End-of-Day report
Timeframe: Thursday 24-04-2025 18:00 - Friday 25-04-2025 18:00
Handler: Felician Fuchs
Co-Handler: Guenes Holler
News
Triada strikes back
A Kaspersky expert has discovered a new version of the Triada Trojan, with custom modules for Telegram, WhatsApp, TikTok, and other apps.
https://securelist.com/triada-trojan-modules-analysis/116380
Example of a Payload Delivered Through Steganography, (Fri, Apr 25th)
In this diary, I'll show you a practical example of how steganography is used to hide payloads (or other suspicious data) from security tools and Security Analysts' eyes. Steganography can be defined like this: It is the art and science of concealing a secret message, file, or image within an ordinary-looking carrier - such as a digital photograph, audio clip, or text - so that the very existence of the hidden data is undetectable to casual observers.
https://isc.sans.edu/diary/rss/31892
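The mechanism the diary describes, shown as an added example that is not the diary's own code: a payload is written into the least significant bit of each carrier byte, so a scanner that pattern-matches the carrier never sees it, while anything that knows the encoding pulls it straight back out. The carrier here is a constructed byte string standing in for raw pixel data; the 'STEG' marker, the 4-byte length field and the sample payload text are assumptions made for this demo.

```python
"""
LSB steganography: embed a payload in the low bit of each carrier byte and
recover it. Added example; the carrier is a constructed stand-in for pixel
data, the 'STEG' header and length field are this demo's own framing.
"""
import struct
from typing import Optional

MAGIC = b"STEG"              # assumed marker so the extractor can recognise a stego carrier
HEADER_LEN = len(MAGIC) + 4  # marker + 4-byte big-endian payload length


def embed(carrier: bytes, payload: bytes) -> bytes:
    """Return a copy of carrier whose LSBs spell MAGIC + length + payload."""
    data = MAGIC + struct.pack(">I", len(payload)) + payload
    bits_needed = len(data) * 8
    if bits_needed > len(carrier):
        raise ValueError(f"carrier too small: need {bits_needed} bytes, have {len(carrier)}")
    out = bytearray(carrier)
    for i in range(bits_needed):
        bit = (data[i // 8] >> (7 - i % 8)) & 1   # MSB-first within each data byte
        out[i] = (out[i] & 0xFE) | bit            # overwrite only the lowest bit
    return bytes(out)


def _read_lsb_bytes(blob: bytes, bit_offset: int, count: int) -> bytes:
    """Reassemble `count` bytes from the LSBs of blob starting at bit_offset."""
    vals = bytearray()
    for b in range(count):
        v = 0
        for k in range(8):
            v = (v << 1) | (blob[bit_offset + b * 8 + k] & 1)
        vals.append(v)
    return bytes(vals)


def extract(stego: bytes) -> Optional[bytes]:
    """Return the hidden payload, or None if no MAGIC header sits in the LSB plane."""
    if len(stego) < HEADER_LEN * 8:
        return None
    if _read_lsb_bytes(stego, 0, len(MAGIC)) != MAGIC:
        return None
    (length,) = struct.unpack(">I", _read_lsb_bytes(stego, len(MAGIC) * 8, 4))
    if (HEADER_LEN + length) * 8 > len(stego):
        return None                                # truncated or corrupt
    return _read_lsb_bytes(stego, HEADER_LEN * 8, length)


def naive_string_scan(blob: bytes, needle: bytes) -> bool:
    """What a plain byte-pattern scanner sees: does the literal needle occur in blob?"""
    return needle in blob


def max_byte_delta(a: bytes, b: bytes) -> int:
    """Largest per-byte change between two equal-length blobs (1 for pure LSB embedding)."""
    return max(abs(x - y) for x, y in zip(a, b))


if __name__ == "__main__":
    carrier = bytes(range(256)) * 8                 # constructed stand-in for pixel data
    payload = b"powershell -enc SQBFAFgAIAAo"        # constructed, inert sample string
    stego = embed(carrier, payload)
    print("payload recovered:", extract(stego) == payload)
    print("literal string visible to scanner:", naive_string_scan(stego, b"powershell"))
    print("max per-byte change:", max_byte_delta(carrier, stego))
```

The point for detection is in the last two functions: the carrier's hash changes, but no byte moves by more than one, so string and signature matching on the carrier fails; the payload is only visible after extraction, or to a statistical test on the LSB plane.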
Zoom attack tricks victims into allowing remote access to install malware and steal money
Attackers are luring victims into a Zoom call and then taking over their PC to install malware, infiltrate their accounts, and steal their assets.
https://www.malwarebytes.com/blog/news/2025/04/zoom-attack-tricks-victims-into-allowing-remote-access-to-install-malware-and-steal-money
GitHub potential leaking of private emails and Hacker One
A bit over a month ago, I was crawling GitHub's API while working on code input (it is still in beta). I was compiling a list of repositories and pull requests to identify those with merge conflicts. At some point, while randomly checking some user profiles, I noticed email addresses appearing in the API that weren't visible on the public profiles.
https://omarabid.com/hacker-one
How I Got Hacked: A Warning about Malicious PoCs
This is a reminder that even experienced security researchers and exploit developers can fall victim to well-disguised malware. Always verify PoCs manually, isolate them in a controlled environment, and never underestimate how creative attackers can be when hiding malicious payloads.
https://chocapikk.com/posts/2025/s1nk/
Step-by-Step Guide: SOC Automation - SMB Threat Hunting & Incident Response Lab
In this project, I will simulate a similar attack scenario in which an insider compromises a Windows server by delivering malware through the SMB protocol. By leveraging automation and the incident response lifecycle, the goal is to detect and contain the threat before it spreads, demonstrating best practices in threat detection and response.
https://detect.fyi/step-by-step-guide-soc-automation-smb-threat-hunting-incident-response-lab-b6e48da2750d
Vulnerabilities
Security updates: Nvidia graphics drivers vulnerable on Linux and Windows
Owners of an Nvidia graphics card should promptly update the GPU driver for security reasons. If they do not, attackers can exploit several vulnerabilities on Linux and attack the computer. Patched versions of the Cloud Gaming and vGPU software for Windows are also available.
https://www.heise.de/news/Sicherheitsupdates-Nvidia-Grafikkartentreiber-unter-Linux-und-Windows-loechrig-10362053.html
ConnectWise ScreenConnect: high-risk code injection vulnerability
The remote desktop software ScreenConnect from ConnectWise contains a security vulnerability that allows attackers to inject and execute malicious code. The vendor provides software updates to close the hole.
https://www.heise.de/news/Connectwise-Screenconnect-Hochriskante-Codeschmuggel-Luecke-10362307.html
Security updates for Friday
Security updates have been issued by AlmaLinux (thunderbird), Debian (libbpf), Fedora (golang-github-openprinting-ipp-usb, ImageMagick, mingw-libsoup, mingw-poppler, and pgbouncer), SUSE (glib2, govulncheck-vulndb, libsoup-2_4-1, libxml2-2, mozjs60, ruby2.5, and thunderbird), and Ubuntu (linux, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-hwe-5.4, linux-ibm, linux-kvm, linux-oracle, linux-oracle-5.4, linux-aws, linux-aws-5.4, linux-gcp-5.4, linux-iot, linux-aws-fips, linux-azure-fips, linux-fips, linux-gcp-fips, linux-hwe-6.8, linux-ibm-5.4, linux-oracle-5.15, openssh, and php-twig).
https://lwn.net/Articles/1018912/
CISA Releases Seven Industrial Control Systems Advisories
CISA released seven Industrial Control Systems (ICS) advisories on April 24, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS, including Schneider Electric Modicon Controllers, ALBEDO Telecom Net.Time - PTP/NTP Clock, Vestel AC Charger, Nice Linear eMerge E3, Johnson Controls Software House iSTAR Configuration Utility (ICU) Tool, Planet Technology Network Products, and Fuji Electric Monitouch V-SFT (Update A). CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.
https://www.cisa.gov/news-events/alerts/2025/04/24/cisa-releases-seven-industrial-control-systems-advisories
Hacking My Coworker (In Minecraft)
Integrated Scripting is included in several of the largest modpacks on CurseForge. It has 3.5 million downloads, which also doesn't include non-CurseForge-hosted downloads such as for Feed the Beast modpacks. Through the presented vulnerability, any public or semi-public multiplayer server that includes Integrated Scripting is vulnerable to remote code execution by a player who is able to craft a few relatively simple items.
https://redvice.org/assets/pdfs/minecraft2025.pdf
Critical SAP NetWeaver Vulnerability (CVE-2025-31324) Fixed: Actively Exploited in the Wild
SAP has recently released a critical security patch for a severe vulnerability in SAP NetWeaver Visual Composer that has been actively exploited in the wild. The vulnerability, tracked as CVE-2025-31324, was patched just hours ago with the release of SAP Security Note 3594142.
https://redrays.io/blog/critical-sap-netweaver-vulnerability-cve-2025-31324-fixed-actively-exploited-in-the-wild/
ZDI-25-252: (0Day) Cato Networks Cato Client for macOS Helper Service Time-Of-Check Time-Of-Use Local Privilege Escalation Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-25-252/
Three new vulnerabilities found related to IXON VPN client resulting in Local Privilege Escalation (LPE)
https://www.shelltrail.com/research/three-new-cves-related-to-ixon-vpn-client-resulting-in-local-privilege-escalation/
Bosch: Multiple ctrlX OS vulnerabilities
https://psirt.bosch.com/security-advisories/bosch-sa-640452.html