Episode 87: Phish, RATs, and Rogue Routers: This Week’s Cyber Soap Opera

Contents

Commvault’s Zero-Day Drama

Harrods Joins the Cyber Hit List

The Malware Love Story You Didn’t Swipe Right On

When Your Router Turns Against You

Links

https://ismailtasdelen.medium.com/commvaults-azure-breach-a-zero-day-tale-of-webshells-and-nation-state-hackers-%EF%B8%8F-%EF%B8%8F-4d23a46467d6
https://gbhackers.com/commvault-confirms-zero-day-attack/
https://thehackernews.com/2025/05/commvault-confirms-hackers-exploited.html
https://nvd.nist.gov/vuln/detail/cve-2025-3928
https://www.commvault.com/blogs/security-advisory-march-7-2025
https://cybersecuritynews.com/harrods-store-hit-by-cyber-attack/
https://www.thetimes.co.uk/article/harrods-cyberattack-marks-and-spencer-coop-mj7vjkdkv
https://cybersecuritynews.com/nebulous-mantis-hackers-actively-deploying-romcom-rat/
https://thehackernews.com/2025/04/nebulous-mantis-targets-nato-linked.html
https://www.bleepingcomputer.com/news/security/hackers-abuse-ipv6-networking-feature-to-hijack-software-updates
https://cybersecuritynews.com/hackers-abuse-ipv6-stateless-address-for-aitm-attack/
https://thehackernews.com/2025/04/chinese-hackers-abuse-ipv6-slaac-for.html

Commvault’s Zero-Day Drama

  • Executive Summary
    • Commvault, a leading enterprise backup and data protection provider, confirmed a security breach stemming from the exploitation of a previously unknown vulnerability (CVE-2025-3928) in its web server software. A nation-state threat actor leveraged this flaw to deploy webshells and gain unauthorized access to Commvault’s Microsoft Azure-hosted environment.
  • Details
    • CVE-2025-3928
      • Commvault Web Server
      • CVSS Score 8.7/10
      • Remotely exploitable
      • Requires an authenticated attacker
      • Remote Code Execution
    • Initial Detection
      • February 20, 2025
      • Microsoft alerted Commvault to unauthorized activity.
      • Incident Response Plan Activated
      • Rotated Credentials
      • Advisory released March 7, 2025
    • Attribution
      • Nation State Actor
        • None particularly named
  • Impact
    • No customer data was compromised.
    • No material operational disruption.
    • The vulnerability is being actively exploited in the wild.
    • Added to the CISA Known Exploited Vulnerabilities (KEV) Catalog on 2025-04-28.
  • Defense
    • Update to 11.36.46, 11.32.89, 11.28.141, or 11.20.217 (the fixed build for your release line) on Windows and Linux platforms
    • Apply conditional access policies for Microsoft 365, Dynamics 365, and Azure AD apps.
      • Block the IoC IPs (though attackers rotate these)
    • Rotate client secrets every 90 days in Azure & Commvault.
    • Monitor for logins from the suspicious IoC IP addresses above.
    • Report suspicious access to Commvault Support.
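The patch advice above names one fixed build per Commvault release line, so "am I patched?" depends on which line a host runs and on comparing build numbers numerically rather than as strings. The script below is an added example (not Commvault tooling) that triages a host inventory against those four fixed builds; the hostnames and installed versions are constructed.

```python
"""Triage an inventory of Commvault hosts against the fixed builds for
CVE-2025-3928 (added example, not Commvault's own tooling). The fixed builds
are the four quoted in the advisory; the host inventory below is constructed."""

# Fixed build per release line, as listed in the advisory (line -> fixed version tuple).
FIXED_BUILDS = {
    (11, 36): (11, 36, 46),
    (11, 32): (11, 32, 89),
    (11, 28): (11, 28, 141),
    (11, 20): (11, 20, 217),
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '11.32.85' into (11, 32, 85) so comparisons are numeric, not lexical."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Commvault version string: {text!r}")
    major, minor, build = (int(p) for p in parts)
    return major, minor, build


def assess(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown-line' for one installed version."""
    installed = parse_version(version)
    fixed = FIXED_BUILDS.get(installed[:2])
    if fixed is None:
        # A line the advisory does not list: send it for manual review rather
        # than silently calling it safe.
        return "unknown-line"
    return "patched" if installed >= fixed else "vulnerable"


def triage(inventory: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Group hostnames by patch status; the result drives who gets the upgrade ticket."""
    groups: dict[str, list[str]] = {"vulnerable": [], "patched": [], "unknown-line": []}
    for host, version in inventory:
        groups[assess(version)].append(host)
    return groups


# Constructed inventory: hostnames and versions are made up for the example.
SAMPLE_INVENTORY = [
    ("cs-prod-01", "11.36.45"),
    ("cs-prod-02", "11.36.46"),
    ("cs-dr-01", "11.32.9"),    # lexically "greater" than 11.32.89, numerically far behind
    ("cs-legacy", "11.20.217"),
    ("cs-lab", "11.24.10"),     # line not covered by the advisory
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:13} {', '.join(hosts) or '-'}")
```

The "unknown-line" bucket is deliberate: a version the advisory does not mention is not evidence that the host is safe, so it is surfaced for a human rather than dropped.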

Harrods Joins the Cyber Hit List

  • Executive Summary
    • Harrods, the iconic UK luxury retailer, confirmed it was hit by a cyberattack, joining Marks & Spencer and Co-op in what experts suspect may be a coordinated assault on the UK retail sector. While Harrods’ stores and online operations remain unaffected, the company hasn’t disclosed whether customer data was compromised.
  • UK Retailer Attacks
    • The third major UK retailer affected within a week, following Marks & Spencer (M&S) and the Co-operative Group (Co-op).
  • What is known
    • Physical and online stores remain operational.
    • Harrods has not disclosed the full extent of the breach or whether customer data was compromised.
  • Trend?
    • Information Commissioner’s Office
      • reported a 40% rise in data breaches across retail
      • cybercriminals exploiting outdated software
      • weak authentication protocols.
    • Co-op shut off systems
    • M&S shut down systems
  • Defense
    • For Consumers:
      • Monitor Financial Statements: Regularly check bank and credit card statements for unauthorized transactions.
      • Update Passwords: Change passwords for online retail accounts, especially if reused across multiple platforms.
      • Enable Two-Factor Authentication (2FA): Where available, activate 2FA for an added layer of security.
    • For Businesses:
      • Conduct Security Audits: Regularly assess systems for vulnerabilities and patch known issues promptly.
      • Employee Training: Educate staff on recognizing phishing attempts and other social engineering tactics.
      • Incident Response Plan: Develop and routinely update a comprehensive incident response strategy.
      • Collaborate with Authorities: Engage with cybersecurity agencies like the NCSC for guidance and support.

The Malware Love Story You Didn’t Swipe Right On

  • Executive Summary
    • A sophisticated cyber-espionage campaign by the threat actor group Nebulous Mantis is actively deploying the RomCom Remote Access Trojan (RAT) to target organizations worldwide. The attackers use spear-phishing emails to deliver multi-stage malware.
  • Nebulous Mantis
    • Russian Speaking Group
    • spear-phishing emails that mimic trusted services
    • Their goal is stealing sensitive data, credentials, and intellectual property
    • Targets: government, military, and high-profile private sector organizations
  • Attack
    • Spear-phishing emails containing OneDrive-themed download links
      • Malicious executables hosted on platforms like Mediafire or Dropbox.
    • Injects a malicious DLL into explorer.exe
      • Survives reboots
    • Recon
      • Hostname and OS Version
      • username
      • Installed software
      • Running processes
      • Time zone, network settings
    • C2 Comms
      • Uses IPFS – InterPlanetary File System
      • IPFS is decentralized.
      • Attackers send commands and receive stolen data through this encrypted channel.
    • FUN!
      • Run remote commands
      • Upload/download files
      • Deploy additional malware
      • Steal credentials or sensitive files
      • Potentially pivot deeper into the network
    • Defense
      • Educate employees about phishing tactics and encourage reporting of suspicious emails.
      • Use application allowlisting so that only trusted applications can run.
      • Deploy advanced endpoint detection and response (EDR) solutions to identify and mitigate threats.
      • Monitor network traffic for unusual activities, such as connections to IPFS domains or unexpected data exfiltration.
      • Use Zero Trust controls, network segmentation and privilege management to limit movement on your network.
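The defense list above says to watch for connections to IPFS domains, but IPFS traffic does not always show up as an obvious hostname: it can be a public HTTP gateway, an `/ipfs/` or `/ipns/` path on any host, or a content identifier (CID) used as a subdomain. The script below is an added example (not from the Nebulous Mantis reports) that scans proxy log lines for all three signals; the log format, log lines and CIDs are constructed, and the gateway list is a starting point to extend from your own threat intel.

```python
"""Scan proxy log lines for traffic that points at IPFS: public HTTP gateways,
/ipfs/ or /ipns/ paths, and content identifiers (CIDs) in the URL.
Added example for the 'monitor for connections to IPFS domains' advice; not
from the campaign reports. Log format and log lines are constructed."""
import re
from urllib.parse import urlparse

# Well-known public IPFS HTTP gateways; extend the tuple from your own intel.
IPFS_GATEWAYS = ("ipfs.io", "dweb.link", "cloudflare-ipfs.com", "gateway.pinata.cloud", "w3s.link")

# CIDv0: 'Qm' + 44 base58btc chars. CIDv1: usually base32, starting with 'baf'.
# Heuristic pattern, deliberately loose; treat a hit as a lead, not proof.
CID_RE = re.compile(r"(?<![0-9A-Za-z])(?:Qm[1-9A-HJ-NP-Za-km-z]{44}|baf[a-z2-7]{56,})(?![0-9A-Za-z])")


def is_ipfs_gateway(host: str) -> bool:
    """Exact or subdomain match only, so 'notipfs.io' does not match 'ipfs.io'."""
    host = host.lower().rstrip(".")
    return any(host == g or host.endswith("." + g) for g in IPFS_GATEWAYS)


def ipfs_indicators(url: str) -> list[str]:
    """Return the reasons a URL looks IPFS-related (empty list means nothing found)."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    reasons = []
    if is_ipfs_gateway(host):
        reasons.append("gateway-host")
    if parsed.path.startswith(("/ipfs/", "/ipns/")):
        reasons.append("ipfs-path")
    if CID_RE.search(url):
        reasons.append("cid")
    return reasons


def scan_log(lines: list[str]) -> list[dict]:
    """Constructed proxy format: '<timestamp> <client-ip> <method> <url> <status>'."""
    hits = []
    for number, line in enumerate(lines, start=1):
        fields = line.split()
        if len(fields) < 5:
            continue  # skip blank or malformed lines rather than abort the scan
        reasons = ipfs_indicators(fields[3])
        if reasons:
            hits.append({"line": number, "client": fields[1], "url": fields[3], "reasons": reasons})
    return hits


# Constructed sample log; the CIDs are made up but follow the real CID shapes.
SAMPLE_LOG = """\
2025-04-29T10:01:02Z 10.0.0.14 GET https://www.example.com/index.html 200
2025-04-29T10:01:09Z 10.0.0.14 GET https://ipfs.io/ipfs/Qma1b2c3d4e5f6g7h8j9k1m2n3p4q5r6s7t8u9v1w2x3y4/update.bin 200
2025-04-29T10:02:11Z 10.0.0.21 GET https://bafybeigabcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrs.ipfs.dweb.link/ 200
2025-04-29T10:03:40Z 10.0.0.33 POST https://intranet.example.com/api/report 204
2025-04-29T10:04:02Z 10.0.0.14 GET https://notipfs.io/ipfs-explained.html 200
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(f"line {hit['line']}: {hit['client']} -> {hit['url']} [{', '.join(hit['reasons'])}]")
```

Each hit carries the list of reasons it fired, so an analyst can tell a gateway lookup from a CID embedded in a URL on an unrelated host; the CID regex is a shape check only, and a single match is a reason to look at the client, not a verdict.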

When Your Router Turns Against You

  • Executive Summary
    • A China-aligned APT group known as “TheWizards” has been exploiting IPv6’s Stateless Address Autoconfiguration (SLAAC) to conduct Adversary-in-the-Middle (AiTM) attacks using a tool called Spellbinder. By sending spoofed Router Advertisement messages, they redirect network traffic through attacker-controlled gateways, enabling interception of sensitive data and deployment of the WizardNet backdoor. This technique bypasses traditional IPv4-focused security measures, posing a significant threat to organizations with IPv6-enabled networks.
  • IPv6 SLAAC
    • automatic way for devices on an IPv6 network to give themselves an IP address without needing a manual setup or a DHCP server
    • How it works
      • It listens for Router Advertisement (RA) messages broadcast by routers.
      • Those RA messages tell the device:
        • “Here’s the network prefix (kind of like the area code of the IP address).”
        • “You can build your own full address by combining this prefix with your unique hardware identifier (like your MAC address).”
      • The device then self-assigns an IPv6 address and starts communicating on the network.
    • Why SLAAC
      • Cuts out the need for a DHCP server for basic address assignment.
      • Super useful in large, dynamic networks (think universities, enterprise campuses, etc.).
      • Makes IPv6 feel “plug and play.”
  • Attack
    • Devices trust Router Advertisement messages by default
    • Spellbinder tricks devices into routing traffic through a malicious gateway controlled by the attacker
      • MITM
    • They deploy WizardNet
      • C2 server communication
      • It executes .NET modules in memory
  • Defense
    • Disable IPv6: If not in use, consider disabling IPv6 to eliminate the attack vector.
    • Implement RA Guard: Deploy Router Advertisement Guard to filter out unauthorized RA messages.
    • Monitor IPv6 Traffic: Ensure security tools are configured to inspect IPv6 traffic and ICMPv6 messages.
    • Secure Update Mechanisms: Verify the integrity of software updates and employ code-signing verification.
    • Employee Training: Educate staff about the risks associated with IPv6 and the importance of network security hygiene.
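The SLAAC walk-through above (prefix from a Router Advertisement, combined with the host's hardware identifier) and the RA Guard and ICMPv6 monitoring advice in this defense list can both be shown in code. The script below is an added example, not from the Spellbinder reports: it decodes RFC 4861 Router Advertisements, derives the modified EUI-64 address a host would self-assign from one, and classifies each RA as trusted or rogue based on whether it came from the allowlisted router and announced the expected prefix, which is a host-side approximation of what RA Guard does on a switch. The router allowlist, prefix and packets are constructed.

```python
"""Decode ICMPv6 Router Advertisements, derive the SLAAC address a host would
self-assign from one, and flag RAs that do not come from the expected router
(a host-side approximation of RA Guard). Added example illustrating the SLAAC
walk-through and the RA Guard / ICMPv6 monitoring advice; not from the
Spellbinder reports. Router allowlist, prefix and packets are constructed."""
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134   # RFC 4861 message type
OPT_PREFIX_INFORMATION = 3          # RFC 4861 option type

# Constructed policy: the one legitimate router (link-local source) and the prefix it may announce.
TRUSTED_ROUTERS = {"fe80::1"}
EXPECTED_PREFIX = "2001:db8:1::/64"


def build_ra(prefix: str, router_lifetime: int = 1800) -> bytes:
    """Build a minimal RA body with one Prefix Information option (checksum left as 0)."""
    net = ipaddress.IPv6Network(prefix)
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0,
                         64, 0, router_lifetime, 0, 0)
    option = struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, net.prefixlen,
                         0xC0, 2592000, 604800, 0) + net.network_address.packed
    return header + option


def parse_ra(icmpv6: bytes) -> dict:
    """Decode the RA header and every Prefix Information option it carries."""
    if len(icmpv6) < 16 or icmpv6[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not a Router Advertisement")
    router_lifetime = struct.unpack("!H", icmpv6[6:8])[0]  # 0 means 'not a default router'
    prefixes = []
    offset = 16
    while offset + 2 <= len(icmpv6):
        opt_type, opt_len = icmpv6[offset], icmpv6[offset + 1]
        if opt_len == 0 or offset + opt_len * 8 > len(icmpv6):
            raise ValueError("malformed option (RFC 4861 says discard the packet)")
        body = icmpv6[offset + 2: offset + opt_len * 8]
        if opt_type == OPT_PREFIX_INFORMATION and opt_len == 4:
            prefix_len, prefix_bytes = body[0], body[14:30]
            prefixes.append(ipaddress.IPv6Network((prefix_bytes, prefix_len), strict=False))
        offset += opt_len * 8
    return {"router_lifetime": router_lifetime, "prefixes": prefixes}


def slaac_address(prefix: str, mac: str) -> str:
    """Modified EUI-64 (RFC 4291): flip the U/L bit of the MAC and insert ff:fe in the middle."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + iid))


def classify_ra(source: str, icmpv6: bytes) -> str:
    """'trusted', 'rogue-source' (unknown router; what RA Guard would drop) or 'rogue-prefix'."""
    ra = parse_ra(icmpv6)
    if str(ipaddress.IPv6Address(source)) not in TRUSTED_ROUTERS:
        return "rogue-source"
    if any(str(p) != EXPECTED_PREFIX for p in ra["prefixes"]):
        return "rogue-prefix"
    return "trusted"


if __name__ == "__main__":
    # Constructed traffic: one RA from the real router, one from an unknown link-local source.
    samples = [("fe80::1", build_ra(EXPECTED_PREFIX)),
               ("fe80::dead:beef", build_ra(EXPECTED_PREFIX))]
    for source, packet in samples:
        print(source, classify_ra(source, packet))
    print("host 00:11:22:33:44:55 would self-assign",
          slaac_address(EXPECTED_PREFIX, "00:11:22:33:44:55"))
```

The classification keys on the RA's link-local source because that is what a host would install as its default gateway; a switch with RA Guard makes the same decision per port, before the packet ever reaches the host. The `slaac_address` helper shows why the "plug and play" step is also the exposure: the host builds its address from whatever prefix it is told, with no check on who told it.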

