End-of-Day report
Timeframe: Friday 25-04-2025 18:00 - Monday 28-04-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
News
SAP patches actively attacked critical vulnerability out of band
Update 25.04.2025, 22:11: Criminals are already abusing the vulnerability in the wild. Details of the attacks can be found, for example, in a blog post by Onapsis. Admins should update as quickly as possible, especially since many SAP NetWeaver installations apparently use the vulnerable component, according to the assessment of the IT security researchers in their analysis on the blog.
https://heise.de/-10361908
DragonForce expands ransomware model with white-label branding scheme
The ransomware scene is re-organizing [..] DragonForce is now incentivizing ransomware actors with a distributed affiliate branding model, providing other ransomware-as-a-service (RaaS) operations a means to carry out their business without dealing with infrastructure maintenance cost and effort. A group's representative told BleepingComputer that they're purely financially motivated but also follow a moral compass and are against attacking certain healthcare organizations. [..] In exchange for using their malware and infrastructure, the developer charges affiliates a fee from received ransoms that is normally up to 30%.
https://www.bleepingcomputer.com/news/security/dragonforce-expands-ransomware-model-with-white-label-branding-scheme/
Cloudflare mitigates record number of DDoS attacks in 2025
Internet services giant Cloudflare says it mitigated a record number of DDoS attacks in 2024, recording a massive 358% year-over-year jump and a 198% quarter-over-quarter increase.
https://www.bleepingcomputer.com/news/security/cloudflare-mitigates-record-number-of-ddos-attacks-in-2025/
VU#667211: Various GPT services are vulnerable to "Inception" jailbreak, allows for bypass of safety guardrails
Two systemic jailbreaks, affecting a number of generative AI services, were discovered. These jailbreaks can result in the bypass of safety protocols and allow an attacker to instruct the corresponding LLM to provide illicit or dangerous content. [..] These jailbreaks, while of low severity on their own, bypass the security and safety guidelines of all affected AI services, allowing an attacker to abuse them for instructions to create content on various illicit topics, such as controlled substances, weapons, phishing emails, and malware code generation.
https://kb.cert.org/vuls/id/667211
Storm-1977 Hits Education Clouds with AzureChecker, Deploys 200+ Crypto Mining Containers
Microsoft has revealed that a threat actor it tracks as Storm-1977 has conducted password spraying attacks against cloud tenants in the education sector over the past year.
https://thehackernews.com/2025/04/storm-1977-hits-education-clouds-with.html
Hackers Exploit Critical Craft CMS Flaws; Hundreds of Servers Likely Compromised
Threat actors have been observed exploiting two newly disclosed critical security flaws in Craft CMS in zero-day attacks to breach servers and gain unauthorized access. [..] As of April 18, 2025, an estimated 13,000 vulnerable Craft CMS instances have been identified, out of which nearly 300 have been allegedly compromised.
https://thehackernews.com/2025/04/hackers-exploit-critical-craft-cms.html
WooCommerce Users Targeted by Fake Patch Phishing Campaign Deploying Site Backdoors
Cybersecurity researchers are warning about a large-scale phishing campaign targeting WooCommerce users with a fake security alert urging them to download a "critical patch" but deploy a backdoor instead.
https://thehackernews.com/2025/04/woocommerce-users-targeted-by-fake.html
Samsung: Android clipboard caches passwords
Samsung's Android smartphones store copied content in the clipboard. The clipboard history occasionally also contains old, copied passwords. Samsung is currently evaluating the problem.
https://heise.de/-10363941
Navigating Through The Fog
An open directory associated with a ransomware affiliate, likely linked to the Fog ransomware group, was discovered in December 2024. [..] Among the tools were SonicWall Scanner for exploiting VPN credentials, DonPAPI for extracting Windows DPAPI-protected credentials, Certipy for abusing Active Directory Certificate Services (AD CS), Zer0dump, and Pachine/noPac for exploiting Active Directory vulnerabilities like CVE-2020-1472.
https://thedfirreport.com/2025/04/28/navigating-through-the-fog/
Vulnerabilities
Security update: Unauthorized access to VMware Spring Boot possible
Software developers use Spring Boot to build Java applications more efficiently. For attackers to be able to exploit the vulnerability (CVE-2025-22235, rated high), however, several preconditions must be met. Among other things, Spring Security must be in use and configured with EndpointRequest.to().
https://www.heise.de/news/Sicherheitsupdate-Unbefugte-Zugriffe-auf-VMware-Tanzu-Spring-Boot-moeglich-10364138.html
Security updates for Monday
Security updates have been issued by AlmaLinux (thunderbird), Debian (distro-info-data, imagemagick, kernel, libsoup2.4, and poppler), Fedora (chromium, java-1.8.0-openjdk, java-1.8.0-openjdk-portable, java-17-openjdk, java-17-openjdk-portable, java-latest-openjdk, pgadmin4, thunderbird, and xz), Mageia (haproxy and libxml2), Oracle (bluez, firefox, gnutls, libtasn1, libxslt, mod_auth_openidc:2.3, ruby:3.1, thunderbird, and xmlrpc-c), Red Hat (delve and golang, glibc, mod_auth_openidc, mod_auth_openidc:2.3, and thunderbird), SUSE (augeas, chromedriver, cifs-utils, govulncheck-vulndb, java-11-openjdk, java-21-openjdk, kyverno, libraw, opentofu, runc, subfinder, and valkey), and Ubuntu (jupyter-notebook and libxml2).
https://lwn.net/Articles/1019212/