Episodes
SSH authorized_keys File
One of the most common techniques used by many bots is to add rogue keys to the authorized_keys file, implementing an SSH backdoor. Managing these files and detecting unauthorized changes is not hard and should be done if you operate Unix systems.
https://isc.sans.edu/diary/Securing%20Your%20SSH%20authorized_keys%20File/31986
REMOTE COMMAND EXECUTION ON SMARTBEDDED METEOBRIDGE (CVE-2025-4008)
The weather station software Meteobridge suffers from an easily exploitable unauthenticated remote code execution vulnerability.
https://www.onekey.com/resource/security-advisory-remote-command-execution-on-smartbedded-meteobridge-cve-2025-4008
https://forum.meteohub.de/viewtopic.php?t=18687
ManageEngine ADAuditPlus SQL Injection
Zoho patched two SQL injection vulnerabilities in its ManageEngine ADAuditPlus product.
https://www.manageengine.com/products/active-directory-audit/cve-2025-41407.html
https://www.manageengine.com/products/active-directory-audit/cve-2025-36527.html
Dero Miner Infects Containers through Docker API
Kaspersky found yet another botnet infecting Docker containers to spread crypto coin miners. The initial access happens via exposed Docker APIs.
https://securelist.com/dero-miner-infects-containers-through-docker-api/116546/

SVG Steganography
Steganography is not only limited to pixel-based images but can be used to embed messages into vector-based formats like SVG.
https://isc.sans.edu/diary/SVG%20Steganography/31978
Fortinet Vulnerability Details CVE-2025-32756
Horizon3.ai shows how it was able to find the vulnerability in Fortinet's products, and how to possibly exploit this issue. The vulnerability is already being exploited in the wild and was patched May 13th.
https://horizon3.ai/attack-research/attack-blogs/cve-2025-32756-low-rise-jeans-are-back-and-so-are-buffer-overflows/
Remote Prompt Injection in GitLab Duo Leads to Source Code Theft
An attacker may leave instructions (prompts) for GitLab Duo embedded in the source code. This could be used to exfiltrate source code and secrets or to inject malicious code into an application.
https://www.legitsecurity.com/blog/remote-prompt-injection-in-gitlab-duo

Resilient Secure Backup Connectivity for SMB/Home Users
Establishing resilient access to a home network via a second ISP may lead to unintended backdoors. Secure the access and make sure you have the visibility needed to detect abuse.
https://isc.sans.edu/diary/Resilient%20Secure%20Backup%20Connectivity%20for%20SMB%20Home%20Users/31972
BadSuccessor: Abusing dMSA to Escalate Privileges in Active Directory
An attacker with the ability to create service accounts may be able to manipulate these accounts to mark them as migrated accounts, inheriting all privileges the original account had access to.
https://www.akamai.com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory
Flaw in samlify That Opens Door to SAML Single Sign-On Bypass CVE-2025-47949
The samlify Node.js library does not verify SAML assertions correctly. It will consider the entire assertion valid, not just the original one. An attacker may use this to obtain additional privileges or authenticate as a different user.
https://www.endorlabs.com/learn/cve-2025-47949-reveals-flaw-in-samlify-that-opens-door-to-saml-single-sign-on-bypass

New Variant of Crypto Confidence Scam
Scammers are offering login credentials for what appear to be high-value crypto coin accounts. However, the goal is to trick users into paying for expensive VIP memberships to withdraw the money.
https://isc.sans.edu/diary/New%20Variant%20of%20Crypto%20Confidence%20Scam/31968
Malicious Chrome Extensions
Malicious Chrome extensions mimic popular services like VPNs to trick users into installing them. Once installed, the extensions will exfiltrate browser secrets.
https://dti.domaintools.com/dual-function-malware-chrome-extensions/
Malicious VS Code Extensions
Malicious Visual Studio Code extensions target crypto developers to trick them into installing them to exfiltrate developer secrets.
https://securitylabs.datadoghq.com/articles/mut-9332-malicious-solidity-vscode-extensions/#indicators-of-compromise

