[NEWS] State Hackers Exploited 0Day to Breach US Clouds via Commvault

ExcalibuR



A new SaaS attack campaign is underway—and Commvault was just the first stop.

A sophisticated cyberattack targeting Commvault’s cloud infrastructure allowed threat actors to access customer data backed up via its Metallic service for Microsoft 365. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed the breach, linking it to malicious activity in Microsoft Azure environments.

What Happened?

  • Attackers exploited a zero-day (CVE-2025-3928) in Commvault’s web server, allowing authenticated remote users to execute web shells.
  • They stole customer secrets used to connect to M365 backups, potentially gaining access to internal corporate M365 environments.
  • The breach impacted Metallic, Commvault’s backup-as-a-service (SaaS) solution, suggesting a broader campaign against cloud providers with weak default configurations.

Key Findings

🔴 Initial Alert: Microsoft detected suspicious activity in February 2025.
🔴 Attack Method:
  • State-sponsored hackers (suspected APT) used advanced techniques to steal M365 authorization keys.
  • While backup data remained intact, some credentials were compromised.
🔴 Response:
  • Commvault rotated all M365 credentials and tightened cloud security controls.
  • The company is working with CISA and industry partners to investigate.

CISA’s Mitigation Checklist

Companies using Commvault Metallic should:
1️⃣ Monitor Entra audit logs for unauthorized credential changes.
2️⃣ Analyze Microsoft logs (Entra sign-ins, unified audit logs) for anomalies.
3️⃣ Restrict Commvault service authentication to trusted IP ranges.
4️⃣ Audit Entra app registrations with elevated privileges.
5️⃣ Limit Commvault management interfaces to secure networks only.
6️⃣ Deploy a WAF to block path traversal and suspicious file uploads.
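The checklist items on Entra logs and app registrations can be turned into a quick triage script. The following is an added example, not code from the post, CISA or Commvault. It runs over constructed sample records whose field names follow the Microsoft Graph directoryAudit / signIn shape; the trusted IP range (documentation space 203.0.113.0/24), the app name "Metallic M365 Backup", the list of elevated permissions, and the assumption that app permissions have already been resolved from GUIDs to names are all placeholders to replace with your tenant's values. The audit activity names should be checked against what your own tenant's audit log shows.

```python
"""Triage helpers for CISA checklist items 1-4: credential changes on the
backup app registration, service sign-ins from outside trusted ranges, and
app registrations holding elevated Graph permissions. All records below are
constructed for this example; they are not real tenant data."""
import ipaddress

# Assumption: the IP ranges the Commvault/Metallic service should sign in from.
# 203.0.113.0/24 is documentation space, used here as a placeholder.
TRUSTED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Entra audit activities that add or rotate credentials on an app / service principal.
# Assumption: these names match what your tenant's audit log reports; verify them.
CREDENTIAL_ACTIVITIES = {
    "Update application – Certificates and secrets management",
    "Add service principal credentials",
}

# Graph application permissions broad enough to warrant review (assumed list).
ELEVATED_PERMISSIONS = {
    "Application.ReadWrite.All",
    "Directory.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
    "Mail.ReadWrite",
}

# Constructed sample of directoryAudit records.
AUDIT_LOG = [
    {"activityDisplayName": "Update application – Certificates and secrets management",
     "activityDateTime": "2025-02-20T03:14:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "svc-commvault@example.test"}},
     "targetResources": [{"displayName": "Metallic M365 Backup"}]},
    {"activityDisplayName": "Add service principal credentials",
     "activityDateTime": "2025-02-21T01:02:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "unknown-admin@example.test"}},
     "targetResources": [{"displayName": "Metallic M365 Backup"}]},
    {"activityDisplayName": "Update user",
     "activityDateTime": "2025-02-21T09:00:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example.test"}},
     "targetResources": [{"displayName": "alice@example.test"}]},
]

# Constructed sample of service principal sign-in records.
SIGNIN_LOG = [
    {"servicePrincipalName": "Metallic M365 Backup", "ipAddress": "203.0.113.10",
     "createdDateTime": "2025-02-20T03:15:00Z"},
    {"servicePrincipalName": "Metallic M365 Backup", "ipAddress": "198.51.100.7",
     "createdDateTime": "2025-02-21T01:05:00Z"},
    {"servicePrincipalName": "Other App", "ipAddress": "198.51.100.9",
     "createdDateTime": "2025-02-21T02:00:00Z"},
]

# Assumption: app registrations exported with granted application permission
# names already resolved to strings (Graph stores them as GUIDs).
APP_REGISTRATIONS = [
    {"displayName": "Metallic M365 Backup",
     "permissions": ["Sites.Read.All", "Mail.Read", "Directory.ReadWrite.All"]},
    {"displayName": "Helpdesk Tool", "permissions": ["User.Read.All"]},
]


def actor(record):
    """Return the UPN (or app display name) that initiated an audit record."""
    by = record.get("initiatedBy") or {}
    user = by.get("user") or {}
    if user:
        return user.get("userPrincipalName", "?")
    return (by.get("app") or {}).get("displayName", "?")


def find_credential_changes(audit_log, app_name, allowed_actors):
    """Item 1: credential changes on the backup app by anyone not on the allowlist."""
    hits = []
    for rec in audit_log:
        if rec.get("activityDisplayName") not in CREDENTIAL_ACTIVITIES:
            continue
        targets = {t.get("displayName") for t in rec.get("targetResources", [])}
        if app_name in targets and actor(rec) not in allowed_actors:
            hits.append((rec["activityDateTime"], actor(rec)))
    return hits


def find_untrusted_signins(signin_log, app_name, trusted=TRUSTED_RANGES):
    """Items 2 and 3: sign-ins by the backup service principal from outside trusted ranges."""
    hits = []
    for rec in signin_log:
        if rec.get("servicePrincipalName") != app_name:
            continue
        ip = ipaddress.ip_address(rec["ipAddress"])
        if not any(ip in net for net in trusted):
            hits.append((rec["createdDateTime"], rec["ipAddress"]))
    return hits


def find_privileged_apps(apps, elevated=ELEVATED_PERMISSIONS):
    """Item 4: app registrations holding any elevated permission, with the offending ones listed."""
    return {a["displayName"]: sorted(set(a["permissions"]) & elevated)
            for a in apps if set(a["permissions"]) & elevated}


if __name__ == "__main__":
    app = "Metallic M365 Backup"
    print("credential changes:", find_credential_changes(AUDIT_LOG, app, {"svc-commvault@example.test"}))
    print("untrusted sign-ins:", find_untrusted_signins(SIGNIN_LOG, app))
    print("privileged apps:", find_privileged_apps(APP_REGISTRATIONS))
```

On the sample data the script flags the credential addition by an unexpected account, the service sign-in from outside the trusted range, and the backup app's Directory.ReadWrite.All grant. In a real tenant, feed it records exported from the Graph auditLogs endpoints and replace the placeholder ranges and names.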

Why This Matters

  • Cloud backup providers are prime targets—they hold keys to critical data.
  • Supply-chain attacks via SaaS platforms are rising, with attackers exploiting trusted integrations.
  • State-backed hackers are increasingly abusing cloud misconfigurations and zero-days.

Lesson: If you use Commvault Metallic for M365 backups, check your logs now. This might be just the first wave of a larger cloud-focused offensive.