May 12, 2025 Cyber Threat Intelligence Briefing
This week’s briefing covers:
00:00 - Intro and Situational Awareness
Software Supply Chain Attack on Golang Leads to Wiper Malware
A supply-chain attack has been discovered that targeted Linux servers through malicious Golang modules posted on GitHub that mimicked legitimate modules.
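A defender-side check that illustrates the look-alike module problem described above: it parses the `require` directives of a `go.mod` and flags dependency paths that are not on a team allowlist but are suspiciously similar to one. This is an added example, not code from the briefing or from any project it mentions; the allowlist, the `go.mod` contents and the look-alike path are constructed for the demonstration.

```python
"""Flag Go module paths in a go.mod that closely resemble, but do not match,
an allowlist of trusted modules.  Added illustration of a look-alike
dependency check; every module name below is constructed, not real."""
import difflib

# Constructed allowlist: module paths the team has reviewed and trusts.
TRUSTED_MODULES = {
    "github.com/example-org/netlib",
    "github.com/example-org/cryptoutil",
    "golang.org/x/crypto",
}


def parse_go_mod_requires(text):
    """Return module paths from single-line and block-form require directives."""
    paths = []
    in_block = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("require ("):
            in_block = True
            continue
        if in_block and stripped == ")":
            in_block = False
            continue
        if in_block:
            candidate = stripped
        elif stripped.startswith("require "):
            candidate = stripped[len("require "):]
        else:
            continue
        candidate = candidate.split("//", 1)[0].strip()  # drop "// indirect" comments
        parts = candidate.split()
        if len(parts) >= 2 and parts[1].startswith("v"):
            paths.append(parts[0])
    return paths


def find_lookalikes(module_paths, trusted=TRUSTED_MODULES, threshold=0.85):
    """Return (module, closest_trusted, ratio) for every path that is absent from
    the allowlist yet at least `threshold` similar to one of its entries."""
    findings = []
    for path in module_paths:
        if path in trusted:
            continue  # exact allowlisted dependency, nothing to flag
        best, best_ratio = None, 0.0
        for known in trusted:
            ratio = difflib.SequenceMatcher(None, path, known).ratio()
            if ratio > best_ratio:
                best, best_ratio = known, ratio
        if best is not None and best_ratio >= threshold:
            findings.append((path, best, round(best_ratio, 3)))
    return findings


# Constructed go.mod: the second entry swaps "m" for "rn" in the org name.
SAMPLE_GO_MOD = """module example.com/app

go 1.22

require (
\tgithub.com/example-org/netlib v1.4.2
\tgithub.com/exarnple-org/cryptoutil v0.9.1
\tgolang.org/x/crypto v0.23.0 // indirect
)
"""

if __name__ == "__main__":
    for module, closest, ratio in find_lookalikes(parse_go_mod_requires(SAMPLE_GO_MOD)):
        print(f"LOOK-ALIKE {module} resembles trusted {closest} (ratio {ratio})")
```

The similarity threshold is deliberately high so that genuinely unrelated new dependencies are not reported; tune it against your own allowlist, and treat any finding as a prompt to verify the module's source repository and `go.sum` checksum rather than as proof of malice.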
Continued Exploitation of Critical SAP NetWeaver Vulnerability
Kroll continues to track active exploitation of CVE-2025-31324, a critical vulnerability that allows a threat actor to execute code remotely, following its reporting on this activity in previous weeks.
03:08 [CAMPAIGN] Telephone Oriented Attack Delivery Campaigns Target Legal and Financial Sectors
Key Takeaways
- KTA407 (Luna Moth, Silent Ransom) continues to use voice phishing and sophisticated lures to target the professional service industry.
- This demonstrates the trend of 'malwareless' attacks used by groups such as KTA243 (Scattered Spider) and KTA124 (LAPSUS), which leverage remote monitoring and management (RMM) tools and valid credentials to extort victims.
06:36 [CAMPAIGN] Bring Your Own Installer allowing EDR Bypass
Key Takeaways
- Aon observed an unknown threat actor bypassing SentinelOne Endpoint Detection and Response (EDR) via a flaw in its local upgrade/downgrade functionality.
- Local administrator privileges are required for the bypass to work.
- The activity was observed on a publicly facing host that had a known vulnerability exploited.
- SentinelOne has provided guidance which its customers can view by following links found here.
- Kroll Responder MDR customers do not need to take any action; Kroll applied the relevant remediation steps to managed SentinelOne instances in February.
Oligo Security Research has disclosed a major set of vulnerabilities in Apple's AirPlay Protocol and SDK, now collectively referred to as AirBorne. These flaws impact not only native Apple devices but also a wide range of third-party products that integrate AirPlay functionality.
Investigations continue into the threat group behind the backdoor.
08:32 [VULNERABILITY] Critical Remote Code Execution in Commvault Command Center (CVE-2025-34028)
A critical vulnerability has been identified in Commvault Command Center (Innovation Release) that allows unauthenticated remote attackers to potentially execute arbitrary code. It is tracked as CVE-2025-34028 and carries a CVSS score of 10. The flaw is a path traversal vulnerability reachable through ZIP file uploads.
DragonForce offers white-label services: affiliates use DragonForce tools but operate under their own brand.
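To make the bug class concrete, here is an added example of a hardened ZIP extractor beside the naive pattern it replaces. It is a generic illustration of path traversal through archive entry names and is not Commvault's code, nor does it reflect how CVE-2025-34028 is implemented or exploited; the archive, the entry names and the scratch directory are all constructed here.

```python
"""Hardened ZIP extraction: reject entries whose resolved path would land
outside the destination directory.  Added generic illustration of the
path-traversal-via-archive bug class; not code from any vendor."""
import io
import os
import tempfile
import zipfile


def build_sample_zip():
    """Constructed archive: one benign entry and one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("reports/ok.txt", "benign content\n")
        zf.writestr("../../escaped.txt", "should never be written\n")
    return buf.getvalue()


def naive_targets(zip_bytes, dest):
    """Where a naive extractor would write: os.path.join(dest, name), no check.
    Returned as paths only; nothing is written by this function."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [os.path.normpath(os.path.join(dest, i.filename)) for i in zf.infolist()]


def is_contained(dest, name):
    """True only if joining `name` onto `dest` stays inside `dest` after
    resolving '..' segments and symlinks."""
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, name))
    return target == dest_real or target.startswith(dest_real + os.sep)


def extract_safe(zip_bytes, dest):
    """Extract only entries that pass the containment check.
    Returns (accepted_names, rejected_names)."""
    accepted, rejected = [], []
    dest_real = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if os.path.isabs(name) or not is_contained(dest_real, name):
                rejected.append(name)
                continue
            target = os.path.join(dest_real, name)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            accepted.append(name)
    return accepted, rejected


def run_demo():
    """Extract the constructed archive into a scratch directory and report what
    was accepted, what was rejected, and whether the naive join would have
    escaped the destination."""
    data = build_sample_zip()
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "out")
        os.makedirs(dest)
        accepted, rejected = extract_safe(data, dest)
        ok_written = os.path.isfile(os.path.join(dest, "reports", "ok.txt"))
        naive_escapes = not naive_targets(data, dest)[1].startswith(dest + os.sep)
    return {
        "accepted": accepted,
        "rejected": rejected,
        "ok_written": ok_written,
        "naive_escapes": naive_escapes,
    }


if __name__ == "__main__":
    print(run_demo())
```

The check resolves both sides with `os.path.realpath` before comparing, so a `..` segment or a symlinked subdirectory inside the destination cannot smuggle a write outside it; matching on `dest + os.sep` rather than a bare prefix also stops `/srv/upload` from accepting `/srv/upload-evil/x`. Apply the same containment rule to any file-writing endpoint that takes user-supplied names, not only ZIP handlers.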
11:26 [RANSOMWARE] LOCKBIT Blog Defaced and Database Leaked
Key Takeaways
- On May 7, 2025, LockBit (KTA273)’s dark web infrastructure was breached and defaced with a mocking message and a link to a MySQL database dump.
- The leak exposed 20 tables of sensitive data, including 4,442 negotiation messages, 75 plaintext affiliate passwords, and nearly 60,000 Bitcoin wallet addresses.
- The breach likely occurred around April 29, 2025, and may have exploited a known PHP vulnerability (CVE-2024-4577).
- Evidence suggests that some RansomHub (KTA270) affiliates joined LockBit, and the defacement style resembled a recent Everest (KTA444) ransomware breach.
- This incident follows the 2024 Operation Cronos takedown and further damages LockBit’s credibility and affiliate trust.
13:20 [CAMPAIGN] PLAY Ransomware Activity Uptick
Key Takeaways
- The PLAY ransomware gang recently exploited the zero-day vulnerability CVE-2025-29824 in the Windows Common Log File System driver to gain SYSTEM-level privileges on targeted systems.
- After gaining access, they deployed malware to further compromise affected networks.
- Their tactics included likely initial access through exposed Cisco ASA devices, followed by privilege escalation, credential dumping and defense evasion.
- On May 5, 2025, PLAY added 11 new victims to its data leak site, eight of which were U.S.-based companies, bringing the total number of PLAY’s victims to 22.
Dive deeper:
Kroll’s Monthly Threat Intelligence Spotlight Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/cti-spotlight-trends-report
Kroll’s Q3 2024 Threat Landscape Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/q3-2023-threat-landscape-report-social-engineering
Playlist of Kroll's Weekly Cyber Threat Intelligence Briefings: Cyber Threat Intelligence Briefings
Kroll Cyber Blog: https://www.kroll.com/en/insights/publications/cyber
Kroll Cyber Threat Intelligence: https://www.kroll.com/en/services/cyber-risk/managed-security/threat-intelligence-services
Kroll Threat Intelligence Reports: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports
Kroll Responder MDR: https://www.kroll.com/en/services/cyber-risk/managed-security/kroll-responder
#krollcyber #threatintelligence #cyberthreats