Researchers Scanning the Internet
A newish RFC, RFC 9511, suggests researchers identify themselves by adding strings to the traffic they send, or by operating web servers on machines from which the scan originates. We do offer lists of researchers and just added three new groups today.
https://isc.sans.edu/diary/Researchers%20Scanning%20the%20Internet/31964
Cloudy with a Chance of Hijacking: Forgotten DNS Records
Organizations do not always remove unused CNAME records. An attacker may take advantage of this if they are able to take possession of the now unused public cloud resource the name pointed to.
https://blogs.infoblox.com/threat-intelligence/cloudy-with-a-chance-of-hijacking-forgotten-dns-records-enable-scam-actor/
Message signature verification can be spoofed CVE-2025-47934
A vulnerability in openpgp.js may be used to spoof message signatures. openpgp.js is a popular library in systems implementing end-to-end encrypted browser applications.
https://github.com/openpgpjs/openpgpjs/security/advisories/GHSA-8qff-qr5q-5pr8

RAT Dropped By Two Layers of AutoIT Code
Xavier explains how AutoIT was used to install a remote admin tool (RAT) and how to analyse such a tool.
https://isc.sans.edu/diary/RAT%20Dropped%20By%20Two%20Layers%20of%20AutoIT%20Code/31960
RVTools compromise confirmed
Robware.net, the site behind the popular tool RVTools, has now confirmed that it was compromised. The site is currently offline.
https://www.robware.net/readMore
Trojaned Version of KeePass used to install info stealer and Cobalt Strike beacon
A backdoored version of KeePass was used to trick victims into installing Cobalt Strike and other malware. In this case, KeePass itself was not compromised and the malicious version was advertised via search engine optimization tricks.
https://labs.withsecure.com/publications/keepass-trojanised-in-advanced-malware-campaign
Procolored UV Printer Software Compromised
The official software offered by the makers of the Procolored UV printer has been compromised, and versions with malware were distributed for about half a year.
https://www.hackster.io/news/the-maker-s-toolbox-procolored-v11-pro-dto-uv-printer-review-680d491e17e3
https://www.gdatasoftware.com/blog/2025/05/38200-printer-infected-software-downloads

xorsearch.py: Python Functions
Didier's xorsearch tool now supports Python functions to filter output.
https://isc.sans.edu/diary/xorsearch.py%3A%20Python%20Functions/31858
Pwn2Own Berlin 2025
Last week's Pwn2Own contest in Berlin allowed researchers to demonstrate a number of new exploits with a large focus on privilege escalation and virtual machine escape.
https://www.zerodayinitiative.com/blog/2025/5/17/pwn2own-berlin-2025-day-three-results
Senior US Officials Impersonated in Malicious Messaging Campaign
The FBI warns of senior US officials being impersonated in text and voice messages.
https://www.ic3.gov/PSA/2025/PSA250515
Scattered Spider: TTP Evolution in 2025
Push Security provided an update on how Scattered Spider evolved. One thing they noted was that Scattered Spider takes advantage of legit dynamic domain name systems to make detection more difficult.
https://pushsecurity.com/blog/scattered-spider-ttp-evolution-in-2025/

Web Scanning SonicWall for CVE-2021-20016 - Update
Scans for SonicWall increased by an order of magnitude over the last couple of weeks. Many of the attacks appear to originate from Global Host, a low-cost virtual hosting provider.
https://isc.sans.edu/diary/Web%20Scanning%20SonicWall%20for%20CVE-2021-20016%20-%20Update/31952
Google Update Patches Exploited Chrome Flaw
Google released an update for Chrome. The update fixes two specific flaws reported by external researchers, CVE-2025-4664 and CVE-2025-4609. The first flaw is already being exploited in the wild.
https://chromereleases.googleblog.com/2025/05/stable-channel-update-for-desktop_14.html
https://x.com/slonser_/status/1919439373986107814
RVTools Bumblebee Malware Attack
Zerodaylabs published its analysis of the RV-Tools Backdoor attack. It suggests that this may not be solely a search engine optimization campaign directing victims to the malicious installer, but that the RVTools distribution site was compromised.
https://zerodaylabs.net/rvtools-bumblebee-malware/
Operation RoundPress
ESET Security wrote up a report summarizing recent XSS attacks against open-source webmail systems.
https://www.welivesecurity.com/en/eset-research/operation-roundpress/

