=====================
= End-of-Day report =
=====================
Timeframe: Friday 25-04-2025 18:00 − Monday 28-04-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ SAP patches actively exploited critical vulnerability out of band ∗∗∗
---------------------------------------------
Update 25.04.2025, 22:11: Criminals are already exploiting the vulnerability in the wild. Details of the attacks can be found, for example, in a blog post by Onapsis. Admins should update as soon as possible, all the more so because, according to the security researchers' analysis in that blog post, many SAP NetWeaver installations apparently use the vulnerable component.
---------------------------------------------
https://heise.de/-10361908
∗∗∗ DragonForce expands ransomware model with white-label branding scheme ∗∗∗
---------------------------------------------
The ransomware scene is re-organizing [..] DragonForce is now incentivizing ransomware actors with a distributed affiliate branding model, providing other ransomware-as-a-service (RaaS) operations a means to carry out their business without dealing with infrastructure maintenance cost and effort. A group's representative told BleepingComputer that they're purely financially motivated but also follow a moral compass and are against attacking certain healthcare organizations. [..] In exchange for using their malware and infrastructure, the developer charges affiliates a fee from received ransoms that is normally up to 30%.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/dragonforce-expands-ransomwar...
∗∗∗ Cloudflare mitigates record number of DDoS attacks in 2025 ∗∗∗
---------------------------------------------
Internet services giant Cloudflare says it mitigated a record number of DDoS attacks in 2024, recording a massive 358% year-over-year jump and a 198% quarter-over-quarter increase.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cloudflare-mitigates-record-n...
∗∗∗ VU#667211: Various GPT services are vulnerable to "Inception" jailbreak, allows for bypass of safety guardrails ∗∗∗
---------------------------------------------
Two systemic jailbreaks, affecting a number of generative AI services, were discovered. These jailbreaks can result in the bypass of safety protocols and allow an attacker to instruct the corresponding LLM to provide illicit or dangerous content. [..] These jailbreaks, while of low severity on their own, bypass the security and safety guidelines of all affected AI services, allowing an attacker to abuse them for instructions to create content on various illicit topics, such as controlled substances, weapons, phishing emails, and malware code generation.
---------------------------------------------
https://kb.cert.org/vuls/id/667211
∗∗∗ Storm-1977 Hits Education Clouds with AzureChecker, Deploys 200+ Crypto Mining Containers ∗∗∗
---------------------------------------------
Microsoft has revealed that a threat actor it tracks as Storm-1977 has conducted password spraying attacks against cloud tenants in the education sector over the past year.
---------------------------------------------
https://thehackernews.com/2025/04/storm-1977-hits-education-clouds-with.html
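Added example for the password-spraying item above (editor's code, not Microsoft's detection logic and not from the linked article): a spray tries one or two passwords against many accounts, so the signal to alert on is many distinct users failing from one source within a short window, while many failures against a single user is brute force and is deliberately not flagged. The log lines and the field layout "timestamp user source_ip result" are constructed for this example; real tenant sign-in logs use different field names and need their own parser.

```python
"""
Password-spray detection over sign-in events (added example, constructed data).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a spray from 203.0.113.7 (six accounts, one of which then
# succeeds), brute force against one account from 198.51.100.9, and a normal
# user who mistypes once from 192.0.2.5.
SAMPLE_LOG = """\
2025-04-26T09:00:01Z alice 203.0.113.7 FAILURE
2025-04-26T09:00:04Z bob 203.0.113.7 FAILURE
2025-04-26T09:00:08Z carol 203.0.113.7 FAILURE
2025-04-26T09:00:12Z dave 203.0.113.7 FAILURE
2025-04-26T09:00:15Z erin 203.0.113.7 FAILURE
2025-04-26T09:00:19Z frank 203.0.113.7 FAILURE
2025-04-26T09:00:23Z Frank 203.0.113.7 SUCCESS
2025-04-26T09:01:00Z carol 198.51.100.9 FAILURE
2025-04-26T09:01:10Z carol 198.51.100.9 FAILURE
2025-04-26T09:01:20Z carol 198.51.100.9 FAILURE
2025-04-26T09:01:30Z carol 198.51.100.9 FAILURE
2025-04-26T09:01:40Z carol 198.51.100.9 FAILURE
2025-04-26T09:01:50Z carol 198.51.100.9 FAILURE
2025-04-26T09:05:00Z alice 192.0.2.5 FAILURE
2025-04-26T09:05:10Z alice 192.0.2.5 SUCCESS
"""


def parse(text):
    """Parse the constructed format into (timestamp, user, source_ip, result), oldest first.
    Usernames are lower-cased so case variants of one account are counted once."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user.lower(), ip, result))
    events.sort()
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return {source_ip: {"users": [...], "succeeded": [...]}} for every source whose
    failed logins cover at least min_users distinct accounts inside any `window`.
    "succeeded" lists accounts that failed and later succeeded from the same source,
    i.e. the credentials the spray most likely found."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[2]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        fails = [(ts, user) for ts, user, _, result in evs if result == "FAILURE"]
        start = 0
        for end in range(len(fails)):  # sliding window over failures, oldest first
            while fails[end][0] - fails[start][0] > window:
                start += 1
            if len({u for _, u in fails[start:end + 1]}) >= min_users:
                failed_users = {u for _, u in fails}
                succeeded = {u for _, u, _, r in evs if r == "SUCCESS" and u in failed_users}
                alerts[ip] = {"users": sorted(failed_users), "succeeded": sorted(succeeded)}
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_spray(parse(SAMPLE_LOG)).items():
        print(f"spray from {ip}: {len(info['users'])} accounts tried, "
              f"succeeded for {info['succeeded'] or 'none'}")
```

The thresholds (10 minutes, 5 distinct accounts) are assumptions to tune per tenant; a slow spray spread over hours needs a longer window, and sprays rotated across many source addresses need grouping by ASN or user agent rather than by IP.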
∗∗∗ Hackers Exploit Critical Craft CMS Flaws; Hundreds of Servers Likely Compromised ∗∗∗
---------------------------------------------
Threat actors have been observed exploiting two newly disclosed critical security flaws in Craft CMS in zero-day attacks to breach servers and gain unauthorized access. [..] As of April 18, 2025, an estimated 13,000 vulnerable Craft CMS instances have been identified, out of which nearly 300 have been allegedly compromised.
---------------------------------------------
https://thehackernews.com/2025/04/hackers-exploit-critical-craft-cms.html
∗∗∗ WooCommerce Users Targeted by Fake Patch Phishing Campaign Deploying Site Backdoors ∗∗∗
---------------------------------------------
Cybersecurity researchers are warning about a large-scale phishing campaign targeting WooCommerce users with a fake security alert urging them to download a "critical patch" but deploy a backdoor instead.
---------------------------------------------
https://thehackernews.com/2025/04/woocommerce-users-targeted-by-fake.html
∗∗∗ Samsung: Android clipboard retains passwords ∗∗∗
---------------------------------------------
Samsung's Android smartphones keep copied content in the clipboard. The clipboard history occasionally also contains old, previously copied passwords. Samsung is currently evaluating the problem.
---------------------------------------------
https://heise.de/-10363941
∗∗∗ Navigating Through The Fog ∗∗∗
---------------------------------------------
An open directory associated with a ransomware affiliate, likely linked to the Fog ransomware group, was discovered in December 2024. [..] Among the tools were SonicWall Scanner for exploiting VPN credentials, DonPAPI for extracting Windows DPAPI-protected credentials, Certipy for abusing Active Directory Certificate Services (AD CS), Zer0dump, and Pachine/noPac for exploiting Active Directory vulnerabilities like CVE-2020-1472.
---------------------------------------------
https://thedfirreport.com/2025/04/28/navigating-through-the-fog/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security update: unauthorized access to VMware Spring Boot possible ∗∗∗
---------------------------------------------
Software developers use Spring Boot to build Java applications more efficiently. For attackers to exploit the vulnerability (CVE-2025-22235, rated "high"), however, several preconditions must be met. Among other things, Spring Security must be in use and configured with EndpointRequest.to().
---------------------------------------------
https://www.heise.de/news/Sicherheitsupdate-Unbefugte-Zugriffe-auf-VMware-Ta...
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (thunderbird), Debian (distro-info-data, imagemagick, kernel, libsoup2.4, and poppler), Fedora (chromium, java-1.8.0-openjdk, java-1.8.0-openjdk-portable, java-17-openjdk, java-17-openjdk-portable, java-latest-openjdk, pgadmin4, thunderbird, and xz), Mageia (haproxy and libxml2), Oracle (bluez, firefox, gnutls, libtasn1, libxslt, mod_auth_openidc:2.3, ruby:3.1, thunderbird, and xmlrpc-c), Red Hat (delve and golang, glibc, mod_auth_openidc, mod_auth_openidc:2.3, and thunderbird), SUSE (augeas, chromedriver, cifs-utils, govulncheck-vulndb, java-11-openjdk, java-21-openjdk, kyverno, libraw, opentofu, runc, subfinder, and valkey), and Ubuntu (jupyter-notebook and libxml2).
---------------------------------------------
https://lwn.net/Articles/1019212/