CyberSecurity news
FlagThis - #commvault
|
CISA@All CISA Advisories
//
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding a potential broader campaign targeting Software-as-a-Service (SaaS) providers. This alert follows the discovery of unauthorized activity within Commvault's Microsoft Azure environment. CISA believes threat actors may have gained access to client secrets for Commvault's Metallic Microsoft 365 (M365) backup SaaS solution hosted in Azure. This access could allow the threat actors to compromise Commvault's customers' M365 environments where application secrets are stored by Commvault.
The suspected campaign exploits default configurations and elevated permissions in cloud applications, making SaaS companies with weak security a prime target. The initial incident involved a zero-day vulnerability, CVE-2025-3928, in Commvault's Web Server, allowing remote, authenticated attackers to create and execute web shells. Commvault confirmed that Microsoft notified them of the unauthorized activity in February 2025, leading to an investigation and remediation efforts. Despite the breach, Commvault assured customers that there was no unauthorized access to their backup data, and they have rotated app credentials for M365 as a preventative measure. CISA has provided recommendations for users and administrators to mitigate such threats, including monitoring Entra audit logs for unauthorized modifications, reviewing Microsoft logs for suspicious activity, and implementing conditional access policies to restrict application service principal authentication to approved IP addresses. They also advise reviewing Application Registrations and Service Principals in Entra, restricting access to Commvault management interfaces, and deploying a Web Application Firewall to detect and block path-traversal attempts. These steps aim to strengthen the security posture of SaaS applications and prevent further exploitation of vulnerabilities.
Share:
References :
Classification:
@industrialcyber.co
//
A joint cybersecurity advisory has been issued by intelligence and cybersecurity agencies from multiple Western nations, including the United States, the United Kingdom, Germany, and France, warning of an aggressive cyber espionage campaign orchestrated by a Russian military cyber unit. The advisory directly implicates the Russian General Staff Main Intelligence Directorate (GRU) unit 26165, also known as APT28, Fancy Bear, and Forest Blizzard. This group has been actively targeting logistics and technology companies that are involved in providing aid to Ukraine. Their operations, ongoing for over two years, involve infiltrating networks to spy on arms shipments and logistics operations.
The GRU hackers are targeting a range of entities critical to the supply chain supporting Ukraine, including defense contractors, transport hubs like airports and ports, air traffic control systems, maritime operators, and IT service providers. Affected countries include the United States, Germany, Poland, France, Romania, Ukraine, the Netherlands, and others. The attackers not only infiltrate the main target company but also go after partners and connected firms, abusing trust relationships to spread deeper. In one instance, hackers stole credentials, gaining access to sensitive information on shipments, such as train schedules and shipping manifests. The Russian hackers are employing a mix of both established and novel tactics to breach security. These tactics include credential guessing, brute-force attacks, and spearphishing emails disguised as legitimate login pages from Western email platforms. The GRU unit is also known for exploiting IP cameras in Ukraine and bordering NATO countries, likely to gather intelligence and monitor activities. Cybersecurity agencies urge logistics entities and technology companies to enhance monitoring, proactively hunt for known tactics and indicators of compromise, and fortify their network defenses, presuming they are targets.
Share:
References :
Classification:
CISA@All CISA Advisories
//
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert regarding cyber threat activity targeting Commvault's SaaS Cloud Application (Metallic), which is hosted in Microsoft Azure. CISA believes this activity may be part of a broader campaign aimed at SaaS companies exploiting default configurations and elevated permissions in their cloud applications. This warning comes after Commvault disclosed an incident where a nation-state threat actor, later identified as Silk Typhoon, gained unauthorized access to their Azure environment in February 2025, exploiting a zero-day vulnerability (CVE-2025-3928) in the Commvault Web Server.
Commvault confirmed that the objective of the attackers was to acquire app credentials that could be used to breach companies' M365 environments. While Commvault has taken remedial actions, including rotating app credentials for M365, they emphasized that there has been no unauthorized access to customer backup data. The zero-day vulnerability, now added to CISA's Known Exploited Vulnerabilities Catalog, allows remote, authenticated attackers to create and execute web shells, posing a significant risk to affected systems. The vulnerability requires authenticated credentials in order to make use of it. To mitigate these threats, CISA recommends that users and administrators closely monitor Entra audit logs for unauthorized modifications or additions of credentials to service principals initiated by Commvault applications. They also advise reviewing Microsoft logs (Entra audit, Entra sign-in, unified audit logs) and conducting internal threat hunting. Additionally, CISA suggests implementing conditional access policies that limit authentication of application service principals to approved IP addresses within Commvault's allowlisted range, restricting access to Commvault management interfaces, and deploying a Web Application Firewall to detect and block path-traversal attempts and suspicious file uploads. For single tenant apps, implement a conditional access policy that limits authentication of an application service principal to an approved IP address that is listed within Commvault's allowlisted range of IP addresses.
Share:
References :
Classification:
|