Svoboda Cybersecurity Brief April 18, 2025
Critical Erlang/OTP SSH Vulnerability Allows Remote Code Execution
A critical vulnerability (CVE-2025-32433, CVSS 10.0) in the SSH server shipped with Erlang/OTP lets unauthenticated attackers execute arbitrary code by sending SSH connection-protocol messages before authentication completes; the server handles them as if the session were already authenticated. Impact: code execution with the privileges of the SSH daemon, and full system compromise if that daemon runs as root.
Mitigation: Update to OTP-27.3.3, OTP-26.2.5.11, or OTP-25.3.2.20; until patched, restrict access to the Erlang SSH listener with firewall rules. The Erlang ssh application is often embedded in other products rather than running as a standalone service, so inventory it separately from OpenSSH hosts.
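The check a defender wants first is an inventory of which SSH listeners are the Erlang/OTP daemon at all. The script below is an added example, not code from the brief or from the Erlang/OTP project: it reads only the RFC 4253 identification line (no authentication, no protocol messages are sent) and flags banners of the form "SSH-2.0-Erlang/<ssh app version>". The version in that banner is the Erlang ssh application's own version, not the OTP release, so the mapping to a fixed OTP build still has to be done on the host; the host list and sample banners are constructed.

```python
# Added example: identify Erlang/OTP SSH listeners by their identification
# string so they can be matched against the fixed OTP releases. Only the
# RFC 4253 identification exchange is used; nothing is sent to the server.
import re
import socket

ERLANG_BANNER = re.compile(r"^SSH-2\.0-Erlang/(?P<ssh_app>[\d.]+)")


def classify_banner(banner):
    """Describe one server identification line.

    Returns a dict with 'erlang' (bool), 'ssh_app_version' (the version the
    Erlang ssh application advertises, or None) and the cleaned banner.
    """
    line = banner.strip()
    m = ERLANG_BANNER.match(line)
    return {
        "erlang": bool(m),
        "ssh_app_version": m.group("ssh_app") if m else None,
        "banner": line,
    }


def grab_banner(host, port=22, timeout=3.0):
    """Read the server's identification line (at most 255 bytes) and disconnect."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        data = b""
        while b"\n" not in data and len(data) < 255:
            chunk = s.recv(255 - len(data))
            if not chunk:
                break
            data += chunk
    # RFC 4253 allows informational lines before the "SSH-" line; keep that one.
    for line in data.decode("utf-8", "replace").splitlines():
        if line.startswith("SSH-"):
            return line
    return data.decode("utf-8", "replace").strip()


def scan(hosts):
    """hosts: iterable of (host, port); returns one result dict per listener."""
    results = []
    for host, port in hosts:
        try:
            banner = grab_banner(host, port)
        except OSError as exc:
            results.append({"host": host, "port": port, "error": str(exc)})
            continue
        info = classify_banner(banner)
        info.update(host=host, port=port)
        results.append(info)
    return results


if __name__ == "__main__":
    # Constructed sample banners (no network access needed to run this part).
    samples = ["SSH-2.0-Erlang/5.2.9", "SSH-2.0-OpenSSH_9.6", "SSH-2.0-Erlang/4.15.3\r\n"]
    for b in samples:
        print(classify_banner(b))
    # Live use, against hosts you are authorised to scan:
    # for r in scan([("10.0.0.12", 22), ("10.0.0.13", 2222)]): print(r)
```

Treat every "erlang": True result as in scope until the OTP version on that host has been confirmed at or above the fixed releases; a non-Erlang banner on port 22 does not rule out an Erlang listener on another port.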
Source: BleepingComputer
SonicWall SMA 100 Series Vulnerability Exploited in Attacks
SonicWall updated its advisory for CVE-2021-20035 (CVSS 7.2), an authenticated OS command injection flaw in the management interface of SMA 100 series appliances, to confirm active exploitation. Impact: Arbitrary code execution as the "nobody" user on the appliance.
Mitigation: Patch to versions 10.2.1.1-19sv, 10.2.0.8-37sv, or 9.0.0.11-31sv or later; review appliance logs for unexpected management-interface logins.
Source: SecurityWeek
Mustang Panda APT Deploys Updated Malware in Myanmar Attack
The China-linked group used new tools (the StarProxy lateral-movement proxy and the SplatCloak EDR-evasion driver) alongside updated ToneShell backdoor variants in a campaign targeting Myanmar. Impact: Lateral movement, data theft, and evasion of security tools.
Mitigation: Monitor for DLL sideloading by signed legitimate executables and for unusual outbound network traffic from hosts that load them.
Source: The Hacker News
Windows NTLM Hash Leak Exploited in Government Phishing
CVE-2025-24054, a Windows flaw that leaks NTLM authentication hashes when a user merely interacts with a malicious .library-ms file (for example by selecting or right-clicking it), is being exploited in phishing attacks against governments. Impact: Theft of Net-NTLMv2 hashes that can be relayed or cracked offline, leading to lateral movement and privilege escalation.
Mitigation: Apply the March 2025 security updates; block outbound SMB (TCP 445) at the perimeter; restrict or disable NTLM where it is not needed.
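A .library-ms file is a small XML document (Windows Library Description schema) whose location entries tell Explorer where the library's content lives; a file whose location is a UNC path or HTTP/WebDAV URL makes Windows connect to that host, which is what triggers the NTLM authentication. The scanner below is an added example, not code from the brief or from Microsoft: it parses library files and reports any location that points off the local machine, so mail gateways or incident responders can triage attachments. The two sample files are constructed, and the 203.0.113.7 address is documentation space.

```python
# Added example: flag .library-ms files whose locations point at remote hosts.
# For untrusted input in production, parse with defusedxml rather than the
# standard library to avoid XML entity-expansion attacks.
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Location forms that cause Explorer to reach out over the network:
# UNC paths (\\host\share), //host/ form, file:// with a host, HTTP(S), WebDAV.
REMOTE = re.compile(r"^(\\\\[^\\]+\\|//[^/]+/|file://[^/]|https?://|webdav://)", re.I)


def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def remote_locations(xml_bytes):
    """Return the list of remote location URLs found in a library file.

    Returns [] for files that are not library descriptions or whose locations
    are all local (knownfolder:... or plain drive paths).
    """
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return []
    if _local(root.tag) != "libraryDescription":
        return []
    hits = []
    for el in root.iter():
        if _local(el.tag) != "url":
            continue
        text = (el.text or "").strip()
        if REMOTE.match(text):
            hits.append(text)
    return hits


def scan_dir(directory):
    """Scan *.library-ms under a directory; returns {path: [remote urls]} for hits."""
    findings = {}
    for p in Path(directory).rglob("*.library-ms"):
        hits = remote_locations(p.read_bytes())
        if hits:
            findings[str(p)] = hits
    return findings


# Constructed samples: a benign Documents-style library and a malicious one.
BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@shell32.dll,-34575</name>
  <version>6</version>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>"""

MALICIOUS = b"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@shell32.dll,-34575</name>
  <version>6</version>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>\\\\203.0.113.7\\share</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>"""

if __name__ == "__main__":
    print("benign   ->", remote_locations(BENIGN))
    print("malicious->", remote_locations(MALICIOUS))
```

Any hit is worth blocking at the gateway: legitimate libraries sent by e-mail are rare, and a library pointing at an external host has no benign reason to exist in an attachment.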
Source: BleepingComputer
Oracle Cloud Credential Leak Prompts CISA Warning
CISA warns of breach risks after legacy Oracle Cloud servers were reportedly compromised, exposing credential material including password hashes and credentials embedded in scripts, automation tooling, and configuration files. Impact: Potential long-term unauthorized access wherever those credentials were reused or hardcoded.
Mitigation: Reset affected passwords; replace hardcoded credentials and rotate exposed keys and tokens; enforce MFA; review authentication logs for anomalous use.
Source: SecurityWeek
Chrome Extensions with 6M Installs Hide Tracking Code
57 Chrome extensions with a combined 6 million installs, most of them unlisted in Chrome Web Store search (including "Fire Shield Extension Protection"), request broad permissions that let them monitor browsing, read cookies, and execute remotely fetched scripts. Impact: Data exfiltration and potential spyware behaviour that can change after install.
Mitigation: Remove the listed extensions and any others with unexplained broad permissions; reset passwords for accounts used while they were installed.
Source: BleepingComputer
BrickStorm Backdoor Targets Windows Since 2022
UNC5221's BrickStorm backdoor, previously seen on Linux in the MITRE intrusion, has Windows variants that resolve their C2 over DNS-over-HTTPS. Impact: File manipulation and network tunneling into the victim network, which the attackers pair with stolen credentials for lateral movement.
Mitigation: Audit for uncommon scheduled tasks; monitor for DoH traffic from processes other than approved browsers.
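DoH hides the queried name inside TLS, so the practical signal is which process on which host is talking to a DoH endpoint, not the query itself. The detector below is an added example, not code from the brief or from any vendor report: it runs over endpoint or TLS-inspecting-proxy events (constructed here as JSON lines) and flags DoH by the RFC 8484 path and media type or by well-known public resolver hostnames, alerting when the client process is not an approved browser. The event schema, the process names and the 203.0.113.50 address are assumptions for illustration.

```python
# Added example: flag DNS-over-HTTPS use by non-browser processes from
# constructed proxy/endpoint events. Only visible where the proxy sees HTTP
# inside TLS or where endpoint telemetry records process and destination.
import json
from collections import defaultdict

# Well-known public DoH endpoints; RFC 8484 uses /dns-query, dns.google also /resolve.
KNOWN_DOH_HOSTS = {
    "dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com",
    "dns.quad9.net", "doh.opendns.com", "dns.adguard.com",
}
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}


def is_doh(ev):
    """True if one event looks like a DoH request, by host, path or media type."""
    host = ev.get("host", "").lower()
    path = ev.get("path", "")
    ctype = ev.get("content_type", "").lower()
    accept = ev.get("accept", "").lower()
    return (
        host in KNOWN_DOH_HOSTS
        or path.startswith("/dns-query")
        or "application/dns-message" in ctype
        or "application/dns-message" in accept
        or "application/dns-json" in accept
    )


def detect_doh(lines, browser_allowlist=BROWSERS):
    """Return (alerts, doh_count_per_source) for an iterable of JSON event lines."""
    alerts = []
    per_src = defaultdict(int)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if not is_doh(ev):
            continue
        per_src[ev["src"]] += 1
        proc = ev.get("process", "").lower()
        if proc not in browser_allowlist:
            alerts.append({
                "ts": ev["ts"], "src": ev["src"], "process": ev.get("process"),
                "host": ev.get("host"), "reason": "DoH from non-browser process",
            })
    return alerts, dict(per_src)


# Constructed events: one browser DoH session, one ordinary web request, and
# two DoH requests from an unexpected process (one to a public resolver, one to
# a non-public endpoint that is only recognisable by its media type).
SAMPLE_LOG = """
{"ts":"2025-04-18T09:00:01Z","src":"10.0.0.5","process":"chrome.exe","host":"cloudflare-dns.com","method":"POST","path":"/dns-query","content_type":"application/dns-message","accept":"application/dns-message"}
{"ts":"2025-04-18T09:00:02Z","src":"10.0.0.5","process":"chrome.exe","host":"www.example.com","method":"GET","path":"/","content_type":"","accept":"text/html"}
{"ts":"2025-04-18T09:00:07Z","src":"10.0.0.9","process":"updater.exe","host":"dns.google","method":"GET","path":"/resolve?name=example.net","content_type":"","accept":"application/dns-json"}
{"ts":"2025-04-18T09:00:09Z","src":"10.0.0.9","process":"updater.exe","host":"203.0.113.50","method":"POST","path":"/api/v1","content_type":"application/dns-message","accept":"application/dns-message"}
"""

if __name__ == "__main__":
    alerts, counts = detect_doh(SAMPLE_LOG.splitlines())
    for a in alerts:
        print(a)
    print("DoH requests per source:", counts)
```

The last sample line is the case that matters for a backdoor: a DoH exchange with a host that is on no public-resolver list, caught only because the media type is still application/dns-message. Where only TLS metadata is available, the hostname rule is what remains, so pair it with the scheduled-task audit above.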
Source: SecurityWeek
Ahold Delhaize Confirms Data Theft After Ransomware Attack
INC Ransom claimed responsibility for a November 2024 attack on Ahold Delhaize, and the retailer has now confirmed that files were stolen from some of its U.S. business systems. Impact: Exposure of sensitive business and potentially personal data.
Mitigation: Review breach-notification obligations for the affected data; enhance monitoring for follow-on access using anything taken.
Source: BleepingComputer
ClickFix Social Engineering Tactic Adopted by State Hackers
Iranian, North Korean, and Russian APTs (TA450, TA427, TA422) have adopted ClickFix, a lure in which the victim is shown fake troubleshooting or verification steps and told to paste a command into the Run dialog or a terminal, which deploys malware such as Quasar RAT. Impact: Initial access in which the user runs the payload themselves, sidestepping exploit-based and attachment-based controls.
Mitigation: Train users never to paste and run commands from web pages or e-mails; alert on PowerShell or mshta launched from the Run dialog or explorer.exe with encoded or remote-download arguments.
Source: The Hacker News
Node.js Malware Campaign Targets Crypto Users
Fake Binance and TradingView installers deliver Node.js-based payloads that collect system data, establish persistence via scheduled tasks, and connect to a C2 server. Impact: Information theft and ongoing C2 access.
Mitigation: Block or alert on suspicious PowerShell executions (for example PowerShell spawning node.exe from a user-writable path); install trading software only from vendor sources.
Source: The Hacker News