Svoboda Cybersecurity Brief April 26, 2025
Apr 26, 2025
SAP NetWeaver Zero-Day Exploit Used to Deploy Web Shells
Threat actors are exploiting a critical zero-day vulnerability (CVE-2025-31324, CVSS 10.0) in SAP NetWeaver to upload JSP web shells via the /developmentserver/metadatauploader endpoint. The flaw allows unauthorized file uploads, enabling attackers to execute arbitrary code and deploy post-exploitation tools like Brute Ratel C4.
Impact: Unauthenticated RCE leading to persistent access, data exfiltration, and potential lateral movement.
Mitigation: Apply SAP’s latest patch immediately; restrict access to vulnerable endpoints; monitor for unauthorized file uploads.
Source: The Hacker News
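As an added example (not from the brief, SAP or The Hacker News), the following Python script flags the log evidence the mitigation above asks you to monitor for: every request to the /developmentserver/metadatauploader endpoint, and any .jsp fetch from a client that earlier received a successful POST response from that endpoint. The log lines, client addresses and .jsp path are constructed for the example, and the log format is assumed to be combined-log style rather than SAP NetWeaver's own.

```python
import re
from urllib.parse import urlsplit

UPLOAD_ENDPOINT = "/developmentserver/metadatauploader"  # endpoint named in the brief

# Combined-log-style lines constructed for this example; they are not real SAP NetWeaver logs.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Apr/2025:10:14:02 +0000] "GET /irj/portal HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Apr/2025:10:15:31 +0000] "POST /developmentserver/metadatauploader?CONTENTTYPE=MODEL&CLIENT=1 HTTP/1.1" 200 412 "-" "python-requests/2.31"
203.0.113.7 - - [25/Apr/2025:10:15:33 +0000] "GET /irj/example.jsp HTTP/1.1" 200 88 "-" "python-requests/2.31"
10.0.0.9 - - [25/Apr/2025:10:16:00 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 401 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = urlsplit(rec["target"]).path  # drop the query string before matching
    rec["status"] = int(rec["status"])
    return rec

def find_suspicious(log_text):
    """Alert on every upload-endpoint request, and on .jsp fetches from a client that already got a 2xx POST there."""
    alerts = []
    uploaders = set()  # client IPs with a successful POST to the upload endpoint
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["path"].startswith(UPLOAD_ENDPOINT):
            alerts.append({"rule": "metadatauploader_request", "ip": rec["ip"],
                           "method": rec["method"], "status": rec["status"]})
            if rec["method"] == "POST" and 200 <= rec["status"] < 300:
                uploaders.add(rec["ip"])
        elif rec["ip"] in uploaders and rec["path"].lower().endswith(".jsp"):
            alerts.append({"rule": "jsp_after_upload", "ip": rec["ip"],
                           "method": rec["method"], "path": rec["path"]})
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_LOG):
        print(alert)
```

Even a 401 on the endpoint is worth a ticket while unpatched, since the brief's mitigation is to restrict reachability of the endpoint entirely.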
North Korean Hackers Use Fake Crypto Firms to Spread Malware
North Korea-linked Contagious Interview hackers set up fake cryptocurrency companies (BlockNovas, Angeloper, SoftGlide) to distribute malware via job interviews. The campaign delivers BeaverTail, InvisibleFerret, and OtterCookie malware, targeting developers and IT professionals globally.
Source: The Hacker News
DslogdRAT Malware Deployed via Ivanti ICS Zero-Day in Japan
A new malware, DslogdRAT, was deployed via exploitation of an Ivanti Connect Secure flaw (CVE-2025-0282). Attackers used a Perl web shell to gain initial access, then delivered DslogdRAT for proxy tunneling and command execution.
Source: The Hacker News
HHS Settles HIPAA Violation Case After Ransomware Attack
Comprehensive Neurology, PC failed to conduct a risk analysis before a 2020 ransomware attack compromising 6,800 patient records. HHS imposed a $25,000 fine and mandated a 2-year corrective action plan.
Source: DataBreaches.net
Scattered Spider Suspect Extradited to US from Spain
Tyler Buchanan, an alleged member of the Scattered Spider group, was extradited for wire fraud and identity theft tied to crypto thefts. The group is linked to high-profile data breaches.
Source: DataBreaches.net
Verizon DBIR 2025 Highlights Infostealer-Ransomware Supply Chain
54% of ransomware victims had credentials leaked via infostealers, with attackers increasingly exploiting edge devices (22% of breaches). Third-party risks doubled, emphasizing supply chain vulnerabilities.
Source: SecurityWeek
Rack::Static Vulnerability Exposes Ruby Servers to Data Breaches
Three flaws (CVE-2025-27610, CVE-2025-27111, CVE-2025-25184) in the Rack Ruby web server interface allow path traversal and log manipulation. The most severe (CVE-2025-27610), in the Rack::Static middleware, exposes files if the :root option is misconfigured.
Impact: Unauthorized file access and log tampering.
Mitigation: Update Rack; restrict static file directories.
Source: The Hacker News
Frederick Health Hospital Faces Lawsuits Over Ransomware Breach
Four class-action lawsuits allege the hospital failed to secure patient data in a January 2025 ransomware attack. Plaintiffs claim insufficient breach details were provided.
Source: DataBreaches.net
North Korea’s Lazarus Targets South Korean Firms via Watering Holes
Lazarus exploited zero-days in Cross EX and Innorix Agent to deploy ThreatNeedle and CopperHedge malware. Attacks focused on financial and IT sectors via compromised media sites.
Source: SecurityWeek
Non-Human Identities (NHIs) Pose Growing Security Risk
NHIs (e.g., API keys, tokens) now outnumber human identities 100:1. 70% of 2022-leaked secrets remain valid, with poor rotation practices enabling silent breaches.
Source: The Hacker News