cyberlights – week 15/2025
A weekly shortlist of cyber security highlights. The short summaries are AI generated! If something is wrong, please let me know!
Highlight
🔍 Government wants to pass messenger surveillance before the summer privacy – The Austrian government plans to introduce surveillance of messenger services to combat terrorism, despite concerns about possible mass surveillance and constitutional questions. https://futurezone.at/netzpolitik/messenger-ueberwachung-whatsapp-oesterreich-regierung-chat-staatstrojaner-oevp-spoe-neos-pegasus/403030634
News For All
🎨 Social Media Flooded with Ghibli AI Images—But What Are We Really Feeding the Algorithms? privacy – The viral trend of AI-generated Ghibli-style portraits raises privacy concerns as users unknowingly share sensitive facial data, potentially fueling identity theft and misuse of personal information. https://thecyberexpress.com/social-media-flooded-with-ghibli-ai-images/
🙈 UK's demand for Apple backdoor should not be heard in secret, says court privacy – The UK government lost its attempt to keep secret a surveillance order against Apple, allowing parts of the case to be public despite national security concerns over accessing encrypted data. https://techcrunch.com/2025/04/07/uk-demand-for-apple-backdoor-should-not-be-heard-in-secret-says-court/
😶‍🌫️ Oracle tells customers its public cloud was compromised data breach – Oracle has admitted to a data breach of its public cloud, revealing the theft of client data, including security keys, after initially denying the incident amid claims of exploitation of unpatched vulnerabilities. https://www.theregister.com/2025/04/08/oracle_cloud_compromised/
🤖 Russian bots hard at work spreading political unrest on Romania's internet security news – An investigation reveals a surge in pro-Russian propaganda on Romanian social media, inciting anti-EU sentiment and support for Putin, with bots promoting divisive messages and false narratives. https://www.bitdefender.com/en-us/blog/hotforsecurity/russian-bots-hard-at-work-spreading-political-unrest-on-romanias-internet
🔒 Google fixed two actively exploited Android zero-days vulnerability – Google's April 2025 security update fixed 62 vulnerabilities, including two actively exploited zero-days affecting the Linux kernel and ALSA USB audio, highlighting ongoing security risks in Android. https://securityaffairs.com/176337/hacking/google-fixed-two-actively-exploited-android-zero-days.html
🔍 To tackle espionage, Dutch government plans to screen university students and researchers security news – The Dutch government plans to vet university students and researchers accessing sensitive technology to combat espionage, assessing backgrounds amid rising concerns over foreign threats, particularly from China. https://therecord.media/netherlands-plan-vetting-researchers-students-espionage
🔧 WhatsApp fixed a spoofing flaw that could enable Remote Code Execution vulnerability – WhatsApp patched CVE-2025-30401, a spoofing vulnerability in Windows versions before 2.2450.6, allowing attackers to execute remote code by sending files with misleading MIME types. https://securityaffairs.com/176357/security/whatsapp-fixed-a-spoofing-flaw-that-could-enable-remote-code-execution.html
🗼 Governments identify dozens of Android apps bundled with spyware malware – A coalition of governments has revealed that numerous legitimate-looking Android apps, identified as spyware families BadBazaar and Moonshine, were used to target civil society groups opposing Chinese state interests. https://techcrunch.com/2025/04/09/governments-identify-dozens-of-android-apps-bundled-with-spyware/
👁️‍🗨️ Spyware Maker NSO Group Is Paving a Path Back Into Trump’s America cybercrime – NSO Group is shifting lobbying strategies to regain access to US markets under a new administration, raising concerns about surveillance and human rights abuses. https://www.wired.com/story/nso-group-the-vogel-group-lobbying-trump-administration/
🛡️ Cyber experts offer lukewarm praise for voluntary code governing use of commercial hacking tools security news – Cybersecurity professionals gave mixed reviews to a new voluntary code for using commercial hacking tools, expressing cautious optimism while noting concerns over human rights and the absence of the U.S. as a signatory. https://cyberscoop.com/pall-mall-process-global-cybersecurity-code-conduct-commercial-hacking-tools/
🩻 Researcher uncovers dozens of sketchy Chrome extensions with 4 million installs malware – A researcher discovered 35 suspicious Chrome extensions, collectively installed on over 4 million devices, that exhibit spyware-like behavior, including excessive permissions and obfuscated code, raising concerns about their safety. https://arstechnica.com/security/2025/04/researcher-uncovers-dozens-of-sketchy-chrome-extensions-with-4-million-installs/