Another day, another phishing campaign abusing google.com open redirects
Google's links from its Maps page to hotel listings suffer from an open redirect vulnerability that is actively exploited to direct users to phishing pages.
https://isc.sans.edu/diary/Another%20day%2C%20another%20phishing%20campaign%20abusing%20google.com%20open%20redirects/31950
Adobe Patches
Adobe patched 12 different applications. Of particular interest is the update to ColdFusion, which fixes several arbitrary code execution and arbitrary file read problems.
https://helpx.adobe.com/security/security-bulletin.html
Samsung Patches MagicINFO 9 Again
Samsung released a new patch for the already exploited MagicINFO 9 CMS vulnerability. While the description is identical to the patch released last August, a new CVE number is used.
https://security.samsungtv.com/securityUpdates#SVP-MAY-2025
Ivanti Patches Critical Ivanti Neurons Flaw
Ivanti released a patch for Ivanti Neurons for ITSM (on-prem only) fixing a critical authentication bypass vulnerability. Ivanti also points to its guidance to secure the underlying IIS server to make exploitation of flaws like this more difficult.

Microsoft Patch Tuesday
Microsoft patched 70-78 vulnerabilities (depending on how you count them). Five of these vulnerabilities are already being exploited. In particular, a remote code execution vulnerability in the scripting engine should be taken seriously. It requires the Microsoft Edge browser to run in Internet Explorer mode.
https://isc.sans.edu/diary/Microsoft%20Patch%20Tuesday%3A%20May%202025/31946
Security Advisory Ivanti Endpoint Manager Mobile (EPMM) May 2025 (CVE-2025-4427 and CVE-2025-4428)
Ivanti patched an authentication bypass vulnerability and a remote code execution vulnerability. The authentication bypass allows the remote code execution vulnerability to be exploited without authenticating first.
https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM?language=en_US
Fortinet Patches Exploited Vulnerability in API (CVE-2025-32756)
Fortinet patched an already exploited stack-based buffer overflow vulnerability in the API of multiple Fortinet products. The vulnerability is exploited via crafted HTTP requests.
https://fortiguard.fortinet.com/psirt/FG-IR-25-254

Apple Updates Everything
Apple patched all of its operating systems. This update ports a patch for a recently exploited vulnerability to older versions of iOS and macOS.
https://isc.sans.edu/diary/31942
It Is 2025, And We Are Still Dealing With Default IoT Passwords And Stupid 2013 Router Vulnerabilities
Versions of the Mirai botnet are attacking devices made by Unipi Technology. These devices are using a specific username and password combination. In addition, this version of the Mirai botnet will also attempt exploits against an old Netgear vulnerability.
https://isc.sans.edu/diary/It%20Is%202025%2C%20And%20We%20Are%20Still%20Dealing%20With%20Default%20IoT%20Passwords%20And%20Stupid%202013%20Router%20Vulnerabilities/31940
Output Messenger Vulnerability
The internal messenger application Output Messenger is currently used in sophisticated attacks. Attackers are exploiting a path traversal vulnerability that has not been fixed.
https://www.outputmessenger.com/cve-2025-27920/
Commvault Correction
Commvault's patch indeed fixes the recent vulnerability. The Pioneer Release that Will Dormann used to experiment will only offer patches after it has been registered, which led to an error when assessing the patch's efficacy.
https://www.darkreading.com/application-security/commvault-patch-works-as-intended

Steganography Challenge
Didier revealed the solution to last weekend's cryptography challenge. The image used the same encoding scheme as Didier described before, but the columns and rows were transposed.
https://isc.sans.edu/forums/diary/Steganography%20Challenge%3A%20My%20Solution/31912/
FBI Warns of End-of-life routers
The FBI is tracking larger botnets taking advantage of unpatched routers. Many of these routers are end-of-life, and no patches are available for the exploited vulnerabilities. The attackers are turning the devices into proxies, which are resold for various criminal activities.
https://www.ic3.gov/PSA/2025/PSA250507
ASUS Driverhub Vulnerability
ASUS Driverhub software does not properly check the origin of HTTP requests, allowing a CSRF attack from any website leading to arbitrary code execution.
https://mrbruh.com/asusdriverhub/
RV-Tools SEO Poisoning
Varonis Threat Labs observed SEO poisoning being used to trick system administrators into installing a malicious version of RV Tools. The malicious version includes a remote access tool leading to the theft of credentials.
https://www.varonis.com/blog/seo-poisoning#initial-access-and-persistence

