Daily summary - 16.05.2025

End-of-Day report

Timeframe: Thursday 15-05-2025 18:01 - Friday 16-05-2025 18:01
Handler: Guenes Holler
Co-Handler: Michael Schlagenhaufer

News

FBI: US officials targeted in voice deepfake attacks since April

The FBI warned that cybercriminals are using AI-generated audio deepfakes to target U.S. officials in voice phishing attacks that started in April.

https://www.bleepingcomputer.com/news/security/fbi-us-officials-targeted-in-voice-deepfake-attacks-since-april/


Ransomware gangs increasingly use Skitnet post-exploitation malware

Ransomware gang members increasingly use a new malware called Skitnet ("Bossnet") to perform stealthy post-exploitation activities on breached networks. The malware has been offered for sale on underground forums such as RAMP since April 2024, but according to Prodaft researchers it only started gaining significant traction among ransomware gangs in early 2025.

https://www.bleepingcomputer.com/news/security/ransomware-gangs-increasingly-use-skitnet-post-exploitation-malware/


Understanding CSRF: Cross-site Request Forgery Explained

Cross-Site Request Forgery (CSRF, also known as Session Riding or XSRF) is an attack that makes a logged-in user's browser perform actions on a web application without the user's knowledge or consent. It abuses the trust a web application places in the browser once the user is authenticated: the browser automatically attaches the session cookie to every request aimed at the site, so an attacker who lures the victim onto a page they control (usually via a phishing email or a misleading link) can have the browser submit state-changing requests to the target. Because those requests arrive with the victim's valid session, the application cannot tell them apart from legitimate ones unless it checks something the attacker cannot supply, such as a per-session anti-CSRF token or the request's Origin header, which leaves the door open to significant security problems.

https://blog.sucuri.net/2025/05/understanding-csrf-cross-site-request-forgery-explained.html
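The following is an added example, not code from the Sucuri article: a minimal server-side handler written twice, once with the CSRF bug (authorisation on the session cookie alone) and once hardened with a synchronizer token bound to the session plus an exact Origin check, alongside the SameSite cookie attribute as defence in depth. The session id, user name, cookie name, site origin and the forged/legitimate requests are all constructed for the demo.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed server-side state for the demo: one authenticated session.
# "sess-abc123", "alice", the cookie name "session" and SITE_ORIGIN are
# assumptions made for this example.
SESSIONS = {"sess-abc123": {"user": "alice", "csrf_token": None}}
SITE_ORIGIN = "https://bank.example"


def _cookies(headers):
    """Parse a raw Cookie header into a dict (sufficient for the demo)."""
    out = {}
    for part in headers.get("Cookie", "").split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            out[name] = value
    return out


def vulnerable_transfer(request):
    """Authorises on the session cookie alone. The browser attaches that cookie
    to any POST aimed at this host, so a form on an attacker's page rides the
    victim's session: this is the CSRF bug."""
    session = SESSIONS.get(_cookies(request["headers"]).get("session"))
    if session is None:
        return 401, "not logged in"
    form = parse_qs(request["body"])
    return 200, f"{session['user']} sent {form['amount'][0]} to {form['to'][0]}"


def issue_csrf_token(session_id):
    """Synchronizer token: a random secret bound to the session and embedded in
    the legitimate form as a hidden field. A cross-site page cannot read it."""
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id]["csrf_token"] = token
    return token


def session_cookie_header(session_id):
    """Defence in depth: SameSite=Lax stops the browser attaching the cookie to
    cross-site POSTs at all; HttpOnly and Secure are standard hygiene."""
    return f"Set-Cookie: session={session_id}; HttpOnly; Secure; SameSite=Lax"


def hardened_transfer(request):
    headers = request["headers"]
    session = SESSIONS.get(_cookies(headers).get("session"))
    if session is None:
        return 401, "not logged in"
    # Check 1: the request must come from our own site. Browsers set Origin on
    # cross-site POSTs. Compare scheme://host exactly; a prefix test would
    # accept https://bank.example.evil.test.
    source = headers.get("Origin") or headers.get("Referer", "")
    parts = urlsplit(source)
    if f"{parts.scheme}://{parts.netloc}" != SITE_ORIGIN:
        return 403, "cross-site request rejected"
    # Check 2: the token in the body must equal the one bound to the session,
    # compared in constant time.
    form = parse_qs(request["body"])
    submitted = form.get("csrf_token", [""])[0]
    expected = session["csrf_token"]
    if not expected or not hmac.compare_digest(submitted.encode(), expected.encode()):
        return 403, "missing or invalid CSRF token"
    return 200, f"{session['user']} sent {form['amount'][0]} to {form['to'][0]}"


# Constructed request the victim's browser sends after visiting evil.example:
# the session cookie is attached automatically, Origin is the attacker's site.
FORGED_REQUEST = {
    "headers": {"Cookie": "session=sess-abc123", "Origin": "https://evil.example"},
    "body": "to=mallory&amount=5000",
}


def legit_request(token):
    """Constructed request submitted from the real form, carrying the hidden token."""
    return {
        "headers": {"Cookie": "session=sess-abc123", "Origin": SITE_ORIGIN},
        "body": f"to=bob&amount=100&csrf_token={token}",
    }


if __name__ == "__main__":
    print(vulnerable_transfer(FORGED_REQUEST))    # (200, 'alice sent 5000 to mallory')
    print(hardened_transfer(FORGED_REQUEST))      # (403, 'cross-site request rejected')
    tok = issue_csrf_token("sess-abc123")
    print(hardened_transfer(legit_request(tok)))  # (200, 'alice sent 100 to bob')
```

The two checks are independent: the Origin comparison alone would be bypassed by clients that omit both Origin and Referer only if the code treated an empty value as trusted (here it does not), and the token alone would still work for a request whose headers are stripped. Rotate the token per session at minimum, and on real deployments set SameSite on the cookie as well rather than relying on a single control.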


Fileless Remcos RAT Delivered via LNK Files and MSHTA in PowerShell-Based Attacks

Cybersecurity researchers have shed light on a new malware campaign that makes use of a PowerShell-based shellcode loader to deploy a remote access trojan called Remcos RAT.

https://thehackernews.com/2025/05/fileless-remcos-rat-delivered-via-lnk.html


VNC. RDP for all to see

VNC (Virtual Network Computing) is a widely deployed service in perhaps forgotten corners of legacy enterprise networks. This is mainly because it's a tried and trusted protocol that simply works; that view, however, disregards its security flaws and disadvantages in the modern age.

https://www.pentestpartners.com/security-blog/vnc-rdp-for-all-to-see/
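As an added example (not code from the Pen Test Partners post), the check a practitioner would run first against a VNC listener: parse the RFB 3.7/3.8 server hello (version banner plus the list of offered security types, per RFC 6143) and flag the weak ones, namely type 1 "None" (no authentication at all) and type 2 "VNC Authentication" (DES challenge-response with the password truncated to eight bytes, no transport encryption). The byte strings below are constructed to stand in for three kinds of server; the `probe()` helper for live hosts is an assumption about how one would drive the same parser and is not exercised offline.

```python
import socket
import struct

# RFB security type codes (RFC 6143 section 7.1.2 plus registered extensions).
SECURITY_TYPES = {1: "None", 2: "VNC Authentication", 16: "Tight", 18: "TLS", 19: "VeNCrypt"}


def parse_server_hello(data):
    """Parse the bytes an RFB 3.7/3.8 server sends before authentication: the
    12-byte version banner, then (after the client echoes a version) a 1-byte
    count and that many security-type codes. `data` is the concatenation of
    the server-sent bytes only."""
    if len(data) < 13 or not data.startswith(b"RFB ") or data[11:12] != b"\n":
        raise ValueError("not an RFB 3.x banner")
    version = (int(data[4:7]), int(data[8:11]))
    if version < (3, 7):
        raise ValueError("RFB 3.3 servers send a single U32 security type; not handled here")
    count = data[12]
    if count == 0:
        # Handshake refused: U32 length followed by a reason string.
        if len(data) < 17:
            raise ValueError("truncated refusal message")
        (length,) = struct.unpack(">I", data[13:17])
        reason = data[17:17 + length].decode("latin-1", "replace")
        return {"version": version, "types": [], "reason": reason}
    types = list(data[13:13 + count])
    if len(types) != count:
        raise ValueError("truncated security-type list")
    return {"version": version, "types": types, "reason": None}


def assess(hello):
    """Turn the offered security types into the findings a report would carry."""
    names = [SECURITY_TYPES.get(t, f"unknown({t})") for t in hello["types"]]
    findings = []
    if 1 in hello["types"]:
        findings.append("accepts security type None: no credentials, anyone reaching the port gets the desktop")
    if 2 in hello["types"]:
        findings.append("offers VNC Authentication: DES challenge-response, password truncated to 8 bytes, session unencrypted")
    if hello["reason"]:
        findings.append(f"server refused the handshake: {hello['reason']}")
    return names, findings


def probe(host, port=5900, timeout=5.0):
    """Live check against a real listener (assumed usage, not run offline):
    read the banner, agree to the server's version, read the type list."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.recv(12)
        s.sendall(banner)
        rest = s.recv(260)  # count byte + up to 255 types, or a refusal reason
    return parse_server_hello(banner + rest)


# Constructed server byte strings for three situations.
OPEN_SERVER = b"RFB 003.008\n" + bytes([2, 1, 2])        # offers None and VNC Auth
VENCRYPT_ONLY_SERVER = b"RFB 003.008\n" + bytes([1, 19])  # VeNCrypt only
REASON = b"Too many security failures"
REFUSING_SERVER = b"RFB 003.008\n" + b"\x00" + struct.pack(">I", len(REASON)) + REASON

if __name__ == "__main__":
    for label, blob in [("open", OPEN_SERVER), ("vencrypt", VENCRYPT_ONLY_SERVER), ("refusing", REFUSING_SERVER)]:
        names, findings = assess(parse_server_hello(blob))
        print(label, names, findings)
```

A server that offers only VeNCrypt or TLS is not automatically safe (the sub-type negotiated inside VeNCrypt may still be plain VNC auth), but a listener advertising type 1 or only type 2 on a routable address is the exposure the post is about, and this check finds it without ever logging in.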


Operation RoundPress

This blogpost introduces an operation that we named RoundPress, targeting high-value webmail servers with XSS vulnerabilities, and that we assess with medium confidence is run by the Sednit cyberespionage group. The ultimate goal of this operation is to steal confidential data from specific email accounts.

https://www.welivesecurity.com/en/eset-research/operation-roundpress/


Commit Stomping

Commit Stomping is a technique inspired by timestomping, a well-known anti-forensics method in offensive operations in which file timestamps are manipulated to hide the true timing of actions. In Git, Commit Stomping means altering commit timestamps (author and/or committer dates) to mislead observers about when changes were introduced.

https://blog.zsec.uk/commit-stomping/
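Added example, not code from the zsec post: the defender's side of commit stomping. Git stores two timestamps per commit, the author date (which `git commit --date` or GIT_AUTHOR_DATE overrides) and the committer date (which only GIT_COMMITTER_DATE or a rewrite changes), so a large gap between them, or a committer date earlier than the parent's, is a lead worth pulling. The input format is the output of `git log --format='%H|%at|%ct|%P'`; the sample log, hashes and timestamps below are constructed.

```python
from datetime import timedelta

# Constructed output of `git log --format='%H|%at|%ct|%P'`: hash, author time,
# committer time (Unix epochs), parent hashes. The hashes are made up.
# b2d4e9f stands for a commit made with GIT_AUTHOR_DATE set to a 2020 date while
# the committer time stayed real; a1c2d3e and 9f8e7d6 stand for commits whose
# GIT_COMMITTER_DATE was also forced, leaving committer dates out of order.
SAMPLE_LOG = """\
c3e1f0a|1747300000|1747300000|b2d4e9f
b2d4e9f|1600000000|1747299000|a1c2d3e
a1c2d3e|1747200000|1747100000|9f8e7d6
9f8e7d6|1747150000|1747150000|
"""


def parse_log(text):
    """Return {hash: {author, committer, parents}} in git log order."""
    commits = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        commit, author, committer, parents = line.split("|")
        commits[commit] = {
            "author": int(author),
            "committer": int(committer),
            "parents": parents.split(),
        }
    return commits


def find_stomped(commits, max_skew=timedelta(days=1)):
    """Flag commits whose timestamps look manipulated.

    1. author and committer dates far apart: `git commit --date` and
       GIT_AUTHOR_DATE only touch the author date, so a backdated commit
       usually leaves the real time in the committer field;
    2. committer date earlier than a parent's: a child cannot be committed
       before the commit it builds on unless GIT_COMMITTER_DATE was forced
       (or clocks differed between machines).
    Rebase, amend and cherry-pick also produce (1), so treat hits as leads
    and confirm against the reflog or the server's push log, which record
    wall-clock times the committer cannot rewrite.
    """
    findings = []
    limit = max_skew.total_seconds()
    for commit, c in commits.items():
        skew = c["committer"] - c["author"]
        if abs(skew) > limit:
            findings.append((commit, f"author/committer dates differ by {skew} s"))
        for parent in c["parents"]:
            p = commits.get(parent)
            if p is not None and c["committer"] < p["committer"]:
                findings.append((commit, f"committer date precedes parent {parent}"))
    return findings


if __name__ == "__main__":
    for commit, reason in find_stomped(parse_log(SAMPLE_LOG)):
        print(commit, reason)
```

Running it on a real repository is `git log --format='%H|%at|%ct|%P' | python3 stomp_check.py` with the sample replaced by `sys.stdin.read()`. Signed commits do not help here, since the signature covers whatever dates the author chose; only timestamps recorded outside the object store (reflog, hosting-platform push events, CI logs) are independent evidence.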

Vulnerabilities

Printer company provided infected software downloads for half a year

When Cameron Coward, the YouTuber behind the channel Serial Hobbyism, wanted to review a $6k UV printer and plugged in the USB flash drive containing the printer software, his antivirus software alerted him to a USB-spreading worm and a Floxif infection. Floxif is a file infector that attaches itself to Portable Executable (PE) files so that it can spread via network shares, removable drives such as USB flash drives, or backup storage systems.

https://feeds.feedblitz.com/~/918394763/0/gdatasecurityblog-en~Printer-company-provided-infected-software-downloads-for-half-a-year


Security updates for Friday

Security updates have been issued by AlmaLinux (.NET 8.0, .NET 9.0, kernel, kernel-rt, redis:6, and yelp and yelp-xsl), Debian (chromium), Red Hat (compat-openssl11, kernel, and thunderbird), and SUSE (nbdkit, open-vm-tools, and rustup).

https://lwn.net/Articles/1021482/


Malicious 'Checker' Packages on PyPI Probe TikTok and Instagram for Valid Accounts

We often hear about the importance of keeping data secure. Have I Been Pwned and similar websites exist to let users check whether their passwords or email addresses have appeared in public leaks. However, many people do not understand the ramifications of their own leaked data.

https://socket.dev/blog/malicious-checker-packages-on-pypi-probe-tiktok-and-instagram?utm_medium=feed