SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast

Scans for pop3user with guessable password A particular IP assigned to a network that calls itself Unmanaged has been scanning telnet/ssh for a user called pop3user with passwords pop3user or 123456 . I assume they are looking for legacy systems that either currently run pop3 or ran pop3 in the past, and left the user enabled. https://isc.sans.edu/diary/Legacy%20May%20Kill/32166 Possible Sonicwall SSL VPN 0-Day Arcticwolf observed compromised Sonicwall SSL VPN devices used by the Akira group to install ransomware. These devices were fully patched, and credentials were recently rotated. https://arcticwolf.com/resources/blog/arctic-wolf-observes-july-2025-uptick-in-akira-ransomware-activity-targeting-sonicwall-ssl-vpn/ PAM Based Linux Backdoor For over a year, attackers have used a PAM-based Linux backdoor that so far has gotten little attention from anti-malware vendors. PAM-based backdoors can be stealthy, and this one in particular includes various anti-forensics tricks. https://www.nextron-systems.com/2025/08/01/plague-a-newly-discovered-pam-based-backdoor-for-linux/

Scattered Spider Related Domain Names A quick demo of our domain feeds and how they can be used to find Scattered Spider related domains https://isc.sans.edu/diary/Scattered+Spider+Related+Domain+Names/32162 Excel External Workbook Links to Blocked File Types Will Be Disabled by Default Excel will discontinue allowing links to dangerous file types starting as early as October. https://support.microsoft.com/en-us/topic/external-workbook-links-to-blocked-file-types-will-be-disabled-by-default-6dd12903-0592-463d-9e68-0741cf62ee58 CISA Releases Thorium CISA announced that it released its malware analysis platform, Thorium, as open-source software. https://www.cisa.gov/news-events/alerts/2025/07/31/thorium-platform-public-availability

Securing Firebase: Lessons Re-Learned from the Tea Breach Inspried by the breach of the Tea app, Brendon Evans recorded a video to inform of Firebase security issues https://isc.sans.edu/diary/Securing%20Firebase%3A%20Lessons%20Re-Learned%20from%20the%20Tea%20Breach/32158 WebKit Vulnerability Exploited before Apple Patch A WebKit vulnerablity patched by Apple yesterday has already been exploited in Google Chrome. Google noted the exploit with its patch for the same vulnerability in Chrome. https://nvd.nist.gov/vuln/detail/CVE-2025-6558 Scattered Spider Update CISA released an update for its report on Scattered Spider, noting that the group also calls helpdesks impersonating users, not just the other way around. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a

Apple Updates Everything: July 2025 Edition Apple released updates for all of its operating systems patching 89 different vulnerabilities. Many vulnerabilities apply to multiple operating systems. https://isc.sans.edu/diary/Apple%20Updates%20Everything%3A%20July%202025/32154 Python Triage A quick python script by Xavier to efficiently search through files, even compressed once, for indicators of compromise. https://isc.sans.edu/diary/Triage+is+Key+Python+to+the+Rescue/32152/ PaperCut Attacks CISA added a 2024 Papercut vulnerability to the known exploited vulnerability list. https://www.cisa.gov/news-events/alerts/2025/07/28/cisa-adds-three-known-exploited-vulnerabilities-catalog

Parasitic SharePoint Exploits We are seeing attacks against SharePoint itself and attempts to exploit backdoors left behind by attackers. https://isc.sans.edu/diary/Parasitic%20Sharepoint%20Exploits/32148 Cisco ISE Vulnerability Exploited A recently patched vulnerability in Cisco ISE is now being exploited. The Zero Day Initiative has released a blog detailing the exploit chain to obtain code execution as an unauthenticated user. https://www.zerodayinitiative.com/blog/2025/7/24/cve-2025-20281-cisco-ise-api-unauthenticated-remote-code-execution-vulnerability MyAsus Vulnerablity The MyAsus tool does not store its access tokens correctly, potentially providing an attacker with access to sensitive functions https://www.asus.com/content/security-advisory/

Linux Namespaces Linux namespaces can be used to control networking features on a process-by-process basis. This is useful when trying to present a different network environment to a process being analysed. https://isc.sans.edu/diary/Sinkholing%20Suspicious%20Scripts%20or%20Executables%20on%20Linux/32144 Coyote in the Wild: First-Ever Malware That Abuses UI Automation Akamai identified malware that takes advantage of Microsoft s UI Automation Framework to programatically interact with the user s system and steal credentials. https://www.akamai.com/blog/security-research/active-exploitation-coyote-malware-first-ui-automation-abuse-in-the-wild Testing REST APIs with Autoswagger The tool Autoswagger can be used to automate the testing of REST APIs following the OpenAPI/Swagger standard. https://github.com/intruder-io/autoswagger/

New File Integrity Tool: ficheck.py Jim created a new tool, ficheck.py, that can be used to verify file integrity. It is a drop-in replacement for an older tool, fcheck, which was written in Perl and no longer functions well on modern Linux distributions. https://isc.sans.edu/diary/New%20Tool%3A%20ficheck.py/32136 Mitel Vulnerability Mitel released a patch for a vulnerability in its MX-ONE product. The authentication bypass could provide an attacker with user or even admin privileges. https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-misa-2025-0009 SonicWall SMA 100 Vulnerability SonicWall fixed an arbitrary file upload issue in its SMA 100 series firewalls. But exploitation will require credentials. https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0014

Reversing SharePoint Toolshell Exploits CVE-2025-53770 and CVE-2025-53771 A quick walk-through showing how to decode the payload of recent SharePoint exploits https://isc.sans.edu/diary/Analyzing%20Sharepoint%20Exploits%20%28CVE-2025-53770%2C%20CVE-2025-53771%29/32138 Compromised JavaScript NPM is Package The popular npm package is was compromised by malware. Luckily, the malicious code was found quickly, and it was reversed after about five hours. https://socket.dev/blog/npm-is-package-hijacked-in-expanding-supply-chain-attack Microsoft Quick Machine Recovery Microsoft added a new quick machine recovery feature to Windows 11. If the system is stuck in a reboot loop, it will boot to a rescue partition and attempt to find fixes from Microsoft. https://learn.microsoft.com/en-gb/windows/configuration/quick-machine-recovery/?tabs=intune

