End-of-Day report
Timeframe: Tuesday 27-05-2025 18:00 - Wednesday 28-05-2025 18:00
Handler: Felician Fuchs
Co-Handler: Guenes Holler
News
GreyNoise Discovers Stealthy Backdoor Campaign Affecting Thousands of ASUS Routers
GreyNoise uncovers a stealth campaign exploiting ASUS routers, enabling persistent backdoor access via CVE-2023-39780 and unpatched techniques. Learn how attackers evade detection, how GreyNoise discovered it with AI-powered tooling, and what defenders need to know.
https://www.greynoise.io/blog/stealthy-backdoor-campaign-affecting-asus-routers
DragonForce Ransomware Strikes MSP in Supply Chain Attack
DragonForce, a ransomware "cartel" that has gained significant popularity since its debut in 2023, attacked an MSP as part of a recent supply chain attack, via known SimpleHelp bugs.
https://www.darkreading.com/application-security/dragonforce-ransomware-msp-supply-chain-attack
Zanubis in motion: Tracing the active evolution of the Android banking malware
A comprehensive historical breakdown of Zanubis changes, including RC4 and AES encryption, credentials stealing and new targets in Peru, provided by Kaspersky GReAT experts.
https://securelist.com/evolution-of-zanubis-banking-trojan-for-android/116588/
Fake Java Update Popup Found in Malicious WordPress Plugin
We recently assisted a customer who reported a persistent and concerning "Java Update" pop-up appearing on their WordPress website. This type of deceptive notification is a common tactic used by attackers to compromise website visitors. Our investigation revealed a malicious plugin operating stealthily within their WordPress environment.
https://blog.sucuri.net/2025/05/fake-java-update-popup-found-in-malicious-wordpress-plugin.html
OneDrive File Picker Flaw Provides ChatGPT and Other Web Apps Full Read Access to Users' Entire OneDrive
Oasis Security's research team uncovered a flaw in Microsoft's OneDrive File Picker that allows websites to access a user's entire OneDrive content, rather than just the specific files selected for upload via OneDrive File Picker. Researchers estimate that hundreds of apps are affected, including ChatGPT, Slack, Trello, and ClickUp, meaning millions of users may have already granted these apps access to their OneDrive.
https://www.oasis.security/resources/blog/onedrive-file-picker-security-flaw-oasis-research
Chinese spies blamed for attempted hack on Czech government network
Czech authorities said they assessed with "a high degree of certainty" that a Chinese cyber-espionage group known as APT31, Judgment Panda, Bronze Vinewood or RedBravo tried to hack into a government network.
https://therecord.media/czechia-accuses-china-cyber-espionage-apt31
New Phishing Campaign Uses DBatLoader to Drop Remcos RAT: What Analysts Need to Know
ANY.RUN analysts recently uncovered a stealthy phishing campaign delivering the Remcos RAT (Remote Access Trojan) through a loader malware known as DBatLoader. This attack chain relies on a blend of obfuscated scripts, User Account Control (UAC) bypass, and LOLBAS (Living-Off-the-Land Binaries and Scripts) abuse to stay hidden from traditional detection methods.
https://hackread.com/new-phishing-campaign-dbatloader-drop-remcos-rat/
Malware Hidden in AI Models on PyPI Targets Alibaba AI Labs Users
ReversingLabs discovers new malware hidden inside AI/ML models on PyPI, targeting Alibaba AI Labs users.
https://hackread.com/malware-ai-models-pypi-targets-alibaba-ai-labs-users/
Coordinated Cloud-Based Scanning Operation Targets 75 Known Exposure Points in One Day
On May 8, GreyNoise observed a highly coordinated reconnaissance campaign launched by 251 malicious IP addresses, all geolocated to Japan and hosted by Amazon AWS. The infrastructure and execution suggest centralized planning.
https://www.greynoise.io/blog/coordinated-cloud-based-scanning-operation-targets-75-known-exposure-points
Vulnerabilities
Security vulnerabilities: IBM Guardium Data Protection as an entry point for attackers
Multiple vulnerabilities in IBM Guardium Data Protection can lead to data leaks. Updates are available that fix them.
https://www.heise.de/news/Sicherheitsluecken-IBM-Guardium-Data-Protection-als-Einfallstor-fuer-Angreifer-10417869.html
Security updates for Wednesday
Security updates have been issued by AlmaLinux (gstreamer1-plugins-bad-free and kernel), Arch Linux (bind and varnish), Debian (glibc and syslog-ng), Fedora (microcode_ctl, mozilla-ublock-origin, nodejs20, and nodejs22), Mageia (firefox, nss, rootcerts, open-vm-tools, sqlite3, and thunderbird), Oracle (gstreamer1-plugins-bad-free, kernel, libsoup, nodejs:22, php, php:8.2, php:8.3, python-tornado, redis, and redis:7), Red Hat (libsoup, pcs, and python-tornado), Slackware (mozilla), SUSE (bind, dnsdist, elemental-operator, govulncheck-vulndb, gstreamer-plugins-bad, jetty-annotations, jq, libnss_slurm2, libyelp0, mariadb, nvidia-open-driver-G06-signed, prometheus-blackbox_exporter, python-h11, python-httpcore, python-setuptools, python312, python39-setuptools, screen, sqlite3, umoci, and webkit2gtk3), and Ubuntu (cifs-utils, glibc, linux-aws, linux-intel-iotg-5.15, linux-nvidia-tegra-igx, linux-raspi, linux-aws-fips, linux-hwe-6.8, linux-lowlatency, linux-lowlatency-hwe-6.11, linux-oracle, linux-raspi, linux-raspi-5.4, and net-tools).
https://lwn.net/Articles/1022853/
Security Vulnerabilities fixed in Thunderbird 128.11
https://www.mozilla.org/en-US/security/advisories/mfsa2025-46/
Security Vulnerabilities fixed in Thunderbird 139
https://www.mozilla.org/en-US/security/advisories/mfsa2025-45/
F5: K000151516, Python urllib vulnerability CVE-2019-9947
https://my.f5.com/manage/s/article/K000151516
F5: K000151520, Python vulnerabilities CVE-2018-20852, CVE-2014-4616, and CVE-2013-7040
https://my.f5.com/manage/s/article/K000151520