Avsnitt
-
Microsoft Entra User Lockout
Multiple organizations reported widespread alerts and account lockouts this weekend from Microsoft Entra. The issue is caused by a new feature Microsoft enabled. This feature will lock accounts if Microsoft believes that the password for the account was compromised.
https://www.bleepingcomputer.com/news/microsoft/widespread-microsoft-entra-lockouts-tied-to-new-security-feature-rollout/
https://learn.microsoft.com/en-us/entra/identity/authentication/feature-availability
Erlang/OTP SSH Exploit
An exploit was published for the Erlang/OTP SSH vulnerability. The vulnerability is easy to exploit, and the exploit and a Metasploit module allow for easy remote code execution.
https://github.com/exa-offsec/ssh_erlangotp_rce/blob/main/ssh_erlangotp_rce.rb
Sonicwall Exploited
An older command injection vulnerability is now exploited on Sonicwall devices after initially gaining access by brute-forcing credentials.
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0022
Unpatched Vulnerability in Bubble.io
An unpatched vulnerability in the no-code platform bubble.io can be used to access any project hosted on the site.
https://github.com/demon-i386/pop_n_bubble -
RedTail: Remnux and Malware Management
A description showing how to set up a malware analysis in the cloud with Remnux and Kasm. RedTail is a sample to illustrate how the environment can be used.
https://isc.sans.edu/diary/RedTail%2C%20Remnux%20and%20Malware%20Management%20%5BGuest%20Diary%5D/31868
Critical Erlang/OTP SSH Vulnerability
Researchers identified a critical vulnerability in the Erlang/OTP SSH library. Due to this vulnerability, SSH servers written in Erlang/OTP allow arbitrary remote code execution without prior authentication
https://www.openwall.com/lists/oss-security/2025/04/16/2
Brickstorm Analysis
An analysis of a recent instance of the Brickstorm backdoor. This backdoor used to be more known for infecting Linux systems, but now it also infects Windows.
https://www.nviso.eu/blog/nviso-analyzes-brickstorm-espionage-backdoor
https://blog.nviso.eu/wp-content/uploads/2025/04/NVISO-BRICKSTORM-Report.pdf
OpenAI GPT 4.1 Controversy
OpenAI released its latest model, GPT 4.1, without a safety report and guardrails to prevent malware creation.
https://opentools.ai/news/openai-stirs-controversy-with-gpt-41-release-lacking-safety-report -
Saknas det avsnitt?
-
Apple Updates
Apple released updates for iOS, iPadOS, macOS, and VisionOS. The updates fix two vulnerabilities which had already been exploited against iOS.
https://isc.sans.edu/diary/Apple%20Patches%20Exploited%20Vulnerability/31866
Oracle Updates
Oracle released it quarterly critical patch update. The update addresses 378 security vulnerabilities. Many of the critical updates are already known vulnerabilities in open-source software like Apache and Nginx ingress.
https://www.oracle.com/security-alerts/cpuapr2025.html
Oracle Breach Guidance
CISA released guidance for users affected by the recent Oracle cloud breach. The guidance focuses on the likely loss of passwords.
https://www.cisa.gov/news-events/alerts/2025/04/16/cisa-releases-guidance-credential-risks-associated-potential-legacy-oracle-cloud-compromise
Google Chrome Update
A Google Chrome update released today fixes two security vulnerabilities. One of the vulnerabilities is rated as critical.
https://chromereleases.googleblog.com/2025/04/stable-channel-update-for-desktop_15.html
CVE Updates
CISA extended MITRE s funding to operate the CVE numbering scheme. However, a number of other organizations announced that they may start alternative vulnerability registers.