💔 Lab provider for Planned Parenthood discloses breach affecting 1.6 million people data breach – Laboratory Services Cooperative reported a data breach affecting 1.6 million individuals, revealing sensitive medical and personal information after a cyberattack discovered in October. Victims are offered credit monitoring services. https://therecord.media/lab-provider-planned-parenthood-breach
📨 That groan you hear is users’ reaction to Recall going back into Windows security news – Microsoft is reintroducing Recall, an AI tool in Windows 11 that screenshots and indexes user activity, prompting privacy concerns despite opt-in features. Critics warn it could expose sensitive information and be exploited by malicious actors. https://arstechnica.com/security/2025/04/microsoft-is-putting-privacy-endangering-recall-back-into-windows-11/
⚠️ Attackers are exploiting recently disclosed OttoKit WordPress plugin flaw vulnerability – Attackers are actively exploiting a critical vulnerability (CVE-2025-3102) in the OttoKit WordPress plugin, allowing unauthorized admin account creation on unconfigured sites. Immediate updates are advised to mitigate risks. https://securityaffairs.com/176461/security/ottokit-wordpress-plugin-flaw-exploitation.html
💻 Back in the Game: Privacy Concerns of Second-Hand Game Consoles security research – Game consoles have been able to store personally identifiable information for years; what is less well known is what remains when they are bought or sold on the second-hand market. We share the results of two case studies on Nintendo devices: the Switch and the 3DS. https://www.computer.org/csdl/magazine/sp/5555/01/10960377/25LWluDWP8A
Some More, For the Curious
🛞 The Renaissance of NTLM Relay Attacks: Everything You Need to Know hacking write-up – NTLM relay attacks, once thought outdated, are resurging as a serious threat, allowing attackers to easily compromise systems through lateral movement without needing to crack passwords. https://posts.specterops.io/the-renaissance-of-ntlm-relay-attacks-everything-you-need-to-know-abfc3677c34e
🎣 VibeScamming — From Prompt to Phish: Benchmarking Popular AI Agents’ Resistance to the Dark Side security research – A new benchmark reveals how generative AI can easily facilitate phishing scams, with different AI platforms showing varied levels of resistance to misuse, raising urgent security concerns. https://labs.guard.io/vibescamming-from-prompt-to-phish-benchmarking-popular-ai-agents-resistance-to-the-dark-side-1ec2fbdf0a35
🤔 The controversial case of the threat actor EncryptHub cybercrime – EncryptHub, a conflicted figure in cybersecurity, reported two Windows vulnerabilities while also engaging in cybercrime, highlighting the balance between ethical research and criminal activity. https://securityaffairs.com/176251/cyber-crime/the-controversial-case-of-the-threat-actor-encrypthub.html
🐈 APT group ToddyCat exploits a vulnerability in ESET for DLL proxying security research – The ToddyCat APT group exploited a vulnerability in ESET's Command Line Scanner to execute malware stealthily, utilizing DLL proxying and an old malicious tool modified for their purposes. https://securelist.com/toddycat-apt-exploits-vulnerability-in-eset-software-for-dll-proxying/116086/
🏔️ Someone hacked ransomware gang Everest’s leak site security news – The Everest ransomware gang's leak site was hacked and defaced with a message against crime, though it remains unclear if a data breach occurred. https://techcrunch.com/2025/04/07/someone-hacked-everest-ransomware-gang-dark-web-leak-site/
💻 Windows Remote Desktop Protocol: Remote to Rogue cyber defense – A phishing campaign attributed to UNC5837 exploited RDP by using signed .rdp files to access victim systems, allowing file exfiltration and clipboard capture, underscoring RDP's security risks. https://cloud.google.com/blog/topics/threat-intelligence/windows-rogue-remote-desktop-protocol/
🛡️ Servers in the EU and your own keys: does that protect against US access? privacy – Despite claims from US cloud providers about data security in EU data centers, physical server locations and encryption measures do not guarantee protection from US government access due to laws like the CLOUD Act. https://www.kuketz-blog.de/server-in-der-eu-und-eigene-schluessel-schuetzt-das-vor-us-zugriffen/
🔒 Zero Day Initiative — The April 2025 Security Update Review security news – In April 2025, Adobe and Microsoft released updates addressing multiple vulnerabilities, including critical flaws in Adobe products and 124 CVEs from Microsoft, with a focus on security risks and active exploits. https://www.thezdi.com/blog/2025/4/8/the-april-2025-security-update-review
