Free technical content sponsored by Broadcom
Webcast | Be a DLP Hero: How to Quickly Deliver Value from Your DLP Program and Set It Up for Future Success | June 4, 1:00 ET
Join us for this practical, insight-packed webcast and learn how to confidently launch or strengthen your DLP program for immediate value and long-term success. Save your seat today: https://www.sans.org/info/232515
Windows Server 2025 Vulnerability
(May 21 & 22, 2025)
In a blog post, Akamai researcher Yuval Gordon describes a privilege elevation vulnerability affecting Windows Server 2025 that can be exploited to compromise users in Active Directory (AD). Dubbed BadSuccessor, "the attack exploits the delegated Managed Service Account (dMSA) feature that was introduced in Windows Server 2025, works with the default configuration, and is trivial to implement." There is currently no fix available for this vulnerability. Gordon's write-up includes detection and mitigation strategies.
Editor's Note
[Ullrich]
This is an interesting vulnerability, and I appreciate Akamai coming forward with details. Even Microsoft appears to have lost track of how “legacy AD” actually works. This is a typical business logic flaw that automated tools (and AI!) will not find. It takes someone who understands the overall system to actually identify these types of problems. Luckily, this flaw was discovered and made public before Server 2025 was widely adopted.
[Neely]
You likely don't have a lot of Server 2025 deployed, and this only applies to that version and legacy AD. Microsoft categorized the need for response as Moderate and the patch is timed accordingly. In the meantime, follow the mitigation and detection guidance, auditing dMSA creation, and auditing and limiting assignment of dMSA creating privileges.
[Dukes]
Interesting timing for the announcement by Akamai. They did the responsible thing by notifying MSFT, and MSFT is working on a fix. Yet, they decided to go ahead and publish certain details on the vulnerability before a patch is available. Now it’s known to the world and the clock has started for evildoers to discover the vulnerability and potentially act.
“Likely Exploited Vulnerabilities” Metric Proposed to Augment EPSS and KEV
(May 19, 20, & 21, 2025)
On May 19, 2025, Peter Mell of the US National Institute of Standards and Technology (NIST) and Jonathan Spring of the US Cybersecurity and Infrastructure Security Agency (CISA) published a white paper proposing a new security calculation dubbed the "Likely Exploited Vulnerabilities" (LEV) metric, using Exploit Prediction Scoring System (EPSS) data and associated variables to provide "a daily-updated probability for each CVE with the likelihood that the CVE has been observed to be exploited in the wild at some point in the past." LEV is meant to augment and refine the use of EPSS and Known Exploited Vulnerabilities (KEV), not to replace them, and the white paper offers initial use cases for LEV: to measure the expected number and proportion of CVEs that have been exploited; to estimate KEV list comprehensiveness; and to enhance the process of prioritizing vulnerabilities for remediation by identifying high priority flaws that may be missing from KEV lists or under-scored by EPSS. The authors note that "collaboration with industry is necessary to provide necessary performance measurements."
Editor's Note
[Neely]
One of the ongoing frustrations is which of the thousands of vulnerabilities published every year will be exploited. The LEV should help, if properly implemented, with this determination as well as with that tricky transition between limited exploitation and widespread exploitation. To measure the performance of LEV calculations, NIST is seeking industry partners with relevant datasets to empirically measure the LEV probability performance. The LEV equation has been implemented in Python and downloads data from several resources prior to computing probabilities: NVD, CISA KEV, and EPSS.
[Ullrich]
I am not sure if at some point we will spend more time prioritizing vulnerabilities than actually fixing them. KEV is a nice idea, but often “behind”. In the end, reducing the friction inherent in patching will probably be the only thing that will move the needle to more secure systems.
[Dukes]
Mm, ok, perhaps it has some value if the metric is kept up to date. Therein lies the rub: will it be kept up to date by government and industry? The reality is that organizations need to focus on patch management, automating where possible.
Read more in:
- csrc.nist.gov: Likely Exploited Vulnerabilities: A Proposed Metric for Vulnerability Exploitation Probability
- www.darkreading.com: NIST's 'LEV' Equation to Determine Likelihood a Bug Was Exploited
- www.securityweek.com: Vulnerability Exploitation Probability Metric Proposed by NIST, CISA Researchers
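The story describes LEV as a daily probability, built from a CVE's EPSS history, that the CVE has been exploited at some point in the past. The following is an added example, not the NIST/CISA reference implementation, written to my reading of the white paper's construction (an assumption to check against the paper itself): an EPSS score is a probability of exploitation within the next 30 days, so sampling one score every 30 days and treating the windows as independent gives LEV = 1 - prod_i (1 - epss_i * w_i), with w_i scaling a final partial window by the days it actually covers. The CVE ids and scores below are constructed placeholders.

```python
"""Composing a CVE's EPSS history into an LEV-style probability.

Added example, not the NIST/CISA reference implementation. The formula is my
reading of the white paper (an assumption to verify): one EPSS score is taken
every 30 days, each window is treated as independent, and
    LEV = 1 - prod_i (1 - epss_i * w_i)
where w_i = (days the window actually covers) / 30 for a final partial window.
"""
from bisect import bisect_right
from datetime import date, timedelta

WINDOW_DAYS = 30


def score_on(history: dict[date, float], day: date) -> float:
    """Latest published EPSS score on or before `day` (0.0 if none exists yet).
    EPSS is republished daily, so a gap is treated as 'score unchanged'."""
    published = sorted(history)
    idx = bisect_right(published, day)
    return history[published[idx - 1]] if idx else 0.0


def lev(history: dict[date, float], first: date, last: date) -> float:
    """Probability that the CVE was exploited at least once in [first, last]."""
    if last < first:
        raise ValueError("last must not precede first")
    for score in history.values():
        if not 0.0 <= score <= 1.0:
            raise ValueError(f"EPSS score out of range: {score}")
    p_never = 1.0
    day = first
    while day <= last:
        days_covered = min((last - day).days + 1, WINDOW_DAYS)
        weight = days_covered / WINDOW_DAYS
        p_never *= 1.0 - score_on(history, day) * weight
        day += timedelta(days=WINDOW_DAYS)
    return 1.0 - p_never


def prioritise(histories: dict[str, dict[date, float]], first: date, last: date,
               kev: set[str], threshold: float = 0.5) -> list[tuple[str, float]]:
    """CVEs absent from a KEV list whose LEV exceeds `threshold`, highest first:
    the 'high-priority flaws that may be missing from KEV' use case."""
    ranked = []
    for cve, hist in histories.items():
        if cve in kev:
            continue
        p = lev(hist, first, last)
        if p >= threshold:
            ranked.append((cve, p))
    return sorted(ranked, key=lambda item: item[1], reverse=True)


# Constructed sample histories (placeholder CVE ids, invented scores).
SAMPLE = {
    "CVE-0000-0001": {date(2025, 1, 1): 0.10, date(2025, 2, 1): 0.10},   # steady 10 %
    "CVE-0000-0002": {date(2025, 1, 1): 0.02, date(2025, 1, 20): 0.90},  # spiked mid-January
    "CVE-0000-0003": {date(2025, 1, 1): 0.95},                          # already on KEV
}
SAMPLE_KEV = {"CVE-0000-0003"}

if __name__ == "__main__":
    for cve, p in prioritise(SAMPLE, date(2025, 1, 1), date(2025, 3, 1), SAMPLE_KEV, 0.0):
        print(f"{cve}: LEV={p:.3f}")
```

The sampling step is the part to be careful with: a spike that appears and disappears between two 30-day sample points is missed entirely, which is why the window length and the choice of sample dates should follow the paper rather than this sketch.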
Marks & Spencer Estimates Losses From Breach at £300M
(May 21 & 22, 2025)
British retailer Marks & Spencer (M&S) says it expects to record losses of £300M (US$400M) as a result of a cyberattack that disrupted the company's operations. In a filing with the London Stock Exchange, M&S writes that the "current estimate before mitigation is an impact on Group operating profit of around £300m for 2025/26, which will be reduced through management of costs, insurance and other trading actions." The company says that the effects of the attacks, which include losses in food sales and the unavailability of online retail shopping, are expected to last into July.
Editor's Note
[Neely]
M&S expects recovery efforts to extend into July; expect the total cost to continue to grow, particularly as customer information was stolen. They will not only be funding upgraded security and systems but also identity theft and credit restoration services. Keep an eye on M&S if you're looking to model service restoration impact and scope.
[Dukes]
US$400M is a sizeable loss on profits. To put that into context, last year profits were at $1.17B. So, about a third of expected profits were lost from this cyber incident. This event is a great framework to use for a table-top exercise to convince management to drive needed changes, which generally cost less than the actual costs of this cyber incident.
[Murray]
This is the kind of information about materiality that the SEC Regulation should elicit but rarely does.
Sponsored Links
Webcast | Rethinking Oversharing Risk and Knowledge Segmentation in the Age of AI, June 3 at noon ET
Join this webcast to explore how Knostic is redefining access and identity management for the AI era with a knowledge-centric approach that emphasizes not just who has access, but who needs access. Discover how their innovative methodology—grounded in need-to-know principles, role-based knowledge segmentation, and intent-aware access policies—creates an intelligent, scalable framework for controlling AI-generated knowledge sharing. Save your seat today: https://www.sans.org/info/232520
Webcast | SANS First Look: Leveraging Dropzone AI to Handle Tier 1 Alert Triage | June 18, 1:00 ET
SANS Instructor Mark Jeanmougin will examine how Dropzone AI can integrate into existing security stacks, support analyst development, and help SOC teams stay focused on high-impact decisions. We’ll explore how Dropzone AI functions as a virtual Tier 1 analyst, helping your team automate alert triage, cut through the noise, and escalate only what truly matters. https://www.sans.org/info/232525
Webcast | The Future of Cloud Security Starts with Runtime | May 29, 1:00 ET
Modern cloud attacks are fast, stealthy, and constantly evolving—can your security strategy keep up? Join us for an eye-opening session that explores why traditional security tools are falling short and how runtime visibility is becoming a critical pillar of modern cloud defense. Save your seat today: https://www.sans.org/info/232540
Guilty Plea Agreement Signed Over Extortion of PowerSchool
(May 20 & 21, 2025)
19-year-old Matthew Lane of Worcester, Massachusetts has been charged and has agreed to plead guilty to "one count each of cyber extortion conspiracy; cyber extortion; unauthorized access to protected computers; and aggravated identity theft" associated with unauthorized access and data theft from two unnamed companies, one "US-based telecommunications company" and one "cloud storage company that served school systems in the United States, Canada, and elsewhere." After working with unknown conspirators in an unsuccessful attempt to extort the telecom company over threats to leak stolen data, Lane used stolen credentials to access the educational cloud storage company's network and exfiltrated student and teacher data to a server leased in Ukraine. He then threatened to leak "names, email addresses, phone numbers, Social Security numbers, dates of birth, medical information, residential addresses, parent and guardian information, and passwords, among other data, of more than 60 million students and 10 million teachers," demanding approximately US$2.85M in cryptocurrency. The details of this case align with the breach of PowerSchool's Student Information System via stolen credentials for the PowerSource support platform between August and December 2024. PowerSchool confirmed in early May 2025 that they had paid an undisclosed ransom, but individual schools received extortion demands nonetheless. Lane's mandatory minimum sentence for aggravated identity theft is two years in prison, consecutive with up to five years each for the other three charges, as well as fines.
Editor's Note
[Neely]
Previously, the PowerSchool attack was credited to Shiny Hunters, which emerged in 2020. Lane is affiliated with this group, which has been tied to other compromises including AT&T and Microsoft's GitHub. This is why agencies like the FBI want you to report breaches to them. Make sure your response plans involve reporting, to include verified contacts and processes.
Read more in:
- www.justice.gov: Worcester College Student to Plead Guilty to Cyber Extortions
- www.justice.gov: UNITED STATES OF AMERICA v. MATTHEW D. LANE (PDF)
- cyberscoop.com: Massachusetts man will plead guilty in PowerSchool hack case
- www.bleepingcomputer.com: PowerSchool hacker pleads guilty to student data extortion scheme
- techcrunch.com: US student agrees to plead guilty to hack affecting tens of millions of students
Two Critical WordPress Vulnerabilities: Motors Theme and Crawlomatic Plugin
(May 19, 20, & 21, 2025)
Critical vulnerabilities have been reported in the Motors WordPress theme and the Crawlomatic plugin for WordPress. A privilege elevation vulnerability in the Motors theme is due to an unverified password change issue. The flaw affects all versions of the Motors theme through 5.6.67. The theme's developers released an updated version of Motors on May 14; users are advised to update to Motors version 5.6.68 or newer. "The Crawlomatic Multipage Scraper Post Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the crawlomatic_generate_featured_image() function in all versions up to, and including, 2.6.8.1." The flaw affects all versions of the Crawlomatic Multipage Scraper Post Generator plugin through 2.6.8.1; users are advised to update to version 2.6.8.2 or newer.
Editor's Note
[Neely]
You probably already have your plugins set to auto-update, but you likely have to manually update themes, so you need to verify both are updated. Make sure MFA is required for all accounts; remember you're preventing privilege escalation. The Motors theme flaw, CVE-2025-4322, account takeover privilege escalation, has a CVSS score of 9.8. The Crawlomatic flaw, CVE-2025-4389, unauthenticated arbitrary file upload, also has a CVSS score of 9.8.
[Dukes]
Insufficient Input/Output Validation is number four in the OWASP Mobile Risks Top 10 list. CodeRevolution, maker of Crawlomatic, has had three file validation vulnerabilities over three months. Perhaps it’s time for a company standdown to teach secure software development practices.
[Murray]
(This is me, not repeating that WordPress plugins come with no representation of quality, should be used only by design and intent, never by default, and must be scrupulously managed.)
Read more in:
- www.helpnetsecurity.com: Flawed WordPress theme may allow admin account takeover on 22,000+ sites (CVE-2025-4322)
- www.bleepingcomputer.com: Premium WordPress 'Motors' theme vulnerable to admin takeover attacks
- www.wordfence.com: Motors <= 5.6.67 - Unauthenticated Privilege Escalation via Password Update/Account Takeover
- nvd.nist.gov: CVE-2025-4322 Detail
- www.scworld.com: Crawlomatic WordPress plugin patched for critical 9.8 RCE flaw
- www.wordfence.com: Crawlomatic Multipage Scraper Post Generator <= 2.6.8.1 - Unauthenticated Arbitrary File Upload
- nvd.nist.gov: CVE-2025-4389 Detail
Two VMware Security Bulletins
(May 20, 2025)
Broadcom has released a pair of security bulletins to address a total of seven vulnerabilities in VMware Cloud Foundation, VMware ESXi, vCenter Server, Workstation, and Fusion. The first bulletin, VMSA-2025-0009, addresses three flaws in VMware Cloud Foundation, which were reported to Broadcom by the NATO Cyber Security Centre (NCSC): a directory traversal vulnerability, an information disclosure vulnerability, and a missing authorization vulnerability. All three are rated important. The second bulletin, VMSA-2025-0010, addresses four flaws affecting VMware ESXi, vCenter Server, Workstation, and Fusion.
Editor's Note
[Neely]
While the headlines are pointing at vCenter, make sure you're updating your Workstation, Fusion and ESXi deployments as well. Update to ESXi 8.0 U3e, Workstation 17.6.3 and Fusion 13.6.3.
Read more in:
- www.securityweek.com: NATO-Flagged Vulnerability Tops Latest VMware Security Patch Batch
- support.broadcom.com: VMSA-2025-0009 : VMware Cloud Foundation updates address multiple vulnerabilities (CVE-2025-41229, CVE-2025-41230, CVE-2025-41231)
- support.broadcom.com: VMSA-2025-0010 : VMware ESXi, vCenter Server, Workstation, and Fusion updates address multiple vulnerabilities (CVE-2025-41225, CVE-2025-41226, CVE-2025-41227, CVE-2025-41228)
Dutch Legislature Expands Reach of Espionage Law
(May 15, 20, & 21, 2025)
Legislators in the Netherlands have expanded their laws concerning the criminalization of espionage to include cyber espionage "and other activities carried out on behalf of foreign states that may harm Dutch national interests." According to the Dutch National Coordinator for Security and Counterterrorism, "Legislation already existed that criminalized classic espionage, such as sharing state secrets. But forms and use of espionage are changing. Also, if a person leaks sensitive information to a foreign government that is not a state secret, or if someone secretly carries out actions for a foreign government, this will be punishable from 15 May if it can seriously harm Dutch interests."
Editor's Note
[Neely]
As attack techniques and threats change, so should supporting legislation. The new laws increase prison sentences to up to eight years for those found guilty of espionage, with a twelve-year maximum for particularly severe cases. The legislation also includes provisions for vetting students and researchers working on sensitive technologies due to unwelcome foreign interests as noted by Dutch intelligence services. If you're doing research on Dutch-based systems, make sure you're working within the updated requirements.
Read more in:
- therecord.media: Dutch government passes law to criminalize cyber-espionage
- dig.watch: Netherlands expands espionage laws to include cyber activities
- www.nctv.nl: From May 15: more forms of espionage punishable
International Effort Takes Down Lumma Infostealer
(May 21, 2025)
In an international effort, Europol's European Cybercrime Centre, Microsoft, the US Department of Justice, Japan’s Cybercrime Control Center and tech firms Lumen, Cloudflare, and Bitsight, took down the infrastructure supporting the info stealer known as Lumma. Europol writes, "Between 16 March and 16 May 2025, Microsoft identified over 394,000 Windows computers globally infected by the Lumma malware. In a coordinated follow-up operation this week, Microsoft’s Digital Crimes Unit (DCU), Europol, and international partners have disrupted Lumma’s technical infrastructure, cutting off communications between the malicious tool and victims. In addition, over 1,300 domains seized by or transferred to Microsoft, including 300 domains actioned by law enforcement with the support of Europol, will be redirected to Microsoft sinkholes."
Editor's Note
[Neely]
Lumma steals passwords, credit card and banking information and cryptocurrency wallet details. Microsoft's takedown of the domains for Lumma's infrastructure was coordinated with US DOJ takedown of the C&C infrastructure. Regrettably, infostealers like Lumma, RedLine and MetaStealer are hard to detect, very effective as a first stage compromise and unlikely to be abandoned, even with a takedown like this, so keep up on EDR and other cyber hygiene activity to make it hard for the malware to get to your systems or spread.
Read more in:
- www.wired.com: Authorities Carry Out Elaborate Global Takedown of Infostealer Heavily Used by Cybercriminals
- www.europol.europa.eu: Europol and Microsoft disrupt world’s largest infostealer Lumma
- www.nextgov.com: US, international and industry partners topple infrastructure of popular info-stealer malware
- therecord.media: Lumma infostealer’s infrastructure seized during US, EU, Microsoft operation
- cyberscoop.com: Lumma infostealer infected about 10 million systems before global disruption
- www.securityweek.com: Microsoft Sinkholes Domains, Disrupts Notorious ‘Lumma Stealer’ Malware Operation
- www.theregister.com: FBI, Microsoft, international cops bust Lumma infostealer service
- www.helpnetsecurity.com: Lumma Stealer Malware-as-a-Service operation disrupted
Ohio's Kettering Health Suffers Cyberattack; Scammers Contact Patients
(May 20 & 21, 2025)
On the morning of Tuesday, May 20, the Kettering Health healthcare network in Ohio suffered a cyberattack that has disrupted operations, including cancellations of both inpatient and outpatient elective procedures. Kettering's emergency rooms and clinics have remained open to patients. In addition, Kettering's call center was temporarily unavailable. Some patients reported receiving calls asking for payment card information related to Kettering Health medical expenses; Kettering acknowledged that these were scam calls and noted that "While it is customary for Kettering Health to contact patients by phone to discuss payment options for medical bills, out of an abundance of caution, we will not be making calls to ask for or receive payment over the phone until further notice." Kettering Health "operates 14 medical centers in Ohio ... [and] manages emergency centers and over 120 outpatient facilities across western Ohio."
Editor's Note
[Neely]
Good time to remind users that contact, via phone or SMS, for updated payment information is a scam. If you're a Kettering Health customer, check their site for updated contact, and verify services are available before heading in.
Cellcom Outage Caused by Cyber Incident
(May 20 & 21, 2025)
Cellcom, a wireless service provider based in Wisconsin, has disclosed that they experienced a cyber incident that caused service outages and disruptions that began on May 14. The event left Cellcom subscribers in Wisconsin and Upper Michigan without the ability to place phone calls or send text messages. Initially, Cellcom had said the disruption was due to a technical issue. Users reported they were unable to port their mobile phone numbers to other carriers. As of Wednesday, May 21, Cellcom did not have an estimated time for full service recovery.
Editor's Note
[Neely]
Cellcom has been a telephone service provider for 115 years. Their latest message indicates expected service recovery this week, with the caveat that they will not compromise safety or security or trust to do so. The impacted systems prevented porting service to another carrier, which begs the question of what we would do in that scenario, given the dependence on our cellular devices. Consider if it's truly viable to start using a new number, to include not being able to forward the old number, versus waiting out such an outage.
SANS Internet Storm Center StormCast Friday, May 23, 2025
Backup Connectivity; Windows 2025 dMSA Abuse; Samlify Vulnerability
https://isc.sans.edu/podcastdetail/9464
Resilient Secure Backup Connectivity for SMB/Home Users
Establishing resilient access to a home network via a second ISP may lead to unintended backdoors. Secure the access and make sure you have the visibility needed to detect abuse.
https://isc.sans.edu
BadSuccessor: Abusing dMSA to Escalate Privileges in Active Directory
An attacker with the ability to create service accounts may be able to manipulate these accounts to mark them as migrated accounts, inheriting all privileges the original account had access to.
https://www.akamai.com
Flaw in samlify That Opens Door to SAML Single Sign-On Bypass CVE-2025-47949
The samlify Node.js library does not verify SAML assertions correctly. It will consider the entire assertion valid, not just the original one. An attacker may use this to obtain additional privileges or authenticate as a different user.
https://www.endorlabs.com
SANS Internet Storm Center StormCast Thursday, May 22, 2025
Crypto Confidence Scams; Extension Mayhem for VS Code and Chrome
https://isc.sans.edu/podcastdetail/9462
New Variant of Crypto Confidence Scam
Scammers are offering login credentials for what appears to be high value crypto coin accounts. However, the goal is to trick users into paying for expensive “VIP” memberships to withdraw the money.
https://isc.sans.edu
Malicious Chrome Extensions
Malicious Chrome extensions mimic popular services like VPNs to trick users into installing them. Once installed, the extensions will exfiltrate browser secrets.
https://dti.domaintools.com
Malicious VS Code Extensions
Malicious Visual Studio Code extensions target crypto developers to trick them into installing them to exfiltrate developer secrets.
https://securitylabs.datadoghq.com
SANS Internet Storm Center StormCast Wednesday, May 21, 2025
Researchers Scanning the Internet; Forgotten DNS Records; openpgp.js Vulnerability
https://isc.sans.edu/podcastdetail/9460
Researchers Scanning the Internet
A “newish” RFC, RFC 9511, suggests researchers identify themselves by adding strings to the traffic they send, or by operating web servers on machines from which the scan originates. We do offer lists of researchers and just added three new groups today.
https://isc.sans.edu
Cloudy with a Chance of Hijacking: Forgotten DNS Records
Organizations do not always remove unused CNAME records. An attacker may take advantage of this if they are able to take possession of the now unused public cloud resource the name pointed to.
https://blogs.infoblox.com
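The forgotten-CNAME problem above is easy to inventory: list every CNAME in your zones, keep the ones that point into cloud services where a released name can be claimed by the next tenant, and check whether each target still exists. The following is an added example, not Infoblox's tooling. It parses zone-file style records (a constructed sample is embedded) and takes the existence check as a function so it runs offline here; `live_resolver` shows the real lookup. The suffix list is an assumption to extend for the providers you actually use.

```python
"""Finding CNAME records whose cloud targets no longer exist.

Added example, not Infoblox's code. Parses 'owner [TTL] IN CNAME target'
records from zone text, keeps targets under claimable cloud suffixes, and
reports those that no longer resolve: each is a record to delete before
someone else registers the target name.
"""
import socket
from collections.abc import Callable

# Suffixes whose names are handed out first-come, first-served (assumed list).
CLAIMABLE_SUFFIXES = (
    ".azurewebsites.net", ".cloudapp.azure.com", ".trafficmanager.net",
    ".s3.amazonaws.com", ".elasticbeanstalk.com", ".herokuapp.com",
)

# Constructed sample zone: one stale promo site, one internal CNAME, one MX.
SAMPLE_ZONE = """\
; constructed sample zone for example.com
www.example.com.        300 IN CNAME example-prod.azurewebsites.net.
old-promo.example.com.  300 IN CNAME promo2022.azurewebsites.net.
assets.example.com.     300 IN CNAME example-assets.s3.amazonaws.com.
mail.example.com.       300 IN MX    10 mx.example.com.
intranet.example.com.   300 IN CNAME app01.internal.example.com.
"""


def parse_cnames(zone_text: str) -> list[tuple[str, str]]:
    """Extract (owner, target) pairs from CNAME lines, skipping comments,
    blank lines and other record types; names are lower-cased, trailing
    dots removed."""
    cnames = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if "CNAME" not in fields:
            continue
        pos = fields.index("CNAME")
        if pos < 1 or fields[pos - 1] != "IN" or pos + 1 >= len(fields):
            continue
        owner = fields[0].rstrip(".").lower()
        target = fields[pos + 1].rstrip(".").lower()
        cnames.append((owner, target))
    return cnames


def find_dangling(cnames: list[tuple[str, str]],
                  exists: Callable[[str], bool]) -> list[tuple[str, str]]:
    """CNAMEs whose claimable cloud target no longer exists."""
    return [(owner, target) for owner, target in cnames
            if target.endswith(CLAIMABLE_SUFFIXES) and not exists(target)]


def live_resolver(name: str) -> bool:
    """Real DNS check for production use: does the target resolve at all?"""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False


# Offline stand-in for the sample: only these targets still 'exist'.
STILL_EXISTS = {"example-prod.azurewebsites.net", "example-assets.s3.amazonaws.com"}

if __name__ == "__main__":
    for owner, target in find_dangling(parse_cnames(SAMPLE_ZONE), lambda t: t in STILL_EXISTS):
        print(f"{owner} -> {target}: target gone, remove the record")
```

Two caveats for real use: some providers answer DNS for any name under their suffix and only return a "not found" page over HTTP, so for those an HTTP check is needed on top of the resolver; and the resolver result is a point-in-time view, so the check belongs in the decommissioning procedure that retires the cloud resource, not only in a periodic scan.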
Message signature verification can be spoofed CVE-2025-47934
A vulnerability in openpgp.js may be used to spoof message signatures. openpgp.js is a popular library in systems implementing end-to-end encrypted browser applications.
https://github.com/openpgpjs