https://euvd.enisa.europa.eu/
https://gcve.eu/
https://www.thecvefoundation.org/ -
Online Services Again Abused to Exfiltrate Data
Attackers like to abuse free online services that can be used to exfiltrate data. From the originals , like pastebin,
to past favorites like anonfiles.com. The latest example is gofile.io. As a defender, it is important to track these services to detect exfiltration early
https://isc.sans.edu/diary/Online%20Services%20Again%20Abused%20to%20Exfiltrate%20Data/31862
OpenSSH 10.0 Released
OpenSSH 10.0 was released. This release adds quantum-safe ciphers and the separation of authentication services into a separate binary to reduce the authentication attack surface.
https://www.openssh.com/releasenotes.html#10.0p1
Apache Roller Vulnerability
Apache Roller addressed a vulnerability. Its CVSS score of 10.0 appears inflated, but it is still a vulnerability you probably want to address.
https://lists.apache.org/thread/4j906k16v21kdx8hk87gl7663sw7lg7f
CVE Funding Changes
Mitre s government contract to operate the CVE system may run out tomorrow. This could lead to a temporary disruption of services, but the system is backed by a diverse board of directors representing many large companies. It is possible that non-government funding sources may keep the system afloat for now.
https://www.cve.org/ -
xorsearch Update
Diedier updated his "xorsearch" tool. It is now a python script, not a compiled binary, and supports Yara signatures. With Yara support also comes support for regular expressions.
https://isc.sans.edu/diary/xorsearch.py%3A%20Searching%20With%20Regexes/31854
Shorter Lived Certificates
The CA/Brower Forum passed an update to reduce the maximum livetime of
certificates. The reduction will be implemented over the next four years. EFF also released an update to certbot introducing profiles that can be used to request shorter lived certificates.
https://www.eff.org/deeplinks/2025/04/certbot-40-long-live-short-lived-certs
https://groups.google.com/a/groups.cabforum.org/g/servercert-wg/c/bvWh5RN6tYI
New Malware Harvesting Data from USB drives and infecting them.
Kaspersky is reporting that they identified new malware that not only harvests data from USB drives, but also spread via USB drives by replacing existing documents with malicious files.
https://securelist.com/goffee-apt-new-attacks/116139/ -
Exploit Attempts for Recent Langflow AI Vulnerability (CVE-2025-3248)
After spotting individaul attempts to exploit the recent Langflow vulnerability late last weeks, we now see more systematic internet wide scans attempting to verify the vulnerability.
https://isc.sans.edu/forums/diary/Exploit+Attempts+for+Recent+Langflow+AI+Vulnerability+CVE20253248/31850/
Fortinet Analysis of Threat Actor Activity
Fortinet oberved recent vulnerablities in its devices being used to add a symlink to ease future compromise. The symlink is not removed by prior patches, and Fortinet released additional updates to detect and remove this attack artifact.
https://www.fortinet.com/blog/psirt-blogs/analysis-of-threat-actor-activity
MSFT Inetpub
Microsoft clarrified that its April patches created the inetpub directory on purpose. Users should not remove it.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21204#exploitability
SANSFIRE
https://isc.sans.edu/j/sansfire -
Network Infraxploit
Our undergraduate intern, Matthew Gorman, wrote up a walk through of
CVE-2018-0171, an older Cisco vulnerability, that is still actively being
exploited. For example, VOLT TYPHOON recently exploited this problem.
https://isc.sans.edu/diary/Network+Infraxploit+Guest+Diary/31844
Windows Update Issues / Windows 10 Update
Microsoft updated its "Release Health" notes with details regarding issues
users experiences with Windows Hello, Citrix, and Roblox. Microsoft also released an emergency update for Office 2016 which has stability problems after applying the most recent update.
https://support.microsoft.com/en-us/topic/april-8-2025-kb5055523-os-build-26100-3775-277a9d11-6ebf-410c-99f7-8c61957461eb
https://learn.microsoft.com/en-us/windows/release-health/windows-message-center#3521
https://support.microsoft.com/en-us/topic/april-10-2025-update-for-office-2016-kb5002623-d60c1f31-bb7c-4426-b8f4-69186d7fc1e5
Dell Updates
Dell releases critical updates for it's Powerscale One FS product. In particular, it fixes a default password problem.
