End-of-Day report
Timeframe: Monday 28-04-2025 18:00 - Tuesday 29-04-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Guenes Holler
News
Hitachi Vantara takes servers offline after Akira ransomware attack
Hitachi Vantara, a subsidiary of Japanese multinational conglomerate Hitachi, was forced to take servers offline over the weekend to contain an Akira ransomware attack.
https://www.bleepingcomputer.com/news/security/hitachi-vantara-takes-servers-offline-after-akira-ransomware-attack/
The one interview question that will protect you from North Korean fake workers
"My favorite interview question, because we've interviewed quite a few of these folks, is something to the effect of 'How fat is Kim Jong Un?' They terminate the call instantly, because it's not worth it to say something negative about that," he told a panel session at the RSA Conference in San Francisco Monday. [..] "One of the things that we've noted is that you'll have a person in Poland applying with a very complicated name," he recounted, "and then when you get them on Zoom calls it's a military age male Asian who can't pronounce it."
https://go.theregister.com/feed/www.theregister.com/2025/04/29/north_korea_worker_interview_questions/
Interesting WordPress Malware Disguised as Legitimate Anti-Malware Plugin
The Wordfence Threat Intelligence team recently discovered an interesting malware variant that appears in the file system as a normal WordPress plugin, often with the name "WP-antymalwary-bot.php", and contains several functions that allow attackers to maintain access to your site, hide the plugin from the dashboard, and execute remote code. [..] In today's blog post, we highlighted an interesting piece of malware that masquerades as a legitimate plugin.
https://www.wordfence.com/blog/2025/04/interesting-wordpress-malware-disguised-as-legitimate-anti-malware-plugin/
How to protect yourself from the most common scams on booking.com
Summer is approaching, and with it the peak season for travel bookings. Whether a city trip, a beach holiday or a mountain tour: many book their accommodation through the booking platform booking.com. But beware! Criminals exploit the increased desire to travel and try to deceive holidaymakers. We show you the most common scams and how you can protect yourself from them.
https://www.watchlist-internet.at/news/so-schuetzen-sie-sich-vor-den-haeufigsten-betrugsmaschen-auf-bookingcom/
Gremlin Stealer: New Stealer on Sale in Underground Forum
Advertised on Telegram, Gremlin Stealer is new malware active since March 2025 written in C#. Data stolen is uploaded to a server for publication. [..] We have monitored Gremlin Stealer since we initially discovered it in March 2025. The functions of this stealer from Figure 1 are listed below.
https://unit42.paloaltonetworks.com/new-malware-gremlin-stealer-for-sale-on-telegram/
Unlocking New Jailbreaks with AI Explainability
In this post, we introduce our "Adversarial AI Explainability" research, a term we use to describe the intersection of AI explainability and adversarial attacks on Large Language Models (LLMs). Much like using an MRI to understand how a human brain might be fooled, we aim to decipher how LLMs can be manipulated.
https://www.cyberark.com/resources/threat-research-blog/unlocking-new-jailbreaks-with-ai-explainability
Hello 0-Days, My Old Friend: A 2024 Zero-Day Exploitation Analysis
Google Threat Intelligence Group (GTIG) tracked 75 zero-day vulnerabilities exploited in the wild in 2024, a decrease from the number we identified in 2023 (98 vulnerabilities), but still an increase from 2022 (63 vulnerabilities). [..] We see zero-day exploitation targeting a greater number and wider variety of enterprise-specific technologies, although these technologies still remain a smaller proportion of overall exploitation when compared to end-user technologies.
https://cloud.google.com/blog/topics/threat-intelligence/2024-zero-day-trends/
Cybercrime marketplace: Law enforcement boarded BreachForums via a zero-day vulnerability
The cybercrime marketplace BreachForums is currently offline. As the reason, its operators state that law enforcement hacked the forum via a zero-day security vulnerability and thereby gained access to it.
https://heise.de/-10365208
Spike in Git Config Crawling Highlights Risk of Codebase Exposure
GreyNoise observed a significant increase in crawling activity targeting Git configuration files. While the crawling itself is reconnaissance, successful discovery of exposed Git configuration files can lead to exposure of internal codebases, developer workflows, and potentially sensitive credentials.
https://www.greynoise.io/blog/spike-git-configuration-crawling-risk-codebase-exposure
Vulnerabilities
Mozilla Foundation Security Advisories April 29, 2025
Thunderbird and Firefox
https://www.mozilla.org/en-US/security/advisories/
Seiko Epson printer driver enables privilege escalation to SYSTEM
Seiko Epson's Windows printer drivers open a security hole through which attackers can escalate their privileges to SYSTEM level. Updated software that fixes the underlying vulnerability is available.
https://www.heise.de/news/Seiko-Epson-Druckertreiber-ermoeglicht-Rechteausweitung-auf-System-10365989.html
Multiple Vulnerabilities in HP Wolf Security Controller / HP Sure Access Enterprise / HP Sure Click Enterprise
The HP Wolf Security Controller, the HP Sure Access Enterprise Client and the HP Sure Click Enterprise Client might be vulnerable to attacks if not configured according to HP's Best Practices.
https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities-in-hp-wolf-security-controller-hp-sure-access-enterprise-hp-sure-click-enterprise/
Security updates for Tuesday
Security updates have been issued by AlmaLinux (glibc, php:8.1, and thunderbird), Debian (libreoffice), Fedora (caddy), Mageia (chromium-browser-stable), Red Hat (php:8.1), SUSE (glow), and Ubuntu (kicad, linux-aws-5.15, linux-azure-nvidia, linux-gcp-5.15, mistral, python-mistral-lib, tomcat8, and trafficserver).
https://lwn.net/Articles/1019272/
Docker: Privilege escalation vulnerability in Desktop for Windows
In the release notes, the Docker developers write that version 4.41.0 closes a security vulnerability that allows attackers with access to the machine to escalate their access privileges when Docker Desktop installs updates (CVE-2025-3224, CVSS 7.3, risk "high").
https://heise.de/-10366320
Daikin Security Gateway v214 Remote Password Reset
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5931.php
ABB: 2025-04-29: Cyber Security Advisory - Ekip Com IEC61850 Vulnerability in third-party library
https://search.abb.com/library/Download.aspx?DocumentID=2CRT000007&LanguageCode=en&DocumentPartId=PDF&Action=Launch