dmv.community is one of the many independent Mastodon servers you can use to participate in the fediverse.
A small regional Mastodon instance for those in the DC, Maryland, and Virginia areas. Local news, commentary, and conversation.

#infosec

311 posts · 174 participants · 15 posts today

Apache Tomcat Vulnerability Actively Exploited to Carry out Remote Code Execution

Pulse ID: 67ea98de56c6392506302862
Pulse Link: otx.alienvault.com/pulse/67ea9
Pulse Author: cryptocti
Created: 2025-03-31 13:30:06

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

LevelBlue - Open Threat Exchange: Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

Surely one of you #infosec peers has a guide or article on why #VPN services aren't the privacy silver bullet they often advertise themselves to be? Something that mentions you're paying co-conspirators to #mitm your own traffic, in addition to lowering the reputation to that of your new address space?

Gamaredon campaign abuses LNK files to distribute Remcos backdoor

A campaign targeting users in Ukraine with malicious LNK files has been observed since November 2024. The files, using Russian words related to troop movements as lures, run a PowerShell downloader contacting geo-fenced servers in Russia and Germany. The second stage payload uses DLL side loading to execute the Remcos backdoor. The activity is attributed to the Gamaredon threat actor group with medium confidence. The campaign uses the invasion of Ukraine as a theme in phishing attempts, distributing LNK files disguised as Office documents. The servers used are mostly hosted by GTHost and HyperHosting ISPs. The attack chain involves DLL sideloading to load the Remcos backdoor, which communicates with a C2 server on a specific port.

Pulse ID: 67e6c6b5e3b5eec595438366
Pulse Link: otx.alienvault.com/pulse/67e6c
Pulse Author: AlienVault
Created: 2025-03-28 15:56:37

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


Apache Tomcat: CVE-2025-24813: Active Exploitation

A critical path equivalence vulnerability in Apache Tomcat, CVE-2025-24813, allows unauthenticated attackers to execute arbitrary code on vulnerable servers under specific conditions. The vulnerability affects Tomcat versions 11.0.0-M1 to 11.0.2, 10.1.0-M1 to 10.1.34, 9.0.0.M1 to 9.0.98, and certain 8.5.x versions. Exploitation requires specific server configurations and involves sending malicious PUT and GET requests. Six malicious IP addresses have been identified attempting to exploit this vulnerability, targeting systems in the US, Japan, Mexico, South Korea, and Australia. Multiple proof-of-concept exploits have been published, increasing the likelihood of ongoing exploitation attempts. Users are advised to upgrade to patched versions or implement network-level controls to restrict access to the Tomcat server.

Pulse ID: 67e6c6b6dd57e4c62a1a8d1f
Pulse Link: otx.alienvault.com/pulse/67e6c
Pulse Author: AlienVault
Created: 2025-03-28 15:56:38

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

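The pulse above gives the affected Tomcat ranges but leaves the reader to compare milestone-style version strings (9.0.0.M1, 11.0.0-M1) by hand. The following added Python example, which is not part of the pulse or of any Tomcat project code, parses a version string or the banner printed by `catalina.sh version` and reports whether it falls inside the ranges the pulse lists. It assumes that milestone builds sort before the GA release of the same number, and it returns no verdict for 8.5.x because the pulse only says "certain 8.5.x versions"; consult the vendor advisory for that branch.

```python
import re
from typing import Optional, Tuple

# Inclusive affected ranges exactly as stated in the pulse summary.
# 8.5.x is deliberately absent: the pulse does not give its bounds.
AFFECTED_RANGES = [
    ("11.0.0-M1", "11.0.2"),
    ("10.1.0-M1", "10.1.34"),
    ("9.0.0.M1", "9.0.98"),
]

# Accepts "9.0.98", "9.0.0.M1" and "11.0.0-M1" (both milestone spellings).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")
_BANNER_RE = re.compile(r"Apache Tomcat/(\S+)")

# Assumption: a milestone (M<n>) precedes the GA release with the same
# major.minor.patch, so GA gets a sentinel that outranks any milestone number.
_GA_SENTINEL = 10**6


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn a Tomcat version string into a tuple that sorts correctly."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    ms = int(milestone) if milestone else _GA_SENTINEL
    return int(major), int(minor), int(patch), ms


def version_from_banner(line: str) -> str:
    """Extract the version from 'Server version: Apache Tomcat/9.0.98'."""
    m = _BANNER_RE.search(line)
    if not m:
        raise ValueError(f"no Tomcat banner in: {line!r}")
    return m.group(1)


def is_affected(version: str) -> Optional[bool]:
    """True/False for the ranges the pulse lists; None where the pulse is silent."""
    v = parse_version(version)
    if v[0] == 8 and v[1] == 5:
        return None  # "certain 8.5.x versions": bounds not given, check the advisory
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


if __name__ == "__main__":
    # Constructed sample banner, as printed by `catalina.sh version`.
    banner = "Server version: Apache Tomcat/9.0.98"
    v = version_from_banner(banner)
    print(v, "affected" if is_affected(v) else "not in listed ranges")
```

Feed it the banner from each host in an inventory and you get a per-host verdict without eyeballing milestone suffixes; a `None` result is a prompt to look the 8.5 bounds up rather than to assume the host is safe.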

A Deep Dive into Water Arsenal and Infrastructure

Water Gamayun, a suspected Russian threat actor, exploits the MSC EvilTwin zero-day vulnerability (CVE-2025-26633) to compromise systems and exfiltrate data. The group uses custom payloads like EncryptHub Stealer variants, SilentPrism and DarkWisp backdoors, as well as known malware like Stealc and Rhadamanthys. Their delivery methods include malicious provisioning packages, signed .msi files, and Windows MSC files. The attackers employ techniques such as LOLBins and encrypted communications to evade detection. Their infrastructure includes C&C servers for managing infected systems and exfiltrating data. The campaign highlights the group's adaptability and sophistication in cyber espionage operations.

Pulse ID: 67e7cba2606bdb8acfedda1c
Pulse Link: otx.alienvault.com/pulse/67e7c
Pulse Author: AlienVault
Created: 2025-03-29 10:29:54

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


📨 Latest issue of my curated #cybersecurity and #infosec list of resources for week #13/2025 is out!

It includes the following and much more:

➝ DNA of 15 Million People for Sale in #23andMe Bankruptcy,

➝ #Trump administration accidentally texted a journalist its war plans,

➝ Critical Ingress #NGINX controller vulnerability allows RCE without authentication,

➝ #Cyberattack hits Ukraine's state railway,

➝ Troy Hunt's Mailchimp account was successfully phished,

➝ #OpenAI Offering $100K Bounties for Critical #Vulnerabilities,

➝ #Meta AI is now available in #WhatsApp for users in 41 European countries... and cannot be turned off

Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every week-end ⬇️

infosec-mashup.santolaria.net/


Pulling the Threads on the Phish of Troy Hunt

A sophisticated phishing attack targeted Troy Hunt, compromising his Mailchimp account. The analysis reveals connections to the Scattered Spider group through domain pivoting. Using Validin's DNS, host response, and registration data, dozens of related domain names were uncovered. The investigation exposed a fake Cloudflare turnstile and bogus registration details. Pivoting on various features led to the discovery of multiple related domains and IP addresses. The attack's tactics strongly resemble those of Scattered Spider, including the reuse of previously used domains. The findings demonstrate the power of Validin's databases for uncovering adversary infrastructure and strengthening threat intelligence.

Pulse ID: 67e848f9c64772d54fd7164b
Pulse Link: otx.alienvault.com/pulse/67e84
Pulse Author: AlienVault
Created: 2025-03-29 19:24:41

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


Good morning, dear Fediverse inhabitant,

Have you ever found an unknown USB stick or USB cable? Did you plug it in to see whether there was any clue to its owner on it? That can be dangerous.
On the one hand, USB sticks can carry classic viruses. These may be embedded as a macro in an Office file, or stored as an executable posing as a game or a supposed driver. If you open them, your system can become infected. Before reliable high-bandwidth internet connections existed, spreading via floppy disks, CDs and later USB sticks was very common for viruses. They infected the computer and copied themselves onto every attached medium so that they would be carried onward.
On the other hand, a USB stick can also be an entirely different device: a microcontroller that presents itself as a keyboard and storage and, as soon as it is plugged in, automatically types keystrokes in order to, for example, steal passwords or install trojans. Miniaturisation has advanced so far that even a normal-looking USB cable can contain a microcontroller. Because they simply register as a keyboard and enter commands in the user's context, many virus scanners do not detect them. The same risk in principle also exists with public USB ports for charging smartphones, such as in some trains or buses. Here too, someone could attach such devices and disguise them well.
You should therefore avoid using other people's USB cables or sticks, or plugging your devices into publicly accessible ports. Better to carry your own cable and a power bank.
Take today as an occasion to pack a power bank and cable for emergencies.

Have a wonderful day
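The post describes the tell-tale shape of such a device: one "stick" that enumerates both a storage interface and a keyboard. The added Python example below, which is my own illustration and not the poster's code, parses `lsusb -v`-style descriptor output and flags any device that exposes a mass-storage interface (class 8) together with a HID keyboard interface (class 3, protocol 1). The sample descriptor text, including every vendor:product ID in it, is constructed for the example; `lsusb -v` on a real host is the assumed source of the input.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Interface class / protocol codes from the USB class specifications.
HID_CLASS = 3
MASS_STORAGE_CLASS = 8
HID_KEYBOARD_PROTOCOL = 1  # boot-protocol keyboard

# Line shapes as printed by `lsusb -v` (device header, interface class, protocol).
_DEVICE_RE = re.compile(r"^Bus (\d{3}) Device (\d{3}): ID ([0-9a-f]{4}:[0-9a-f]{4})\s*(.*)$")
_CLASS_RE = re.compile(r"^\s*bInterfaceClass\s+(\d+)")
_PROTO_RE = re.compile(r"^\s*bInterfaceProtocol\s+(\d+)")


@dataclass
class UsbDevice:
    ident: str                      # "bus:device"
    vid_pid: str
    name: str
    interfaces: List[List[int]] = field(default_factory=list)  # [class, protocol]


def parse_lsusb(text: str) -> List[UsbDevice]:
    """Group bInterfaceClass/bInterfaceProtocol pairs under their device header."""
    devices: List[UsbDevice] = []
    for line in text.splitlines():
        m = _DEVICE_RE.match(line)
        if m:
            bus, dev, vid_pid, name = m.groups()
            devices.append(UsbDevice(f"{bus}:{dev}", vid_pid, name.strip()))
            continue
        if not devices:
            continue  # descriptor lines before any header: nothing to attach to
        m = _CLASS_RE.match(line)
        if m:
            devices[-1].interfaces.append([int(m.group(1)), 0])
            continue
        m = _PROTO_RE.match(line)
        if m and devices[-1].interfaces:
            devices[-1].interfaces[-1][1] = int(m.group(1))  # protocol follows class
    return devices


def looks_like_badusb(dev: UsbDevice, strict: bool = False) -> bool:
    """Storage plus a keyboard on one device is the pattern the post warns about.

    strict=True treats any HID interface as suspect, not only boot keyboards,
    since a device may type through a non-boot HID report descriptor."""
    classes = {cls for cls, _ in dev.interfaces}
    has_keyboard = any(cls == HID_CLASS and (strict or proto == HID_KEYBOARD_PROTOCOL)
                       for cls, proto in dev.interfaces)
    return has_keyboard and MASS_STORAGE_CLASS in classes


def suspicious_devices(text: str, strict: bool = False) -> List[UsbDevice]:
    return [d for d in parse_lsusb(text) if looks_like_badusb(d, strict)]


# Constructed sample: a plain keyboard, a plain stick, and a stick that also
# presents a keyboard. IDs and names are made up for the example.
SAMPLE_LSUSB = """\
Bus 001 Device 003: ID 1234:0001 Example Keyboard
  Interface Descriptor:
      bInterfaceClass         3 Human Interface Device
      bInterfaceSubClass      1 Boot Interface Subclass
      bInterfaceProtocol      1 Keyboard
Bus 001 Device 004: ID 1234:0002 Example Flash Drive
  Interface Descriptor:
      bInterfaceClass         8 Mass Storage
      bInterfaceSubClass      6 SCSI
      bInterfaceProtocol     80 Bulk-Only
Bus 001 Device 005: ID 1234:0003 Stick found in the car park
  Interface Descriptor:
      bInterfaceClass         8 Mass Storage
      bInterfaceSubClass      6 SCSI
      bInterfaceProtocol     80 Bulk-Only
  Interface Descriptor:
      bInterfaceClass         3 Human Interface Device
      bInterfaceSubClass      1 Boot Interface Subclass
      bInterfaceProtocol      1 Keyboard
"""

if __name__ == "__main__":
    for d in suspicious_devices(SAMPLE_LSUSB):
        print(f"{d.ident} {d.vid_pid} {d.name}: storage + keyboard on one device")
```

This is a triage heuristic, not a gate: some legitimate composite devices (keyboards with built-in card readers, security keys) also combine HID with another class, so a hit means "look closer". The post's own advice, not plugging in unknown hardware at all, remains the real mitigation; on Linux, the per-device `authorized` attribute under `/sys/bus/usb/devices/` or a tool such as USBGuard can enforce an allow-list before the device is bound.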

Apple ID Hack — New Warning For 2 Billion Users

Apple has long since had an air of invulnerability about it as far as users have been concerned; be they iPhone, iPad or Mac fans, the ecosystem has been thought of as pretty darn secure. Like most security assumptions, however, it is wrong. […]

🍎 forbes.com/sites/daveywinder/2

Forbes: Apple ID Hack—New Warning For 2 Billion Users. As hackers turn their attention from Windows to iOS and macOS, beware these new Apple ID attacks—here's what you need to know.

This dumb password rule is from Chase Bank.

* Can't use any special characters except ! # $ % + / = @ ~
* Max length restriction (32 characters).
* No runs of identical characters ("aaa") or sequential characters ("abc").
* Password check is case-insensitive

dumbpasswordrules.com/sites/ch


Ok, friends. Suppose you want to host some sites at your home as either .onion or .i2p sites so that basically you can connect to them via a secure and anonymous connection from anywhere in the world. Use Firefox, install the FoxyProxy add-on, and then put it in pattern-matching mode. You can run both i2pd and tor on your laptop and proxy only .onion or .i2p sites through those daemons by wildcard pattern matching... voila! #infosec #linux #networking
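The per-domain routing the post sets up with FoxyProxy patterns can also be expressed as a Firefox proxy auto-config (PAC) script, which needs no add-on. The added JavaScript below is my own example, not the poster's configuration, and it assumes the daemons listen on their default local endpoints: Tor's SOCKS5 port 127.0.0.1:9050 and i2pd's HTTP proxy 127.0.0.1:4444. Everything that is not a .onion or .i2p host goes out directly, exactly as in the post's wildcard setup.

```javascript
// Firefox PAC file: FindProxyForURL(url, host) is called for every request and
// returns a proxy string. Written in plain ES5 so it runs in the PAC sandbox.
//
// Assumed endpoints (defaults; verify against your torrc and i2pd.conf):
var TOR_PROXY = "SOCKS5 127.0.0.1:9050";  // tor's SOCKS listener
var I2P_PROXY = "PROXY 127.0.0.1:4444";   // i2pd's HTTP proxy

// True when host is exactly `suffix` minus its dot or ends with `suffix`,
// so "abc.onion" matches ".onion" but "notonion.com" does not.
function hasTld(host, suffix) {
  var h = host.toLowerCase();
  if (h === suffix.slice(1)) { return true; }
  return h.length > suffix.length && h.slice(-suffix.length) === suffix;
}

function FindProxyForURL(url, host) {
  if (hasTld(host, ".onion")) { return TOR_PROXY; }
  if (hasTld(host, ".i2p")) { return I2P_PROXY; }
  return "DIRECT";  // everything else leaves the machine un-proxied
}
```

Two caveats a practitioner will want. First, with SOCKS5 the .onion name must be resolved by Tor, not by the local resolver, so set `network.proxy.socks_remote_dns` to true in `about:config`; otherwise the lookup leaks to your DNS server and fails anyway. Second, "DIRECT" for everything else means a mistyped hostname that does not end in .onion or .i2p is fetched over the clear net, which is the trade-off of proxying only the anonymised TLDs rather than all traffic.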