Microsoft Updates SharePoint Vulnerability Guidance CVE-2025-53770 and CVE-2025-53771 Microsoft released its update for SharePoint 2016, completing the updates across all currently supported versions. https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/ WinZip MotW Privacy Starting with version 7.10, WinZip introduced an option to no longer include the download URL in zip files as part of the Mark of the Web (MotW). https://isc.sans.edu/diary/WinRAR%20MoTW%20Propagation%20Privacy/32130 Interlock Ransomware Several government agencies collaborated to create an informative and comprehensive overview of the Interlock ransomware. Just like prior writeups, this writeup is very informative, including many technical details useful to detect and block this ransomware. https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-203a Sophos Firewall Updates Sophos patched five different vulnerabilities in its firewalls. Two of them are critical, but these only affect a small percentage of users. https://www.sophos.com/en-us/security-advisories/sophos-sa-20250721-sfos-rce

Microsoft Released Patches for SharePoint Vulnerability CVE-2025-53770 CVE-2025-53771 Microsoft released a patch for the currently exploited SharePoint vulnerability. It also added a second CVE number identifying the authentication bypass vulnerability. https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/ How Quickly Are Systems Patched? Jan took Shodan data to check how quickly recent vulnerabilities were patched. The quick answer: Not fast enough. https://isc.sans.edu/diary/How%20quickly%20do%20we%20patch%3F%20A%20quick%20look%20from%20the%20global%20viewpoint/32126 HP Enterprise Instant On Access Points Vulnerability HPE patched two vulnerabilities in its Instant On access points (aka Aruba). One allows for authentication bypass, while the second one enables arbitrary code execution as admin. https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04894en_us Revealing the AppLocker Bypass Risks in The Suggested Block-list Policy AppLocker sample policies suffer from a simple bug that may enable some rule bypass, but only if signatures are not enforced. While reviewing Microsoft s suggested configuration, Varonis Threat Labs noticed a subtle but important issue: the MaximumFileVersion field was set to 65355 instead of the expected 65535. https://www.varonis.com/blog/applocker-bypass-risks Ghost Crypt Malware Leverages Zoho WorkDrive The Ghost malware tricks users into downloading by sending links to Zoho WorkDrive locations. https://www.esentire.com/blog/ghost-crypt-powers-purerat-with-hypnosis

SharePoint Servers Exploited via 0-day CVE-2025-53770 Late last week, CodeWhite found a new remote code execution exploit against SharePoint. This vulnerability is now actively exploited. https://isc.sans.edu/diary/Critical+Sharepoint+0Day+Vulnerablity+Exploited+CVE202553770+ToolShell/32122/ Veeam Voicemail Phishing Attackers appear to impersonate VEEAM in recent voicemail-themed phishing attempts. https://isc.sans.edu/diary/Veeam%20Phishing%20via%20Wav%20File/32120 Passkey Phishing Attack A currently active phishing attack takes advantage of the ability to use QR codes to complete the Passkey login procedure https://expel.com/blog/poisonseed-downgrading-fido-key-authentications-to-fetch-user-accounts/

Hiding Payloads in Linux Extended File Attributes Xavier today looked at ways to hide payloads on Linux, similar to how alternate data streams are used on Windows. Turns out that extended file attributes do the trick, and he presents some scripts to either hide data or find hidden data. https://isc.sans.edu/diary/Hiding%20Payloads%20in%20Linux%20Extended%20File%20Attributes/32116 Cisco Patches Critical Identity Services Engine Flaw CVE-2025-20281, CVE-2025-20337, CVE-2025-20282 An unauthenticated user may execute arbitrary code as root across the network due to improperly validated data in Cisco s Identity Services Engine. https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-unauth-rce-ZAd2GnJ6 Oracle Critical Patch Update Oracle patched 309 flaws across 111 products. 9 of these vulnerabilities have a critical CVSS score of 9.0 or higher. https://www.oracle.com/security-alerts/cpujul2025.html Broadcom releases VMware Updates Broadcom fixed a number of vulnerabilities for ESXi, Workstation, Fusion, and Tools. https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/35877

More Free File Sharing Services Abuse The free file-sharing service catbox.moe is abused by malware. While it officially claims not to allow hosting of executables, it only checks extensions and is easily abused https://isc.sans.edu/diary/More%20Free%20File%20Sharing%20Services%20Abuse/32112 Ongoing SonicWall Secure Mobile Access (SMA) Exploitation Campaign using the OVERSTEP Backdoor A group Google identifies as UNC6148 is exploiting the Sonicwall SMA 100 series appliance. The devices are end of life, but even fully patched devices are exploited. Google assumes that these devices are compromised because credentials were leaked during prior attacks. The attacker installs the OVERSTEP backdoor after compromising the device. https://cloud.google.com/blog/topics/threat-intelligence/sonicwall-secure-mobile-access-exploitation-overstep-backdoor Weaponizing Trust in File Rendering Pipelines RenderShock is a comprehensive zero-click attack strategy that targets passive file preview, indexing, and automation behaviours in modern operating systems and enterprise environments. It leverages built-in trust mechanisms and background processing in file systems, email clients, antivirus tools, and graphical user interfaces to deliver payloads without requiring any user interaction. https://www.cyfirma.com/research/rendershock-weaponizing-trust-in-file-rendering-pipelines/

Keylogger Data Stored in an ADS Xavier came across a keystroke logger that stores data in alternate data streams. The data includes keystroke logs as well as clipboard data https://isc.sans.edu/diary/Keylogger%20Data%20Stored%20in%20an%20ADS/32108 Malvertising Homebrew An attacker has been attempting to trick users into installing a malicious version of Homebrew. The fake software is advertised via paid Google ads and directs users to the attacker s GitHub repo. https://medium.com/deriv-tech/brewing-trouble-dissecting-a-macos-malware-campaign-90c2c24de5dc CVE-2025-5333: Remote Code Execution in Broadcom Altiris IRM LRQA have discovered a critical unauthenticated remote code execution (RCE) vulnerability in the Broadcom Symantec Altiris Inventory Rule Management (IRM) component of Symantec Endpoint Management. https://www.lrqa.com/en/cyber-labs/remote-code-execution-in-broadcom-altiris-irm/ Code highlighting with Cursor AI for $500,000 A syntax highlighting extension for Cursor AI was used to compromise a developer s workstation and steal $500,000 in cryptocurrency. https://securelist.com/open-source-package-for-cursor-ai-turned-into-a-crypto-heist/116908/