👧 “The girl should be calling men.” Leak exposes Black Basta’s influence tactics. security research – A leak of 190,000 messages from the Black Basta ransomware group reveals their structured operations, including social engineering tactics, vulnerability exploitation, and negotiation strategies during ransom demands. https://arstechnica.com/security/2025/04/leaked-messages-expose-trade-secrets-of-prolific-black-basta-ransomware-group/
🔑 Critical Fortinet FortiSwitch flaw allows remote attackers to change admin passwords vulnerability – Fortinet has patched a critical vulnerability (CVE-2024-48887) in FortiSwitch devices, allowing remote attackers to change admin passwords. Users are advised to disable HTTP/HTTPS access as a temporary measure. https://securityaffairs.com/176380/security/fortinet-fortiswitch-flaw.html
🐛 How cyberattackers exploit domain controllers using ransomware cyber defense – Cyberattackers are increasingly targeting domain controllers in ransomware attacks, leveraging high-privilege accounts and centralized network access to inflict widespread damage, necessitating enhanced security measures. https://www.microsoft.com/en-us/security/blog/2025/04/09/how-cyberattackers-exploit-domain-controllers-using-ransomware/
🩼 Tainted drive appears to be source of malware attack on Western military mission in Ukraine security research – The Russia-backed group Gamaredon exploited an infected removable drive to deploy updated GammaSteel malware against a Ukraine-based military mission, showcasing increased sophistication in their cyberespionage tactics. https://therecord.media/gamaredon-removable-drive-malware-western-military-mission-ukraine
🖖 AI Vulnerability Finding security news – Microsoft's AI has identified multiple vulnerabilities in GRUB2 and U-Boot, which could potentially allow attackers to bypass security on devices using UEFI Secure Boot. https://www.schneier.com/blog/archives/2025/04/ai-vulnerability-finding.html
🧧 China Secretly (and Weirdly) Admits It Hacked US Infrastructure security news – In a rare admission, Chinese officials acknowledged hacking U.S. infrastructure during a secret meeting, attributing the attacks to U.S. policies on Taiwan. The disclosure adds tension amid ongoing cybersecurity concerns. https://www.wired.com/story/china-admits-hacking-us-infrastructure/
🚧 STRIDE GPT cyber defense – STRIDE GPT is an AI-driven threat modeling tool that generates threat models and attack trees based on the STRIDE methodology, allowing users to input application details and providing various features such as risk scoring and customizable reports. https://github.com/mrwadams/stride-gpt
CISA Corner
🗞️ Fortinet Releases Advisory on New Post-Exploitation Technique for Known Vulnerabilities security news – Fortinet issued an advisory regarding a threat actor exploiting vulnerabilities in FortiGate products to create a malicious file that grants read-only access to device files. Users are advised to upgrade their systems and reset credentials. https://www.cisa.gov/news-events/alerts/2025/04/11/fortinet-releases-advisory-new-post-exploitation-technique-known-vulnerabilities
⚠️ CISA Adds One Known Exploited Vulnerability to Catalog warning – CISA has added CVE-2025-31161, an authentication bypass vulnerability in CrushFTP, to its Known Exploited Vulnerabilities Catalog due to evidence of active exploitation, emphasizing the risk to federal networks. https://www.cisa.gov/news-events/alerts/2025/04/07/cisa-adds-one-known-exploited-vulnerability-catalog
⚠️ CISA Adds Two Known Exploited Vulnerabilities to Catalog warning – CISA has added two vulnerabilities to its Known Exploited Vulnerabilities Catalog: CVE-2025-30406 related to Gladinet CentreStack and CVE-2025-29824 affecting Microsoft Windows, highlighting risks to federal networks. https://www.cisa.gov/news-events/alerts/2025/04/08/cisa-adds-two-known-exploited-vulnerabilities-catalog
⚠️ CISA Adds Two Known Exploited Vulnerabilities to Catalog warning – CISA has included two Linux kernel vulnerabilities, CVE-2024-53197 and CVE-2024-53150, in its Known Exploited Vulnerabilities Catalog due to active exploitation, highlighting risks to federal networks. https://www.cisa.gov/news-events/alerts/2025/04/09/cisa-adds-two-known-exploited-vulnerabilities-catalog
⚙️ CISA Releases Ten Industrial Control Systems Advisories vulnerability – CISA issued ten advisories on April 10, 2025, addressing vulnerabilities in various Industrial Control Systems, including Siemens and Rockwell Automation products, urging users to review for mitigations. https://www.cisa.gov/news-events/alerts/2025/04/10/cisa-releases-ten-industrial-control-systems-advisories
While my intention is to pick news that everyone should know about, it still is what I think is significant, cool, fun... Most of the articles are in English, but some current warnings might be in German.
(by @wrzlbrmpft@infosec.exchange) Obviously, the opinions inside these articles are not my own. No guarantee of correctness or completeness in any way.