End-of-Day report
Timeframe: Wednesday 12-03-2025 18:00 - Thursday 13-03-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
News
No Project Is an Island: Why You Need SBOMs and Dependency Management
The system you develop and maintain does not exist in isolation. Providing SBOMs for our work is our way to show we care. Software is a relatively recent phenomenon. For a long time, you could credibly say for most of its existence, software was poorly understood by society and industry at large. There was ..
https://bsdly.blogspot.com/2025/03/no-project-is-island-why-you-need-sboms.html
Facebook discloses FreeType 2 flaw exploited in attacks
Facebook is warning that a FreeType vulnerability in all versions up to 2.13 can lead to arbitrary code execution, with reports that the flaw has been exploited in attacks.
https://www.bleepingcomputer.com/news/security/facebook-discloses-freetype-2-flaw-exploited-in-attacks/
Flight ticket wholesaler: cyberattack paralyzes Aerticket's booking system
After a hacker attack, Aerticket's booking system is unusable for the time being. A quick recovery is probably not to be expected.
https://www.golem.de/news/flugticketgrosshaendler-cyberangriff-legt-buchungssystem-von-aerticket-lahm-2503-194251.html
Head Mare and Twelve join forces to attack Russian entities
We analyze the activities of the Head Mare hacktivist group, which has been attacking Russian companies jointly with Twelve.
https://securelist.com/head-mare-twelve-collaboration/115887/
Phishing campaign impersonates Booking.com, delivers a suite of credential-stealing malware
Starting in December 2024, leading up to some of the busiest travel days, Microsoft Threat Intelligence identified a phishing campaign that impersonates online travel agency Booking.com and targets organizations in the hospitality industry. The campaign uses a social engineering technique called ClickFix to deliver multiple credential-stealing malware ..
https://www.microsoft.com/en-us/security/blog/2025/03/13/phishing-campaign-impersonates-booking-com-delivers-a-suite-of-credential-stealing-malware/
Medusa ransomware affiliate tried triple extortion scam - up from the usual double demand
Feds warn gang still rampant and now cracked 300+ victims around the world
A crook who distributes the Medusa ransomware tried to make a victim cough up three payments instead of the usual two, according to a government advisory on how to defend against the malware and the gangs who wield it.
https://www.theregister.com/2025/03/13/medusa_ransomware_infects_300_critical/
DeepSeek can be gently persuaded to spit out malware code
It might need polishing, but a useful find for any budding cybercrooks out there
DeepSeek's flagship R1 model is capable of generating a working keylogger and basic ransomware code, just as long as a techie is on hand to tinker with it a little.
https://www.theregister.com/2025/03/13/deepseek_malware_code/
Security vulnerabilities: Gitlab developers advise a prompt update
Important security updates have been released for the software development platform Gitlab.
https://www.heise.de/news/Sicherheitsluecken-Gitlab-Entwickler-raten-zu-zuegigem-Update-10314280.html
Security updates: root security vulnerability threatens Cisco ASR routers
The network equipment vendor Cisco has closed several vulnerabilities through which attackers can attack ASR routers, among other devices.
https://www.heise.de/news/Sicherheitsupdates-Root-Sicherheitsluecke-bedroht-Cisco-ASR-Router-10314262.html
Malicious code vulnerabilities threaten FortiOS, FortiSandbox & Co.
Several Fortinet products are attackable. Security patches provide a remedy.
https://www.heise.de/news/Schadcode-Sicherheitsluecken-bedrohen-FortiOS-FortiSandbox-Co-10314664.html
Investigating Scam Crypto Investment Platforms Using Pyramid Schemes to Defraud Victims
We identified a campaign spreading thousands of scam crypto investment platforms through websites and mobile apps, possibly through a standardized toolkit.
https://unit42.paloaltonetworks.com/fraud-crypto-platforms-campaign/
#StopRansomware: Medusa Ransomware
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint advisory to disseminate known Medusa ransomware TTPs and IOCs, identified through FBI investigations as recently as February 2025.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-071a
Signal no longer cooperating with Ukraine on Russian cyberthreats, official says
The encrypted messaging app Signal has stopped responding to requests from Ukrainian law enforcement regarding Russian cyberthreats, a Ukrainian official claimed, warning that the shift is aiding Moscow's intelligence efforts.
https://therecord.media/signal-no-longer-cooperating-with-ukraine
Abusing with style: Leveraging cascading style sheets for evasion and tracking
Cascading Style Sheets (CSS) are ever present in modern day web browsing; however, that is far from their only use. This blog will detail the ways adversaries use CSS in email campaigns for evasion and tracking.
https://blog.talosintelligence.com/css-abuse-for-evasion-and-tracking/
Statement on CISA's Red Team
CISA's Red Team is among the best in the world and remains laser focused on helping our federal and critical infrastructure partners identify and mitigate their most significant vulnerabilities and weaknesses. This has not changed.
https://www.cisa.gov/news-events/news/statement-cisas-red-team
PCI DSS FAQ SAQ WTF BBQ...
I was trying to come up with a sensible title for this blog post, but I feel this one mirrors the thoughts and feelings of many of us about recent events in the PCI DSS compliance space! There have been some significant changes in ..
https://scotthelme.ghost.io/pci-dss-faq-saq-wtf-bbq/
Sign in as anyone: Bypassing SAML SSO authentication with parser differentials
Critical authentication bypass vulnerabilities (CVE-2025-25291 + CVE-2025-25292) were discovered in ruby-saml up to version 1.17.0. In this blog post, we'll shed light on how these vulnerabilities that rely on a parser differential were uncovered.
https://github.blog/security/sign-in-as-anyone-bypassing-saml-sso-authentication-with-parser-differentials/
Vulnerabilities
Security updates for Thursday
Security updates have been issued by Debian (chromium), Fedora (ffmpeg, qt6-qtwebengine, tigervnc, and xorg-x11-server-Xwayland), Red Hat (fence-agents and libxml2), SUSE (amazon-ssm-agent, ark, chromium, fake-gcs-server, gerbera, google-guest-agent, google-osconfig-agent, grafana, kernel, libtinyxml2-10, podman, python311, python312, restic, ruby3.4-rubygem-rack, and thunderbird), and Ubuntu (jinja2, linux-azure, linux-azure-4.15, linux-lts-xenial, linux-nvidia, linux-nvidia-6.8, ..
https://lwn.net/Articles/1014042/
ZDI-25-129: PDF-XChange Editor RTF File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-2231.
http://www.zerodayinitiative.com/advisories/ZDI-25-129/