DShield Honeypot Log Volume Increase Within the last few months, there has been a dramatic increase in honeypot log volumes and how often these high volumes are seen. This has not just been from Jesse s residential honeypot, which has historically seen higher log volumes, but from all of the honeypots that Jesse runs. https://isc.sans.edu/diary/DShield+Honeypot+Log+Volume+Increase/32100 Google and Microsoft Trusted Them. 2.3 Million Users Installed Them. They Were Malware. Koi Security s investigation of a single verified color picker exposed a coordinated campaign of 18 malicious extensions that infected a massive 2.3 million users across Chrome and Edge. https://blog.koi.security/google-and-microsoft-trusted-them-2-3-million-users-installed-them-they-were-malware-fb4ed4f40ff5 RDP Forensics Comprehensive overview of Windows RDP Forensics https://medium.com/@mathias.fuchs/chasing-ghosts-over-rdp-lateral-movement-in-tiny-bitmaps-328d2babd8ec

Experimental Suspicious Domain Feed Our new experimental suspicious domain feed uses various criteria to identify domains that may be used for phishing or other malicious purposes. https://isc.sans.edu/diary/Experimental%20Suspicious%20Domain%20Feed/32102 Wing FTP Server RCE Vulnerability Exploited CVE-2025-47812 Huntress saw active exploitation of Wing FTP Server remote code execution (CVE-2025-47812) on a customer on July 1, 2025. Organizations running Wing FTP Server should update to the fixed version, version 7.4.4, as soon as possible. https://www.huntress.com/blog/wing-ftp-server-remote-code-execution-cve-2025-47812-exploited-in-wild https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/ FortiWeb Pre-Auth RCE (CVE-2025-25257) An exploit for the FortiWeb RCE Vulnerability is now available and is being used in the wild. https://pwner.gg/blog/2025-07-10-fortiweb-fabric-rce NVIDIA Vulnerable to Rowhammer NVIDIA has received new research related to the industry-wide DRAM issue known as Rowhammer . The research demonstrates a potential Rowhammer attack against an NVIDIA A6000 GPU with GDDR6 Memory. The purpose of this notice is to reinforce already known mitigations to Rowhammer attacks. https://nvidia.custhelp.com/app/answers/detail/a_id/5671/~/security-notice%3A-rowhammer---july-2025

SSH Tunneling in Action: direct-tcp requests Attackers are compromising ssh servers to abuse them as relays. The attacker will configure port forwarding direct-tcp connections to forward traffic to a victim. In this particular case, the Yandex mail server was the primary victim of these attacks. https://isc.sans.edu/diary/SSH%20Tunneling%20in%20Action%3A%20direct-tcp%20requests%20%5BGuest%20Diary%5D/32094 Fortiguard FortiWeb Unauthenticated SQL injection in GUI (CVE-2025-25257) An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] in FortiWeb may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests. https://www.fortiguard.com/psirt/FG-IR-25-151 Ruckus Virtual SmartZone (vSZ) and Ruckus Network Director (RND) contain multiple vulnerabilities Ruckus products suffer from a number of critical vulnerabilities. There is no patch available, and users are advised to restrict access to the vulnerable admin interface. https://kb.cert.org/vuls/id/613753

Setting up Your Own Certificate Authority for Development: Why and How. Some tips on setting up your own internal certificate authority using the smallstep CA. https://isc.sans.edu/diary/Setting%20up%20Your%20Own%20Certificate%20Authority%20for%20Development%3A%20Why%20and%20How./32092 Animation-Driven Tapjacking on Android Attackers can use a click-jacking like trick to trick victims into clicking on animated transparent dialogs opened from other applications. https://taptrap.click/usenix25_taptrap_paper.pdf Adobe Patches Adobe patched 13 different products yesterday. Most concerning are vulnerabilities in Coldfusion that include code execution and arbitrary file disclosure vulnerabilities. https://helpx.adobe.com/security/security-bulletin.html

Microsoft Patch Tuesday, July 2025 Today, Microsoft released patches for 130 Microsoft vulnerabilities and 9 additional vulnerabilities not part of Microsoft's portfolio but distributed by Microsoft. 14 of these are rated critical. Only one of the vulnerabilities was disclosed before being patched, and none of the vulnerabilities have so far been exploited. https://isc.sans.edu/diary/Microsoft%20Patch%20Tuesday%2C%20July%202025/32088 Opposum Attack If a TLS server is configured to allow switching from HTTP to HTTPS on a specific port, an attacker may be able to inject a request into the data stream. https://opossum-attack.com/ Ivanti Security Updates Ivanty fixed vulnerabilities in Ivanty Connect Secure, EPMM, and EPM. In particular the password decryption vulnerabliity may be interesting. https://www.ivanti.com/blog/july-security-update-2025

What s My File Name Malware may use the GetModuleFileName API to detect if it was renamed to a name typical for analysis, like sample.exe or malware.exe https://isc.sans.edu/diary/What%27s%20My%20%28File%29Name%3F/32084 Atomic macOS infostealer adds backdoor for persistent attacks Malware analyst discovered a new version of the Atomic macOS info-stealer (also known as 'AMOS') that comes with a backdoor, to attackers persistent access to compromised systems. https://moonlock.com/amos-backdoor-persistent-access HOUKEN SEEKING A PATH BY LIVING ON THE EDGE WITH ZERO-DAYS At the beginning of September 2024, an attacker repeatedly exploited vulnerabilities CVE-2024- 8190, CVE-2024-8963, and CVE-2024-9380 vulnerabilities to remotely execute arbitrary code on vulnerable Ivanti Cloud Service Appliance devices. https://www.cert.ssi.gouv.fr/uploads/CERTFR-2025-CTI-009.pdf SEO Scams Targeting Putty, WinSCP, and AI Tools Paid Google ads are advertising trojaned versions of popuplar tools like ssh and winscp https://arcticwolf.com/resources/blog-uk/malvertising-campaign-delivers-oyster-broomstick-backdoor-via-seo-poisoning-and-trojanized-tools/

