End-of-Day report
Timeframe: Thursday 10-04-2025 18:00 - Friday 11-04-2025 18:00
Handler: Guenes Holler
Co-Handler: Michael Schlagenhaufer
News
Fortinet FortiOS: Attackers installed persistent read access on firewalls
On 10 April 2025, the vendor Fortinet published a PSIRT blog post about observed compromises via several known vulnerabilities in FortiOS, the operating system of the FortiGate firewall series [FORT25]. [..] Fortinet observed attackers exploiting the vulnerabilities mentioned to gain persistent read access to vulnerable FortiGates. [..] IT security officers should check whether they were or are affected and take further protective measures.
https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2025/2025-238765-1032.pdf?__blob=publicationFile&v=2
Researcher uncovers dozens of sketchy Chrome extensions with 4 million installs
Google is hosting dozens of extensions in its Chrome Web Store that perform suspicious actions on the more than 4 million devices that have installed them and that their developers have taken pains to carefully conceal.
https://arstechnica.com/security/2025/04/researcher-uncovers-dozens-of-sketchy-chrome-extensions-with-4-million-installs/
Tycoon2FA New Evasion Technique for 2025
The Tycoon 2FA phishing kit has adopted several new evasion techniques aimed at slipping past endpoints and detection systems. These include using a custom CAPTCHA rendered via HTML5 canvas, invisible Unicode characters in obfuscated JavaScript, and anti-debugging scripts to thwart inspection. This blog takes a closer look at these methods to better understand how this kit is evolving and what defenders should be aware of.
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tycoon2fa-new-evasion-technique-for-2025/
Pixel-Perfect Trap: The Surge of SVG-Borne Phishing Attacks
Ever thought an image file could be part of a cyber threat? The Trustwave SpiderLabs Email Security team has identified a major spike in SVG image-based attacks, where harmless-looking graphics are being used to hide dangerous links.
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pixel-perfect-trap-the-surge-of-svg-borne-phishing-attacks/
Palo Alto Networks Warns of Brute-Force Attempts Targeting PAN-OS GlobalProtect Gateways
Palo Alto Networks has revealed that it's observing brute-force login attempts against PAN-OS GlobalProtect gateways, days after threat actors warned of a surge in suspicious login scanning activity targeting its appliances.
https://thehackernews.com/2025/04/palo-alto-networks-warns-of-brute-force.html
Beware of fake card complete calls!
Fraudulent calls are currently being made in the name of the credit card company card complete. The criminals use spoofing to make the calls appear legitimate. Their aim is to obtain sensitive data such as passwords and codes. If you receive such a call, hang up immediately and block the number.
https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-card-complete-anrufen/
Malicious NPM Packages Targeting PayPal Users
FortiGuard Labs has recently discovered a series of malicious NPM packages designed to steal sensitive information from compromised systems. These packages are believed to have been created between March 5 and March 14 by a threat actor known as tommyboy_h1 and tommyboy_h2 to target PayPal users. [..] These attacks function by using a "preinstall hook" in malicious NPM packages, automatically running a script when the package is installed.
https://feeds.fortinet.com/~/916527947/0/fortinet/blogs~Malicious-NPM-Packages-Targeting-PayPal-Users
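The "preinstall hook" mechanism described above is worth checking for in your own dependency trees. As an added defensive example (not code from the FortiGuard post or from npm), the following Python script lists the install-time lifecycle scripts (preinstall, install, postinstall) declared in package.json files, so a reviewer can see which dependencies run a command at install time. The package names and scripts in the sample manifests are constructed, not the real packages from the report.

```python
import json
import os
import sys

# npm lifecycle scripts that run automatically when a dependency is installed.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def install_hooks(package_json_text):
    """Return {hook_name: command} for install-time scripts in a package.json."""
    manifest = json.loads(package_json_text)
    scripts = manifest.get("scripts")
    if not isinstance(scripts, dict):
        return {}
    return {name: cmd for name, cmd in scripts.items() if name in INSTALL_HOOKS}


def scan_manifests(manifests):
    """manifests: {path: package.json text}. Returns [(path, hook, command), ...]."""
    findings = []
    for path, text in sorted(manifests.items()):
        try:
            hooks = install_hooks(text)
        except ValueError:
            continue  # unparsable manifest: skip it rather than abort the scan
        for hook, cmd in hooks.items():
            findings.append((path, hook, cmd))
    return findings


def scan_node_modules(root):
    """Walk a real node_modules tree and return the same findings list."""
    manifests = {}
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" in files:
            path = os.path.join(dirpath, "package.json")
            with open(path, encoding="utf-8") as fh:
                manifests[path] = fh.read()
    return scan_manifests(manifests)


# Constructed sample manifests (hypothetical package names, not real packages).
SAMPLE_MANIFESTS = {
    "node_modules/harmless-lib/package.json": json.dumps(
        {"name": "harmless-lib", "version": "1.0.0", "scripts": {"test": "jest"}}),
    "node_modules/hooked-lib/package.json": json.dumps(
        {"name": "hooked-lib", "version": "0.0.1",
         "scripts": {"preinstall": "node setup.js", "test": "jest"}}),
}

if __name__ == "__main__":
    # Usage: python scan_hooks.py [path/to/node_modules]; without an argument
    # the constructed samples are scanned instead.
    root = sys.argv[1] if len(sys.argv) > 1 else None
    findings = scan_node_modules(root) if root else scan_manifests(SAMPLE_MANIFESTS)
    for path, hook, cmd in findings:
        print(f"{path}: {hook} -> {cmd}")
```

Every hook the scan lists is a command that ran (or will run) with the installing user's privileges; legitimate packages use them too, so the output is a review list rather than a verdict. Installing with npm's `--ignore-scripts` option prevents these hooks from running at all, at the cost of breaking packages that genuinely need a build step.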
Security audit of PHP-SRC
The Open Source Technology Improvement Fund, Inc., thanks to funding provided by Sovereign Tech Fund, engaged with Quarkslab to perform a security audit of PHP-SRC, the interpreter of the PHP language. The audit aimed to assist PHP's core developers and the community in strengthening the project's security ahead of the upcoming PHP 8.4 release.
http://blog.quarkslab.com/security-audit-of-php-src.html
Vulnerabilities
Security updates for Friday
Security updates have been issued by AlmaLinux (delve and golang and go-toolset:rhel8), Debian (webkit2gtk), Fedora (openvpn, thunderbird, uboot-tools, and zabbix), SUSE (expat, fontforge, govulncheck-vulndb, and kernel), and Ubuntu (haproxy and libsoup2.4, libsoup3).
https://lwn.net/Articles/1017197/
Sonicwall Netextender: security flaws endanger the Windows client
In the security advisory, the Sonicwall developers write that the Windows client of the SSL VPN software Netextender in particular is affected. The greatest risk stems from insufficient privilege management in Sonicwall Netextender for Windows, in both the 32-bit and 64-bit versions. Attackers with low privileges can thereby modify configurations (CVE-2025-23008, CVSS 7.2, risk "high").
https://heise.de/-10349117
Subnet Solutions PowerSYSTEM Center
https://www.cisa.gov/news-events/ics-advisories/icsa-25-100-08
Rockwell Automation Arena
https://www.cisa.gov/news-events/ics-advisories/icsa-25-100-07
INFINITT Healthcare INFINITT PACS
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-100-01
F5: K000150813: Linux kernel vulnerability CVE-2024-50252
https://my.f5.com/manage/s/article/K000150813