End-of-Day report
Timeframe: Monday 19-05-2025 18:00 - Tuesday 20-05-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
News
Hazy Hawk gang exploits DNS misconfigs to hijack trusted domains
A threat actor named Hazy Hawk has been using DNS CNAME hijacking to hijack abandoned cloud endpoints of domains belonging to trusted organizations and incorporate them in large-scale scam delivery and traffic distribution systems (TDS).
https://www.bleepingcomputer.com/news/security/hazy-hawk-gang-exploits-dns-misconfigs-to-hijack-trusted-domains/
100+ Fake Chrome Extensions Found Hijacking Sessions, Stealing Credentials, Injecting Ads
An unknown threat actor has been attributed to creating several malicious Chrome Browser extensions since February 2024 that masquerade as seemingly benign utilities but incorporate covert functionality to exfiltrate data, receive commands, and execute arbitrary code.
https://thehackernews.com/2025/05/100-fake-chrome-extensions-found.html
Bypass SharePoint Restricted View to exfiltrate data using Copilot AI and more…
Overall, we've proven that although a fair amount of effort has been put into enforcing the restrictions of Restricted View, there are plenty of ways to circumvent them. Therefore, it is important for administrators and users to understand that it cannot be relied on to secure data against motivated attackers.
https://www.pentestpartners.com/security-blog/bypass-sharepoint-restricted-view-to-exfiltrate-data-using-copilot-ai-and-more/
Duping Cloud Functions: An emerging serverless attack vector
Cisco Talos built on Tenable's discovery of a Google Cloud Platform vulnerability to uncover how attackers could exploit similar techniques across AWS and Azure.
https://blog.talosintelligence.com/duping-cloud-functions-an-emerging-serverless-attack-vector/
Compromised RVTools Installer Spreading Bumblebee Malware
RVTools installer on its official site was found delivering malware. Research shows it spread Bumblebee loader. Users urged to verify downloads.
https://hackread.com/compromised-rvtools-installer-drop-bumblebee-malware/
Docker's hardened images improve security and take load off developers
With Hardened Images (DHI), Docker offers secure, lean and compliance-ready images. Participants include Microsoft, Neo4J and GitLab, among others.
https://heise.de/-10388766
Vulnerabilities
TYPO3 Security Advisories Tue. 20th May, 2025
TYPO3 has released 11 new security advisories.
https://typo3.org/help/security-advisories
Security updates for Monday
Security updates have been issued by Debian (dropbear, firefox-esr, intel-microcode, net-tools, openafs, thunderbird, and xrdp), Fedora (chromium, micropython, syslog-ng, webkitgtk, and xen), Mageia (dropbear and openssh), Oracle (.NET 9.0, kernel, libjpeg-turbo, and yelp and yelp-xsl), Red Hat (compat-openssl11, git-lfs, grafana, kernel, and osbuild and osbuild-composer), Slackware (mozilla), SUSE (cargo-c, gimp, iputils-20240905, kernel, libraw, microcode_ctl, openssh, pnpm, python311-cramjam, python311-httptools, python311-jwcrypto, python311-loguru, python311-mechanize, python311-nltk, python311-oauthlib, python311-py7zr, python311-pycapnp, python311-pyspnego, python311-pywayland, python311-suds, python311-treq, python311-ujson, python311-waitress, ruby3.4-rubygem-actionmailer, ruby3.4-rubygem-actiontext, ruby3.4-rubygem-activerecord, ruby3.4-rubygem-activestorage, ruby3.4-rubygem-fluentd, ruby3.4-rubygem-globalid, ruby3.4-rubygem-jquery-rails, ruby3.4-rubygem-kramdown, ruby3.4-rubygem-loofah, ruby3.4-rubygem-multi_xml, ruby3.4-rubygem-puma, ruby3.4-rubygem-rails, ruby3.4-rubygem-rails-html-sanitizer, ruby3.4-rubygem-sprockets, ruby3.4-rubygem-web-console, ruby3.4-rubygem-websocket-extensions, ucode-intel-20250512, and valkey), and Ubuntu (dotnet8, dotnet9, linux, linux-aws, linux-aws-6.8, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-oracle, linux, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-oracle, linux, linux-gkeop, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-fips, linux-gcp, linux-gcp-5.15, linux-gcp-fips, linux-gke, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-realtime, and linux-xilinx-zynqmp).
https://lwn.net/Articles/1021740/
Security updates for Tuesday
Security updates have been issued by Debian (firefox-esr, openjdk-11, openjdk-17, and wireless-regdb), Fedora (iputils, open-vm-tools, sfnt2woff-zopfli, and woff), Red Hat (postgresql:12), SUSE (apache2-mod_auth_openidc, brltty, helm, python-maturin, and rubygem-rack), and Ubuntu (linux-azure-fips).
https://lwn.net/Articles/1021812/
22,000 WordPress Sites Affected by Privilege Escalation Vulnerability in Motors WordPress Theme
https://www.wordfence.com/blog/2025/05/22000-wordpress-sites-affected-by-privilege-escalation-vulnerability-in-motors-wordpress-theme/
Danfoss AK-SM 8xxA Series
https://www.cisa.gov/news-events/ics-advisories/icsa-25-140-03
National Instruments Circuit Design Suite
https://www.cisa.gov/news-events/ics-advisories/icsa-25-140-02
ABUP IoT Cloud Platform
https://www.cisa.gov/news-events/ics-advisories/icsa-25-140-01