Interesting ssh/telnet usernames Some interesting usernames observed in our honeypots https://isc.sans.edu/diary/A%20few%20interesting%20and%20notable%20ssh%20telnet%20usernames/32080 More sudo trouble The host option in Sudo can be exploited to execute commands on unauthorized hosts. https://www.stratascale.com/vulnerability-alert-CVE-2025-32462-sudo-host CitrixBleed2 PoC Posted (CVE-2025-5777) WatchTwer published additional details about the recently patched CitrixBleed vulnerability, including a PoC exploit. https://labs.watchtowr.com/how-much-more-must-we-bleed-citrix-netscaler-memory-disclosure-citrixbleed-2-cve-2025-5777/ Instagram Using Six Day Certificates Instagram changes their TLS certificates daily and they use certificates that are just about to expire in a week. https://hereket.com/posts/instagram-single-day-certificates/

Sudo chroot Elevation of Privilege The sudo chroot option can be leveraged by any local user to elevate privileges to root, even if no sudo rules are defined for that user. https://www.stratascale.com/vulnerability-alert-CVE-2025-32463-sudo-chroot Polymorphic ZIP Files A zip file with a corrupt End of Central Directory Record may extract different data depending on the tool used to extract the files. https://hackarcana.com/article/yet-another-zip-trick Cisco Unified Communications Manager Static SSH Credentials Vulnerability A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to log in to an affected device using the root account, which has default, static credentials that cannot be changed or deleted. https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-ssh-m4UBdpE7

Scattered Spider Update The threat actor known as Scattered Spider is in the news again, this time focusing on airlines. But the techniques used by Scattered Spider, social engineering, are still some of the most dangerous techniques used by various threat actors. https://cloud.google.com/blog/topics/threat-intelligence/unc3944-proactive-hardening-recommendations?e=48754805 AMI BIOS Vulnerability Exploited CVE-2024-54085 A vulnerability in the Redfish remote access software, including AMI s BIOS, is now being exploited. https://go.ami.com/hubfs/Security%20Advisories/2025/AMI-SA-2025003.pdf https://eclypsium.com/blog/ami-megarac-vulnerabilities-bmc-part-3/ Act now: Secure Boot certificates expire in June 2026 The Microsoft certificates used in Secure Boot are the basis of trust for operating system security, and all will be expiring beginning June 2026. https://techcommunity.microsoft.com/blog/windows-itpro-blog/act-now-secure-boot-certificates-expire-in-june-2026/4426856 The Windows Resiliency Initiative: Building resilience for a future-ready enterprise Microsoft announced more details about its future security and resilience strategy for Windows. In particular, security tools will no longer have kernel access, which is supposed to prevent a repeat of the Cloudflare issue, but may also restrict security tools functionality. https://blogs.windows.com/windowsexperience/2025/06/26/the-windows-resiliency-initiative-building-resilience-for-a-future-ready-enterprise/

Open-VSX Flaw Puts Developers at Risk A flaw in the open-vsx extension marketplace could have let to the compromise of any extension offered by the marketplace. https://blog.koi.security/marketplace-takeover-how-we-couldve-taken-over-every-developer-using-a-vscode-fork-f0f8cf104d44 Bluetooth Vulnerability Could Allow Eavesdropping A vulnerability in the widely used Airoha Bluetooth chipset can be used to compromise devices and use them for eavesdropping. https://insinuator.net/2025/06/airoha-bluetooth-security-vulnerabilities/ Critical Cisco Identity Services Engine Vulnerability Multiple vulnerabilities in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an unauthenticated, remote attacker to issue commands on the underlying operating system as the root user. https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-unauth-rce-ZAd2GnJ6

NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2025-6543 Citrix patched a memory overflow vulnerability leading to unintended control flow and denial of service. https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694788 Remote code execution in CentOS Web Panel - CVE-2025-48703 An arbitrary file upload vulnerability in the user (not admin) part of Web Panel can be used to execute arbitrary code https://fenrisk.com/rce-centos-webpanel Gogs Arbitrary File Deletion Vulnerability Due to the insufficient patch for the CVE-2024-39931, it's still possible to delete files under the .git directory and achieve remote command execution. https://github.com/gogs/gogs/security/advisories/GHSA-wj44-9vcg-wjq7 Let s Encrypt Will Soon Issue IP Address-Based Certs Let s Encrypt is almost ready to issue certificates for IP address SANs from Let's Encrypt's production environment. They'll only be available under the short-lived profile (which has a 6-day validity period), and that profile will remain allowlist-only for a while. https://community.letsencrypt.org/t/getting-ready-to-issue-ip-address-certificates/238777

Quick Password Brute Forcing Evolution Statistics After collecting usernames and passwords from our ssh and telnet honeypots for about a decade, I took a look back at how scans changed. Attackers are attempting more passwords in each scans than they used to, but the average length of passwords did not change. https://isc.sans.edu/diary/Quick%20Password%20Brute%20Forcing%20Evolution%20Statistics/32068 Introducing FileFix A New Alternative to ClickFix Attacks Attackers may trick the user into copy/pasting strings into file explorer, which will execute commands similar to the ClickFix attack that tricks users into copy pasting the command into the start menu s cmd feature. https://www.mobile-hacker.com/2025/06/24/introducing-filefix-a-new-alternative-to-clickfix-attacks/ Threat Actors Modify and Re-Create Commercial Software to Steal User s Information A fake Sonicwall Netextender clone will steal user s credentials https://www.sonicwall.com/blog/threat-actors-modify-and-re-create-commercial-software-to-steal-users-information

Scans for Ichano AtHome IP Cameras A couple days ago, a few sources started scanning for the username super_yg and the password 123. This is associated with Ichano IP Camera software. https://isc.sans.edu/diary/Scans%20for%20Ichano%20AtHome%20IP%20Cameras/32062 Critical Netscaler Security Update CVE-2025-5777 CVE 2025-5777 is a critical severity vulnerability impacting NetScaler Gateway, i.e. if NetScaler has been configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server. https://www.netscaler.com/blog/news/critical-security-updates-for-netscaler-netscaler-gateway-and-netscaler-console/ WinRar Vulnerability CVE-2025-6218 WinRar may be tricked into extracting files into attacker-determined locations, possibly leading to remote code execution https://www.win-rar.com/singlenewsview.html?&L=0&tx_ttnews%5Btt_news%5D=276&cHash=b5165454d983fc9717bc8748901a64f9

