End-of-Day report
Timeframe: Thursday 13-03-2025 18:00 - Friday 14-03-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
News
New SuperBlack ransomware exploits Fortinet auth bypass flaws
A new ransomware operator named Mora_001 is exploiting two Fortinet vulnerabilities to gain unauthorized access to firewall appliances and deploy a custom ransomware strain dubbed SuperBlack.
https://www.bleepingcomputer.com/news/security/new-superblack-ransomware-exploits-fortinet-auth-bypass-flaws/
Ransomware gang creates tool to automate VPN brute-force attacks
The Black Basta ransomware operation created an automated brute-forcing framework dubbed BRUTED to breach edge networking devices like firewalls and VPNs.
https://www.bleepingcomputer.com/news/security/black-basta-ransomware-creates-automated-tool-to-brute-force-vpns/
Jailbreaking is (mostly) simpler than you think
Today, we are sharing insights on a simple, optimization-free jailbreak method called Context Compliance Attack (CCA), that has proven effective against most leading AI systems. We are disseminating this research to promote awareness and encourage system designers to implement appropriate safeguards.
https://msrc.microsoft.com/blog/2025/03/jailbreaking-is-mostly-simpler-than-you-think/
CISA: We didn't fire red teams, we just unhired a bunch of them
Agency tries to save face as it also pulls essential funding for election security initiatives. Uncle Sam's cybersecurity agency is trying to save face by seeking to clear up what it's calling "inaccurate reporting" after a former senior pen-tester claimed the organization axed two red teams.
https://www.theregister.com/2025/03/13/cisa_red_team_layoffs/
A New Era of Attacks on Encryption Is Starting to Heat Up
The UK, France, Sweden, and EU have made fresh attacks on end-to-end encryption. Some of the attacks are more "crude" than those in recent years, experts say.
https://www.wired.com/story/a-new-era-of-attacks-on-encryption-is-starting-to-heat-up/
Remote access: Ivanti Secure Access Client as a gateway for attackers
A security update closes a vulnerability in Ivanti Secure Access Client on Windows.
https://www.heise.de/news/Fernzugriff-Ivanti-Secure-Access-Client-als-Einfallstor-fuer-Angreifer-10315751.html
Off the Beaten Path: Recent Unusual Malware
Three unusual malware samples analyzed here include an IIS backdoor developed in a rare language, a bootkit and a Windows implant of a post-exploit framework.
https://unit42.paloaltonetworks.com/unusual-malware/
Ransomware attack takes down health system network in Micronesia
One of the four states that make up the Pacific nation of Micronesia is battling against ransomware hackers who have forced all of the computers used by its government health agency offline.
https://therecord.media/ransomware-attack-micronesia-health-system
Europe's telecoms sector under increased threat from cyber spies, warns Denmark
State-sponsored cyber espionage is a bigger threat than ever to Europe's telecommunications networks, according to a new assessment from Denmark's government.
https://therecord.media/europe-increased-cyber-espionage-telecoms-denmark-report
Alleged Russian LockBit developer extradited from Israel, appears in New Jersey court
Rostislav Panev, who was arrested in Israel in August 2024 on U.S. charges related to dozens of LockBit ransomware attacks, has been extradited and appeared in a New Jersey federal court, authorities said.
https://therecord.media/lockbit-alleged-russian-developer-extradited-us-israel
SocGholish's Intrusion Techniques Facilitate Distribution of RansomHub Ransomware
Trend Research analyzed SocGholish's MaaS framework and its role in deploying RansomHub ransomware through compromised websites, using highly obfuscated JavaScript loaders to evade detection and execute various malicious tasks.
https://www.trendmicro.com/en_us/research/25/c/socgholishs-intrusion-techniques-facilitate-distribution-of-rans.html
Recursion kills: The story behind CVE-2024-8176 / Expat 2.7.0 released, includes security fixes
Expat 2.7.0 has been released earlier today. I will make this a more detailed post than usual because in many ways there is more to tell about this release than the average libexpat release: there is a story this time
https://blog.hartwork.org/posts/expat-2-7-0-released/
Memory Corruption in Delphi
Our team at Include Security is often asked to examine applications coded in languages that are usually considered "unsafe", such as C and C++, due to their lack of memory safety functionality. Critical aspects of reviewing such code include identifying where bounds-checking, input validation, and pointer handling/dereferencing are ...
https://blog.includesecurity.com/2025/03/memory-corruption-in-delphi/
My Scammer Girlfriend: Baiting A Romance Fraudster
At the beginning of the year, a spate of very similar mails appeared in my spam-box. Although originating from different addresses (and sent to different recipients), they all appeared to be the opener for the same romance scam campaign.
https://www.bentasker.co.uk/posts/blog/security/seducing-a-romance-scammer.html
Vulnerabilities
ZDI-25-135: Adobe Acrobat Reader DC AcroForm Use of Uninitialized Variable Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-27162.
http://www.zerodayinitiative.com/advisories/ZDI-25-135/
ZDI-25-134: Adobe Acrobat Reader DC Doc Object Out-Of-Bounds Read Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-24431.
http://www.zerodayinitiative.com/advisories/ZDI-25-134/
ZDI-25-133: Adobe Acrobat Reader DC Annotation Use-After-Free Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-27174.
http://www.zerodayinitiative.com/advisories/ZDI-25-133/
ZDI-25-132: Adobe Acrobat Reader DC Annotation Use-After-Free Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-27159.
http://www.zerodayinitiative.com/advisories/ZDI-25-132/
ZDI-25-131: Adobe Acrobat Reader DC Annotation Use-After-Free Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-27160.
http://www.zerodayinitiative.com/advisories/ZDI-25-131/