No Internet Access: SSH to the Rescue
If faced with restrictive outbound network access policies, a single inbound SSH connection can quickly be turned into a tunnel or a full-blown VPN.
https://isc.sans.edu/diary/No%20Internet%20Access%3F%20SSH%20to%20the%20Rescue!/31932
Samsung MagicINFO 9 Server Flaw Still Exploitable
The Samsung MagicINFO 9 Server vulnerability we found being exploited last week is apparently still not completely patched, and current versions are vulnerable to the exploit observed in the wild.
https://www.huntress.com/blog/rapid-response-samsung-magicinfo9-server-flaw
Bring Your Own Installer: Bypassing SentinelOne Through Agent Version Change Interruption
SentinelOne's installer is vulnerable to an exploit allowing attackers to shut down the endpoint protection software.
https://www.aon.com/en/insights/cyber-labs/bring-your-own-installer-bypassing-sentinelone
Commvault Still Exploitable
A recent patch for Commvault is apparently ineffective, and the PoC exploit published by watchTowr is still working against up-to-date, patched systems.
https://infosec.exchange/@wdormann/114458913006792356

Example of Modular Malware
Xavier analyzes modular malware that downloads DLLs from GitHub if specific features are required. In particular, the webcam module is inspected in detail.
https://isc.sans.edu/diary/Example%20of%20%22Modular%22%20Malware/31928
Sysaid XXE Vulnerabilities
IT Service Management Software Sysaid patched a number of XXE vulnerabilities. Without authentication, an attacker is able to obtain confidential data and completely compromise the system. watchTowr published a detailed analysis of the flaws including exploit code.
https://labs.watchtowr.com/sysowned-your-friendly-rce-support-ticket/
Cisco IOS XE Wireless Controller Software Arbitrary File Upload Vulnerability
Cisco patched a vulnerability in its wireless controller software that may be used to not only upload files but also execute code as root without authentication.
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wlc-file-uplpd-rHZG9UfC
Unifi Protect Camera Vulnerability
Ubiquiti patched a vulnerability in its Protect camera firmware, fixing a buffer overflow flaw.
https://community.ui.com/releases/Security-Advisory-Bulletin-047-047/cef86c37-7421-44fd-b251-84e76475a5bc

Python InfoStealer with Embedded Phishing Webserver
Didier found an interesting infostealer that, in addition to implementing typical infostealer functionality, includes a web server suitable to create local phishing sites.
https://isc.sans.edu/diary/Python%20InfoStealer%20with%20Embedded%20Phishing%20Webserver/31924
Android Update Fixes Freetype 0-Day
Google released its monthly Android update. As part of the update, it patched a vulnerability in Freetype that is already being exploited. Android is not alone in using Freetype. Freetype is a very commonly used library to parse fonts like Truetype fonts.
https://source.android.com/docs/security/bulletin/2025-05-01
CISA Warns of Unsophisticated Cyber Actors
CISA released a report with an interesting title, warning operators of operational technology networks of ubiquitous attacks by unsophisticated actors. It emphasizes how important it is to not forget basic security measures to defend against these attacks.
https://www.cisa.gov/news-events/alerts/2025/05/06/unsophisticated-cyber-actors-targeting-operational-technology

Mirai Now Exploits Samsung MagicINFO CMS CVE-2024-7399
The Mirai botnet added a new vulnerability to its arsenal. This vulnerability, a file upload and remote code execution vulnerability in Samsung's MagicINFO 9 CMS, was patched last August but attracted new attention last week after being mostly ignored so far.
https://isc.sans.edu/diary/Mirai+Now+Exploits+Samsung+MagicINFO+CMS+CVE20247399/31920
New Kali Linux Signing Key
The Kali Linux maintainers lost access to the secret key used to sign packages. Users must install a new key that will be used going forward.
https://www.kali.org/blog/new-kali-archive-signing-key/
The Risk of Default Configuration: How Out-of-the-Box Helm Charts Can Breach Your Cluster
Many out-of-the-box Helm charts for Kubernetes applications deploy vulnerable configurations with exposed ports and no authentication.
https://techcommunity.microsoft.com/blog/microsoftdefendercloudblog/the-risk-of-default-configuration-how-out-of-the-box-helm-charts-can-breach-your/4409560

