End-of-Day report
Timeframe: Friday 28-03-2025 18:00 - Monday 31-03-2025 18:00
Handler: Felician Fuchs
Co-Handler: Alexander Riepl
News
New Crocodilus malware steals Android users' crypto wallet keys
A newly discovered Android malware dubbed Crocodilus tricks users into providing the seed phrase for the cryptocurrency wallet using a warning to back up the key to avoid losing access.
https://www.bleepingcomputer.com/news/security/new-crocodilus-malware-steals-android-users-crypto-wallet-keys/
Smoked out - Emmenhtal spreads SmokeLoader malware
We observed a malicious campaign targeting First Ukrainian International Bank (pumb[.]ua) and noticed the usage of a stealthy malware loader known as Emmenhtal [..] also referred to by Google as Peaklight.
https://feeds.feedblitz.com/~/915916022/0/gdatasecurityblog-en~Smoked-out-Emmenhtal-spreads-SmokeLoader-malware
Hidden Malware Strikes Again: Mu-Plugins Under Attack
Recently, we've uncovered multiple cases where threat actors are leveraging the mu-plugins directory to hide malicious code. This approach represents a concerning trend, as the mu-plugins (Must-Use plugins) are not listed in the standard WordPress plugin interface, making them less noticeable and easier for users to ignore during routine security checks.
https://blog.sucuri.net/2025/03/hidden-malware-strikes-again-mu-plugins-under-attack.html
BlackLock Ransomware Exposed After Researchers Exploit Leak Site Vulnerability
In what's an instance of hacking the hackers, threat hunters have managed to infiltrate the online infrastructure associated with a ransomware group called BlackLock, uncovering crucial information about their modus operandi in the process.
https://thehackernews.com/2025/03/blacklock-ransomware-exposed-after.html
BSI study: numerous vulnerabilities in hospital information systems
IT security researchers commissioned by the BSI put IT systems for hospitals through their paces and found gaps, for example in encryption and certificates.
https://www.heise.de/news/BSI-Studie-Zahlreiche-Schwachstellen-in-Krankenhausinformationssystemen-10333354.html
Backdoor in the Backplane. Doing IPMI security better
IPMI remains a powerful but dangerously overlooked protocol in many enterprise environments. Whilst its ability to manage out-of-band systems is invaluable, there are significant security trade-offs - especially when outdated firmware, default credentials, and exposed interfaces are in play. As demonstrated, IPMI can lead, or aid, in a malicious actor compromising the full domain with little more than network access.
https://www.pentestpartners.com/security-blog/backdoor-in-the-backplane-doing-ipmi-security-better/
Preparing for the EU Radio Equipment Directive security requirements
UK & EU IoT manufacturers have more security regulation coming. [..] From 1st August 2025, mandatory cybersecurity requirements come into effect under the EU's Radio Equipment Directive (2014/53/EU), or RED.
https://www.pentestpartners.com/security-blog/preparing-for-the-eu-radio-equipment-directive-security-requirements/
Oracle Health hacked, US patient data exfiltrated
According to reports, cybercriminals broke into the servers of the US tech company Cerner Oracle Health after 22 January 2025. Patient data of US citizens is suspected to have been exfiltrated. The FBI is investigating the incident, which raises questions about security at Oracle, as it is the second security incident to become known within a few days.
https://www.borncity.com/blog/2025/03/30/oracle-health-gehackt-us-patientendaten-abgeflossen/
SVG Phishing Malware Being Distributed with Analysis Obstruction Feature
AhnLab Security intelligence Center (ASEC) recently identified a phishing malware being distributed in Scalable Vector Graphics (SVG) format.
https://asec.ahnlab.com/en/87078/
Oracle attempt to hide serious cybersecurity incident from customers in Oracle SaaS service
Being a provider of cloud SaaS (Software-as-a-service) solutions requires certain cybersecurity responsibilities - including being transparent and open. The moment where this is tested at Oracle has arrived, as they have a serious cybersecurity incident playing out in a service they manage for customers.
https://doublepulsar.com/oracle-attempt-to-hide-serious-cybersecurity-incident-from-customers-in-oracle-saas-service-9231c8daff4a
Vulnerabilities
Security updates for Monday
Security updates have been issued by Debian (amd64-microcode, flatpak, intel-microcode, libdata-entropy-perl, librabbitmq, and vim), Fedora (augeas, containerd, crosswords-puzzle-sets-xword-dl, libssh2, libxml2, nodejs-nodemon, and webkitgtk), Red Hat (libreoffice and python-jinja2), SUSE (389-ds, apparmor, corosync, docker, docker-stable, erlang26, exim, ffmpeg-4, govulncheck-vulndb, istioctl, matrix-synapse, mercurial, openvpn, python3, rke2, and skopeo), and Ubuntu (ansible, linux, linux-hwe-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-ibm, linux-kvm, linux-oracle, linux-oracle-5.4, linux-xilinx-zynqmp, linux-azure-fips, linux-gcp-fips, linux-fips, linux-fips, linux-aws-fips, linux-azure-fips, linux-gcp-fips, linux-nvidia-tegra, linux-nvidia-tegra-igx, linux-realtime, linux-intel-iot-realtime, linux-xilinx-zynqmp, opensc, and ruby-doorkeeper).
https://lwn.net/Articles/1015968/
IBM InfoSphere Information Server: unauthorized access possible
The data integration platform IBM InfoSphere Information Server is vulnerable. The developers have closed several security vulnerabilities.
https://www.heise.de/news/IBM-InfoSphere-Information-Server-Unbefugte-Zugriffe-moeglich-10334026.html
ZendTo NDay Vulnerability Hunting - Unauthenticated RCE in v5.24-3 <= v6.10-4
Discovering NDay flaws in ZendTo filesharing software highlighted an interesting fact: without the issuance of CVEs, vulnerabilities can easily go unpatched.
https://projectblack.io/blog/zendto-nday-vulnerabilities/