End-of-Day report
Timeframe: Monday 07-04-2025 18:00 - Tuesday 08-04-2025 18:00
Handler: Guenes Holler
Co-Handler: Felician Fuchs
News
Malicious VSCode extensions infect Windows with cryptominers
Nine VSCode extensions on Microsoft's Visual Studio Code Marketplace pose as legitimate development tools while infecting users with the XMRig cryptominer to mine Ethereum and Monero.
https://www.bleepingcomputer.com/news/security/malicious-vscode-extensions-infect-windows-with-cryptominers/
Dangerous, Windows-Hijacking Neptune RAT Scurries Into Telegram, YouTube
The malware's creators insist a new open source version of Neptune is for educational use by pen testers, but a raft of sophisticated backdoor and evasion capabilities says otherwise.
https://www.darkreading.com/cloud-security/windows-hijacking-neptune-rat-telegram-youtube
100 Days of YARA: Writing Signatures for .NET Malware
If YARA signatures for .NET assemblies only rely on strings, they are very limited. We explore more detection opportunities, including IL code, method signature definitions and specific custom attributes. Knowledge about the underlying .NET metadata structures, tokens and streams helps to craft more precise and efficient signatures, even in cases where relevant malware samples might be unavailable.
https://feeds.feedblitz.com/~/916366745/0/gdatasecurityblog-en~Days-of-YARA-Writing-Signatures-for-NET-Malware
Attackers distributing a miner and the ClipBanker Trojan via SourceForge
Malicious actors are using SourceForge to distribute a miner and the ClipBanker Trojan while utilizing unconventional persistence techniques.
https://securelist.com/miner-clipbanker-sourceforge-campaign/116088/
Inside Black Basta: Uncovering the Secrets of a Ransomware Powerhouse
In February 2025, the cybersecurity community witnessed an unprecedented leak that exposed the internal operations of Black Basta, a prolific ransomware group.
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/inside-black-basta-uncovering-the-secrets-of-a-ransomware-powerhouse/
Caution when selling a car: fraud with fake vehicle reports
Do you want to sell your car online? Then it may happen that potential buyers demand a vehicle report, supposedly so they can better assess the condition of your used car. But beware: behind this request there is often an attempt to lure you to dubious websites. These deliver fake reports and lead you into expensive cost traps.
https://www.watchlist-internet.at/news/betrug-mit-gefaelschten-fahrzeugberichten/
2025 Ransomware: Business as Usual, Business is Booming
Rapid7 Labs took a look at internal and publicly available ransomware data for Q1 2025 and added our own insights to provide a picture of the year thus far, and what you can do now to reduce your attack surface against ransomware.
https://www.rapid7.com/blog/post/2025/04/08/2025-ransomware-business-as-usual-business-is-booming/
PyTorch Lightning Exposes Users to Remote Code Execution via Deserialization Vulnerabilities
PyTorch Lightning, a widely adopted deep learning framework developed by Lightning AI, has been impacted by multiple critical deserialization vulnerabilities, disclosed under VU#252619. These issues affect all versions up to and including 2.4.0 and may lead to arbitrary code execution when loading untrusted model files. The vulnerabilities were reported by Kasimir Schulz of HiddenLayer and coordinated by the CERT Coordination Center (CERT/CC) at Carnegie Mellon University.
https://socket.dev/blog/pytorch-lightning-deserialization-vulnerabilities?utm_medium=feed
Vulnerabilities
Espionage possible: Google patches Android vulnerabilities, some actively exploited
With the Android updates for April, Google closes more than 60 security vulnerabilities. Four of them are critical, and two are already being actively exploited.
https://www.golem.de/news/spionage-moeglich-google-patcht-teils-aktiv-ausgenutzte-android-luecken-2504-195120.html
Ivanti: Security Advisory April 2025 for Ivanti EPM 2024 and EPM 2022 SU6
Ivanti has released updates for Ivanti Endpoint Manager which address medium and high severity vulnerabilities. We are not aware of any customers being exploited by these vulnerabilities at the time of disclosure.
https://forums.ivanti.com/s/article/Security-Advisory-EPM-April-2025-for-EPM-2024-and-EPM-2022-SU6
HCL: Security vulnerabilities in BigFix, DevOps and other products
HCL Software is now providing updates to close security vulnerabilities in HCL BigFix, DevOps, Traveler and Connections. Some of the vulnerabilities are considered critical. IT administrators should apply the updates promptly. HCL BigFix WebUI, the management interface for BigFix, is the worst affected. Several vulnerabilities are in the open-source components it uses: one of them, in canvg 4.0.2, is rated critical (CVE-2025-25977, CVSS 9.8), as are two in xml-crypto (CVE-2025-29774, CVE-2025-29775, both CVSS 9.3).
https://www.heise.de/news/HCL-Sicherheitsluecken-in-BigFix-DevOps-und-mehr-Produkten-10344571.html
Security updates for Tuesday
Security updates have been issued by AlmaLinux (gimp, libxslt, python3.11, python3.12, and tomcat), Debian (ghostscript and libnet-easytcp-perl), Fedora (openvpn, perl-Data-Entropy, and webkitgtk), Red Hat (python-jinja2), SUSE (giflib, pam, and xen), and Ubuntu (apache2, binutils, expat, fis-gtm, linux-azure, linux-azure-6.8, linux-nvidia-lowlatency, linux-azure, linux-azure-fde, linux-azure-5.15, linux-azure-fde-5.15, linux-azure-fips, linux-gcp-fips, linux-hwe-5.4, linux-nvidia, linux-nvidia-tegra-igx, ruby2.7, ruby3.0, ruby3.2, ruby3.3, and vim).
https://lwn.net/Articles/1016774/
ZDI-25-206: Amazon AWS CloudFormation Templates Uncontrolled Search Path Element Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-25-206/
ZDI-25-205: Amazon AWS CloudFormation Templates Uncontrolled Search Path Element Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-25-205/
Fortinet: No certificate name verification for fgfm connection
https://fortiguard.fortinet.com/psirt/FG-IR-24-046
Fortinet: Unverified password change via set_password endpoint
https://fortiguard.fortinet.com/psirt/FG-IR-24-435
f5 K000150744: PostgreSQL vulnerability CVE-2025-1094
https://my.f5.com/manage/s/article/K000150744
f5 K000150749: Python vulnerability CVE-2024-4032
https://my.f5.com/manage/s/article/K000150749
SAP Security Patch Day - April 2025
https://redrays.io/blog/sap-security-patch-day-april-2025/