hashpwn

Infosec News

81 Posts 2 Posters 6.8k Views 2 Watching
cyclone (Admin Trusted) #23

    CISA Flags Actively Exploited Linux Kernel Zero-Days Linked to Cellebrite Android Unlock Exploit Chain

    c0ce4937-927b-4cbf-bc49-7da274ddbdef-image.png

    The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert on two actively exploited Linux kernel vulnerabilities—CVE-2024-53197 and CVE-2024-53150—used in a zero-day exploit chain reportedly developed by Cellebrite and deployed by Serbian authorities to unlock Android devices. CVE-2024-53197 targets ALSA USB-audio drivers for local privilege escalation, while CVE-2024-53150 enables kernel memory leaks. Both are now in CISA’s Known Exploited Vulnerabilities (KEV) catalog, with mandatory federal patching required by April 30, 2025.

    Source:
    https://securityonline.info/cisa-warns-of-actively-exploited-linux-kernel-vulnerabilities-cve-2024-53197-cve-2024-53150/

    Sysadmin by day | Hacker by night | Go Developer | hashpwn site owner
    3x RTX 4090

cyclone (Admin Trusted) #24

      Fortinet Reveals Persistent Post-Patch Access via SSL-VPN Symlink Exploit

      2d287b58-8930-4994-b0c6-0e5b394c310c-image.png

      Fortinet has disclosed that attackers are maintaining read-only access to FortiGate devices even after patching, by abusing symbolic links (symlinks) in SSL-VPN language file directories. The exploit, tied to previously patched CVEs (CVE-2022-42475, CVE-2023-27997, CVE-2024-21762), enables stealthy persistence across firmware updates. Fortinet has updated FortiOS (versions 6.4.16 to 7.6.2) to detect and remove the symlinks and prevent further abuse. CISA and CERT-FR have issued alerts, with recommendations to patch, review configurations, reset credentials, and consider disabling SSL-VPN temporarily. The compromise dates back to early 2023 and has impacted critical infrastructure targets.

      Source:
      https://thehackernews.com/2025/04/fortinet-warns-attackers-retain.html

cyclone (Admin Trusted) #25

        Windows CLFS Kernel Driver Zero-Day Exploited by Storm-2460 in Ransomware Attacks

        d8e87711-7251-4c1a-82e4-8ca316dfe107-image.png

On April 9, 2025, Microsoft reported that a zero-day vulnerability in the Windows Common Log File System (CLFS), identified as CVE-2025-29824, is being actively exploited by the threat actor Storm-2460. The group utilizes the PipeMagic malware to escalate privileges and deploy ransomware, primarily targeting IT and real estate sectors in the U.S., as well as organizations in Venezuela, Saudi Arabia, and Spain. PipeMagic, initially discovered in 2022, functions as both a backdoor and a gateway, and has been linked to previous attacks involving fake ChatGPT applications. Microsoft has released security updates to address this vulnerability, and the Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-29824 to its Known Exploited Vulnerabilities catalog.

        Source:
        https://www.cybersecuritydive.com/news/windows-clfs-zero-day-exploited-ransomware/744878/

cyclone (Admin Trusted) #26

          China-Linked UNC5174 Targets Linux and macOS Systems Using SNOWLIGHT Malware and VShell RAT

          f56bbdf5-0caa-4a82-ba2a-f07cf45ced56-image.png

          Threat actor UNC5174 (aka Uteus), linked to the Chinese government, has launched a new cyber campaign targeting Linux and macOS systems. The group uses an updated version of the SNOWLIGHT malware and the open-source VShell RAT to establish persistent, fileless remote access. Initial access is achieved via an unknown vector, followed by a malicious bash script that deploys SNOWLIGHT and Sliver implants. These tools leverage WebSockets-based C2 channels and memory-resident payloads for stealth. The campaign echoes tactics seen in previous exploits against Ivanti and F5 products, and aligns with broader Chinese cyber-espionage operations across nearly 20 countries.

          Related CVEs:
          CVE-2024-8963
          CVE-2024-9380
          CVE-2024-8190
          CVE-2025-0282
          CVE-2025-22457

          Source:
          https://thehackernews.com/2025/04/chinese-hackers-target-linux-systems.html

cyclone (Admin Trusted) #27, last edited by cyclone

            EU's "ProtectEU" Plan Threatens End-to-End Encryption Across VPNs, Messaging Apps, and Secure Email Services

            bc3943fd-91bd-4efc-970e-f398292860ee-image.png

            The EU Commission has launched ProtectEU, a broad internal security strategy aimed at giving law enforcement lawful access to encrypted communications. While still in its early stages, the proposal is already raising red flags across the cybersecurity industry for potentially undermining end-to-end encryption.

            ProtectEU is part of a growing global trend where governments push for backdoors under the guise of national security. While aimed at combating crime, these proposals risk eroding digital privacy, weakening cybersecurity, and potentially driving privacy-focused services out of EU jurisdictions altogether.

            Key Affected Services:

            • VPN Providers: Proton, Mullvad, Surfshark, NordVPN, and others have expressed concern. Backdoors and data retention laws could force no-log VPNs to exit the EU market.
            • Encrypted Messaging Apps: Platforms like Signal, WhatsApp, and Threema are primary targets for surveillance, as they use strong E2EE to protect user privacy.
            • Secure Email Providers: Proton Mail and similar services could also be impacted due to their encrypted architecture.
            • Secure File Sharing & VoIP Tools: Any service enabling private, encrypted communications or file transfers may be at risk if required to implement surveillance capabilities.

            Industry Response:

            • Proton: Warns weakening encryption would "make European security worse", not better.
            • Mullvad: Criticizes ProtectEU as a rebrand of prior mass surveillance proposals ("Chat Control").
            • NordVPN & Surfshark: Express cautious optimism but emphasize that privacy and security are inseparable.
            • AdGuard VPN: Warns that enforced data retention would make no-log services "untenable".

            Source:
            https://www.techradar.com/vpn/vpn-privacy-security/weakening-encryption-would-make-european-security-worse-the-vpn-industry-reacts-to-the-eus-plan-for-end-to-end-encryption-backdoors

            European Commission Press Release:
            https://ec.europa.eu/commission/presscorner/detail/en/ip_25_920

cyclone (Admin Trusted) #28

              4chan Hit by Major Breach: Alleged Hacker Leaks Source Code, Moderator Identities, and Disrupts Site

              32e83f09-8905-49b4-9ee5-e662285cc117-image.png

              In mid-April 2025, the notorious imageboard 4chan suffered a significant cybersecurity incident that has left the site offline and raised serious concerns over its internal security. Multiple sources report that a hacker, allegedly with long-term access to the platform's backend, exfiltrated and leaked sensitive data including source code, moderation tools, and a full list of site moderators and janitors.

              The breach was first hinted at when a previously defunct board on 4chan unexpectedly came back online, displaying the message “U GOT HACKED.” Following this, screenshots began circulating on social media and cybercrime forums, purportedly showing access to backend infrastructure, admin panels, and internal templates. Cybersecurity analyst Alon Gal noted that these materials appear legitimate, and at least one 4chan moderator, speaking anonymously, did not dispute their authenticity.

              Further reporting claims the attacker had access to 4chan’s systems for over a year before initiating the leak. The incident not only exposed internal systems and personnel data but also disrupted the platform’s availability, with 4chan remaining inaccessible at the time of writing.

              TechRadar and TechCrunch both received confirmation from individuals tied to 4chan’s moderation team, expressing concern that this breach may be worse than previous DDoS attacks or takedowns, given that the attacker may have had — or still has — full control over the platform’s infrastructure.

              The incident has prompted a wave of reaction across rival forums and social platforms. Some users, particularly from historically antagonistic communities like 8chan and remnants of eBaum’s World, have openly celebrated what they’ve labeled as 4chan’s “downfall.”

              4chan, known for minimal moderation and a culture steeped in anonymity and chaos, has long served as a hub for internet subcultures, memes, and coordinated online raids. However, it has also faced widespread criticism for hosting extreme content, including harassment, disinformation campaigns, and more recently, AI-generated explicit material.

              Sources:
              https://www.reuters.com/technology/cybersecurity/notorious-internet-messageboard-4chan-has-been-hacked-posts-claim-2025-04-15/

              https://www.techradar.com/pro/security/4chan-hit-with-alleged-hack-attackers-cause-outages-leak-source-code

cyclone (Admin Trusted) #29, last edited by cyclone

CISA Warns: 2021 SonicWall SMA 100 VPN Bug (CVE-2021-20035) Now Weaponized for Remote Code Execution

                c6a223f3-f739-4fb0-bd52-36fa08f71b92-image.png

A four-year-old command-injection bug in SonicWall's SMA 100 series VPN gateways (CVE-2021-20035) has moved from "theoretical DoS" to confirmed remote-code-execution and is now actively exploited in the wild. CISA added the flaw to its Known Exploited Vulnerabilities (KEV) list on 16 April 2025 and gave U.S. federal agencies until 7 May 2025 to patch. SonicWall updated its original 2021 advisory the same day, raising the CVSS score from 6.5 (Medium) to 7.2 (High) and warning customers that exploitation allows code execution as the low-privilege nobody user.

Affected models: SMA 200, 210, 400, 410 and virtual SMA 500v on ESX, KVM, AWS & Azure.

                Sources:
                https://thehackernews.com/2025/04/cisa-flags-actively-exploited.html

                https://www.bleepingcomputer.com/news/security/cisa-tags-sonicwall-vpn-flaw-as-actively-exploited-in-attacks/

cyclone (Admin Trusted) #30

                  Sophisticated Multi-Stage Malware Campaign Uses .JSE and PowerShell to Deploy Agent Tesla, XLoader, and Remcos RAT

                  28258fb4-a92a-4df7-9a2c-59ca4cd76b7b-image.png

                  A recently uncovered malware campaign observed by Palo Alto Networks Unit 42 reveals a complex, multi-stage attack chain using deceptive emails and layered execution tactics to evade detection and deploy potent remote access trojans (RATs), including Agent Tesla, XLoader, and Remcos RAT.

                  The infection begins with a phishing email masquerading as a legitimate payment confirmation, urging recipients to open an attached 7-zip archive containing a .JSE (JavaScript Encoded) file. When executed, this script fetches a PowerShell command from an external server. This script contains a Base64-encoded payload, which is decoded, dropped into the temp directory, and executed.

                  Depending on the variant, the next-stage payload is either:

                  • A .NET binary: containing an encrypted Agent Tesla payload, injected into RegAsm.exe, often linked with Snake Keylogger or XLoader.
                  • An AutoIt-compiled binary: designed to obscure analysis, which decrypts and loads shellcode that injects a .NET payload into RegSvcs.exe, again delivering Agent Tesla.

                  Key traits of the attack:

                  • Multi-layered execution paths increase resilience and hinder static or dynamic detection.
                  • Minimal obfuscation is used; instead, the attackers favor simple but chained techniques to achieve stealth and modular delivery.
                  • Execution via legitimate system processes (like RegAsm.exe and RegSvcs.exe) is employed for evasion and persistence.

                  The discovery highlights a trend toward stacked execution stages as a means of defense evasion rather than using heavily obfuscated or exotic malware techniques.

                  The report also coincides with new activity from the IronHusky APT group, targeting Mongolian and Russian government entities using a new version of MysterySnail RAT, further reflecting a broader increase in multi-stage, phishing-driven malware campaigns.

                  Sources:
                  https://thehackernews.com/2025/04/multi-stage-malware-attack-uses-jse-and.html

                  https://unit42.paloaltonetworks.com/phishing-campaign-with-complex-attack-chain

cyclone (Admin Trusted) #31

                    Infostealer Surge: Phishing Emails Delivering Credential-Theft Malware Soar 84% Year-over-Year

                    8a13a754-a7fb-45f3-8987-77e33cd3b4ff-image.png

                    According to IBM Security’s 2025 X-Force Threat Intelligence Index, phishing emails containing infostealers rose by 84% in 2024, signaling a shift toward stealthier cyberattack methods focused on data theft rather than encryption. Early 2025 data shows this trend accelerating, with a staggering 180% increase already recorded. The report highlights that credential theft now outpaces ransomware, with stolen data involved in nearly half of all cyberattacks. The underground market for infostealers remains robust, with 8 million listings for just the top five tools, contributing to the theft of 1.6 billion credentials. Critical infrastructure is increasingly targeted, often through vulnerabilities linked to nation-state actors.

                    Source:
                    https://www.securitymagazine.com/articles/101555-emails-delivering-infostealers-rose-by-84-year-over-year

cyclone (Admin Trusted) #32

                      CVE-2025-24054: NTLM Hash Leak Exploited via Malicious .library-ms Files

                      b676e2d8-a8a5-4df3-8b37-b875fa77ef56-image.png

CVE-2025-24054 is a Windows NTLM hash disclosure vulnerability that allows attackers to capture NTLMv2 hashes through minimal user interaction with specially crafted .library-ms files. Exploitation occurs when a user interacts with such a file—actions as simple as selecting or right-clicking can trigger the vulnerability, causing the system to initiate an SMB authentication request to an attacker-controlled server, thereby leaking the user's NTLM hash. These hashes can then be used for offline brute-force attacks or NTLM relay attacks, potentially leading to unauthorized access and lateral movement within networks. (SecurityWeek)

                      Active exploitation was observed as early as March 19. Notably, phishing campaigns targeting entities in Poland and Romania utilized this vulnerability by distributing ZIP archives containing malicious .library-ms files. Subsequent campaigns delivered these files without compression, further reducing the barrier to exploitation. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has since added CVE-2025-24054 to its Known Exploited Vulnerabilities catalog, underscoring the urgency for organizations to apply the necessary patches and mitigate the associated risks.

                      Sources:
                      https://www.helpnetsecurity.com/2025/04/17/windows-ntlm-vulnerability-exploited-in-multiple-attack-campaigns-cve-2025-24054/

                      https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24054

                      https://research.checkpoint.com/2025/cve-2025-24054-ntlm-exploit-in-the-wild/

cyclone (Admin Trusted) #33

                        NVIDIA RTX 50-Series GPUs Face Thermal Challenges: Hotspots and Melting Thermal Gel Raise Reliability Concerns

                        b0756708-3255-4a31-86ae-ad1b94d1db9a-image.png

Recent analyses have highlighted significant thermal issues affecting NVIDIA's RTX 50-series GPUs, raising concerns for users engaged in compute-intensive GPU tasks.

                        1. Power Delivery Hotspots Identified by Igor's Lab:
Investigations by Igor's Lab have uncovered that RTX 50-series GPUs, including models like the RTX 5060 Ti, 5070, and 5080, exhibit thermal hotspots in their power delivery systems. These hotspots, resulting from densely packed components such as FETs, coils, and drivers on compact PCBs, have been recorded at temperatures exceeding 100°C—surpassing the GPU core temperatures. Such elevated temperatures can accelerate material degradation, potentially compromising the longevity of the graphics cards. Mitigation efforts, such as applying thermal pads or putty to the affected areas, have shown temperature reductions of up to 12°C, indicating that design adjustments could alleviate these thermal concerns.

                        2. Gigabyte's Thermal Gel Leakage Issues:
Separately, users have reported instances of thermal gel leakage in Gigabyte's RTX 50-series GPUs, notably in models like the RTX 5080. The issue appears more prevalent in vertically mounted GPUs, where gravity may exacerbate the leakage of the server-grade thermal conductive gel used in place of traditional thermal pads. While the gel is non-conductive and generally safe, its unintended migration can affect the GPU's thermal performance and aesthetics. Gigabyte has acknowledged the problem and is reportedly working on a customer service policy to address affected units.

These findings underscore the importance of thermal management in high-performance GPUs and suggest that both design refinements and user awareness are crucial to ensure the reliability and longevity of RTX 50-series graphics cards.

                        Sources:
                        https://www.tomshardware.com/pc-components/gpus/igors-lab-uncovers-hotspot-issue-affecting-all-rtx-50-series-gpus-says-it-could-compromise-graphics-card-longevity

                        https://www.tomshardware.com/pc-components/gpus/gigabyte-rtx-50-series-gpus-reportedly-prone-to-melting-thermal-gel-issues

cyclone (Admin Trusted) #34

                          Marks & Spencer Cyberattack Disrupts Services Across UK Stores

                          image.png

British retailer Marks & Spencer (M&S) is grappling with a cyberattack that began over Easter weekend, disrupting online order deliveries, click-and-collect services, and contactless payments across the UK. The company has moved some operations offline to protect staff and customers, while shares fell 3% over five days. Despite the disruption, M&S confirmed no customer data has been compromised and is working with cybersecurity experts and the UK's National Cyber Security Centre. The Information Commissioner's Office has been notified. CEO Stuart Machin apologized and assured continued efforts to resolve the incident.

                          Source:
                          https://www.thetimes.com/business-money/companies/article/marks-and-spencer-fights-cyberattack-disrupting-online-deliveries-dtkkkn6nd?utm_source=chatgpt.com&region=global

                          M&S Press Release:
                          https://corporate.marksandspencer.com/media/press-releases/cyber-incident-further-update

cyclone (Admin Trusted) #35

                            SAP NetWeaver Zero-Day (CVE-2025-31324) Under Active Exploitation — Emergency Patch Issued

                            d74afaeb-0499-42ba-95d4-bba01e2c913e-image.png

                            SAP has issued an out-of-band emergency fix for a critical zero-day RCE vulnerability (CVE-2025-31324, CVSS 10.0) affecting the NetWeaver Visual Composer. The flaw lies in the /developmentserver/metadatauploader endpoint, allowing unauthenticated attackers to upload malicious files and execute arbitrary commands — leading to full system compromise.

                            ReliaQuest and watchTowr confirm active in-the-wild exploitation, with attackers deploying JSP webshells, Brute Ratel payloads, and advanced evasion techniques like Heaven's Gate and MSBuild injection. Even fully patched systems prior to this emergency release remain vulnerable.

                            SAP has not yet publicly acknowledged the active exploitation. The vulnerability affects Visual Composer Framework 7.50 and is not covered in the April 8th patch cycle. Two additional critical bugs were also addressed in this emergency update (CVE-2025-27429 and CVE-2025-31330).

                            Immediate Actions:

                            • Apply the emergency SAP patch immediately
                            • Restrict or disable access to the vulnerable endpoint if patching isn't feasible
                            • Scan servlet paths for unauthorized uploads
                            • Conduct full environment scans for persistence mechanisms
                            • Stay alert — widespread exploitation is likely to follow

                            Source:
                            https://www.bleepingcomputer.com/news/security/sap-fixes-suspected-netweaver-zero-day-exploited-in-attacks/

                            SAP Security Patch Info:
                            https://support.sap.com/en/my-support/knowledge-base/security-notes-news/april-2025.html

cyclone (Admin Trusted) #36

                              Kali Linux Rolls Out New Archive Signing Key After Repository Access Loss

                              b51c8790-680e-4295-a0d5-4a42d1ee35ce-image.png

                              In a recent announcement, the Kali Linux team revealed that users will soon encounter apt update failures due to a missing GPG signing key.

Missing key 827C8569F2518CC677FECA1AED65462EC8D5E4C5, which is needed to verify signature.

                              The failure stems from the team losing access to their previous signing key, prompting the rollout of a new one. Users must manually update their systems by downloading the new key using either wget or curl:

sudo wget https://archive.kali.org/archive-keyring.gpg -O /usr/share/keyrings/kali-archive-keyring.gpg

                              or

sudo curl https://archive.kali.org/archive-keyring.gpg -o /usr/share/keyrings/kali-archive-keyring.gpg

                              Verifying the SHA1 checksum is recommended to ensure file integrity.

sha1sum /usr/share/keyrings/kali-archive-keyring.gpg
603374c107a90a69d983dbcb4d31e0d6eedfc325  /usr/share/keyrings/kali-archive-keyring.gpg

                              The new keyring includes both the old and new keys, allowing a smooth transition without indicating any key compromise.

                              Additionally, all Kali images (ISO, NetHunter, VM, Cloud, Docker, WSL) have been refreshed (version 2025.1c and weekly builds from 2025-W17) to include the new key. Fresh installs are an option for users preferring a clean setup.

                              The team reassures that there was no security compromise—only a loss of key access—and signatures of the new key are publicly verifiable via the Ubuntu keyserver.

                              Users are advised to update immediately to restore normal package management and avoid repository signature errors.

                              Source:
                              https://www.kali.org/blog/new-kali-archive-signing-key/

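The download-then-verify procedure in the post above, scripted so the keyring is only installed when its SHA-1 matches the published digest. This is an added example, not the Kali team's own tooling; it assumes coreutils (`sha1sum`, `install`, `mktemp`) plus `curl` or `wget`, and the expected digest defaults to the value quoted in the post.

```shell
# Added example: fetch the Kali archive keyring, verify its SHA-1, and only
# then copy it into the apt keyring directory. Not part of the Kali post.

# Print the lowercase SHA-1 of a file (falls back to shasum where sha1sum is absent).
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'
    else
        shasum -a 1 "$1" | awk '{print $1}'
    fi
}

# Return 0 if FILE's SHA-1 equals EXPECTED (case-insensitive),
# 1 on mismatch, 2 if the file does not exist.
verify_keyring_checksum() {
    file="$1"
    expected="$2"
    [ -f "$file" ] || return 2
    actual=$(sha1_of "$file" | tr 'A-Z' 'a-z')
    expected=$(printf '%s' "$expected" | tr 'A-Z' 'a-z')
    [ "$actual" = "$expected" ]
}

# Download to a temp file, verify, then move into place only on success.
# Arguments (all optional): URL, destination path, expected SHA-1.
# The default digest is the one quoted in the announcement above; if the Kali
# blog publishes a different value, pass that instead.
install_kali_keyring() {
    url="${1:-https://archive.kali.org/archive-keyring.gpg}"
    dest="${2:-/usr/share/keyrings/kali-archive-keyring.gpg}"
    expected="${3:-603374c107a90a69d983dbcb4d31e0d6eedfc325}"
    tmp=$(mktemp) || return 1
    if command -v curl >/dev/null 2>&1; then
        curl -fsSL "$url" -o "$tmp" || { rm -f "$tmp"; return 1; }
    else
        wget -q "$url" -O "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    if verify_keyring_checksum "$tmp" "$expected"; then
        # 0644 so apt can read it; the directory itself needs root to write.
        install -m 0644 "$tmp" "$dest" && rm -f "$tmp"
    else
        echo "checksum mismatch for $url, keyring NOT installed" >&2
        rm -f "$tmp"
        return 1
    fi
}
```

Run `sudo sh -c '. ./kali-keyring.sh; install_kali_keyring'` (or call the function from a root shell) and follow it with `sudo apt update`; a mismatch leaves the existing keyring untouched.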
freeroute (Moderator Trusted) #37

How to use Hashcat on GeForce RTX 50 series video cards. How to install the driver for GeForce RTX 5060, 5070, 5080, 5090 in Linux

In recent years, Linux preparation for brute-force hashes using the Hashcat utility has been quite well-tested:

• installing Hashcat
• installing proprietary drivers for a video card
• installing CUDA

                                But if you repeat the installation commands that have already been tested for years, then they will not work for the new GeForce RTX 5060, 5070, 5080, 5090 graphic cards. This article will provide updated commands that will allow you to configure Linux to work effectively with Hashcat, including using GeForce RTX 50 series video cards.

                                So, the changes are that now the NVIDIA driver for Linux is released in two flavors:

• NVIDIA Proprietary (this is the same flavor that we have been installing for the past few years)
• NVIDIA Open (this is a relatively new flavor)

                                In general, the difference between these driver flavors is not very significant and did not particularly affect Hashcat users. This was the case before the release of the GeForce RTX 50 series. Starting with the release of the GeForce RTX 50 series video cards (since 2025), the difference between the driver versions has become significant – only NVIDIA Open now supports the GeForce RTX 50 series. This means that when installing the driver, you need to select NVIDIA Open – fortunately, this does not cause any difficulties, since it is present in the standard repositories of many Linux distributions.

What is NVIDIA Open and should Linux users switch to the new driver: https://suay.site/?p=5090
Source: https://miloserdov.org/?p=8299

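A quick pre-flight check for the requirement the post describes (RTX 50 series only works with the NVIDIA Open kernel modules). This is an added example, not from the linked article; it assumes the open modules report `license: Dual MIT/GPL` in `modinfo nvidia` while the proprietary ones report `license: NVIDIA`, and that `nvidia-smi` is available for the card name.

```shell
# Added example: classify the loaded NVIDIA kernel module flavor and warn when
# an RTX 50-series card is paired with the proprietary driver, which the post
# above explains cannot drive those cards (and therefore breaks hashcat).

# Classify modinfo text passed as the first argument.
# Prints "open", "proprietary" or "unknown".
# Assumption: open modules carry "Dual MIT/GPL", proprietary ones "NVIDIA".
classify_nvidia_modinfo() {
    license=$(printf '%s\n' "$1" | awk -F': *' '$1=="license" {print $2; exit}')
    case "$license" in
        *MIT/GPL*) echo open ;;
        NVIDIA*)   echo proprietary ;;
        *)         echo unknown ;;
    esac
}

# Return 0 if the GPU name (as nvidia-smi prints it) is a GeForce RTX 50-series part.
is_rtx50_series() {
    case "$1" in
        *"RTX 50"[0-9][0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check on the current host: combine the card name with the driver flavor.
# Returns 1 when an RTX 50-series card is not running on the Open modules.
check_hashcat_driver() {
    gpu=$(nvidia-smi --query-gpu=name --format=csv,noheader 2>/dev/null | head -n 1)
    flavor=$(classify_nvidia_modinfo "$(modinfo nvidia 2>/dev/null)")
    echo "gpu: ${gpu:-not detected}, driver flavor: $flavor"
    if is_rtx50_series "$gpu" && [ "$flavor" != open ]; then
        echo "RTX 50 series requires the NVIDIA Open kernel modules; install the open flavor" >&2
        return 1
    fi
    return 0
}
```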
cyclone (Admin Trusted) #38

                                  SentinelOne Under Siege: Chinese Espionage, North Korean Infiltration, and Ransomware Threats


                                  In April 2025, SentinelOne revealed it has been the target of a broad spectrum of cyber threats, including Chinese state-sponsored espionage, North Korean job applicant infiltration, and ransomware operations. A China-nexus APT group dubbed PurpleHaze, likely linked to APT15, targeted SentinelOne infrastructure and clients using ShadowPad malware obfuscated via a compiler called ScatterBrain, and leveraged GoReShell, a Go-based reverse SSH backdoor. These intrusions exploited an N-day vulnerability in Check Point devices and targeted over 70 global organizations.

                                  Meanwhile, North Korea-aligned actors submitted over 1,000 fake job applications to SentinelOne, attempting to penetrate intelligence teams. Separately, Russian ransomware groups—most notably Nitrogen—used advanced impersonation tactics to acquire legitimate EDR licenses from resellers with poor KYC controls. These attackers participate in a growing underground economy offering “EDR Testing-as-a-Service” to improve malware evasion against top-tier endpoint defenses.

                                  SentinelOne emphasized that attacks on security vendors are both real and rising, and that openly acknowledging these threats is vital for industry-wide defense improvements.

                                  Sources:
                                  https://thehackernews.com/2025/04/sentinelone-uncovers-chinese-espionage.html

                                  https://cyberscoop.com/cybersecurity-vendors-are-under-attack-sentinelone-says/

cyclone
Admin Trusted
wrote on last edited by
#39

                                    UK Retailer Co-op Disables IT Systems Following Attempted Cyber Intrusion


                                    British supermarket chain Co-op temporarily shut down parts of its IT infrastructure after detecting unauthorized access attempts, disrupting back office and call center operations. While stores and essential services remain unaffected, the company has not confirmed if the intrusion was successful. The incident follows a recent ransomware attack on Marks & Spencer by the "Scattered Spider" group, raising concerns about escalating threats to UK retail infrastructure.

                                    Source:
                                    https://www.bleepingcomputer.com/news/security/uk-retailer-co-op-shuts-down-some-it-systems-after-hack-attempt/

cyclone
Admin Trusted
wrote on last edited by
#40

                                      NoName057(16) Targets Dutch Infrastructure in Ongoing DDoS Attacks


                                      Hacktivist group NoName057(16) has launched a sustained wave of distributed denial of service (DDoS) attacks against Dutch public and private organizations, according to the Dutch National Cyber Security Center (NCSC). The attacks have disrupted access to online services across multiple provinces and municipalities, including Groningen, Noord-Holland, and Tilburg.

                                      The group, active since early 2022, uses a crowdsourced platform dubbed "DDoSIA" to coordinate and incentivize global participants in DDoS operations. Despite arrests in Spain last year, the core leadership remains active, and their operations show no sign of stopping. Dutch authorities confirm no data breaches have occurred, but public-facing systems continue to face service outages.

                                      This attack reinforces the shift from ransomware to geopolitically motivated DDoS attacks.

                                      Source:
                                      https://www.bleepingcomputer.com/news/security/pro-russia-hacktivists-bombard-dutch-public-orgs-with-ddos-attacks/

cyclone
Admin Trusted
wrote on last edited by
#41

                                        Microsoft to Retire Authenticator Password Autofill by August 2025, Shifting Users to Edge


                                        Microsoft has announced the phased deprecation of the password autofill feature in its Authenticator app, aiming to consolidate credential management within its Edge browser. The Authenticator app will still support MFA and Passkeys, however. The transition will occur over several months:

                                        • June 2025: Users will no longer be able to save new passwords in Authenticator.
                                        • July 2025: Autofill functionality will cease, and stored payment information will be deleted.
                                        • August 2025: Saved passwords and unsaved generated passwords will become inaccessible within Authenticator.

                                        To maintain access to their saved credentials, users must switch to Microsoft Edge, where passwords and addresses synced to their Microsoft account will remain available. Edge must also be set as the default autofill provider on mobile devices to utilize this functionality. Alternatively, users can export their passwords from Authenticator before August 1, 2025, and import them into another password manager. Payment information, however, must be manually re-entered into the new platform as it cannot be exported from Authenticator.

                                        Source:
                                        https://cyberinsider.com/microsoft-to-retire-password-autofill-in-authenticator-by-august-2025/?utm_source=chatgpt.com

                                        Microsoft Announcement:
                                        https://support.microsoft.com/en-us/account-billing/changes-to-microsoft-authenticator-autofill-09fd75df-dc04-4477-9619-811510805ab6

cyclone
Admin Trusted
wrote on last edited by
#42

                                          Magento Supply Chain Attack Unleashes Six-Year Dormant Backdoors, Hits Up to 1,000 E-Stores


                                          A sophisticated supply chain attack has compromised between 500 and 1,000 Magento-powered e-commerce sites through 21 maliciously backdoored third-party extensions. Discovered by security firm Sansec, the breach involves vendors Tigren, Meetanshi, and MGS, with some backdoors embedded as far back as 2019 but only activated in April 2025. The attackers used a covert PHP backdoor hidden in license verification files, enabling remote code execution, webshell deployment, and full administrative control.

                                          The malicious code validates specially crafted HTTP requests using hardcoded keys before executing administrative functions, including dynamic PHP code injection via uploaded "license" files. Notably, past versions of this backdoor lacked authentication, highlighting an evolving threat. One victim is reportedly a $40 billion multinational.

                                          While Meetanshi acknowledged a server breach, Tigren denied any compromise and continues distributing affected code. MGS has remained unresponsive. BleepingComputer independently verified the backdoor in at least one extension (MGS StoreLocator). Users are urged to scan their systems for indicators of compromise and revert to known-clean backups. Sansec has pledged further analysis as investigations continue.

                                          Source:
                                          https://www.bleepingcomputer.com/news/security/magento-supply-chain-attack-compromises-hundreds-of-e-stores/