ADS & Python Tools Didier explains how to use his tools cut-bytes.py and filescanner to extract information from alternate data streams. https://isc.sans.edu/diary/ADS%20%26%20Python%20Tools/32058 Enhanced security defaults for Windows 365 Cloud PCs Microsoft announced more secure default configurations for its Windows 365 Cloud PC offerings. https://techcommunity.microsoft.com/blog/windows-itpro-blog/enhanced-security-defaults-for-windows-365-cloud-pcs/4424914 CVE-2025-34508: Another File Sharing Application, Another Path Traversal Horizon3 reveals details of a recently patched directory traversal vulnerability in zend.to. https://horizon3.ai/attack-research/attack-blogs/cve-2025-34508-another-file-sharing-application-another-path-traversal/ Unexpected security footguns in Go's parsers Go parsers for JSON and XML are not always compatible and can parse data in unexpected ways. This blog by Trails of Bits goes over the various security implications of this behaviour. https://blog.trailofbits.com/2025/06/17/unexpected-security-footguns-in-gos-parsers/

How Long Until the Phishing Starts? About Two Weeks After setting up a Google Workspace and adding a new user, it took only two weeks for the new employee to receive somewhat targeted phishing emails. https://isc.sans.edu/diary/How%20Long%20Until%20the%20Phishing%20Starts%3F%20About%20Two%20Weeks/32052 Scammers hijack websites of Bank of America, Netflix, Microsoft, and more to insert fake phone numbers Scammers are placing Google ads that point to legitimate companies sites, but are injecting malicious text into the page advertising fake tech support numbers https://www.malwarebytes.com/blog/news/2025/06/scammers-hijack-websites-of-bank-of-america-netflix-microsoft-and-more-to-insert-fake-phone-number What s in an ASP? Creative Phishing Attack on Prominent Academics and Critics of Russia Targeted attacks are tricking victims into creating app-specific passwords to Google resources. https://cloud.google.com/blog/topics/threat-intelligence/creative-phishing-academics-critics-of-russia

Extracting Data From JPEGs Didier shows how to efficiently extract data from JPEGs using his tool jpegdump.py https://isc.sans.edu/diary/A%20JPEG%20With%20A%20Payload/32048 Windows Recall Export in Europe In its latest insider build for Windows 11, Microsoft is testing an export feature for data stored by Recall. The feature is limited to European users and requires that you note an encryption key that will be displayed only once as Recall is enabled. https://blogs.windows.com/windows-insider/2025/06/13/announcing-windows-11-insider-preview-build-26120-4441-beta-channel/ Anubis Ransomware Now Wipes Data The Anubis ransomware, usually known for standard double extortion, is now also wiping data preventing any recovery even if you pay the ransom. https://www.trendmicro.com/en_us/research/25/f/anubis-a-closer-look-at-an-emerging-ransomware.html Mitel Vulnerabilities CVE-2025-47188 Mitel this week patched a critical path traversal vulnerability (sadly, no CVE), and Infoguard Labs published a PoC exploit for an older file upload vulnerability. https://labs.infoguard.ch/posts/cve-2025-47188_mitel_phone_unauthenticated_rce/ https://www.mitel.com/support/mitel-product-security-advisory-misa-2025-0007

Katz Stealer in JPG Xavier found some multistage malware that uses an Excel Spreadsheet and an HTA file to load an image that includes embeded a copy of Katz stealer. https://isc.sans.edu/diary/More+Steganography/32044 https://unit42.paloaltonetworks.com/malicious-javascript-using-jsfiretruck-as-obfuscation/ JavaScript obfuscated with JSF*CK is being used on over 200,000 websites to direct victims to malware Expired Discord Invite Links Used for Malware Distribution Expired discord invite links are revived as vanity links to direct victims to malware sites https://research.checkpoint.com/2025/from-trust-to-threat-hijacked-discord-invites-used-for-multi-stage-malware-delivery/

Automated Tools to Assist with DShield Honeypot Investigations https://isc.sans.edu/diary/Automated%20Tools%20to%20Assist%20with%20DShield%20Honeypot%20Investigations%20%5BGuest%20Diary%5D/32038 EchoLeak: Zero-Click Microsoft 365 Copilot Data Leak Microsoft fixed a vulnerability in Copilot that could have been abused to exfiltrate data from Copilot users. Copilot mishandled instructions an attacker included in documents inspected by Copilot and executed them. https://www.aim.security/lp/aim-labs-echoleak-blogpost Thunderbolt Vulnerability Thunderbolt users may be tricked into downloading arbitrary files if an email includes a mailbox:/// URL. https://www.mozilla.org/en-US/security/advisories/mfsa2025-49/

Quasar RAT Delivered Through Bat Files Xavier is walking you through a quick reverse analysis of a script that will injection code extracted from a PNG image to implement a Quasar RAT. https://isc.sans.edu/diary/Quasar%20RAT%20Delivered%20Through%20Bat%20Files/32036 Delayed Windows 11 24H2 Rollout Microsoft slightly throttled the rollout of windows 11 24H2 due to issues stemming from the patch Tuesday fixes. https://learn.microsoft.com/en-us/windows/release-health/windows-message-center#3570 An In-Depth Analysis of CVE-2025-33073 Patch Tuesday fixed an already exploited SMB client vulnerability. A blog by Synacktiv explains the nature of the issue and how to exploit it. https://www.synacktiv.com/en/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025 Connectwise Rotating Signing Certificates Connectwise is rotating signing certificates after a recent compromise, and will release a new version of its Screen share software soon to harden its configuration. https://www.connectwise.com/company/trust/advisories KDE Telnet URL Vulnerablity The Konsole delivered as part of KDE may be abused to execute arbitrary code via telnet URLs. https://kde.org/info/security/advisory-20250609-1.txt