https://www.dell.com/support/kbdoc/en-us/000300860/dsa-2025-119-security-update-for-dell-powerscale-onefs-for-multiple-security-vulnerabilities
Langflow Vulnerablity (possible exploit scans sighted) CVE-2025-3248
Langflow addressed a critical vulnerability end of March. This writeup by Horizon3 demonstrates how the issue is possibly exploited. We have so far seen one "hit" in our honeypot logs for the vulnerable API endpoint URL.
https://www.horizon3.ai/attack-research/disclosures/unsafe-at-any-speed-abusing-python-exec-for-unauth-rce-in-langflow-ai/ -
Getting Past PyArmor
PyArmor is a python obfuscation tool used for malicious and non-malicious software. Xavier is taking a look at a sample to show what can be learned from these obfuscated samples with not too much work.
https://isc.sans.edu/diary/Obfuscated%20Malicious%20Python%20Scripts%20with%20PyArmor/31840
CenterStack RCE CVE-2025-30406
Gladinet s CenterStack secure file-sharing software suffers from an inadequately protected machine key vulnerability that can be used to modify ViewState data. This vulnerability may lead to remote code execution, which is already exploited.
https://gladinetsupport.s3.us-east-1.amazonaws.com/gladinet/securityadvisory-cve-2005.pdf
Google Patches two zero-day vulnerabilities CVE-2024-53150 CVE-2024-53197
Google released its monthly patches for Android. Two of the patched vulnerabilities are already exploited. One of them was used by Serbian law enforcement.
https://www.malwarebytes.com/blog/news/2025/04/google-fixes-two-actively-exploited-zero-day-vulnerabilities-in-android
Broadcom VMWare Tenzu Updates
Broadcom released updates for VMWare Tenzu. Many vulnerabilities affect the backup component and allow for arbitrary command execution.
https://support.broadcom.com/web/ecx/security-advisory?
Windows 11 April Update ads inetpub directory
The April Windows 11 update appears to create a new /inetpub directory. It is unclear why, and removing it appears to have no bad effects.
https://www.bleepingcomputer.com/news/microsoft/windows-11-april-update-unexpectedly-creates-new-inetpub-folder/
WhatsApp File Type Confusion/Spoofing
WhatsApp patched a file type confusion vulnerability. A victim may be tricked into downloading n
https://www.whatsapp.com/security/advisories/2025/
SANS Critical AI Security Guidelines
https://www.sans.org/mlp/critical-ai-security-guidelines -
Microsoft Patch Tuesday
Microsoft patched over 120 vulnerabilities this month. 11 of these were rated critical, and one vulnerability is already being exploited.
https://isc.sans.edu/diary/Microsoft%20April%202025%20Patch%20Tuesday/31838
Adobe Updates
Adobe released patches for 12 different products. In particular important are patches for Coldfusion addressing several remote code execution vulnerabilities. Adobe Commercse got patches as well, but none of the vulnerabilities are rated critical.
https://helpx.adobe.com/security/security-bulletin.html
OpenSSL 3.5 Released
OpenSSL 3.5 was released with support to post quantum ciphers. This is a long term support release.
https://groups.google.com/a/openssl.org/g/openssl-project/c/9ZYdIaExmIA
Fortiswitch Update
Fortinet released an update for Fortiswitch addressing a vulnerability that may be used to reset a password without verification.
https://fortiguard.fortinet.com/psirt/FG-IR-24-435 -
XORsearch: Searching With Regexes
Didier explains a workaround to use his tool XORsearch to search for regular expressions instead of simple strings.
