End-of-Day report
Timeframe: Wednesday 30-04-2025 18:00 - Friday 02-05-2025 18:00
Handler: Guenes Holler
Co-Handler: Michael Schlagenhaufer
News
Patch now! Attackers are once again targeting older Sonicwall vulnerabilities
Because of ongoing attacks, admins should promptly bring their Sonicwall SMA-series remote access solutions up to date. [..] Both vulnerabilities affect the SMA series SMA 200, 210, 400, 410 and 500v. The developers state that the vulnerabilities have been closed as of firmware 10.2.1.14-75sv. [..] If attacks succeed, attackers can execute malicious code. The "critical" vulnerability (CVE-2024-38475) affects the SMA component Apache HTTP Server.
https://www.heise.de/news/Jetzt-patchen-Angreifer-setzen-erneut-an-aelteren-Sonicwall-Luecken-an-10369484.html
SonicBoom, From Stolen Tokens to Remote Shells - SonicWall SMA (CVE-2023-44221, CVE-2024-38475)
Another day, another edge device being targeted - it's a typical Thursday! In today's blog post, we're excited to share our previously private analysis of the now exploited in-the-wild N-day vulnerabilities affecting SonicWall's SMA100 appliance. [..] Although this is a CVE attached to the Apache HTTP Server, it is important to note that due to how CVEs are now assigned, a separate CVE will not be assigned for SonicWall's [..] As always, we've produced a Detection Artefact Generator to demonstrate and achieve pre-auth RCE.
https://labs.watchtowr.com/sonicboom-from-stolen-tokens-to-remote-shells-sonicwall-sma100-cve-2023-44221-cve-2024-38475/
Why MFA is getting easier to bypass and what to do about it
As detailed on Thursday by Cisco Talos, an entire ecosystem has cropped up to help criminals defeat these forms of MFA.
https://arstechnica.com/security/2025/05/phishing-attacks-that-defeat-mfa-are-easier-than-ever-so-what-are-we-to-do/
Windows: Login with old passwords possible via RDP
According to Microsoft, this is a "design decision that ensures that at least one user account is able to log in, regardless of how long the system has been offline". Therefore, this behaviour does not meet the definition of a vulnerability. Microsoft has no plans to change it.
https://www.heise.de/news/Windows-Log-in-ueber-RDP-mit-widerrufenen-Passwoerten-moeglich-10370025.html
Prolific RansomHub Operation Goes Dark
The chat infrastructure and data-leak site of the notorious ransomware-as-a-service group has been inactive since March 31, according to security vendors.
https://www.darkreading.com/cyber-risk/prolific-ransomhub-operation-goes-dark
Software updates manipulated: hackers abuse IPv6 feature for cyberattacks
According to the report, Spellbinder uses an attack vector that has been known since at least 2008 and was described in detail in a 2011 blog post under the name "SLAAC attack". [..] With Spellbinder, IPv6 configurations that are normally assigned automatically via a method called SLAAC (Stateless Address Autoconfiguration) can reportedly be spoofed.
https://www.golem.de/news/softwareupdates-manipuliert-hacker-missbrauchen-ipv6-feature-fuer-cyberattacken-2505-195863.html
MintsLoader Drops GhostWeaver via Phishing, ClickFix - Uses DGA, TLS for Stealth Attacks
The malware loader known as MintsLoader has been used to deliver a PowerShell-based remote access trojan called GhostWeaver. "MintsLoader operates through a multi-stage infection chain involving obfuscated JavaScript and PowerShell scripts," Recorded Future's Insikt Group said in a report shared with The Hacker News.
https://thehackernews.com/2025/05/mintsloader-drops-ghostweaver-via.html
I StealC You: Tracking the Rapid Changes To StealC
StealC is a popular information stealer and malware downloader that has been sold since January 2023. In March 2025, StealC version 2 (V2) was introduced with key updates, including a streamlined command-and-control (C2) communication protocol and the addition of RC4 encryption (in the latest variants). The malware's payload delivery options have been expanded to include Microsoft Software Installer (MSI) packages and PowerShell scripts.
https://www.zscaler.com/blogs/security-research/i-stealc-you-tracking-rapid-changes-stealc
Using Trusted Protocols Against You: Gmail as a C2 Mechanism
Socket's Threat Research Team uncovered malicious Python packages designed to create a tunnel via Gmail. The threat actor's email is the only potential clue as to their motivation, but once the tunnel is created, the threat actor can exfiltrate data or execute commands that we may not know about through these packages.
https://socket.dev/blog/using-trusted-protocols-against-you-gmail-as-a-c2-mechanism
Vulnerabilities
Security updates for Thursday
Security updates have been issued by Debian (expat, fig2dev, firefox-esr, golang-github-gorilla-csrf, jinja2, libxml2, nagvis, qemu, request-tracker4, request-tracker5, u-boot, and vips), Fedora (firefox, giflib, and thunderbird), Mageia (imagemagick), Red Hat (thunderbird), SUSE (amber-cli, libjxl, and redis), and Ubuntu (h2o, poppler, and postgresql-10).
https://lwn.net/Articles/1019645/
Security updates for Friday
Security updates have been issued by Debian (chromium, nodejs, openjdk-17, and thunderbird), Fedora (firefox, golang-github-nvidia-container-toolkit, and thunderbird), Mageia (kernel), Oracle (ghostscript, glibc, kernel, libxslt, php:8.1, and thunderbird), SUSE (cmctl, firefox-esr, govulncheck-vulndb, java-21-openjdk, libxml2, poppler, python-h11, and redis), and Ubuntu (docker.io, ghostscript, linux-xilinx-zynqmp, and micropython).
https://lwn.net/Articles/1019869/
CISA Releases Two Industrial Control Systems Advisories
ICSA-25-121-01 KUNBUS GmbH Revolution Pi, ICSMA-25-121-01 MicroDicom DICOM Viewer
https://www.cisa.gov/news-events/alerts/2025/05/01/cisa-releases-two-industrial-control-systems-advisories
ZDI-25-267: GStreamer H265 Codec Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-25-267/
IBM Cognos Analytics: Attackers can upload malicious code
https://www.heise.de/news/IBM-Cognos-Analytics-Angreifer-koennen-Schadcode-hochladen-10369977.html
Wordfence Intelligence Weekly WordPress Vulnerability Report (April 21, 2025 to April 27, 2025)
https://www.wordfence.com/blog/2025/05/wordfence-intelligence-weekly-wordpress-vulnerability-report-april-21-2025-to-april-27-2025/
Tenable: [R1] Sensor Proxy Version 1.2.0 Fixes Multiple Vulnerabilities
https://www.tenable.com/security/tns-2025-08
f5: K000151130: GnuTLS vulnerability CVE-2024-12243
https://my.f5.com/manage/s/article/K000151130