=====================
= End-of-Day report =
=====================

Timeframe:  Monday 07-04-2025 18:00 - Tuesday 08-04-2025 18:00
Handler:    Guenes Holler
Co-Handler: Felician Fuchs

=====================
=       News        =
=====================
∗∗∗ Malicious VSCode extensions infect Windows with cryptominers ∗∗∗
---------------------------------------------
Nine VSCode extensions on Microsoft's Visual Studio Code Marketplace pose as legitimate development tools while infecting users with the XMRig cryptominer to mine Ethereum and Monero.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malicious-vscode-extensions-i...
∗∗∗ Dangerous, Windows-Hijacking Neptune RAT Scurries Into Telegram, YouTube ∗∗∗
---------------------------------------------
The malware's creators insist a new open source version of Neptune is for educational use by pen testers, but a raft of sophisticated backdoor and evasion capabilities says otherwise.
---------------------------------------------
https://www.darkreading.com/cloud-security/windows-hijacking-neptune-rat-tel...
∗∗∗ 100 Days of YARA: Writing Signatures for .NET Malware ∗∗∗
---------------------------------------------
If YARA signatures for .NET assemblies only rely on strings, they are very limited. We explore more detection opportunities, including IL code, method signature definitions and specific custom attributes. Knowledge about the underlying .NET metadata structures, tokens and streams helps to craft more precise and efficient signatures, even in cases where relevant malware samples might be unavailable.
---------------------------------------------
https://feeds.feedblitz.com/~/916366745/0/gdatasecurityblog-en~Days-of-YARA-...
∗∗∗ Attackers distributing a miner and the ClipBanker Trojan via SourceForge ∗∗∗
---------------------------------------------
Malicious actors are using SourceForge to distribute a miner and the ClipBanker Trojan while utilizing unconventional persistence techniques.
---------------------------------------------
https://securelist.com/miner-clipbanker-sourceforge-campaign/116088/
∗∗∗ Inside Black Basta: Uncovering the Secrets of a Ransomware Powerhouse ∗∗∗
---------------------------------------------
In February 2025, the cybersecurity community witnessed an unprecedented leak that exposed the internal operations of Black Basta, a prolific ransomware group.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/inside-black...
∗∗∗ Caution when selling your car: fraud with fake vehicle reports ∗∗∗
---------------------------------------------
Do you want to sell your car online? Then it can happen that potential buyers demand a vehicle report, supposedly to better assess the condition of your used car. But beware: behind this request there is often an attempt to lure you to dubious websites. These deliver fake reports and lead you into expensive cost traps.
---------------------------------------------
https://www.watchlist-internet.at/news/betrug-mit-gefaelschten-fahrzeugberic...
∗∗∗ 2025 Ransomware: Business as Usual, Business is Booming ∗∗∗
---------------------------------------------
Rapid7 Labs took a look at internal and publicly-available ransomware data for Q1 2025 and added our own insights to provide a picture of the year thus far, and what you can do now to reduce your attack surface against ransomware.
---------------------------------------------
https://www.rapid7.com/blog/post/2025/04/08/2025-ransomware-business-as-usua...
∗∗∗ PyTorch Lightning Exposes Users to Remote Code Execution via Deserialization Vulnerabilities ∗∗∗
---------------------------------------------
PyTorch Lightning, a widely adopted deep learning framework developed by Lightning AI, has been impacted by multiple critical deserialization vulnerabilities, disclosed under VU#252619. These issues affect all versions up to and including 2.4.0 and may lead to arbitrary code execution when loading untrusted model files. The vulnerabilities were reported by Kasimir Schulz of HiddenLayer and coordinated by the CERT Coordination Center (CERT/CC) at Carnegie Mellon University.
---------------------------------------------
https://socket.dev/blog/pytorch-lightning-deserialization-vulnerabilities?ut...
=====================
=  Vulnerabilities  =
=====================
∗∗∗ Espionage possible: Google patches Android vulnerabilities, some actively exploited ∗∗∗
---------------------------------------------
With the Android updates for April, Google closes more than 60 security vulnerabilities. Four of them are critical, two are already being actively exploited.
---------------------------------------------
https://www.golem.de/news/spionage-moeglich-google-patcht-teils-aktiv-ausgen...
∗∗∗ Ivanti: Security Advisory April 2025 for Ivanti EPM 2024 and EPM 2022 SU6 ∗∗∗
---------------------------------------------
Ivanti has released updates for Ivanti Endpoint Manager which address medium and high vulnerabilities. We are not aware of any customers being exploited by these vulnerabilities at the time of disclosure.
---------------------------------------------
https://forums.ivanti.com/s/article/Security-Advisory-EPM-April-2025-for-EPM...
∗∗∗ HCL: Security vulnerabilities in BigFix, DevOps and more products ∗∗∗
---------------------------------------------
To plug security holes in HCL BigFix, DevOps, Traveler and Connections, HCL Software is now providing updates. Some of the vulnerabilities are considered critical. IT managers should apply the updates promptly. HCL BigFix WebUI, the management interface for BigFix, is hit hardest. Several vulnerabilities lie in the open-source components it uses; of these, one in canvg 4.0.2 is rated critical (CVE-2025-25977, CVSS 9.8), as are two in xml-crypto (CVE-2025-29774, CVE-2025-29775, both CVSS 9.3).
---------------------------------------------
https://www.heise.de/news/HCL-Sicherheitsluecken-in-BigFix-DevOps-und-mehr-P...
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (gimp, libxslt, python3.11, python3.12, and tomcat), Debian (ghostscript and libnet-easytcp-perl), Fedora (openvpn, perl-Data-Entropy, and webkitgtk), Red Hat (python-jinja2), SUSE (giflib, pam, and xen), and Ubuntu (apache2, binutils, expat, fis-gtm, linux-azure, linux-azure-6.8, linux-nvidia-lowlatency, linux-azure, linux-azure-fde, linux-azure-5.15, linux-azure-fde-5.15, linux-azure-fips, linux-gcp-fips, linux-hwe-5.4, linux-nvidia, linux-nvidia-tegra-igx, ruby2.7, ruby3.0, ruby3.2, ruby3.3, and vim).
---------------------------------------------
https://lwn.net/Articles/1016774/
∗∗∗ ZDI-25-206: Amazon AWS CloudFormation Templates Uncontrolled Search Path Element Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-206/
∗∗∗ ZDI-25-205: Amazon AWS CloudFormation Templates Uncontrolled Search Path Element Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-205/
∗∗∗ Fortinet: No certificate name verification for fgfm connection ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-24-046
∗∗∗ Fortinet: Unverified password change via set_password endpoint ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-24-435
∗∗∗ f5 K000150744: PostgreSQL vulnerability CVE-2025-1094 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000150744
∗∗∗ f5 K000150749: Python vulnerability CVE-2024-4032 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000150749
∗∗∗ SAP Security Patch Day - April 2025 ∗∗∗
---------------------------------------------
https://redrays.io/blog/sap-security-patch-day-april-2025/