https://isc.sans.edu/diary/XORsearch%3A%20Searching%20With%20Regexes/31834
MCP Security Notification: Tool Poisoning Attacks
Invariant labs summarized a critical weakness in the Model Context Protocol (MCP) that allows for "Tool Poisoning Attacks." Many major providers such as Anthropic and OpenAI, workflow automation systems like Zapier, and MCP clients like Cursor are susceptible to this attack
https://invariantlabs.ai/blog/mcp-security-notification-tool-poisoning-attacks
Making :visited more private
Google Chrome changed how links are marked as visited . This new partitioning scheme was introduced to improve privacy. Instead of marking a link as visited on any page where it is displayed, it is only marked as visited if the user clicks on the link while visiting the particular site where the link is displayed.
https://developer.chrome.com/blog/visited-links -
New SSH Username Report
A new ssh/telnet username reports makes it easier to identify new usernames attackers are using against our telnet and ssh honeypots
https://isc.sans.edu/diary/New%20SSH%20Username%20Report/31830
Quickshell Sharing is Caring: About an RCE Attack Chain on Quick Share
The Google Quick Share protocol is susceptible to several vulnerabilities that have not yet been fully patched, allowing for some file overwrite issues that could lead to the accidental execution of malicious code.
https://www.blackhat.com/asia-25/briefings/schedule/index.html#quickshell-sharing-is-caring-about-an-rce-attack-chain-on-quick-share-43874
Apache Traffic Director Request Smuggling Vulnerability
https://www.openwall.com/lists/oss-security/2025/04/02/4 -
Exploring Statistical Measures to Predict URLs as Legitimate or Intrusive
Using frequency analysis, and training the model with honeypot data as well as log data from legitimate websites allows for a fairly simple and reliable triage of web server logs to identify possible malicious activity.
https://isc.sans.edu/diary/Exploring%20Statistical%20Measures%20to%20Predict%20URLs%20as%20Legitimate%20or%20Intrusive%20%5BGuest%20Diary%5D/31822
Critical Unexploitable Ivanti Vulnerability Exploited CVE-2025-22457
In February, Ivanti patched CVE-2025-22457. At the time, the vulnerability was not considered to be exploitable. Mandiant now published a blog disclosing that the vulnerability was exploited as soon as mid-march
https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-exploiting-critical-ivanti-vulnerability/
WinRAR MotW Vulnerability CVE-2025-31334
WinRAR patched a vulnerability that would not apply the Mark of the Web correctly if a compressed file included symlinks. This may make it easier to trick a victim into executing code downloaded from a website.
https://nvd.nist.gov/vuln/detail/CVE-2025-31334
Microsoft Warns of Tax-Related Scam
With the US personal income tax filing deadline only about a week out, Microsoft warns of commonly deployed scams that they are observing related to income tax filings
https://www.microsoft.com/en-us/security/blog/2025/04/03/threat-actors-leverage-tax-season-to-deploy-tax-themed-phishing-campaigns/
Oracle Breach Update
https://www.bloomberg.com/news/articles/2025-04-02/oracle-tells-clients-of-second-recent-hack-log-in-data-stolen -
Surge in Scans for Juniper t128 Default User
Lasst week, we dedtect a significant surge in ssh scans for the username t128 . This user is used by Juniper s Session Smart Routing, a product they acquired from 128 Technologies which is the reason for the somewhat unusual username.
https://isc.sans.edu/diary/Surge%20in%20Scans%20for%20Juniper%20%22t128%22%20Default%20User/31824
Vulnerable Verizon API Allowed for Access to Call Logs
An API Verizon offered to users of its call filtering application suffered from an authentication bypass vulnerability allowing users to access any Verizon user s call history. While using a JWT to authenticate the user, the phone number used to retrieve the call history logs was passed in a not-authenticated header.
https://evanconnelly.github.io/post/hacking-call-records/
Google Offering End-to-End Encryption to G-Mail Business Users
Google will add an end-to-end encryption feature to commercial GMail users. However, for non GMail users to read the emails they first must click on a link and log in to Google.
https://workspace.google.com/blog/identity-and-security/gmail-easy-end-to-end-encryption-all-businesses -
Apple Patches Everything
Apple released updates for all of its operating systems. Most were released on Monday with WatchOS patches released today on Tuesday. Two already exploited vulnerabilities, which were already patched in the latest iOS and macOS versions, are now patched for older operating systems as well. A total of 145 vulnerabilities were patched.