Microsoft Patch Tuesday Microsoft today released patches for 67 vulnerabilities. 10 of these vulnerabilities are rated critical. One vulnerability has already been exploited and another vulnerability has been publicly disclosed before today. https://isc.sans.edu/diary/Microsoft%20Patch%20Tuesday%20June%202025/32032 Adobe Vulnerabilities Adobe released patches for 7 different applications. Two significant ones are Adobe Commerce and Adobe Acrobat Reader. All vulnerabilities patched for Adobe Commerce can only be exploited by an authenticated user. The Adobe Acrobat Reader vulnerabilities are exploited by a user opening a crafted PDF, and the exploit may execute arbitrary code. https://helpx.adobe.com/security/Home.html

OctoSQL & Vulnerability Data OctoSQL is a neat tool to query files in different formats using SQL. This can, for example, be used to query the JSON vulnerability files from CISA or NVD and create interesting joins between different files. https://isc.sans.edu/diary/OctoSQL+Vulnerability+Data/32026 Mirai vs. Wazuh The Mirai botnet has now been observed exploiting a vulnerability in the open-source EDR tool Wazuh. https://www.akamai.com/blog/security-research/botnets-flaw-mirai-spreads-through-wazuh-vulnerability DNS4EU The European Union created its own public recursive resolver to offer a public resolver compliant with European privacy laws. This resolver is currently operated by ENISA, but the intent is to have a commercial entity operate and support it by a commercial entity. https://www.joindns4.eu/ WordPress FAIR Package Manager Recent legal issues around different WordPress-related entities have made it more difficult to maintain diverse sources of WordPress plugins. With WordPress plugins usually being responsible for many of the security issues, the Linux Foundation has come forward to support the FAIR Package Manager, a tool intended to simplify the management of WordPress packages. https://github.com/fairpm

Extracting With pngdump.py Didier extended his pngdump.py script to make it easier to extract additional data appended to the end of the image file. https://isc.sans.edu/diary/Extracting%20With%20pngdump.py/32022 16 React Native Packages for GlueStack Backdoored Overnight 16 npm packages with over a million weekly downloads between them were compromised. The compromised packages include a remote admin tool that was seen before in similar attacks. https://www.aikido.dev/blog/supply-chain-attack-on-react-native-aria-ecosystem Atomic MacOS Stealer Exploits Clickfix MacOS users are now also targeted by fake captchas, tricking users into running exploit code. https://www.cloudsek.com/blog/amos-variant-distributed-via-clickfix-in-spectrum-themed-dynamic-delivery-campaign-by-russian-speaking-hackers Microsoft INETPUB Script Microsoft published a simple PowerShell script to restore the inetpub folder in case you removed it by mistake. https://www.powershellgallery.com/packages/Set-InetpubFolderAcl/1.0

Be Careful With Fake Zoom Client Downloads Miscreants are tricking victims into downloading fake Zoom clients (and likely other meeting software) by first sending them fake meeting invites that direct victims to a page that offers malware for download as an update to the Zoom client. https://isc.sans.edu/diary/Be%20Careful%20With%20Fake%20Zoom%20Client%20Downloads/32014 Python tarfile Vulnerability Recently, the Python tarfile module introduced a filter option to help mitigate some of the insecure behavior common to software unpacking archives. This filter is, however, not working quite as well as it should. https://mail.python.org/archives/list/security-announce@python.org/thread/MAXIJJCUUMCL7ATZNDVEGGHUMQMUUKLG/ Hewlett Packard Enterprise Insight Remote Support processAttachmentDataStream Directory Traversal Remote Code Execution Vulnerability HP fixed, among other vulnerabilities, a critical remote code execution vulnerability in Insight Remote Support (IRS) https://www.zerodayinitiative.com/advisories/ZDI-25-325/

Phishing e-mail that hides malicious links from Outlook users Jan found a phishing email that hides the malicious link from Outlook users. The email uses specific HTML comment clauses Outlook interprets to render or not render specific parts of the email s HTML code. Jan suggests that the phishing email is intented to not expose users of https://isc.sans.edu/diary/Phishing%20e-mail%20that%20hides%20malicious%20link%20from%20Outlook%20users/32010 Amazon changing default logging from blocking to non-blocking Amazon will change the default logging mode from blocking to non-blocking. Non-blocking logging will not stop the application if logging fails, but may result in a loss of logs. https://aws.amazon.com/blogs/containers/preventing-log-loss-with-non-blocking-mode-in-the-awslogs-container-log-driver/ Cisco Removes Backdoor Cisco fixed a Cisco Identity Services Engine on Cloud Platforms Static Credential Vulnerability. https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-aws-static-cred-FPMjUcm7 Infoblox Vulnerability Details disclosed Details regarding several vulnerabilities recently patched in Infoblox s NetMRI have been made public. In particular an unauthenticated remote code execution issue should be considered critical. https://rhinosecuritylabs.com/research/infoblox-multiple-cves/

vBulletin Exploits CVE-2025-48827, CVE-2025-48828 We do see exploit attempts for the vBulletin flaw disclosed about a week ago. The flaw is only exploitable if vBulltin is run on PHP 8.1, and was patched over a year ago. However, vBulltin never disclosed the type of vulnerability that was patched. https://isc.sans.edu/diary/vBulletin%20Exploits%20%28CVE-2025-48827%2C%20CVE-2025-48828%29/32006 Google Chrome 0-Day Patched Google released a security update for Google Chrome patching three flaws. One of these is already being exploited. https://chromereleases.googleblog.com/ Roundcube Update Roundcube patched a vulnerability that allows any authenticated user to execute arbitrary code. https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10 HP Vulnerabilities in StoreOnce HP patched multiple vulnerabilities in StoreOnce. These issues could lead to remote code execution https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbst04847en_us&docLocale=en_US

