SANS NewsBites

Microsoft Previews Centralized Windows Update Platform; OneDrive Files Exposed by File Picker Flaw; Reset ASUS Routers to Fix Persistent Backdoor

May 30, 2025  |  Volume XXVII - Issue #41

Top of the News


2025-05-29

Windows Update Orchestration Platform

Microsoft is previewing the Windows Update Orchestration Platform, which will allow third-party apps to update through Windows Update. According to the Windows IT Pro blog, "Built on the Windows Update stack, the orchestration platform aims to provide developers and product teams building apps and management tools with an API for onboarding their update(s) that supports the needs of their installers. The orchestrator will coordinate across all onboarded products that are updated on Windows 11, in addition to Windows Update, to provide IT admins and users with a consistent management plane and experience, respectively."

Editor's Note

A system like this is overdue. I am always impressed by how much easier it is to patch Linux systems, with most updates being available from a single source. Windows has some catching up to do.

Johannes Ullrich

While this is a welcome move and one that should make patching and updating third-party applications much more effective, I do sincerely hope that Microsoft will provide appropriate controls and measures to ensure third-party vendors are not compromised to enable malicious code to be delivered via this solution.

Brian Honan

Having fewer tools to coordinate, install, and update products is a win for both IT and security, and many shops have solutions in play for this reason. The update orchestration platform handles both Microsoft and third-party updates, including apps and drivers, and provides services for scheduling updates/reboots during less impactful times, as you get with Windows update services today. Compare this to your current update orchestration service, particularly if you're a Windows-only shop.

Lee Neely

This could be huge news for the cybersecurity industry. Whether you like it or not, Windows is the dominant operating system used by both the consumer and enterprise market. Consumers are notoriously bad at handling software updates, especially if dealing with multiple update services. Centralizing this service perhaps removes some of the burden for those users. More to follow I suspect, on both risk and reward.

Curtis Dukes

Who in the audience is a Red Teamer who just realized that we have a new way of delivering implants, like a Microsoft-sanctioned version of Evilgrade? Am I the only one?

Moses Frost

Probably worth waiting for release and testing of Microsoft's fix to the Open Drive issue before committing to putting all your eggs in the Windows Update basket.

John Pescatore

2025-05-28

OneDrive File Picker Vulnerability Potentially Exposes Entire Content of Users' OneDrive

Researchers from Oasis have discovered a flaw in Microsoft's OneDrive File Picker that could be exploited to let websites access all of a user's OneDrive content. Oasis researchers say that the issue is due to excessive permissions and insecurely stored secrets. The Oasis Research Team writes, "While users are prompted to provide consent before completing an upload, the prompt's vague and unclear language does not communicate the level of access being granted, leaving users open to unexpected security risks." Oasis offers mitigation recommendations, including checking to see if you have granted access to vendors in the past, checking to see if websites use OneDrive File Picker, and in web applications, "temporarily remov[ing] the option to upload files using OneDrive through OAuth until Microsoft provides a secure alternative" and storing access tokens securely.

Editor's Note

Beyond making sure guidance and policy about sharing files is in place, it's not a bad idea to review current sharing settings. When was the last time you looked at what you were sharing or what's shared with you? Consider time limiting shared items, inbound or outbound.

Lee Neely

This seems to be an issue with the OAuth Scopes that are being asked for by the system. The workaround, which is 'don't use it,' appears to be, um, well, insufficient?

Moses Frost

Oasis says they notified Microsoft and that 'Microsoft is considering future improvements, including more precise alignment between what OneDrive File Picker does and the access it requires.' Just over one year ago, Satya Nadella, Microsoft Chairman and CEO, told all Microsoft employees 'If you're faced with the tradeoff between security and another priority, your answer is clear: *Do security*. In some cases, this will mean prioritizing security above other things we do, such as releasing new features or providing ongoing support for legacy systems.' Sounds like the captain said 'Turn!' and the ship kept steaming forward, at least for OneDrive.

John Pescatore

2025-05-29

ASUS Routers are Being Backdoored

Since March, thousands of ASUS routers have been backdoored, creating a collection of compromised devices that could someday be used as a botnet. Researchers from GreyNoise have published an advisory describing the campaign. The backdoor is persistent, able to survive reboots and firmware updates. Those responsible for infecting the routers do so by exploiting vulnerabilities that have since been patched, though not all have been assigned CVEs. If a router is suspected to have been compromised, GreyNoise recommends performing a full factory reset and manual reconfiguration.

Editor's Note

These types of attacks have been happening for at least 20 years. Adding 'backdoor keys' to an authorized_keys file is a classic Linux persistence technique. For Linux systems, it is best to manage these keys centrally and have detection mechanisms in place to alert you if the file was altered.

Johannes Ullrich

Beyond making sure you are keeping routers actively updated, review contents of SSH key files as well as making sure ssh is off if you're not using it or that access to the service is tightly controlled where you are. Remember if compromised, you'll be doing a factory reset/reconfiguration. Rescan after the reset to be sure you're clean.

Lee Neely

A full factory reset solves many security ills. That said, the reset also needs to be augmented with patching to bring it up to the latest software version. Unfortunately, the customer base for this product isn't the most adept at managing the security of their system. I suspect these backdoored routers will be around for a while longer.

Curtis Dukes

The Rest of the Week's News


2025-05-28

FBI: Cyberthreat Actor Group is Targeting Law Firms

The US Federal Bureau of Investigation's (FBI's) Cyber Division has published a Private Industry Notification warning that a cyberthreat actor known as Silent Ransom Group (SRG) / Luna Moth / Chatty Spider / UNC3753 is targeting US law firms. Specifically, the threat actors are using callback phishing schemes and IT-related social engineering to gain access to the firms' networks. The threat actors do not encrypt data; instead, they demand a ransom not to leak or sell data they have stolen from the law firms' networks. The FBI's notification includes indicators of compromise as well as recommendations to improve cyber hygiene.

Editor's Note

Beyond making sure threat detection, MFA and training are in place, to include validation of callers, resist the temptation to think you can't talk yourself out of whatever happens because of your background/profession. Talk to your MSP to make sure you have sufficient protection and response for the current threat environment.

Lee Neely

If you are in Industry X and need backup for convincing management, just do a web search for 'Cyberthreat Actor Group is Targeting Industry X,' and you will find headlines. If you are responsible for protecting client legal information, I hope you don't need to use articles like this one.

John Pescatore

Law firms have always been close to the top of the list of potential targets. They often deal with clients' intellectual property and are typically ill-prepared to adequately safeguard the data, making them the weak point in an organization's cyber defense. Vet your law firms carefully and ask questions as to staffing of their cyber defense and breach preparation, just like you should do for any vendor.

Johannes Ullrich

Criminals simply go where the money is. The attack techniques they employ are generally the same. The alert does reinforce the need for companies to understand how law firms secure their data. In essence, what does the law firm's cyber security program look like and how is it managed?

Curtis Dukes

2025-05-29

Cyberthreat Actors Use Phony Bitdefender Site to Spread Information-Stealing Malware

Researchers from DomainTools detected a malware campaign that used a phony Bitdefender website to spread malicious programs designed to steal sensitive information. Users' devices become infected after they click on a button on the fake Download for Windows website. Instead of downloading the file users are expecting, the site downloads a malicious executable that deploys a payload containing three malicious tools: VenomRAT, StormKitty, and SilentTrinity. According to DomainTools, "VenomRAT provides initial and ongoing access to victim machines; StormKitty quickly gathers credentials on the system; and SilentTrinity is used for exfiltration and stealthy long term access."

Editor's Note

Your EDR should be hip to these malicious packages. Make sure EDR is provided without user interaction as the fake domain and download (BitDefender.zip) will likely fool unwary users. Bitdefender is working to 86 the fake download site and domain.

Lee Neely

Hey, it sounds silly and old, but if it works right?

Moses Frost

2025-05-28

Mandiant: Phony AI Video Generation Websites are Serving Malware

Mandiant researchers have uncovered a campaign that uses phony AI video generation websites to spread malware. The campaign, which has been active since at least the middle of 2024, comprises more than 30 websites that masquerade as well-known AI tools. The sites serve up malware that leads to machines becoming infected with information stealers and backdoors. Users generally visit the malicious sites by following links in advertisements on social media platforms. "Mandiant Threat Defense has observed UNC6032 compromises culminating in the exfiltration of login credentials, cookies, credit card data, and Facebook information through the Telegram API." Mandiant also points out that Morphisec published a write-up of a similar investigation earlier in May.

Editor's Note

Fascination with AI hasn't escaped the notice of threat actors, and of course they are seeking to weaponize that trend. The blog includes IoCs for your threat hunters, but this is going to keep evolving as the trend continues. Provide vetted AI solutions to offset risks as well as training on choosing wisely online.

Lee Neely

2025-05-29

MathWorks Confirms MATLAB Outage Due to Ransomware Attack

On Monday, May 26, 2025, MathWorks confirmed that the outages they had been reporting since May 18 were due to a ransomware attack. The incident affected both online applications used by customers and internal systems used by staff. MATLAB, which has more than five million users worldwide, "is a programming and numeric computing platform for engineering and scientific applications like data analysis, signal and image processing, control systems, wireless communications, and robotics. MATLAB includes a programming language, interactive apps, highly specialized libraries, and tools for automatically generating embedded code. MATLAB is also the foundation for Simulink®, a block diagram environment for simulating complex multi-domain systems." As of May 29, MathWorks writes that they have brought some of the affected systems back online.

Editor's Note

The MathWorks status site is being continuously updated as the outage is resolved and provides a link to subscribe to updates you may wish to leverage. Most recently their license server, file exchange and accounts services are back, which should help your users immensely. Unfortunately, they don't have an overall indication of what remains offline. No ransomware gang has taken credit for the attack.

Lee Neely

Most ransomware reports talk about the effect on the cyber underserved; this one demonstrates that even large, well-resourced companies can be a victim. Let's hope that they're more forthcoming with post-event analysis than they have been about the event, as we all could learn from their misfortune.

Curtis Dukes

2025-05-29

Adidas Customer Data Stolen Through Third-Party Breach; Victoria's Secret Service Outages Due to "Security Incident"

Two more retailers have reported cyber incidents. Adidas said that a breach of a third-party customer support partner resulted in the theft of some customer data. Adidas has begun notifying affected customers. The company has not provided details about the service provider, number of affected individuals, or when the incident was first detected. Adidas is based in Herzogenaurach, Bavaria, Germany. In a separate story, Victoria's Secret took down their US website on Wednesday, May 28, 2025, in the wake of what they say is a "security incident." While some of the Ohio-based company's in-store services are also unavailable, both Victoria's Secret and PINK stores remain open.

Editor's Note

The Adidas breach amounted to contact information: name, email, etc. which could be leveraged for order related phishing scams. This is similar to the recent Coinbase breach, reminding us to keep an eye on third-party security, particularly as unlike Coinbase, you likely can't just fire them if an incident happens. You should have the conversation about what would trigger a switch of providers and how your data would be transferred and disposed of.

Lee Neely

Not the first time an organization has been tripped up by a third-party service provider security failing. The incident presents an opportunity for CISOs to use as part of a table-top exercise for the executive team. You might also want to include on the risk register for managing third-party data spillage.

Curtis Dukes

2025-05-28

Chrome and Firefox Updates

Google and Mozilla have both released updated versions of their flagship browsers, addressing a total of 21 vulnerabilities. Google has updated the stable channel for Chrome to version 137 for Windows, macOS, and Linux. The newest version of the browser includes fixes for 11 security issues, eight of which were detected by external researchers. Of those, two are rated high-severity: a use-after-free defect in Compositing (CVE-2025-5063) and an out-of-bounds write flaw in the V8 JavaScript engine (CVE-2025-5280). Firefox 139 addresses 10 security issues, including a critical double-free issue in libvpx encoder that does not have an assigned CVE.

Editor's Note

Both Chrome CVEs have a CVSS score of 8.8, and appear to be not too difficult to compromise, so keep an eye on the update rollout. Firefox critical flaws are addressed in Firefox 139, ESR 115.24 and 128.11. Note there are also critical fixes in Thunderbird 139 and 128.11.

Lee Neely

2025-05-28

Follow-up: Cellcom, Masimo, and Nova Scotia Power

Wisconsin-based telecommunications provider Cellcom says that calling and text-messaging services are nearly fully restored following a cyberattack that prompted the company to take its network offline in mid-May 2025. In a statement on their website, the company acknowledged that "some intermittent issues may still occur as systems continue to stabilize." In a Tuesday, May 27 filing with the US Securities and Exchange Commission (SEC), California-based medical device manufacturer Masimo provided additional information regarding a "cybersecurity-related incident." Specifically, Masimo "does not expect the cybersecurity-related incident reported under Item 8.01 of Form 8-K on May 6, 2025 ... to materially impact the Company's revenue for fiscal year 2025." Masimo expected that most of the costs incurred will be covered through their cyber insurance policy. Masimo also notes that they are operating "at near full capacity, and the Company's critical order-taking, distribution and shipping systems are fully operational." On Friday, May 23, Nova Scotia Power acknowledged that they experienced a ransomware attack. The company initially referred to a "cybersecurity incident" that resulted in the theft of customer data. Nova Scotia Power says they have not paid the ransom demand.

Editor's Note

The Cellcom attack likely involved a DDoS attack, which regional providers like them may not be able to mitigate. On the other hand, these smaller providers are not targeted the way large providers like Verizon, AT&T and T-Mobile are. Consider the ability to defend, react and respond to threats when evaluating provider options, including service delivery targets and exact requirements to change if needed.

Lee Neely

Internet Storm Center Tech Corner

SANS Internet Storm Center StormCast Friday, May 30, 2025

Alternate Data Streams; ConnectWise Breach; Google Calendar C2

https://isc.sans.edu/podcastdetail/9472

Alternate Data Streams: Adversary Defense Evasion and Detection

Good Primer of alternate data streams and how they are abused, as well as how to detect and defend against ADS abuse.

https://isc.sans.edu/diary/Alternate+Data+Streams+Adversary+Defense+Evasion+and+Detection+Guest+Diary/31990

ConnectWise Breach Affects ScreenConnect Customers

ConnectWise’s ScreenConnect solution was compromised, leading to attacks against a small number of customers. This is yet another example of how attackers are taking advantage of remote access solutions.

https://www.connectwise.com/company/trust/advisories

Mark Your Calendar: APT41 Innovative Tactics

Google detected attacks leveraging Google’s calendar solution as a command and control channel.

https://cloud.google.com/blog/topics/threat-intelligence/apt41-innovative-tactics

Webs of Deception: Using the SANS ICS Kill Chain to Flip the Advantage to the Defender

Defending a small Industrial Control System (ICS) against sophisticated threats can seem futile. The resource disparity between small ICS defenders and sophisticated attackers poses a significant security challenge.

https://www.sans.edu/cyber-research/webs-deception-using-sans-ics-kill-chain-flip-advantage-defender/

SANS Internet Storm Center StormCast Thursday, May 29, 2025

LLM Assisted Analysis; MSP Ransomware; Everetz Vulnerability

https://isc.sans.edu/podcastdetail/9470

Exploring a Use Case of Artificial Intelligence Assistance with Understanding an Attack

Jennifer Wilson took a ‘weird string’ found in a recent honeypot sample and worked with ChatGPT to figure out what it is all about.

https://isc.sans.edu/diary/Guest+Diary+Exploring+a+Use+Case+of+Artificial+Intelligence+Assistance+with+Understanding+an+Attack/31980

Ransomware Deployed via SimpleHelp Vulnerabilities

Ransomware actors are using vulnerabilities in SimpleHelp to gain access to victims' networks via MSPs. The exploited vulnerabilities were patched in January.

https://news.sophos.com/en-us/2025/05/27/dragonforce-actors-target-simplehelp-vulnerabilities-to-attack-msp-customers/

OS Command Injection in Everetz Equipment

Broadcast equipment manufactured by Everetz is susceptible to an OS command injection vulnerability. Everetz has not responded to researchers reporting the vulnerability so far and there is no patch available.

https://www.onekey.com/resource/security-advisory-remote-code-execution-on-evertz-svdn-cve-2025-4009

SANS Internet Storm Center StormCast Wednesday, May 28, 2025

Securing authorized_keys; Meteobridge RCE Vulnerability; ADAuditPlus SQL Injection; Dero Miner vs Docker API

https://isc.sans.edu/podcastdetail/9468

SSH authorized_keys File

One of the most common techniques used by many bots is to add rogue keys to the authorized_keys file, implementing an SSH backdoor. Managing these files and detecting unauthorized changes is not hard and should be done if you operate Unix systems.

https://isc.sans.edu/diary/Securing+Your+SSH+authorizedkeys+File/31986
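As an added example, not code from the ISC diary or from SANS, the following POSIX shell script shows the baseline-and-diff approach both the diary item and the editor's note on the ASUS backdoors describe: record the keys in an authorized_keys file once, then periodically report any key that was added or removed. The key blobs in the constructed sample are placeholders, not real keys, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the ISC diary): baseline the keys in an
# authorized_keys file and alert when keys are added or removed.
# Usage: baseline_keys FILE BASELINE   then, from cron:   check_keys FILE BASELINE

# Normalise an authorized_keys file to one "keytype base64key" per line.
# Option prefixes (command=, from=, ...) and trailing comments are dropped so
# a re-commented key does not raise a false alarm; any line that cannot be
# parsed is reported as UNPARSED rather than silently ignored.
extract_keys() {
  awk '
    /^[[:space:]]*(#|$)/ { next }
    {
      for (i = 1; i <= NF; i++)
        if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)$/ && i < NF) {
          print $i, $(i+1); next
        }
      print "UNPARSED", $0
    }' "$1" | sort -u
}

# Record the current key set as the trusted baseline (run once, after review).
baseline_keys() {
  extract_keys "$1" > "$2"
}

# Number of parseable keys in a file (useful for inventory reports).
count_keys() {
  extract_keys "$1" | awk '$1 != "UNPARSED" { n++ } END { print n + 0 }'
}

# Compare the live file against the baseline. Prints "ADDED ..." and
# "REMOVED ..." lines and returns 1 if anything changed, so cron or a
# monitoring agent can act on the exit status.
check_keys() {
  ak_live=$(mktemp) || return 2
  extract_keys "$1" > "$ak_live"
  ak_added=$(comm -13 "$2" "$ak_live")
  ak_removed=$(comm -23 "$2" "$ak_live")
  rm -f "$ak_live"
  [ -n "$ak_added" ] && printf '%s\n' "$ak_added" | sed 's/^/ADDED /'
  [ -n "$ak_removed" ] && printf '%s\n' "$ak_removed" | sed 's/^/REMOVED /'
  [ -z "$ak_added" ] && [ -z "$ak_removed" ]
}

# Constructed sample: build a demo authorized_keys file in a temp dir and
# print its path. The key blobs are placeholders, not valid keys.
make_sample() {
  ak_dir=$(mktemp -d) || return 2
  cat > "$ak_dir/authorized_keys" <<'EOF'
# admin workstation
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY1 alice@workstation
command="/usr/bin/backup",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABPLACEHOLDER2 backup
EOF
  printf '%s\n' "$ak_dir/authorized_keys"
}

# Demo: baseline the sample, simulate a bot appending a rogue key, and show
# the alert. Everything lives in a temp dir that is removed afterwards.
sample=$(make_sample)
baseline_keys "$sample" "$sample.baseline"
echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIROGUEPLACEHOLDER bot' >> "$sample"
check_keys "$sample" "$sample.baseline" || echo "ALERT: $sample changed since baseline"
rm -rf "$(dirname "$sample")"
```

On a real host, run baseline_keys for root and every user with a home directory, store the baselines somewhere the monitored host cannot rewrite, and schedule check_keys from cron or your monitoring agent.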

Remote Command Execution on Smartbedded Meteobridge (CVE-2025-4008)

Weather station software Meteobridge suffers from an easily exploitable unauthenticated remote code execution vulnerability.

https://www.onekey.com/resource/security-advisory-remote-command-execution-on-smartbedded-meteobridge-cve-2025-4008

https://forum.meteohub.de/viewtopic.php?t=18687

ManageEngine ADAuditPlus SQL Injection

Zoho patched two SQL injection vulnerabilities in its ManageEngine ADAuditPlus product.

https://www.manageengine.com/products/active-directory-audit/cve-2025-41407.html (CVE-2025-41407)

https://www.manageengine.com/products/active-directory-audit/cve-2025-36527.html (CVE-2025-36527)

Dero Miner Infects Containers through Docker API

Kaspersky found yet another botnet infecting docker containers to spread crypto coin miners. The initial access happens via exposed docker APIs.

https://securelist.com/dero-miner-infects-containers-through-docker-api/116546/

SANS Internet Storm Center StormCast Tuesday, May 27, 2025

SVG Steganography; Fortinet PoC; GitLab Duo Prompt Injection

https://isc.sans.edu/podcastdetail/9466

SVG Steganography

Steganography is not only limited to pixel-based images but can be used to embed messages into vector-based formats like SVG.

https://isc.sans.edu/diary/SVG+Steganography/31978

Fortinet Vulnerability Details CVE-2025-32756

Horizon3.ai shows how it was able to find the vulnerability in Fortinet's products, and how to possibly exploit this issue. The vulnerability is already being exploited in the wild and was patched May 13th.

https://horizon3.ai/attack-research/attack-blogs/cve-2025-32756-low-rise-jeans-are-back-and-so-are-buffer-overflows/

Remote Prompt Injection in GitLab Duo Leads to Source Code Theft

An attacker may leave instructions (prompts) for GitLab Duo embedded in the source code. This could be used to exfiltrate source code and secrets or to inject malicious code into an application.

https://www.legitsecurity.com/blog/remote-prompt-injection-in-gitlab-duo