23andMe Files Chapter 11, CA AG Urges Users Delete Data
(March 21, 23, 24, & 26, 2025)
On Sunday, March 23, 2025, genetic testing company 23andMe announced that it had initiated voluntary Chapter 11 bankruptcy proceedings "to facilitate a sale process to maximize the value of its business." The company also explicitly intends this action to resolve the legal consequences of the October 2023 data breach that allowed 6.4 million customers' sensitive information -- including but not limited to "origin estimation, phenotype, health information, photos, [and] identification data" -- to be sold on the dark web. Due to concerns over the vulnerability of customers' data in this transition, California Attorney General Rob Bonta has urged all users to request that their data be deleted; Californians are additionally protected by the Genetic Information Privacy Act (GIPA) and the California Consumer Privacy Act (CCPA), which vest consumers with the right to delete personal information and the right to revoke consent for storage and use of biological samples after initial genetic testing. 23andMe is not bound by the Health Insurance Portability and Accountability Act (HIPAA). The Electronic Frontier Foundation (EFF) notes that fewer than half of US states have data privacy laws, only some of which would require consumers' consent for their genetic data to be transferred in the event of the company's sale as outlined in 23andMe's privacy policy. The company's announcement states, "We believe in the value of our people and our assets"; Suzanne Bernstein, counsel at the Electronic Privacy Information Center, comments that "23andMe’s most valuable asset is likely its trove of highly sensitive consumer personal data, including genetic data."
Editor's Note
[Neely]
The posts from the CA AG and the EFF include the steps to delete your 23andMe data. You also have an option to download your data if you wish. Make sure you review your settings for retaining your DNA sample (as in, destroy it), and your permissions for your genetic data to be used for research by third parties. Deleting your data also deletes your 23andMe account. If you decide to leave your data at 23andMe, keep an eye out for updated privacy/data protections, which will likely be accepted by your continued use of the service/leaving your data there.
[Honan]
It is interesting to note that any customers of 23andMe who are based in the EU can exercise their Right to Erasure (better known as the right to be forgotten) under the EU General Data Protection Regulation (GDPR). Also, under GDPR, individuals' personal data is not a company's "most valuable asset" but rather belongs to the individual in question and is their data that has been entrusted to the company.
[Ullrich]
This is not the first time personal data has become an asset in bankruptcy proceedings. Back in 2009, Verified Identity Pass, Inc., which operated “Clear” then, sold all the registered traveler data it collected for its airport checkpoints as part of its bankruptcy. Only strong legal rights to delete the data will prevent such a sale in the future. It appears that 23andMe allows for data deletion. It will be interesting and likely entertaining to observe the outrage that will ensue in a couple of years as some data centers engaged in machine learning and AI will inevitably fold, and companies will realize that they may no longer have access to or be able to delete, their proprietary training data and models.
[Spitzner]
Incidents like this are why I really struggle and, to be honest, no longer teach people how to protect their privacy. In today’s highly connected world, it’s impossible. Anytime you touch anything that is “smart” or “connected”, your actions and lives are being recorded. Have Siri disabled on your phone? Doesn’t matter, everyone next to you has it enabled. Walk in a parking lot and just about every modern car is recording who walks by the car. Your data is actively being collected by every entity possible. That data is then either hacked or sold to other entities (in this case both with 23andMe). I now teach people how to protect their digital lives with the assumption that your data is already out there and there is nothing you can do to get it back. I focus on behaviors like securing and monitoring all your financial accounts, credit freezes and IP Tax Pins with the IRS. It is the reality of the world we now live in.
[Dukes]
Just remember, data is the new gold, and it will continue to be monetized even in bankruptcy. Laws aside, take charge of your information and request that it be removed from company systems.
[Pescatore]
Years ago my daughter gave my wife and me gifts of 23andMe testing, probably because during her teenage years I accused her of not being genetically related to me at all… After the results came in, I went through the deletion process. It wasn’t trivial to do but not that hard, worth doing.
[Murray]
What could possibly go wrong? While 23andMe has been unable to find a legitimate and sustainable business model around this data, one expects that there will be multiple "data brokers" bidding for this data. When sharing your PII, consider the long term viability of the enterprise to which you are surrendering it. I tend to agree with my colleagues that, in the light of all the unregulated, not to say unscrupulous, data brokers, privacy is dead. However, in order to resist fraudulent use of our PII, I continue to urge everyone to lock access to their information on the three major credit bureaus and monitor all activity to their accounts on a timely, perhaps daily or even real time, basis. Prefer to pay online using proxies, e.g. PayPal, Apple Pay, Google Pay. Prefer financial institutions that confirm all transactions and changes out of band. (We really need a regulation that requires the credit bureaus to notify us whenever our information is accessed or sold in bulk.)
Read more in:
- investors.23andme.com: 23andMe Initiates Voluntary Chapter 11 Process to Maximize Stakeholder Value Through Court-Supervised Sale Process
- oag.ca.gov: Attorney General Bonta Urgently Issues Consumer Alert for 23andMe Customers
- www.eff.org: How to Delete Your 23andMe Data
- therecord.media: 23andMe files for bankruptcy, putting customers’ genetic data at risk
- www.theregister.com: 23andMe's genes not strong enough to avoid Chapter 11
AI Crawlers Overwhelm FOSS, Defenders Build Mazes
(March 19, 20, 21, 25, & 26, 2025)
Developers of open-source software and infrastructure are experiencing an extreme burden of traffic from AI crawler bots, leading to increased bandwidth and maintenance costs and threatening service stability by "causing what amounts to persistent distributed denial-of-service (DDoS) attacks on vital public resources." Ars Technica's Benj Edwards characterizes the escalation as a "crisis for the digital ecosystem that underpins the modern Internet." Developer Xe Iaso created "Anubis", a proof-of-work challenge system designed to protect against AI crawlers, after efforts such as blocking known user-agents, filtering traffic, adjusting robots.txt, and using a VPN did not relieve his server; Anubis is now in use protecting GNOME developers' GitLab instance, permitting only 3% of requests in the first 2.5 hours as non-bot traffic. An anonymous developer has released self-described "deliberately malicious" tarpit software known as "Nepenthes," intended to indiscriminately trap all data-scraping bots in endless linked pages and potentially poison their data. On March 19, 2025, Cloudflare announced the "AI Labyrinth," a similar but less aggressive defensive security feature to protect sites from unauthorized scraping, noting that "AI Crawlers generate more than 50 billion requests to the Cloudflare network every day," which is nearly 1% of all traffic they process.
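To make the proof-of-work approach concrete, here is an added example of an Anubis-style challenge gate; it is not Anubis's own code, and the difficulty, TTL, challenge format and binding to a client hint are assumptions for illustration. The server signs a challenge, the visitor brute-forces a nonce, and the server verifies statelessly with one hash.

```python
"""Added example (not Anubis's own code): an Anubis-style proof-of-work gate.

The server issues an HMAC-signed challenge with a difficulty and expiry, the
visitor (normally JavaScript in the browser) burns CPU finding a nonce, and
the server verifies with one hash and no per-client state. A human pays the
cost once per session; a crawler pays it for every fresh challenge."""
import hashlib
import hmac
import json
import os
import time
from typing import Optional, Tuple

# Constructed for this example: a per-deployment secret. Anubis's real
# parameters (difficulty, cookie format) are not on the page and are assumed.
SERVER_SECRET = os.urandom(32)
DIFFICULTY_BITS = 16          # leading zero bits required; ~65k hashes on average
CHALLENGE_TTL_SECONDS = 300


def _sign(payload: str) -> str:
    """HMAC-SHA256 over the challenge so a client cannot lower its own difficulty."""
    return hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_challenge(client_hint: str, difficulty: int = DIFFICULTY_BITS,
                    now: Optional[int] = None) -> dict:
    """Server side: build a signed, time-limited challenge for one visitor.

    client_hint is whatever the server binds the work to (for example the
    request's source address) so a solved challenge cannot be replayed from
    elsewhere."""
    now = int(time.time()) if now is None else now
    body = {
        "salt": os.urandom(16).hex(),
        "hint": client_hint,
        "difficulty": difficulty,
        "exp": now + CHALLENGE_TTL_SECONDS,
    }
    payload = json.dumps(body, sort_keys=True)
    return {"payload": payload, "sig": _sign(payload)}


def _leading_zero_bits(digest: bytes) -> int:
    """Count the leading zero bits of a hash digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def _work_hash(payload: str, nonce: int) -> bytes:
    return hashlib.sha256(payload.encode() + b"|" + str(nonce).encode()).digest()


def solve(challenge: dict, max_iterations: int = 1 << 24) -> Optional[int]:
    """Client side: brute-force a nonce until the hash has enough leading zeros."""
    difficulty = json.loads(challenge["payload"])["difficulty"]
    for nonce in range(max_iterations):
        if _leading_zero_bits(_work_hash(challenge["payload"], nonce)) >= difficulty:
            return nonce
    return None


def verify(challenge: dict, nonce: int, client_hint: str,
           now: Optional[int] = None) -> Tuple[bool, str]:
    """Server side: cheap checks first, then a single hash to confirm the work."""
    if not hmac.compare_digest(_sign(challenge["payload"]), challenge.get("sig", "")):
        return False, "bad signature"          # payload tampered or forged
    body = json.loads(challenge["payload"])
    if body["hint"] != client_hint:
        return False, "wrong client"           # solved elsewhere, replayed here
    now = int(time.time()) if now is None else now
    if now > body["exp"]:
        return False, "expired"                # stale solutions are worthless
    if _leading_zero_bits(_work_hash(challenge["payload"], nonce)) < body["difficulty"]:
        return False, "insufficient work"
    return True, "ok"


if __name__ == "__main__":
    ch = issue_challenge("198.51.100.10")
    started = time.time()
    n = solve(ch)
    print(f"nonce {n} found in {time.time() - started:.2f}s ->",
          verify(ch, n, "198.51.100.10"))
```

A production gate would also hand back a session cookie on success so the visitor is not re-challenged on every request, and would rate-limit challenge issuance itself.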
Editor's Note
[Neely]
This is reminiscent of the impact search engine crawlers had on the web 25+ years ago, which resulted in our current mitigations. All crawlers, to include the "smart" AI ones, need to honor traditional restrictions, such as robots.txt, user agent, etc. Considering that after GNOME implemented Anubis only 3% of traffic was able to access the site, this shows the volume of automated traffic sites have to contend with, which is doubly annoying as open-source projects often rely on a provider that has limits on bandwidth or other resources for their server. Keep an eye on the ai.robots.txt project which has premade robots.txt files which implement the Robots Exclusion Protocol as well as .htaccess files which return error pages when detecting AI crawler requests.
[Elgee]
The CAN-SPAM Act was landmark legislation addressing a vaguely similar threat 20+ years ago. Perhaps it's time we require web crawlers to obey robots.txt. Tell your representatives to support the CAN-BOTS Act! (I asked an LLM for a more creative name, and it completely let me down.)
Read more in:
- thelibre.news: FOSS infrastructure is under attack by AI companies
- xeiaso.net: Amazon's AI crawler is making my git server unstable
- blog.cloudflare.com: Trapping misbehaving bots in an AI Labyrinth
- arstechnica.com: Open source devs say AI crawlers dominate traffic, forcing blocks on entire countries
- arstechnica.com: Cloudflare turns AI against itself with endless maze of irrelevant facts
- arstechnica.com: AI haters build tarpits to trap and trick AI scrapers that ignore robots.txt (January 28, 2025)
US Defense Contractor MORSE Will Pay $4.6M to Settle False Claims Act Case
(March 26 & 27, 2025)
Massachusetts-based US defense contractor MORSE Corp. has agreed to pay $4.6 million to settle allegations that they violated the False Claims Act by failing to comply with federal government cybersecurity requirements as laid out in their contracts with the Army and Air Force. Specifically, MORSE used a third-party email host without ensuring it met established cybersecurity requirements; MORSE also “did not have a consolidated written plan for each of its covered information systems describing system boundaries, system environments of operation, how security requirements are implemented and the relationships with or connections to other systems;” they failed to implement all cybersecurity controls in NIST Special Publication (SP) 800-171; and they grossly misrepresented their score for implementation of those cybersecurity controls. The issues were brought to the attention of the public in January 2023 by a whistleblower.
Editor's Note
[Neely]
Flow-down of security requirements is important, and properly representing the state of requirements passed down to you even more so. Better to have an audit finding and CAP (POA&M) than be cited for violating the False Claims Act of 1863. If you're unsure, hire a third party to audit your security against the relevant standards; remember this engagement is working for you and is to get you where you need to be, and far less painful than an external audit. If you're working as a DOD contractor, brush up on CMMC 2.0 requirements, as these are real and have teeth.
[Honan]
With more and more companies outsourcing to third parties, the area of managing cybersecurity risk in the supply chain is becoming increasingly more and more challenging. All the questionnaires in the world won't prove what a supplier answers. The old adage of "Trust but verify" rings true, and companies need to look at ways to independently verify vendors' cybersecurity postures such as right to audits, independent audits, or appropriate certification schemes.
[Dukes]
Having difficulty implementing cybersecurity contractual requirements is one thing, intentionally fudging cybersecurity self-assessment scores is another. Pretty easy case to argue they didn’t exhibit a ‘standard duty of care’ in protecting customer information.
Read more in:
- therecord.media: Defense contractor to pay $4.6 million over third-party provider’s security weakness
- www.theregister.com: US defense contractor cops to sloppy security, settles after infosec lead blows whistle
- www.securityweek.com: Defense Contractor MORSE to Pay $4.6M to Settle Cybersecurity Failure Allegations
- www.justice.gov: Settlement Agreement (PDF)
- www.justice.gov: Defense Contractor MORSECORP Inc. Agrees to Pay $4.6 Million to Settle Cybersecurity Fraud Allegations
- www.whistleblowerllc.com: Whistleblower Law Collaborative Client Settles Landmark Cybersecurity False Claims Act Case
IT Services Company Fined £3m for Ransomware Attack That Compromised Personal Information
(March 26 & 27, 2025)
The UK Information Commissioner’s Office (ICO) has fined IT and software services company Advanced Computer Software Group Ltd nearly £3.1 million (US $4 million) over a ransomware attack that "put the personal information of 79,404 people at risk." The attack on Advanced occurred in August 2022 through an account at an Advanced subsidiary that was not protected with multi-factor authentication (MFA). Advanced provides services to UK healthcare providers; the attack "caused enormous disruption across the United Kingdom, including taking down the NHS 111 critical service used to triage non-emergency but urgent medical calls."
Editor's Note
[Neely]
One of the things that came out in the investigation is that while MFA had been implemented, it had not been implemented completely, leaving entry points which were compromised. That means don't omit any users from MFA requirements, doubly so the admin user who has to authenticate N times a day and says MFA is inconvenient, as well as only implementing MFA on some entry points.
[Dukes]
Seems like a relatively small amount to pay for an incident that caused so much harm... but then they did work with the relevant authorities. So let that be a lesson, don’t walk, but rather run to inform authorities and you may, just may get a discount on your poor cyber hygiene implementation.
[Murray]
I cannot think of any other crime in which there has been so little sympathy for the victims. None of your constituents is likely to side with you if you fall victim to a crime in which the threat was obvious, the risk great, and the mitigation efficient. Think strong authentication and "zero trust." What's not to like?
Read more in:
- ico.org.uk: Software provider fined £3m following 2022 ransomware attack
- therecord.media: British company Advanced fined £3m by privacy regulator over ransomware attack
- www.bleepingcomputer.com: UK fines software provider £3.07 million for 2022 ransomware breach
- www.theregister.com: Ransomwared NHS software supplier nabs £3M discount from ICO for good behavior
- techcrunch.com: NHS vendor Advanced to pay £3M fine following 2022 ransomware attack
- www.techmonitor.ai: UK ICO fines Advanced Computer Software £3m after NHS data breach
- www.bbc.com: NHS software provider fined £3m over data breach after ransomware attack
Vedere Labs Researchers Detail Solar Inverter Vulnerabilities
(March 27, 2025)
Researchers from Forescout’s Vedere Labs discovered 46 vulnerabilities in solar inverters from multiple vendors, including Sungrow, Growatt, and SMA. Solar inverters are the component of solar power systems that convert direct current (DC) power generated by the solar panels to alternating current (AC) power so it can be sent to commercial grids or used by the system owner. The Vedere Labs report describes the vulnerabilities, lays out potential attack scenarios that could compromise user privacy, hijack smart devices, or disrupt power grids, and offers solar power system mitigation suggestions for users and manufacturers.
Editor's Note
[Neely]
The good news is Sungrow, SMA, and Growatt all acknowledged and fixed their issues, and they didn't require any action by consumers. Businesses need to consider these as another ICS with the corresponding controls, and all of us need to make sure that we're changing default passwords, our inverters are configured to update regularly, and they are on isolated networks. Many SOHO guest networks force device isolation, which would make an easy-button option for your inverter, spa, and other IoT devices which don't need to communicate with any other devices on that network.
[Spitzner]
Just for context, in most solar installations an “inverter” is far more than just a device that converts DC to AC. In many solar installations, the inverter is the brains of the installation, connecting panels, batteries, backup generator, grid, etc. Think of it as an intelligent switching station that determines what power goes where, and in what format. It also monitors all systems to ensure the health of the installation, and can do an emergency switch-down when needed. The gotcha is that, due to the complexity of these systems, the inverters are often connected and continuously monitored. Even off-grid installations in rural areas will often have their solar installation connected to the internet (using Starlink or a cellular Internet connection), making them vulnerable.
[Dukes]
Function aside, it’s another ICS device accessible from the Internet and the same cyber security guidance applies. These sorts of gaps in basic secure by design will continue until Cyber Informed Engineering (CIE) takes hold at manufacturing companies. Till then, OT environments will continue to be targets for exploitation.
Read more in:
- www.securityweek.com: More Solar System Vulnerabilities Expose Power Grids to Hacking
- www.bleepingcomputer.com: Dozens of solar inverter flaws could be exploited to attack power grids
- www.forescout.com: Forescout Vedere Labs Uncovers Severe Systemic Security Risks in Global Solar Power Infrastructure (press release)
- www.forescout.com: SUN:DOWN | Destabilizing the Grid via Orchestrated Exploitation of Solar Power Systems (PDF)
Oracle Denies Cloud Breach, Though Leaked Data are Genuine
(March 25 & 26, 2025)
Oracle has told multiple news sources "There has been no breach of Oracle Cloud," responding to the leak and sale on Thursday, March 20, 2025, of over six million lines of data possibly associated with over 140,000 Oracle Cloud tenants -- including JKS files, encrypted SSO passwords, key files, and enterprise manager JPS keys -- allegedly stolen by a threat actor. In the intervening week, the threat actor demonstrated their ability to create a text file on an Oracle Cloud login server, which researchers at CloudSEK suggest had not been patched against a known critical flaw in Oracle Fusion Middleware's Oracle Access Manager. CloudSEK's analysis of sample data found that "the volume and structure of the leaked information make it extremely difficult to fabricate, reinforcing the credibility of the breach." While Oracle's statement claims, "No Oracle Cloud customers experienced a breach or lost any data," Alon Gal, CTO of Hudson Rock, has received confirmation from three of his firm's customers that the leaked data, some as recent as 2023, is genuine; BleepingComputer has also had confirmations from company representatives wishing to remain anonymous. CloudSEK notes that such a breach would increase risk of unauthorized access, espionage, further breaches across Oracle Cloud environments, extortion, and supply chain attacks; the company has created a tool for companies to check if their data are mentioned in the attack list. Recommended remediation is to rotate all SSO, LDAP, and associated credentials and enforce MFA; investigate systems thoroughly for unauthorized access; and monitor threat intelligence. Oracle has not responded to requests for comment.
Editor's Note
[Neely]
Some of the reports indicate the entry point is a login node which was unpatched, and running an old version of Oracle Fusion Middleware, which would be out of character for Oracle. That server is now offline. Regardless of their acknowledging the breach, you can verify that you're implementing MFA, reviewing access controls, monitoring for inappropriate access, as well as resetting any credentials you're uncertain about. This is also a story to bring to the table when discussing updates to SSO or ERP systems, which are typically slow or hands-off when it comes to updates.
[Honan]
While we are still no wiser (at time of writing) as to whether this breach is real or not, Oracle's communication around this issue has been very poor and leaves their customers in a very awkward position. I regularly say "You won't be judged for being a victim of a breach, but you will be judged based on how you respond to it."
[Dukes]
Well now, isn’t this a bit of a sticky wicket for Oracle. Denied the breach, yet some customers confirm. What’s even more concerning is that the purported vulnerability is in, ready for it… Oracle Access Manager. If true, Oracle couldn’t be bothered to patch its own product. While this gets sorted out, do the responsible thing, and rotate your credentials.
[Murray]
Hardly seems likely that there is so much smoke and no fire. Oracle would not be the first victim to refuse to believe that it had happened to them.
Update VMware Tools for Windows to Fix Authentication Bypass
(March 25 & 27, 2025)
Broadcom urges users to update to version 12.5.1 of VMware Tools for Windows to fix a high-severity authentication bypass flaw. CVE-2025-22230, CVSS score 7.8, would allow a user with non-administrative privileges to perform high-privilege operations on a guest virtual machine (VM) due to improper access control. "VMware tools is a suite of utilities that enhances the performance of the virtual machine's guest operating system and improves management of the virtual machine." Linux and macOS versions of VMware Tools are unaffected.
Editor's Note
[Pescatore]
A quick check of the last dozen or so CVEs announced by Broadcom/VMware shows that all were found by external parties, including some well-known poor programming practice errors such as cross site scripting that should have been found by VMware before releasing the software.
[Neely]
Does your patch program include updating VMware tools on endpoints? If not, you should, it's not that intrusive, particularly if you're applying updates which already require a reboot. If you're doing this yourself, it only takes about 5 minutes, but you're going to want to reboot. Broadcom provides this for free.
Critical Unauthenticated HTTP(S) Port Access Vulnerability in CrushFTP
(March 25, 26, & 27, 2025)
A critical unauthenticated HTTP(S) port access vulnerability in CrushFTP "could be exploited by remote, unauthenticated attackers to access vulnerable internet-facing servers (and likely the data stored on them)." The flaw affects CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0. CrushFTP notified users of the vulnerability by email on March 21 and urges users to update their servers as soon as possible. CrushFTP also notes that "some versions of CrushFTP had a problem applying an update automatically. They would fail to rename ".jar" files on Windows operating systems." The company’s write-up provides instructions for addressing this update bug.
Editor's Note
[Neely]
CVE-2025-2825, unauthorized access, CVSS score 9.8, is fixed in CrushFTP 10.8.4+ and 11.3.1+. Note you need a CrushFTP 11 license to update version 10 or earlier. If you have automatic updates enabled, you need to double check they worked and didn't leave behind a .jar_tmp which needs to be renamed .jar - note you only have to fix that one last time, it's been fixed to prevent recurrence once you're on current versions. Beyond updating, implement the DMZ feature of CrushFTP.
[Ullrich]
CrushFTP had issues assigning a CVE to the vulnerability. At this point, the CVE assigned by Vulncheck can be used for this issue, but there were some disputes with CrushFTP around issuing the CVE number. Too bad you never know until it is too late if your vendors have reasonable vulnerability management processes. The somewhat flawed automatic update doesn’t make life better for administrators dealing with this issue.
[Murray]
After all these decades file transfer remains risky. We have seen a handful of tools prove to be vulnerable. Consider alternatives to FTP tools for sensitive data. Consider that your tool itself may be vulnerable.
DrayTek Routers Reportedly in Reboot Loops
(March 24 & 25, 2025)
Last weekend, a number of DrayTek routers appeared to be stuck in reboot loops. DrayTek’s advice is to disconnect the WAN and try to upgrade the firmware, adding that users should "try the TFTP firmware upgrade if the normal upgrade using the WEB UI does not work." The advice suggests that the issue is due to a vulnerability, though this has not been confirmed. The issue is affecting DrayTek routers around the world.
Editor's Note
[Neely]
If you have a DrayTek router, make sure you're on the latest firmware. Make sure you don't have remote management enabled for your routers unless absolutely necessary. Even so, restrict your management access to authorized systems and require 2FA.
Internet Storm Center StormCast Friday, March 28, 2025
Sitecore Exploited; Blasting Past Webp; Splunk and Firefox Vulnerabilities
https://isc.sans.edu/podcastdetail/9384
Sitecore "thumbnailsaccesstoken" Deserialization Scans (and some new reports) CVE-2025-27218
Our honeypots detected a deserialization attack against the Sitecore CMS using a “thumbnailsaccesstoken” header. The underlying vulnerability was patched in January, and security firm Searchlight Cyber revealed details about this vulnerability a couple of weeks ago.
https://isc.sans.edu
Blasting Past Webp
Google’s Project Zero revealed details of how the NSO BLASTPASS exploit took advantage of a WebP image parsing vulnerability in iOS. This zero-click attack was used in targeted attacks back in 2023, and Apple patched the underlying vulnerability in September 2023. But this is the first “byte by byte” description showing how the attack worked.
https://googleprojectzero.blogspot.com
Splunk Vulnerabilities
Splunk patched about a dozen vulnerabilities. None of them are rated critical, but a vulnerability rated “High” allows authenticated users to execute arbitrary code.
https://advisory.splunk.com
Firefox 0-day Patched
Mozilla patched a sandbox escape vulnerability that is already being exploited.
https://www.mozilla.org
Internet Storm Center StormCast Thursday, March 27, 2025
Classifying Malware with ML; Malicious NPM Packages; Google Chrome 0-day
https://isc.sans.edu/podcastdetail/9382
Leveraging CNNs and Entropy-Based Feature Selection to Identify Potential Malware Artifacts of Interest
This diary explores a novel methodology for classifying malware by integrating entropy-driven feature selection with a specialized Convolutional Neural Network (CNN). Motivated by the increasing obfuscation tactics used by modern malware authors, we will focus on capturing high-entropy segments within files, regions most likely to harbor malicious functionality, and feeding these distinct byte patterns into our model.
https://isc.sans.edu
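The entropy-driven feature selection described above, as an added example that is not the diary's own code: sliding-window Shannon entropy over a file's bytes, merging of windows above a threshold into segments, and packing of the highest-entropy segments into a fixed-length byte vector of the kind a CNN would consume. The window size, step, 6.8 bits/byte cut-off and the sample buffer are assumptions constructed for illustration.

```python
"""Added example (not the ISC diary's own code): entropy-driven selection of
file regions, the feature-selection step that precedes the CNN."""
import math
import random
from collections import Counter
from typing import List, Tuple


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for perfectly uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def window_entropies(data: bytes, window: int = 256,
                     step: int = 128) -> List[Tuple[int, float]]:
    """(offset, entropy) per window. A final window is aligned to the end of
    the buffer so trailing bytes are never skipped; short inputs get one window."""
    offsets = list(range(0, max(len(data) - window, 0) + 1, step))
    if data and offsets[-1] + window < len(data):
        offsets.append(len(data) - window)
    return [(off, shannon_entropy(data[off:off + window])) for off in offsets]


def select_high_entropy(data: bytes, window: int = 256, step: int = 128,
                        threshold: float = 6.8) -> List[dict]:
    """Merge overlapping windows at or above the threshold into segments.

    The 6.8 bits/byte cut-off is an assumed heuristic: a 256-byte window of
    uniformly random bytes scores only about 7.1 to 7.3 because of sampling
    collisions, while plain text and ordinary code stay well under 6."""
    segments: List[dict] = []
    for off, h in window_entropies(data, window, step):
        if h < threshold:
            continue
        end = min(off + window, len(data))
        if segments and off <= segments[-1]["end"]:
            segments[-1]["end"] = max(segments[-1]["end"], end)
            segments[-1]["max_entropy"] = max(segments[-1]["max_entropy"], h)
        else:
            segments.append({"start": off, "end": end, "max_entropy": h})
    return segments


def feature_vector(data: bytes, segments: List[dict],
                   length: int = 1024) -> List[int]:
    """Concatenate segments, highest entropy first, then truncate or zero-pad
    to a fixed length so every sample has the same model input shape."""
    ordered = sorted(segments, key=lambda s: s["max_entropy"], reverse=True)
    buf = b"".join(data[s["start"]:s["end"]] for s in ordered)[:length]
    return list(buf) + [0] * (length - len(buf))


# Constructed sample, not a real binary: zero padding, a stretch of plain text,
# a pseudo-random "packed" region (seeded so the run is reproducible), padding.
_rng = random.Random(7)
SAMPLE = (
    b"\x00" * 2048
    + (b"This program cannot be run in DOS mode.\r\n" * 20)[:512]
    + bytes(_rng.getrandbits(8) for _ in range(4096))
    + b"\x00" * 1024
)


if __name__ == "__main__":
    found = select_high_entropy(SAMPLE)
    for seg in found:
        print(f"high-entropy segment {seg['start']}-{seg['end']} "
              f"(max {seg['max_entropy']:.2f} bits/byte)")
    print("feature vector length:", len(feature_vector(SAMPLE, found)))
```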
Malware found on npm infecting local package with reverse shell
Researchers at ReversingLabs found two malicious NPM packages, ethers-provider2 and ethers-providerz, that patch the well-known (and not malicious) ethers package to add a reverse shell and downloader.
https://www.reversinglabs.com
Google Patched Google Chrome 0-day
Google patched a vulnerability in Chrome that was already exploited in attacks against media and educational organizations in Russia.
https://chromereleases.googleblog.com
Internet Storm Center StormCast Wednesday, March 26, 2025
XWiki Exploit; File Converter Correction; VMware Vulnerability; DrayTek Router Reboots; MMC Exploit Details
https://isc.sans.edu/podcastdetail/9380
XWiki Search Vulnerability Exploit Attempts (CVE-2024-3721)
Our honeypot detected an increase in exploit attempts for an XWiki command injection vulnerability. The vulnerability was patched last April, but appears to have been exploited more over the last couple of days. The vulnerability affects the search feature and allows the attacker to inject Groovy code templates.
https://isc.sans.edu
Correction: FBI Image Converter Warning
The FBI's Denver office warned of online file converters, not downloadable conversion tools.
https://www.fbi.gov
VMware Vulnerability
Broadcom released a fix for a VMware Tools vulnerability. The vulnerability allows users of a Windows virtual machine to escalate privileges within the machine.
https://support.broadcom.com
DrayTek Reboots
Over the weekend, users started reporting DrayTek routers rebooting and getting stuck in a reboot loop. DrayTek has now published advice on how to fix the problem.
https://faq.draytek.com.au
Microsoft Management Console Exploit CVE-2025-26633
TrendMicro released details showing how the MMC vulnerability Microsoft patched as part of its patch Tuesday this month was exploited.
https://www.trendmicro.com