Simple SSH Backdoor Xavier came across a simple SSH backdoor taking advantage of the ssh client preinstalled on recent Windows systems. The backdoor is implemented via an SSH configuration file that instructs the SSH client to connect to a remote system and forward a shell on a random port. This will make the shell accessible to anybody able to connect to the C2 host. https://isc.sans.edu/diary/Simple%20SSH%20Backdoor/32000 Google Chrome to Distrust CAs Google Chrome will remove the Chunghwa Telecom and Netlock certificate authorities from its list of trusted CAs. Any certificates issued after July 31st will not be trusted. Certificates issued before the deadline will be trusted until they expire. https://security.googleblog.com/2025/05/sustaining-digital-certificate-security-chrome-root-store-changes.html Microsoft Emergency Update to Fix Crashes Caused by May Patch Microsoft released an emergency update for a bug caused by one of the patches released in May. Due to the bug, systems may not restart after the patch is applied. This affects, first of all, virtual systems running in Azure and HyperV but apparently has also affected some physical systems. https://learn.microsoft.com/en-us/windows/release-health/status-windows-11-23h2#kb5058405-might-fail-to-install-with-recovery-error-0xc0000098-in-acpi-sys Qualcomm Adreno Graphics Processing Unit Patch (Exploited!) Qualcomm released an update for the driver for its Adreno GPU. The patched vulnerability is already being exploited against Android devices. https://docs.qualcomm.com/product/publicresources/securitybulletin/june-2025-bulletin.html

A PNG Image With an Embedded Gift Xavier shows how Python code attached to a PNG image can be used to implement a command and control channel or a complete remote admin kit. https://isc.sans.edu/diary/A+PNG+Image+With+an+Embedded+Gift/31998 Cisco IOS XE WLC Arbitrary File Upload Vulnerability (CVE-2025-20188) Analysis Horizon3 analyzed a recently patched flaw in Cisco Wireless Controllers. This arbitrary file upload flaw can easily be used to execute arbitrary code. https://horizon3.ai/attack-research/attack-blogs/cisco-ios-xe-wlc-arbitrary-file-upload-vulnerability-cve-2025-20188-analysis/ Don't Call That "Protected" Method: Dissecting an N-Day vBulletin RCE A change in PHP 8.1 can expose methods previously expected to be safe . vBulletin fixed a related flaw about a year ago without explicitly highlighting the security impact of the fix. A blog post now exposed the flaw and provided exploit examples. We have seen exploit attempts against honeypots starting May 25th, two days after the blog was published. https://karmainsecurity.com/dont-call-that-protected-method-vbulletin-rce

Alternate Data Streams: Adversary Defense Evasion and Detection Good Primer of alternate data streams and how they are abused, as well as how to detect and defend against ADS abuse. https://isc.sans.edu/diary/Alternate%20Data%20Streams%20%3F%20Adversary%20Defense%20Evasion%20and%20Detection%20%5BGuest%20Diary%5D/31990 Connectwise Breach Affects ScreenConnect Customers Connectwise s ScreenConnect solution was compromised, leading to attacks against a small number of customers. This is yet another example of how attackers are taking advantage of remote access solutions. https://www.connectwise.com/company/trust/advisories Mark Your Calendar: APT41 Innovative Tactics Google detected attacks leveraging Google s calendar solution as a command and control channel. https://cloud.google.com/blog/topics/threat-intelligence/apt41-innovative-tactics Webs of Deception: Using the SANS ICS Kill Chain to Flip the Advantage to the Defender Defending a small Industrial Control System (ICS) against sophisticated threats can seem futile. The resource disparity between small ICS defenders and sophisticated attackers poses a significant security challenge. https://www.sans.edu/cyber-research/webs-deception-using-sans-ics-kill-chain-flip-advantage-defender/

Exploring a Use Case of Artificial Intelligence Assistance with Understanding an Attack Jennifer Wilson took a weird string found in a recent honeypot sample and worked with ChatGPT to figure out what it is all about. https://isc.sans.edu/diary/%5BGuest%20Diary%5D%20Exploring%20a%20Use%20Case%20of%20Artificial%20Intelligence%20Assistance%20with%20Understanding%20an%20Attack/31980 Ransomware Deployed via SimpleHelp Vulnerabilities Ransomware actors are using vulnerabilities in SimpleHelp to gain access to victim s networks via MSPs. The exploited vulnerabilities were patched in January. https://news.sophos.com/en-us/2025/05/27/dragonforce-actors-target-simplehelp-vulnerabilities-to-attack-msp-customers/ OS Command Injection in Everetz Equipment Broadcast equipment manufactured by Everetz is susceptible to an OS command injection vulnerability. Everetz has not responded to researchers reporting the vulnerability so far and there is no patch available. https://www.onekey.com/resource/security-advisory-remote-code-execution-on-evertz-svdn-cve-2025-4009

SSH authorized_keys File One of the most common techniques used by many bots is to add rogue keys to the authorized_keys file, implementing an SSH backdoor. Managing these files and detecting unauthorized changes is not hard and should be done if you operate Unix systems. https://isc.sans.edu/diary/Securing%20Your%20SSH%20authorized_keys%20File/31986 REMOTE COMMAND EXECUTION ON SMARTBEDDED METEOBRIDGE (CVE-2025-4008) Weatherstation software Meteobridge suffers from an easily exploitable unauthenticated remote code execution vulnerability https://www.onekey.com/resource/security-advisory-remote-command-execution-on-smartbedded-meteobridge-cve-2025-4008 https://forum.meteohub.de/viewtopic.php?t=18687 Manageengine ADAuditPlus SQL Injection Zoho patched two SQL Injection vulnerabilities in its ManageEngine ADAuditPlus product https://www.manageengine.com/products/active-directory-audit/cve-2025-41407.html https://www.manageengine.com/products/active-directory-audit/cve-2025-36527.html Dero Miner Infects Containers through Docker API Kaspersky found yet another botnet infecting docker containers to spread crypto coin miners. The initial access happens via exposed docker APIs. https://securelist.com/dero-miner-infects-containers-through-docker-api/116546/

SVG Steganography Steganography is not only limited to pixel-based images but can be used to embed messages into vector-based formats like SVG. https://isc.sans.edu/diary/SVG%20Steganography/31978 Fortinet Vulnerability Details CVE-2025-32756 Horizon3.ai shows how it was able to find the vulnerability in Fortinet s products, and how to possibly exploit this issue. The vulnerability is already being exploited in the wild and was patched May 13th https://horizon3.ai/attack-research/attack-blogs/cve-2025-32756-low-rise-jeans-are-back-and-so-are-buffer-overflows/ Remote Prompt Injection in GitLab Duo Leads to Source Code Theft An attacker may leave instructions (prompts) for GitLab Duo embedded in the source code. This could be used to exfiltrate source code and secrets or to inject malicious code into an application. https://www.legitsecurity.com/blog/remote-prompt-injection-in-gitlab-duo

