End-of-Day report
Timeframe: Wednesday 14-05-2025 18:01 - Thursday 15-05-2025 18:01
Handler: Guenes Holler
Co-Handler: Michael Schlagenhaufer
News
Spies hack high-value mail servers using an exploit from yesteryear
XSS is short for cross-site scripting. Vulnerabilities result from programming errors found in webserver software that, when exploited, allow attackers to execute malicious code in the browsers of people visiting an affected website. XSS first got attention in 2005, with the creation of the Samy Worm, which knocked MySpace out of commission when it added more than one million MySpace friends to a user named Samy. XSS exploits abounded for the next decade and have gradually fizzled more recently, although this class of attacks continues now.
https://arstechnica.com/security/2025/05/spies-hack-high-value-mail-servers-using-an-exploit-from-yesteryear/
Critical Infrastructure Under Siege: OT Security Still Lags
With critical infrastructure facing constant cyber threats from the Typhoons and other corners, federal agencies and others are warning that security for the OT network, a core technology in many critical sectors, is not powered up enough.
https://www.darkreading.com/ics-ot-security/critical-infrastructure-ot-security-still-lags
Beyond the kill chain: What cybercriminals do with their money (Part 1)
Sophos X-Ops investigates what financially motivated threat actors invest their ill-gotten profits in, once the dust has settled.
https://news.sophos.com/en-us/2025/05/15/beyond-the-kill-chain-what-cybercriminals-do-with-their-money-part-1/
Technical Analysis of TransferLoader
Zscaler ThreatLabz has identified a new malware loader that we have named TransferLoader, which has been active since at least February 2025. ThreatLabz has identified three different components (a downloader, a backdoor, and a specialized loader for the backdoor) embedded in TransferLoader binaries. In addition, ThreatLabz has observed TransferLoader being used to deliver Morpheus ransomware. All components of TransferLoader share similarities including various anti-analysis techniques and code obfuscation.
https://www.zscaler.com/blogs/security-research/technical-analysis-transferloader
USA: Malicious communication devices in Chinese solar inverters
During an examination of inverters from China by experts in the USA, undocumented communication devices were found in some units. According to media reports, US energy authorities want to reassess the risk posed by these Chinese inverters.
https://www.heise.de/news/Boesartige-Kommunikationsgeraete-in-Solar-Wechselrichtern-in-den-USA-entdeckt-10384536.html
Alleged Steam hack: data leak contains SMS sending logs
An alleged data leak at the gaming platform Steam is said to contain 89 million records; an unknown party has been trying to sell them on the darknet for 5,000 US dollars since last Saturday. But the response has been muted and the sensitivity of the data is questionable.
https://heise.de/-10383892
Vulnerabilities
Drupal Security Advisories 2025-05-14
Drupal has released 7 new security advisories.
https://www.drupal.org/security
Palo Alto Networks Security Advisories 2025-05-14
Palo Alto has released 11 new security advisories.
https://security.paloaltonetworks.com/
Mozilla Foundation Security Advisories 2025-05-13
For Thunderbird 138.0.1 and Thunderbird 128.10.1.
https://www.mozilla.org/en-US/security/advisories/
Security updates for Thursday
Security updates have been issued by Debian (open-vm-tools), Fedora (dnsdist), Gentoo (Node.js and Tracker miners), Red Hat (kernel and xdg-utils), SUSE (audiofile, go1.22-openssl, go1.24, grub2, kernel-devel, openssl-1_1, openssl-3, and python311-Django), and Ubuntu (ruby-rack).
https://lwn.net/Articles/1021379/
Patchday: Holes in Intel software and drivers plugged
Attackers can attack computers with Intel hardware and software. If attacks succeed, they can, among other things, cause denial-of-service (DoS) conditions, which usually lead to crashes.
https://heise.de/-10384160
Google warns: dangerous Chrome vulnerability is being actively exploited
Several dangerous security vulnerabilities exist in the widely used Chrome web browser, one of which is already being actively exploited by attackers. Google warns of this in the release notes of an update provided on Wednesday. Not only the Windows variant of Google Chrome is affected, but also those for Mac and Linux. Users should update the browser promptly to protect themselves against possible attacks.
https://www.golem.de/news/google-warnt-gefaehrliche-chrome-luecke-wird-aktiv-ausgenutzt-2505-196219.html
Fortinet closes several holes, attacks on FortiVoice observed
CVE-2025-32756 is a critical stack-based buffer overflow vulnerability affecting multiple Fortinet products, including FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera. This flaw allows unauthenticated remote attackers to execute arbitrary code or commands via crafted HTTP requests, posing a severe security risk.
https://www.heise.de/news/Fortinet-dichtet-mehrere-Luecken-ab-Angriffe-auf-FortiVoice-beobachtet-10383506.html
WebKitGTK and WPE WebKit Security Advisory WSA-2025-0004
https://webkitgtk.org/security/WSA-2025-0004.html
Reflected cross-site scripting vulnerability in Ricoh laser printers and MFPs which implement Web Image Monitor
https://jvn.jp/en/jp/JVN20474768/
Wordfence Intelligence Weekly WordPress Vulnerability Report (May 5, 2025 to May 11, 2025)
https://www.wordfence.com/blog/2025/05/wordfence-intelligence-weekly-wordpress-vulnerability-report-may-5-2025-to-may-11-2025/