
Internet Storm Center Tech Corner

Internet Storm Center StormCast Friday, March 28, 2025

Sitecore Exploited; Blasting Past Webp; Splunk and Firefox Vulnerabilities

https://isc.sans.edu/podcastdetail/9384

Sitecore "thumbnailsaccesstoken" Deserialization Scans (and some new reports) CVE-2025-27218

Our honeypots detected a deserialization attack against the Sitecore CMS that uses a 'thumbnailsaccesstoken' header. The underlying vulnerability was patched in January, and security firm Searchlight Cyber published details about it a couple of weeks ago.

https://isc.sans.edu/diary/Sitecore+thumbnailsaccesstoken+Deserialization+Scans+and+some+new+reports+CVE202527218/31806

Blasting Past Webp

Google's Project Zero revealed details of how the NSO BLASTPASS exploit took advantage of a WebP image parsing vulnerability in iOS. This zero-click attack was used in targeted attacks in 2023, and Apple patched the underlying vulnerability in September 2023, but this is the first 'byte by byte' description of how the attack worked.

https://googleprojectzero.blogspot.com/2025/03/blasting-past-webp.html

Splunk Vulnerabilities

Splunk patched about a dozen vulnerabilities. None of them are rated critical, but one rated 'High' allows authenticated users to execute arbitrary code.

https://advisory.splunk.com/

Firefox 0-day Patched

Mozilla patched a sandbox escape vulnerability that is already being exploited.

https://www.mozilla.org/en-US/security/advisories/mfsa2025-19/

Internet Storm Center StormCast Thursday, March 27, 2025

Classifying Malware with ML; Malicious NPM Packages; Google Chrome 0-day

https://isc.sans.edu/podcastdetail/9382

Leveraging CNNs and Entropy-Based Feature Selection to Identify Potential Malware Artifacts of Interest

This guest diary explores a methodology for classifying malware that combines entropy-driven feature selection with a specialized Convolutional Neural Network (CNN). Motivated by the increasing obfuscation used by modern malware authors, it focuses on capturing high-entropy segments within files, the regions most likely to harbor malicious functionality, and feeding those distinct byte patterns into the model.

https://isc.sans.edu/diary/Guest+Diary+Leveraging+CNNs+and+EntropyBased+Feature+Selection+to+Identify+Potential+Malware+Artifacts+of+Interest/31790
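The entropy-driven feature selection the diary describes can be illustrated with a sliding-window entropy scan. The Python below is an added example written for this page, not the guest diary's own code: it computes Shannon entropy per window over a constructed sample file (repetitive text around a pseudo-random blob standing in for packed or encrypted content), flags windows above a threshold, and returns the highest-entropy byte windows as the candidate input for a classifier. The window size, step, 7.0-bit threshold and the idea of handing raw window bytes to a CNN are assumptions made here.

```python
import math
import random
from collections import Counter

WINDOW = 512   # bytes per window (assumption)
STEP = 256     # slide distance; windows overlap by half (assumption)
THRESHOLD = 7.0  # bits/byte; ~7.6 is typical for 512 random bytes, ~4 for text (assumption)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty/constant data, 8.0 maximum."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_windows(data: bytes, window: int = WINDOW, step: int = STEP):
    """Slide a window over the file; return (offset, entropy) for each position."""
    last = max(len(data) - window, 0)
    return [(off, shannon_entropy(data[off:off + window]))
            for off in range(0, last + 1, step)]


def high_entropy_segments(data: bytes, window: int = WINDOW, step: int = STEP,
                          threshold: float = THRESHOLD):
    """Offsets whose window entropy reaches the threshold: the diary's 'segments of interest'."""
    return [(off, h) for off, h in entropy_windows(data, window, step) if h >= threshold]


def select_features(data: bytes, top_k: int = 4, window: int = WINDOW, step: int = STEP):
    """Return the raw bytes of the top_k highest-entropy windows, ordered by file offset.
    Reshaping these into a fixed-size tensor for the CNN is left to the model code (assumption).
    Because windows overlap, neighbouring offsets may be selected together."""
    ranked = sorted(entropy_windows(data, window, step), key=lambda t: t[1], reverse=True)[:top_k]
    ranked.sort()
    return [(off, data[off:off + window]) for off, _ in ranked]


# Constructed sample "file": low-entropy text, then a pseudo-random blob, then text again.
RANDOM_OFFSET = 4096
RANDOM_LEN = 2048


def build_sample() -> bytes:
    text = (b"This is benign padding text. " * 200)[:RANDOM_OFFSET]
    rng = random.Random(1234)  # fixed seed so the sample is deterministic
    blob = bytes(rng.randrange(256) for _ in range(RANDOM_LEN))
    return text + blob + text


if __name__ == "__main__":
    sample = build_sample()
    for off, h in high_entropy_segments(sample):
        print(f"offset 0x{off:06x}  entropy {h:.2f}")
    for off, chunk in select_features(sample, top_k=3):
        print(f"feature window at 0x{off:06x}: {chunk[:8].hex()}...")
```

High entropy on its own also flags compressed resources, embedded certificates and other legitimate cryptographic material, so this scan is a prefilter that narrows what the model sees, not a verdict; the threshold and window size need tuning on a labelled benign set before the selected windows are fed to a classifier.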

Malware found on npm infecting local package with reverse shell

Researchers at ReversingLabs found two malicious npm packages, ethers-provider2 and ethers-providerz, that patch the well-known (and not malicious) ethers package to add a reverse shell and a downloader.

https://www.reversinglabs.com/blog/malicious-npm-patch-delivers-reverse-shell

Google Patched Google Chrome 0-day

Google patched a vulnerability in Chrome that was already being exploited in attacks against media and educational organizations in Russia.

https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop_25.html

Internet Storm Center StormCast Wednesday, March 26, 2025

XWiki Exploit; File Converter Correction; VMware Vulnerability; DrayTek Router Reboots; MMC Exploit Details

https://isc.sans.edu/podcastdetail/9380

XWiki Search Vulnerability Exploit Attempts (CVE-2024-3721)

Our honeypots detected an increase in exploit attempts for an XWiki command injection vulnerability. The vulnerability was patched last April but appears to have been exploited more over the last couple of days. It affects the search feature and allows an attacker to inject Groovy code templates.

https://isc.sans.edu/diary/XWiki+Search+Vulnerability+exploit+attempts+CVE20243721/31800
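Both the Sitecore scans in the previous StormCast and the XWiki attempts in this item were observed at the HTTP layer, so the practical question for a defender is what to look for in request logs. The Python below is an added example for this page, not ISC honeypot code: it runs two rules over a constructed JSON-lines request log (a format assumed here, with request headers captured by a reverse proxy). One rule flags any request carrying a `thumbnailsaccesstoken` header; the other flags a query parameter or path that, after URL decoding, contains the XWiki `{{groovy}}` macro. The log format, field names, rule names and all sample entries (including the addresses) are constructed for the example.

```python
import json
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed JSON-lines request log, one request per line, headers captured by a
# reverse proxy. The format and every value in it are assumptions for this example.
SAMPLE_LOG = r"""
{"ts":"2025-03-27T10:00:01Z","src":"198.51.100.10","method":"GET","uri":"/","headers":{"user-agent":"Mozilla/5.0","thumbnailsaccesstoken":"QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQQ=="}}
{"ts":"2025-03-27T10:00:02Z","src":"203.0.113.7","method":"GET","uri":"/xwiki/bin/get/Main/Search?text=%7B%7Bgroovy%7D%7D...%7B%7B%2Fgroovy%7D%7D","headers":{"user-agent":"python-requests/2.31"}}
{"ts":"2025-03-27T10:00:03Z","src":"192.0.2.55","method":"GET","uri":"/xwiki/bin/get/Main/Search?text=quarterly+report","headers":{"user-agent":"Mozilla/5.0"}}
{"ts":"2025-03-27T10:00:04Z","src":"192.0.2.56","method":"GET","uri":"/","headers":{"user-agent":"curl/8.0"}}
""".strip()

# XWiki's Groovy macro opens with {{groovy}} and closes with {{/groovy}}.
GROOVY_MACRO = re.compile(r"\{\{/?groovy\b", re.IGNORECASE)
SITECORE_HEADER = "thumbnailsaccesstoken"


def parse_log(text: str):
    """Parse JSON lines into request dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def check_sitecore_header(req: dict):
    """Rule 1: the request carries the header used in the Sitecore deserialization scans.
    Header names are case-insensitive, so normalise before comparing."""
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    return "sitecore-thumbnailsaccesstoken-header" if SITECORE_HEADER in headers else None


def check_xwiki_groovy(req: dict):
    """Rule 2: a query value or the path contains the XWiki Groovy macro after decoding.
    parse_qsl decodes once; the extra unquote_plus catches double-encoded parameters."""
    parts = urlsplit(req.get("uri", ""))
    candidates = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    candidates.append(parts.path)
    for value in candidates:
        if GROOVY_MACRO.search(unquote_plus(value)):
            return "xwiki-groovy-macro-in-request"
    return None


RULES = (check_sitecore_header, check_xwiki_groovy)


def scan(text: str):
    """Apply every rule to every request; return (timestamp, source, rule tag) per hit."""
    hits = []
    for req in parse_log(text):
        for rule in RULES:
            tag = rule(req)
            if tag:
                hits.append((req["ts"], req["src"], tag))
    return hits


if __name__ == "__main__":
    for ts, src, tag in scan(SAMPLE_LOG):
        print(f"{ts} {src:15} {tag}")
```

Header presence alone is a strong signal only where that header is never expected from the internet; otherwise combine it with the request path and client. The macro rule inspects only the URI, so a search submitted in a POST body would need the body inspected as well.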

Correction: FBI Image Converter Warning

The FBI's Denver office warned of online file converters, not downloadable conversion tools.

https://www.fbi.gov/contact-us/field-offices/denver/news/fbi-denver-warns-of-online-file-converter-scam

VMware Vulnerability

Broadcom released a fix for a VMware Tools vulnerability that allows users of a Windows virtual machine to escalate privileges within that machine.

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25518

DrayTek Reboots

Over the weekend, users started reporting DrayTek routers rebooting and getting stuck in a reboot loop. DrayTek has now published advice on how to fix the problem.

https://faq.draytek.com.au/docs/draytek-routers-rebooting-how-to-solve-this-issue/

Microsoft Management Console Exploit CVE-2025-26633

Trend Micro released details showing how the MMC vulnerability Microsoft patched as part of this month's Patch Tuesday was exploited.

https://www.trendmicro.com/en_us/research/25/c/cve-2025-26633-water-gamayun.html