Resilient Secure Backup Connectivity for SMB/Home Users Establishing resilient access to a home network via a second ISP may lead to unintended backdoors. Secure the access and make sure you have the visibility needed to detect abuse. https://isc.sans.edu/diary/Resilient%20Secure%20Backup%20Connectivity%20for%20SMB%20Home%20Users/31972 BadSuccessor: Abusing dMSA to Escalate Privileges in Active Directory An attacker with the ability to create service accounts may be able to manipulate these accounts to mark them as migrated accounts, inheriting all privileges the original account had access to. https://www.akamai.com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory Flaw in samlify That Opens Door to SAML Single Sign-On Bypass CVE-2025-47949 The samlify Node.js library does not verify SAML assertions correctly. It will consider the entire assertion valid, not just the original one. An attacker may use this to obtain additional privileges or authenticate as a different user https://www.endorlabs.com/learn/cve-2025-47949-reveals-flaw-in-samlify-that-opens-door-to-saml-single-sign-on-bypass

New Variant of Crypto Confidence Scam Scammers are offering login credentials for what appears to be high value crypto coin accounts. However, the goal is to trick users into paying for expensive VIP memberships to withdraw the money. https://isc.sans.edu/diary/New%20Variant%20of%20Crypto%20Confidence%20Scam/31968 Malicious Chrome Extensions Malicious Chrome extensions mimick popular services like VPNs to trick users into installing them. Once installed, the extensions will exfiltrate browser secrets https://dti.domaintools.com/dual-function-malware-chrome-extensions/ Malicious VS Code Extensions Malicious Visual Studio Code extensions target crypto developers to trick them into installing them to exfiltrate developer secrets. https://securitylabs.datadoghq.com/articles/mut-9332-malicious-solidity-vscode-extensions/#indicators-of-compromise

Researchers Scanning the Internet A newish RFC, RFC 9511, suggests researchers identify themselves by adding strings to the traffic they send, or by operating web servers on machines from which the scan originates. We do offer lists of researchers and just added three new groups today https://isc.sans.edu/diary/Researchers%20Scanning%20the%20Internet/31964 Cloudy with a change of Hijacking: Forgotten DNS Records Organizations do not always remove unused CNAME records. An attacker may take advantage of this if an attacker is able to take possession of the now unused public cloud resource the name pointed to. https://blogs.infoblox.com/threat-intelligence/cloudy-with-a-chance-of-hijacking-forgotten-dns-records-enable-scam-actor/ Message signature verification can be spoofed CVE-2025-47934 A vulnerability in openpgp.js may be used to spoof message signatures. openpgp.js is a popular library in systems implementing end-to-end encrypted browser applications. https://github.com/openpgpjs/openpgpjs/security/advisories/GHSA-8qff-qr5q-5pr8

RAT Dropped By Two Layers of AutoIT Code Xavier explains how AutoIT was used to install a remote admin tool (RAT) and how to analyse such a tool https://isc.sans.edu/diary/RAT%20Dropped%20By%20Two%20Layers%20of%20AutoIT%20Code/31960 RVTools compromise confirmed Robware.net, the site behind the popular tool RVTools now confirmed that it was compromised. The site is currently offline. https://www.robware.net/readMore Trojaned Version of Keepass used to install info stealer and Cobalt Strike beacon A backdoored version of KeePass was used to trick victims into installing Cobalt Strike and other malware. In this case, Keepass itself was not compromised and the malicious version was advertised via search engine optimization tricks https://labs.withsecure.com/publications/keepass-trojanised-in-advanced-malware-campaign Procolored UV Printer Software Compromised The official software offered by the makers of the Procolored UV printer has been compromised, and versions with malware were distributed for about half a year. https://www.hackster.io/news/the-maker-s-toolbox-procolored-v11-pro-dto-uv-printer-review-680d491e17e3 https://www.gdatasoftware.com/blog/2025/05/38200-printer-infected-software-downloads

xorsearch.py: Python Functions Didier s xorsearch tool now supports python functions to filter output https://isc.sans.edu/diary/xorsearch.py%3A%20Python%20Functions/31858 Pwn2Own Berlin 2025 Last weeks Pwn2Own contest in Berlin allowed researchers to demonstrate a number of new exploits with a large focus on privilege escalation and virtual machine escape. https://www.zerodayinitiative.com/blog/2025/5/17/pwn2own-berlin-2025-day-three-results Senior US Officials Impersonated in Malicious Messaging Campaign The FBI warns of senior US officials being impersonated in text and voice messages. https://www.ic3.gov/PSA/2025/PSA250515 Scattered Spider: TTP Evolution in 2025 Pushscurity provided an update on how Scattered Spider evolved. One thing they noted was that Scattered Spider takes advantage of legit dynamic domain name systems to make detection more difficult https://pushsecurity.com/blog/scattered-spider-ttp-evolution-in-2025/

Web Scanning SonicWall for CVE-2021-20016 - Update Scans for SonicWall increased by an order of magnitude over the last couple of weeks. Many of the attacks appear to originate from Global Host , a low-cost virtual hosting provider. https://isc.sans.edu/diary/Web%20Scanning%20SonicWall%20for%20CVE-2021-20016%20-%20Update/31952 Google Update Patches Exploited Chrome Flaw Google released an update for Chrome. The update fixes two specific flaws reported by external researchers, CVE-2025-4664 and CVE-2025-4609. The first flaw is already being exploited in the wild. https://chromereleases.googleblog.com/2025/05/stable-channel-update-for-desktop_14.html https://x.com/slonser_/status/1919439373986107814 RVTools Bumblebee Malware Attack Zerodaylabs published its analysis of the RV-Tools Backdoor attack. It suggests that this may not be solely a search engine optimization campaign directing victims to the malicious installer, but that the RVTools distribution site was compromised. https://zerodaylabs.net/rvtools-bumblebee-malware/ Operation RoundPress ESET Security wrote up a report summarizing recent XSS attacks against open-source webmail systems https://www.welivesecurity.com/en/eset-research/operation-roundpress/