Daily summary - 05.03.2025

End-of-Day report

Timeframe: Tuesday 04-03-2025 18:00 - Wednesday 05-03-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Alexander Riepl

News

Text-based QR code phishing in circulation

We reported on this new approach in our 2024 newsletters; now we are also receiving direct reports of "image-less" QR code phishes. In short: the QR code is not delivered as an image file, as is usually the case, but is assembled from individual ASCII/Unicode block characters. As a result, the content encoded in the QR code can remain hidden from security solutions while still being readable by optical QR code scanners.

https://www.cert.at/de/aktuelles/2025/3/text-basiertes-qr-code-phishing-im-umlauf
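The technique described above, as an added detection example that is not from CERT.at or the original post: a heuristic that flags a mail body containing a run of consecutive lines made up almost entirely of Unicode block-element characters, which is how a text-rendered QR code appears. The thresholds and the two sample mail bodies are constructed for this example.

```python
"""Heuristic detector for QR codes rendered as text (block characters)."""
from typing import Dict

# Unicode "Block Elements" range (U+2580..U+259F) plus a few stand-ins seen
# in text-rendered QR codes. The thresholds are assumptions for this example.
BLOCK_RANGE = range(0x2580, 0x25A0)          # ▀ ▄ █ ░ ▒ ▓ ...
EXTRA_BLOCKS = set("■□▪▫#")                   # geometric shapes / ASCII '#'
MIN_LINE_LEN = 10      # a QR row has >= 21 modules, so grid lines are wide
MIN_GRID_ROWS = 8      # half-block rendering packs 2 module rows per line
MIN_BLOCK_RATIO = 0.8  # share of non-space chars that must be block chars


def is_block_char(ch: str) -> bool:
    return ord(ch) in BLOCK_RANGE or ch in EXTRA_BLOCKS


def block_ratio(line: str) -> float:
    """Fraction of non-whitespace characters on a line that are block chars."""
    chars = [c for c in line if not c.isspace()]
    if not chars:
        return 0.0
    return sum(is_block_char(c) for c in chars) / len(chars)


def find_text_qr(body: str) -> Dict[str, object]:
    """Locate the longest run of consecutive grid-like lines in a mail body."""
    best_len, best_start, run_start = 0, -1, -1
    for i, line in enumerate(body.splitlines()):
        grid_like = (len(line.strip()) >= MIN_LINE_LEN
                     and block_ratio(line) >= MIN_BLOCK_RATIO)
        if grid_like:
            if run_start < 0:
                run_start = i
            if i - run_start + 1 > best_len:
                best_len, best_start = i - run_start + 1, run_start
        else:
            run_start = -1
    return {"flagged": best_len >= MIN_GRID_ROWS,
            "rows": best_len, "first_line": best_start}


# Constructed samples: a phish that "draws" a QR code with half-block characters,
# and a benign mail whose box-drawing separator and '#' banner must not trigger.
PHISH_BODY = "Scan to view your invoice:\n\n" + "\n".join(
    ["█▀▀▀▀▀█ ▄▀ ▄ █▀▀▀▀▀█"] + ["█ ███ █ ▀▄█▀ █ ███ █"] * 9 + ["█▄▄▄▄▄█ █ ▀ ▄ █▄▄▄▄▄█"]
) + "\n\nRegards, Accounts"
BENIGN_BODY = "Hi,\n──────────\nPlease see attached.\n#### Note ####\n"

if __name__ == "__main__":
    print(find_text_qr(PHISH_BODY))   # flagged, 11 rows starting at line 2
    print(find_text_qr(BENIGN_BODY))  # not flagged
```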


Use one Virtual Machine to own them all - active exploitation of ESXicape

Yesterday, VMware quietly released patches for three ESXi zero day vulnerabilities: CVE-2025-22224, CVE-2025-22225, CVE-2025-22226. Although the advisory doesn't explicitly say it, this is a hypervisor escape (aka a VM Escape). A threat actor with access to run code on a virtual machine can chain the three vulnerabilities to elevate access to the ESX hypervisor.

https://doublepulsar.com/use-one-virtual-machine-to-own-them-all-active-exploitation-of-esxicape-0091ccc5bdfc?source=rss8343faddf0ec4


BadBox malware disrupted on 500K infected Android devices

The BadBox Android malware botnet has been disrupted again by removing 24 malicious apps from Google Play and sinkholing communications for half a million infected devices. [..] The BadBox botnet is a cyber-fraud operation targeting primarily low-cost Android-based devices like TV streaming boxes, tablets, smart TVs, and smartphones. These devices either come pre-loaded with the BadBox malware from the manufacturer or are infected by malicious apps or firmware downloads.

https://www.bleepingcomputer.com/news/security/badbox-malware-disrupted-on-500k-infected-android-devices/


Undercover miner: how YouTubers get pressed into distributing SilentCryptoMiner as a restriction bypass tool

Attackers blackmail YouTubers with complaints and account blocking threats, forcing them to distribute a miner disguised as a bypass tool.

https://securelist.com/silentcryptominer-spreads-through-blackmail-on-youtube/115788/


The Russia-Ukraine Cyber War Part 3: Attacks on Telecom and Critical Infrastructure

This post is the third part of our blog series that tackles the Russia-Ukraine war in the digital realm.

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-russia-ukraine-cyber-war-part-3-attacks-on-telecom-and-critical-infrastructure/


BAMF: Bizarre test accounts allowed unauthorized data access

Screenshots of the web application reportedly showed that an account with the user ID "max.mustermann@testtraeger.de" apparently existed in the test and integration system. The domain was reportedly still unregistered.

https://www.heise.de/news/BAMF-Skurrile-Testkonten-ermoeglichten-unautorisierten-Datenzugriff-10305691.html


Beneath the Surface: Detecting and Blocking Hidden Malicious Traffic Distribution Systems

Adversaries widely abuse TDS infrastructure to build dynamic and resilient network infrastructure for malicious web services. These redirection networks enhance resilience against takedowns and enable scaling and cloaking of malicious content.

https://unit42.paloaltonetworks.com/detect-block-malicious-traffic-distribution-systems/


CVE-2024-43639: Remote Code Execution in Microsoft Windows KDC Proxy

The following is a portion of their write-up covering CVE-2024-43639, with a few minimal modifications. [..] This vulnerability was patched by the vendor in November. To date, no attacks have been detected in the wild.

https://www.thezdi.com/blog/2025/3/3/cve-2024-43639


Scammers Mailing Ransom Letters While Posing as BianLian Ransomware

Scammers are impersonating BianLian ransomware, and mailing fake ransom letters to businesses.

https://hackread.com/scammers-mailing-ransom-letters-bianlian-ransomware/


LinkedIn Phishing Scam: Fake InMail Messages Spreading ConnectWise Trojan

Cybersecurity researchers at Cofense have recently uncovered a deceptive campaign that distributes malicious software using a spoofed LinkedIn email. [..] The fraudulent email is designed to mimic a notification for a LinkedIn InMail message, a feature that allows users to contact individuals outside of their immediate network. The email effectively leverages LinkedIn's branding, convincingly creating legitimacy.

https://hackread.com/scammers-fake-linkedin-inmail-deliver-connectwise-trojan/


GreyNoise Observes Exploitation of Three Newly Added KEV Vulnerabilities

On March 3, 2025, the Cybersecurity and Infrastructure Security Agency added five vulnerabilities to its Known Exploited Vulnerabilities catalog, confirming their exploitation in the wild. [..] CVE-2022-43939 (Authorization Bypass) & CVE-2022-43769 (Special Element Injection) Hitachi Vantara Pentaho BA Server [..] CVE-2024-4885 Progress WhatsUp Gold Path Traversal Vulnerability.

https://www.greynoise.io/blog/greynoise-observes-exploitation-three-newly-added-kev-vulnerabilities


GoStringUngarbler: Deobfuscating Strings in Garbled Binaries

In this blog post, we'll detail garble's string transformations and the process of automatically deobfuscating them.

https://cloud.google.com/blog/topics/threat-intelligence/gostringungarbler-deobfuscating-strings-in-garbled-binaries/


Trigon: developing a deterministic kernel exploit for iOS

CVE-2023-32434 was an integer overflow in the VM subsystem of the XNU kernel. It was patched in iOS 16.5.1 after being found in-the-wild as part of the Operation Triangulation spyware chain, discovered after it was used to infect a group of security researchers at Kaspersky. These researchers then captured and reverse-engineered the entire chain, leading to the patching of a WebKit bug, a kernel bug, a userspace PAC bypass and a PPL (and, technically, a KTRR) bypass. [..] This writeup simply shows the steps involved in the final, working exploit. It does not, however, convey just how many failed ideas and attempts there were during the process.

https://alfiecg.uk/2025/03/01/Trigon.html

Vulnerabilities

Security updates for Wednesday

Security updates have been issued by Debian (libreoffice), Fedora (exim and fscrypt), Red Hat (kernel), Slackware (mozilla), SUSE (docker, firefox, and podman), and Ubuntu (linux, linux-lowlatency, linux-lowlatency-hwe-5.15, linux, linux-lowlatency, linux-lowlatency-hwe-6.8, linux, linux-oem-6.11, linux-aws, linux-aws-6.8, linux-oracle, linux-oracle-6.8, linux-raspi, linux-aws, linux-gcp, linux-hwe-6.11, linux-oracle, linux-raspi, linux-realtime, linux-aws, linux-gkeop, linux-ibm, linux-intel-iotg, linux-intel-iotg-5.15, linux-oracle, linux-oracle-5.15, linux-raspi, and linux-gcp, linux-gcp-6.8, linux-gke, linux-gkeop).

https://lwn.net/Articles/1013063/


Cisco Secure Client for Windows with Secure Firewall Posture Engine DLL Hijacking Vulnerability

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-secure-dll-injection-AOyzEqSg


Cisco TelePresence Management Suite Cross-Site Scripting Vulnerability

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-tms-xss-vuln-WbTcYwxG


Security Vulnerabilities fixed in Thunderbird ESR 128.8

https://www.mozilla.org/en-US/security/advisories/mfsa2025-18/


Security Vulnerabilities fixed in Thunderbird 136

https://www.mozilla.org/en-US/security/advisories/mfsa2025-17/