https://isc.sans.edu/diary/Apple%20Patches%20Everything%3A%20March%2031st%202025%20Edition/31816
VMWare Workstation and Fusion update check broken
VMWare s automatic update check in its Workstation and Fusion products is currently broken due to a redirect added as part of the Broadcom transition
https://community.broadcom.com/vmware-cloud-foundation/question/certificate-error-is-occured-during-connecting-update-server
NIM Postgres Vulnerability
NIM Developers using prepared statements to send SQL queries to Postgres may expose themselves to a SQL injection vulnerability. NIM s Postgres library does not appear to use actual prepared statements; instead, it assembles the code and the user data as a string and passes them on to the database. This may lead to a SQL injection vulnerability
https://blog.nns.ee/2025/03/28/nim-postgres-vulnerability/ -
Apache Camel Exploit Attempt by Vulnerability Scans
A recently patched vulnerability in Apache Camel has been integrated into some vulnerability scanners, like for example OpenVAS. We do see some exploit attempts in our honeypots, but they appear to be part of internal vulnerablity scans
https://isc.sans.edu/diary/Apache%20Camel%20Exploit%20Attempt%20by%20Vulnerability%20Scan%20%28CVE-2025-27636%2C%20CVE-2025-29891%29/31814
New Security Requirements for Certificate Authorities
Starting in July, certificate authorities need to verify domain ownership data from multiple viewpoints around the internet. They will also have to use linters to verify certificate requests.
https://security.googleblog.com/2025/03/new-security-requirements-adopted-by.html
Possible Oracle Breach
Oracle still denies being the victim of a data berach as leaked data may show different.
https://doublepulsar.com/oracle-attempt-to-hide-serious-cybersecurity-incident-from-customers-in-oracle-saas-service-9231c8daff4a
https://www.theregister.com/2025/03/30/infosec_news_in_brief/
https://www.darkreading.com/cyberattacks-data-breaches/oracle-still-denies-breach-researchers-persist -
A Tale of Two Phishing Sties
Two phishing sites may use very different backends, even if the site itself appears to be visually very similar. Phishing kits are often copied and modified, leading to sites using similar visual tricks on the user facing site, but very different backends to host the sites and reporting data to the miscreant.
https://isc.sans.edu/diary/A%20Tale%20of%20Two%20Phishing%20Sites/31810
A Phihsing Tale of DOH and DNS MX Abuse
Infoblox discovered a new variant of the Meerkat phishing kit that uses DoH in Javascript to discover MX records, and generate better customized phishing pages.
https://blogs.infoblox.com/threat-intelligence/a-phishing-tale-of-doh-and-dns-mx-abuse/
Using OpenID Connect for SSH
Cloudflare opensourced it's OPKSSH too. It integrates SSO systems supporting OpenID connect with SSH.
https://github.com/openpubkey/opkssh/ -
Sitecore "thumbnailsaccesstoken" Deserialization Scans (and some new reports) CVE-2025-27218
Our honeypots detected a deserialization attack against the CMS Sitecore using a thumnailaccesstoken header. The underlying vulnerability was patched in January, and security firm Searchlight Cyber revealed details about this vulnerability a couple of weeks ago.
https://isc.sans.edu/diary/Sitecore%20%22thumbnailsaccesstoken%22%20Deserialization%20Scans%20%28and%20some%20new%20reports%29%20CVE-2025-27218/31806
Blasting Past Webp
Google s Project Zero revealed details how the NSO BLASTPASS exploit took advantage of a Webp image parsing vulnerability in iOS. This zero-click attack was employed in targeted attack back in 2023 and Apple patched the underlying vulnerability in September 2023. But this is the first byte by byte description showing how the attack worked.
