In today’s cybersecurity news…
Microsoft and CrowdStrike partner to link threat actor names
The two companies announced a partnership to connect aliases used for specific threat groups. Unfortunately, this won’t set a single naming standard. Instead, Microsoft updated its threat actor reference guide with a linked map of common threat groups using each company’s naming system. The idea is to make attribution faster and clearer so defenders can maintain a comprehensive view of malicious campaigns. Microsoft also said Google/Mandiant and Palo Alto Networks’ Unit 42 will be contributing their information and would welcome support for the initiative from other companies.
Qualcomm sees Adreno bugs under active exploitation
In its June 2025 security bulletin, the chipmaker patched three flaws in its Adreno GPUs that could lead to memory corruption and a use-after-free flaw in the Adreno driver. The company now says that the flaws appear to be under limited, targeted exploitation, according to “indications from Google Threat Analysis Group.” There are no other details on the exploitation, but the phrasing could indicate spyware. The patches don’t go directly to devices, but to OEMs to push out to their phones. Qualcomm urged phone makers to push these updates “as soon as possible.”
Fire panel security flaws could put OT systems in hot water
Consilium Safety makes fire- and gas-detection systems used across various sectors with an estimated installed base of 85,000. CISA issued an advisory about two flaws impacting its CS5000 Fire Panel. One flaw allows for a device takeover using a preinstalled default account. While owners can change this account over SSH, CISA found “it has remained unchanged on every installed system observed.” The other flaw comes from a hardcoded password on a VNC server, which is, you know, bad. Consilium said it was aware of the flaws but chose not to mitigate them. Instead, it recommended that customers upgrade to its newer line of products.
New details on proposed CISA cuts
A new document produced by the Department of Homeland Security details already announced cuts in President Trump’s fiscal 2026 budget proposal. This would marginally increase the cuts to $495 million. This would include removing 325 positions through early retirement and voluntary separation payment programs, as well as not funding 301 current vacant positions. Of these cuts, CISA’s “Mission Support Enterprise Services” and “Stakeholder Engagement Consolidation” divisions would each cut over 100 roles. Other cuts would come from regional operations and the cancellation of federal funding for bombing prevention and federal school safety programs. The budget proposal awaits Congressional approval.
Chrome removes support for two Certificate Authorities
Google announced that starting with version 139, Chrome will no longer trust TLS server authentication certificates issued by Chunghwa Telecom and Netlock, citing “patterns of concerning behavior observed over the past year”. Google found both companies failed to meet compliance requirements and didn’t take meaningful steps to respond to publicly disclosed incidents. Existing certificates won’t be impacted, but those issued after July 31, 2025, will show a “potential security threat” warning in Chrome.
Black Owl group poses a threat to Russia
Researchers at Kaspersky released a report on the threat group Black Owl, also known as BO Team, which recently carried out a cyberattack in Russia that wiped out a large part of the Russian national electronic court filing system. The group first appeared online in 2024, operating exclusively against organizations in Russia. Unlike typical pro-Ukrainian hacktivists, Black Owl seems to work independently, showing no signs of coordination, collaboration, or tool-sharing with others. The group typically gains access through phishing emails, and can wait up to months to set up an attack. It uses the backdoors DarkGate, BrockenDoor and Remcos, and has been known to deploy Babuk ransomware as well.
Preinstalled apps open the door to device resets
Security researchers at CERT Polska released details on security vulnerabilities found in preinstalled apps on phones sold by Ulefone and Krüger&Matz. One flaw exposes a service in an app that would allow any installed app on the system to perform a factory reset. Two other flaws in a preinstalled applock app allow another app to steal PIN codes and to inject arbitrary intent with system-level privileges to a protected app. All three require some other malicious app on the phone to be effective, but don’t require any Android system permissions. No word on whether either company plans to patch the issues.
New cryptojacking campaign targets DevOps web servers
Researchers at Wiz began tracking a campaign called JINX-0132, which looks to exploit a range of misconfigurations and vulnerabilities on web servers associated with HashiCorp’s Consul and Nomad offerings, as well as Docker and Gitea. The attacks download off-the-shelf tooling directly from GitHub repositories rather than using independent infrastructure. Nomad seems particularly vulnerable to these attacks, with the researchers noting, “This default configuration effectively means that unrestricted access to the server API can be tantamount to remote code execution (RCE) capabilities on the server itself and all connected nodes.”






