools focus on monitoring syscalls and overlook IO uring, creating a critical blind spot.” ARMO demonstrated the vulnerability with a proof-of-concept rootkit named Curing, highlighting the severe threat it poses. In response, Google has preemptively disabled IO uring by default on Android and Chrome OS to mitigate risks. Steve Prentiss underscores the gravity at 03:27, “The flaw underscores a hidden vulnerability in Linux runtime security environments,” calling attention to the urgent need for enhanced monitoring strategies to secure Linux-based systems.

5. Decline in Government-Imposed Internet Shutdowns

Shifting focus to geopolitical cybersecurity measures, Cloudflare's Q1 2025 Internet Disruption Report reveals a significant decrease in government-imposed internet shutdowns. As Steve Prentiss reports, there have been 600 government internet shutdowns in the first quarter of 2025. These shutdowns are typically employed to suppress protests and exert control, often coinciding with elections or conflicts, especially in authoritarian regimes like Myanmar.

At 05:10, the Cybersecurity Expert notes, “Cloudflare's report shows no new shutdowns so far this year, a rare occurrence seen only in two other quarters over the past three years,” suggesting a potential shift in governmental approaches to controlling internet access. This trend, monitored alongside groups like NetBlocks, indicates a possible move towards more sustainable or less disruptive methods of maintaining control.

6. Marks & Spencer's Ongoing Cyber Incident Impacting Payment Systems

In the retail sector, Marks & Spencer continues to grapple with the repercussions of a recent cyber incident affecting their contactless payment systems. The Cybersecurity Expert details at 05:22, “The UK retailer says its contactless payment systems are still down following a cyber incident that occurred last week.” This disruption has led to the impairment of purchasing procedures such as Click and Collect and home deliveries.

At 05:48, Steve Prentiss highlights, “The retailer announced that some of its internal processes have been moved offline, which the Register suggests is consistent with a ransomware scenario.” This ongoing issue underscores the persistent threats retailers face from ransomware attacks, emphasizing the need for robust cybersecurity defenses and incident response strategies to minimize operational disruptions.

7. Darkula Enhances Phishing Capabilities with Generative AI

The podcast also covers enhancements in cybercriminal toolkits, specifically the China-based phishing-as-a-service platform Darkula. As reported by Netcraft, Darkula has integrated generative artificial intelligence into its cybercrime suite. At 05:58, the expert explains, “Darkula has released new updates to their cybercrime suite with generative artificial intelligence capabilities.”

Steve Prentiss adds at 06:15, “This addition lowers the technical barrier for creating phishing pages, enabling less tech-savvy criminals to deploy customized scams in minutes.” The integration of AI into phishing tools democratizes the ability to craft convincing scams, increasing the volume and sophistication of phishing attacks. This development poses a heightened threat landscape, necessitating advanced detection and mitigation strategies to counteract AI-enhanced phishing schemes.

8. Doubling of Third-Party Breaches According to Verizon

Lastly, the Verizon Data Breach Investigations Report highlights a disturbing trend in third-party breaches. The report indicates that the proportion of breaches involving third parties has doubled from 15% to 30% compared to the previous year. Steve Prentiss emphasizes at 06:30, “The proportion of breaches involving third parties rose from 15% in last year's data set to 30% in this year's report.”

The Cybersecurity Expert further explains that cybercriminals are increasingly targeting organizations such as accountants and law firms to reach their intended targets. Verizon attributes this surge to vendors and business partners expanding the attack surface by failing to enforce proper access controls and prevent credential misuse. At 07:06, the expert states, “Vendors and other business partners are expanding the attack surface by failing to enforce proper access controls, including preventing credential misuse.”

This doubling trend underscores the critical importance of robust third-party risk management and the implementation of stringent access controls to protect organizations from downstream security risks.

Conclusion

Today's Cyber Security Headlines covered a range of pressing issues, from advanced malware targeting military operations to the alarming rise in third-party breaches. The integration of AI into cybercriminal toolkits and persistent vulnerabilities in critical infrastructure like edge devices and Linux systems highlight the evolving threat landscape. Additionally, the decline in government-imposed internet shutdowns offers a glimmer of hope amidst global cybersecurity challenges. As organizations navigate these complex threats, the emphasis on proactive security measures and comprehensive risk management remains paramount.

For more detailed stories and updates, visit CISOseries.com.