Web Scanning for Sonicwall Vulnerabilities CVE-2021-20016
For the last week, scans for Sonicwall API login and domain endpoints have skyrocketed. These attacks may be exploiting an older vulnerability or just attempting to brute force credentials.
https://isc.sans.edu/diary/Web%20Scanning%20Sonicwall%20for%20CVE-2021-20016/31906
The Wizards APT Group SLAAC Spoofing Adversary in the Middle Attacks
ESET published an article with details regarding an IPv6-linked attack they have observed. Attackers use router advertisements to inject fake recursive DNS servers that are used to inject IP addresses for hostnames used to update software. This leads to the victim downloading malware instead of legitimate updates.
https://www.welivesecurity.com/en/eset-research/thewizards-apt-group-slaac-spoofing-adversary-in-the-middle-attacks/
Windows RDP Access is Possible with Old Credentials
Credential caching may lead to Windows allowing RDP logins with old credentials.
https://arstechnica.com/security/2025/04/windows-rdp-lets-you-log-in-using-revoked-passwords-microsoft-is-ok-with-that/?comments-page=1#comments

More Scans for SMS Gateways and APIs
Attackers are not just looking for SMS Gateways like the scans we reported on last week, but they are also actively scanning for other ways to use APIs and add on tools to send messages using other people s credentials.
https://isc.sans.edu/diary/More%20Scans%20for%20SMS%20Gateways%20and%20APIs/31902
AirBorne: AirPlay Vulnerabilities
Researchers at Oligo revealed over 20 weaknesses they found in Apple s implementation of the AirPlay protocol. These vulnerabilities can be abused to execute code or launch denial-of-service attacks against affected devices. Apple patched the vulnerabilities in recent updates.
https://www.oligo.security/blog/airborne

SRUM-DUMP Version 3: Uncovering Malware Activity in Forensics
Mark Baggett released SRUM-DUMP Version 3. The tool simplifies data extraction from Widnows System Resource Usage Monitor (SRUM). This database logs how much resources software used for 30 days, and is invaluable to find out what software was executed when and if it sent or received network data.
https://isc.sans.edu/diary/SRUM-DUMP%20Version%203%3A%20Uncovering%20Malware%20Activity%20in%20Forensics/31896
Novel Universal Bypass For All Major LLMS
Hidden Layer discovered a new prompt injection technique that bypasses security constraints in large language models.
The technique uses an XML formatted prequel for a prompt, which appears to the LLM as a policy file. This Policy Puppetry can be used to rewrite some of the security policies configured for LLMs. Unlike other techniques, this technique works across multiple LLMs without changing the policy.
https://hiddenlayer.com/innovation-hub/novel-universal-bypass-for-all-major-llms/
CHOICEJACKING: Compromising Mobile Devices through Malicious Chargers like a Decade ago
The old Juice Jacking is back, at least if you do not run the latest version of Android or iOS. This issue may allow a malicious USB device, particularly a USB charger, to take control of a device connected to it.
https://pure.tugraz.at/ws/portalfiles/portal/89650227/Final_Paper_Usenix.pdf
SANS @RSA: https://www.sans.org/mlp/rsac/

Example of a Payload Delivered Through Steganography
Xavier and Didier published two diaries this weekend, building on each other. First, Xavier showed an example of an image being used to smuggle an executable past network defenses, and second, Didier showed how to use his tools to extract the binary.
https://isc.sans.edu/diary/Example%20of%20a%20Payload%20Delivered%20Through%20Steganography/31892
SAP Netweaver Exploited CVE-2025-31324
An arbitrary file upload vulnerability in SAP s Netweaver product is actively exploited to upload webshells. Reliaquest discovered the issue. Reliaquest reports that they saw it being abused to upload the Brute Ratel C2 framework. Users of Netweaver must turn off the developmentserver alias and disable visual composer, and the application was deprecated for about 10 years. SAP has released an emergency update for the issue.
https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/
https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/
Any.Run Reports False Positive Uploads
Due to false positives caused by MS Defender XDR flagging Adobe Acrobat Cloud links as malicious, many users of Any.Run s free tier uploaded confidential documents to Any.Run. Anyrun blocked these uploads for now but reminded users to be cautious about what documents are being uploaded.
https://x.com/anyrun_app/status/1915429758516560190