https://googleprojectzero.blogspot.com/2025/03/blasting-past-webp.html
Splunk Vulnerabilities
Splunk patched about a dozen of vulnerabilities. None of them are rated critical, but a vulnerability rated High allows authenticated users to execute arbitrary code.
https://advisory.splunk.com/
Firefox 0-day Patched
Mozilla patched a sandbox escape vulnerability that is already being exploited.
https://www.mozilla.org/en-US/security/advisories/mfsa2025-19/ -
Leveraging CNNs and Entropy-Based Feature Selection to Identify Potential Malware Artifacts of Interest
This diary explores a novel methodology for classifying malware by integrating entropy-driven feature selection with a specialized Convolutional Neural Network (CNN). Motivated by the increasing obfuscation tactics used by modern malware authors, we will focus on capturing high-entropy segments within files, regions most likely to harbor malicious functionality, and feeding these distinct byte patterns into our model.
https://isc.sans.edu/diary/%5BGuest%20Diary%5D%20Leveraging%20CNNs%20and%20Entropy-Based%20Feature%20Selection%20to%20Identify%20Potential%20Malware%20Artifacts%20of%20Interest/31790
Malware found on npm infecting local package with reverse shell
Researchers at Reversinglabs found two malicious NPM packages, ethers-provider2, and ethers-providerz that patch the well known (and not malicious) ethers package to add a reverse shell and downloader.
https://www.reversinglabs.com/blog/malicious-npm-patch-delivers-reverse-shell
Google Patched Google Chrome 0-day
Google patched a vulnerability in Chrome that was already exploited in attacks against media and educational organizations in Russia
https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop_25.html -
XWiki Search Vulnerablity Exploit Attempts (CVE-2024-3721)
Our honeypot detected an increase in exploit attempts for an XWiki command injection vulnerablity. The vulnerability was patched last April, but appears to be exploited more these last couple days. The vulnerability affects the search feature and allows the attacker to inject Groovy code templates.
https://isc.sans.edu/diary/X-Wiki%20Search%20Vulnerability%20exploit%20attempts%20%28CVE-2024-3721%29/31800
Correction: FBI Image Converter Warning
The FBI's Denver office warned of online file converters, not downloadable conversion tools
https://www.fbi.gov/contact-us/field-offices/denver/news/fbi-denver-warns-of-online-file-converter-scam
VMWare Vulnerability
Broadcom released a fix for a VMWare Tools vulnerability. The vulnerability allows users of a Windows virtual machine to escalate privileges within the machine.
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25518
Draytek Reboots
Over the weekend, users started reporting Draytek routers rebooting and getting stuck in a reboot loop. Draytek now published advise as to how to fix the problem.
https://faq.draytek.com.au/docs/draytek-routers-rebooting-how-to-solve-this-issue/
Microsoft Managemnt Console Exploit CVE-2025-26633
TrendMicro released details showing how the MMC vulnerability Microsoft patched as part of its patch tuesday this month was exploited.
https://www.trendmicro.com/en_us/research/25/c/cve-2025-26633-water-gamayun.html -
Privacy Aware Bots
A botnet is using privacy as well as CSRF prevention headers to better blend in with normal browsers. However, in the process they may make it actually easier to spot them.
https://isc.sans.edu/diary/Privacy%20Aware%20Bots/31796
Critical Ingress Nightmare Vulnerability
ingress-nginx fixed four new vulnerabilities, one of which may lead to a Kubernetes cluster compromise. Note that at the time I am making this live, not all of the URLs below are available yet, but I hope they will be available shortly after publishing this podcast
https://www.darkreading.com/application-security/critical-ingressnightmare-vulns-kubernetes-environments
https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities
https://kubernetes.io/blog/
FBI Warns of File Converter Scams
File converters may include malicious ad ons. Be careful where you get your software from.
https://www.fbi.gov/contact-us/field-offices/denver/news/fbi-denver-warns-of-online-file-converter-scam
VSCode Extension Includes Ransomware
https://x.com/ReversingLabs/status/1902355043065500145 - Visa fler