Steganography Challenge
Didier published a fun steganography challenge. A solution will be offered on Saturday.
https://isc.sans.edu/diary/Steganography+Challenge/31910
Microsoft Makes Passkeys Default Authentication Method
Microsoft is now encouraging new users to use Passkeys as the default and only login method, further moving away from passwords.
https://www.microsoft.com/en-us/security/blog/2025/05/01/pushing-passkeys-forward-microsofts-latest-updates-for-simpler-safer-sign-ins/
Microsoft Authenticator Autofill Changes
Microsoft will no longer support the use of Microsoft Authenticator as a password safe. Instead, it will move users to the password prefill feature built into Microsoft Edge. This change will start in June and should be completed in August, at which point you must have moved your credentials out of Microsoft Authenticator.
https://support.microsoft.com/en-gb/account-billing/changes-to-microsoft-authenticator-autofill-09fd75df-dc04-4477-9619-811510805ab6
Backdoor found in popular e-commerce components
SANSEC identified several backdoored Magento e-commerce components. These backdoors were installed as far back as 2019 but only recently activated, at which point they became known. Affected vendors dispute any compromise at this point.
https://sansec.io/research/license-backdoor

Steganography Analysis With pngdump.py: Bitstreams
More details from Didier as to how to extract binary content hidden inside images.
https://isc.sans.edu/diary/Steganography%20Analysis%20With%20pngdump.py%3A%20Bitstreams/31904
Using Trusted Protocols Against You: Gmail as a C2 Mechanism
Attackers are using typosquatting to trick developers into installing malicious Python packages. These Python packages will use Gmail as a command and control channel by sending email to hard-coded Gmail accounts.
https://socket.dev/blog/using-trusted-protocols-against-you-gmail-as-a-c2-mechanism
Security Brief: French BEC Threat Actor Targets Property Payments
A French business email compromise threat actor is targeting property management firms to send emails to tenants, tricking them into sending rent payments to fake bank accounts.
https://www.proofpoint.com/us/blog/threat-insight/security-brief-french-bec-threat-actor-targets-property-payments
SANS.edu Research Journal
https://isc.sans.edu/j/research

Web Scanning for Sonicwall Vulnerabilities CVE-2021-20016
For the last week, scans for Sonicwall API login and domain endpoints have skyrocketed. These attacks may be exploiting an older vulnerability or just attempting to brute force credentials.
https://isc.sans.edu/diary/Web%20Scanning%20Sonicwall%20for%20CVE-2021-20016/31906
The Wizards APT Group SLAAC Spoofing Adversary in the Middle Attacks
ESET published an article with details regarding an IPv6-linked attack they have observed. Attackers use router advertisements to inject fake recursive DNS servers that are used to inject IP addresses for hostnames used to update software. This leads to the victim downloading malware instead of legitimate updates.
https://www.welivesecurity.com/en/eset-research/thewizards-apt-group-slaac-spoofing-adversary-in-the-middle-attacks/
Windows RDP Access is Possible with Old Credentials
Credential caching may lead to Windows allowing RDP logins with old credentials.
https://arstechnica.com/security/2025/04/windows-rdp-lets-you-log-in-using-revoked-passwords-microsoft-is-ok-with-that/?comments-page=1#comments

More Scans for SMS Gateways and APIs
Attackers are not just looking for SMS gateways like the scans we reported on last week, but they are also actively scanning for other ways to use APIs and add-on tools to send messages using other people's credentials.
https://isc.sans.edu/diary/More%20Scans%20for%20SMS%20Gateways%20and%20APIs/31902
AirBorne: AirPlay Vulnerabilities
Researchers at Oligo revealed over 20 weaknesses they found in Apple's implementation of the AirPlay protocol. These vulnerabilities can be abused to execute code or launch denial-of-service attacks against affected devices. Apple patched the vulnerabilities in recent updates.
https://www.oligo.security/blog/airborne