Svoboda Cybersecurity Brief April 19, 2025
Apr 19, 2025
ASUS Router Critical Auth Bypass Vulnerability (CVE-2025-2492)
ASUS warns of a critical authentication bypass flaw (CVSS 9.2) in routers with AiCloud enabled, allowing remote unauthenticated attackers to execute arbitrary functions via crafted requests. Affected firmware versions include 3.0.0.4_382 to 3.0.0.6_102.
Impact: Remote code execution, potential device compromise.
Mitigation: Update firmware immediately, disable AiCloud on EoL devices, and restrict WAN access.
Source: BleepingComputer
SonicWall SMA VPN Devices Under Active Exploitation (CVE-2021-20035)
Arctic Wolf reports ongoing attacks since January 2025 against SonicWall SMA 100 series appliances (SMA 200/400/500v) via CVE-2021-20035, a patched RCE flaw initially downplayed as a DoS vulnerability. Attackers used default credentials (admin@LocalDomain:password) for lateral movement.
Impact: Full device compromise, credential theft.
Mitigation: Patch to fixed versions (10.2.1.1-19sv+, 10.2.0.8-37sv+), enable MFA, reset local passwords.
Source: BleepingComputer
Interlock Ransomware Uses Fake IT Tools in ClickFix Attacks
Interlock ransomware gang now leverages ClickFix social engineering, impersonating IT tools (e.g., Advanced IP Scanner) to deliver malware via PowerShell commands. The attack chain drops LummaStealer, Interlock RAT, and exfiltrates data to Azure Blobs before ransomware deployment.
Impact: Data theft, encryption, and extortion (demands up to millions).
Mitigation: Block known malicious domains (e.g., advanceipscaner[.]com), enforce PowerShell restrictions.
Source: BleepingComputer
Windows NTLM Hash Theft Exploited (CVE-2025-24054)
CISA adds CVE-2025-24054 to KEV catalog after attacks targeting Poland/Romania since March 19, 2025. Malicious .library-ms files in ZIP archives trigger SMB authentication, leaking NTLM hashes for relay/pass-the-hash attacks.
Impact: Credential theft, lateral movement.
Mitigation: Apply March 2025 Patch Tuesday updates, disable NTLM where possible.
Source: TheHackerNews
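A detection-side illustration of the item above, added here and not part of the original brief: a mail-gateway style scanner that opens a ZIP in memory, flags every .library-ms entry, and extracts any UNC hosts its location URL points at. The sample file body is constructed; its element names follow the Windows Library Description XML schema as I understand it, which is an assumption, and 203.0.113.10 is a documentation address.

```python
import io
import re
import zipfile

# Constructed sample: a .library-ms body whose <url> points at a UNC path,
# the trait that makes Explorer initiate SMB authentication. Element names
# follow the Windows Library Description XML schema (assumption).
SAMPLE_LIBRARY_MS = b"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>\\\\203.0.113.10\\share</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""

# Matches \\host\... and captures the host part of any UNC path in the body.
UNC_HOST_RE = re.compile(r"\\\\([^\\\s<>]+)\\")


def build_zip(entries):
    """Build an in-memory ZIP from {name: bytes} (fixture for the demo only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def scan_zip(zip_bytes):
    """Return one finding per .library-ms entry: its name and the UNC hosts
    referenced inside it. Any finding is worth quarantining; a non-empty
    host list is the strongest signal of an NTLM-leak lure."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".library-ms"):
                continue
            body = zf.read(info).decode("utf-8", errors="replace")
            findings.append({"name": info.filename,
                             "unc_hosts": sorted(set(UNC_HOST_RE.findall(body)))})
    return findings


if __name__ == "__main__":
    sample = build_zip({"invoice.library-ms": SAMPLE_LIBRARY_MS,
                        "readme.txt": b"plain text"})
    for finding in scan_zip(sample):
        print(finding)
```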
Chinese IronHusky APT Deploys MysterySnail RAT
IronHusky targets Russian/Mongolian governments with an upgraded MysterySnail RAT delivered via malicious MMC scripts mimicking Word docs. The RAT supports 40+ commands for file/process management and persists as a service.
Impact: Espionage, persistent access.
Mitigation: Monitor for IOCs (e.g., CiscoSparkLauncher.dll), block malicious domains.
Source: TheHackerNews
Radiology Practice Breach Exposes PHI
Mt. Baker Imaging confirms a January 2025 breach exposing patient data (SSNs, diagnoses) after FBI involvement. Attackers accessed systems for weeks before detection.
Impact: Medical identity theft risk.
Mitigation: Review security policies, implement MFA.
Source: DataBreaches
FBI Warns of IC3 Impersonation Scams
Scammers posing as FBI IC3 employees since December 2023 offer fake fund recovery services via Telegram/SMS, stealing financial data. Over 100 victims reported.
Impact: Financial fraud.
Mitigation: Verify law enforcement contacts independently.
Source: BleepingComputer
XorDDoS Botnet Expands to Docker Servers
XorDDoS malware (71.3% of targets in the US) now compromises Docker servers via SSH brute-force, using a VIP sub-controller for C2. Chinese-speaking operators are linked to the infrastructure.
Impact: DDoS attacks, cryptomining.
Mitigation: Restrict SSH access, update Docker configurations.
Source: TheHackerNews