Attacks against Teltonika Networks SMS Gateways
Attackers are actively scanning for SMS Gateways. These attacks take advantage of default passwords and other commonly used passwords.
https://isc.sans.edu/diary/Attacks%20against%20Teltonika%20Networks%20SMS%20Gateways/31888
Commvault Vulnerability CVE-2205-34028
Commvault, about a week ago, published an advisory and a fix for a vulnerability in its backup software. watchTowr now released a detailed writeup and exploit for the vulnerability
https://labs.watchtowr.com/fire-in-the-hole-were-breaching-the-vault-commvault-remote-code-execution-cve-2025-34028/
Exploitation Trends Q1 2025
Vulncheck published a summary of exploitation trends, pointing out that about a quarter of vulnerabilities are exploited a day after a patch is made available.
https://vulncheck.com/blog/exploitation-trends-q1-2025
inetpub directory issues
The inetpub directory introduced by Microsoft in its April patch may lead to a denial of service against applying patches on Windows if an attacker can create a junction for that location pointing to an existing system binary like Notepad.
https://doublepulsar.com/microsofts-patch-for-cve-2025-21204-symlink-vulnerability-introduces-another-symlink-vulnerability-9ea085537741

Honeypot Iptables Maintenance and DShield-SIEM Logging
In this diary, Jesse is talking about some of the tasks to maintain a honeypot, like keeping filebeats up to date and adjusting configurations in case your dynamic IP address changes
https://isc.sans.edu/diary/Honeypot%20Iptables%20Maintenance%20and%20DShield-SIEM%20Logging/31876
XRPL.js Compromised
An unknown actor was able to push malicious updates of the XRPL.js library to NPM. The library is officially recommended for writing Riple (RPL) cryptocurrency code. The malicious library exfiltrated secret keys to the attacker
https://www.aikido.dev/blog/xrp-supplychain-attack-official-npm-package-infected-with-crypto-stealing-backdoor
https://github.com/XRPLF/xrpl.js/security/advisories/GHSA-33qr-m49q-rxfx
Cisco Equipment Affected by Erlang/OTP SSH Vulnerability
Cisco published an advisory explaining which of its products are affected by the critical Erlang/OTP SSH library vulnerability
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-erlang-otp-ssh-xyZZy

xorsearch.py: Ad Hoc YARA Rules
Adhoc YARA rules allow for easy searches using command line arguments without having to write complete YARA rules for simple use cases like string and regex searches
https://isc.sans.edu/diary/xorsearch.py%3A%20%22Ad%20Hoc%20YARA%20Rules%22/31856
Google Spoofed via DKIM Replay Attack
DKIM replay attacks are a known issue where the attacker re-uses a prior DKIM signature. This will work as long as the headers signed by the signature are unchanged. Recently, this attack has been successful against Google.
https://easydmarc.com/blog/google-spoofed-via-dkim-replay-attack-a-technical-breakdown/
SSL.com E-Mail Validation Bug
SSL.com did not properly verify which domain a particular email address is authorized to receive certificates for. This could have been exploited against webmail providers.
https://bugzilla.mozilla.org/show_bug.cgi?id=1961406

It's 2025, so why are malicious advertising URLs still going strong?
Phishing attacks continue to take advantage of Google s advertising services. Sadly, this is still the case for obviously malicious links, even after various anti-phishing services flag the URL.
https://isc.sans.edu/diary/It%27s%202025...%20so%20why%20are%20obviously%20malicious%20advertising%20URLs%20still%20going%20strong%3F/31880
ChatGPT Fingerprinting Documents via Unicode
ChatGPT apparently started leaving fingerprints in texts, which it creates by adding invisible Unicode characters like non-breaking spaces.
https://www.rumidocs.com/newsroom/new-chatgpt-models-seem-to-leave-watermarks-on-text
Asus AI Cloud Security Advisory
Asus warns of a remote code execution vulnerability in its routers. The vulnerability is related to the AI Cloud feature. If your router is EoL, disabling the feature will mitigate the vulnerability
https://www.asus.com/content/asus-product-security-advisory/
PyTorch Vulnerability
PyTorch fixed a remote code execution vulnerability exploitable if a malicious model was loaded. This issue was exploitable even with the weight_only=True" setting selected
https://github.com/pytorch/pytorch/security/advisories/GHSA-53q9-r3pm-6pq6

Microsoft Entra User Lockout
Multiple organizations reported widespread alerts and account lockouts this weekend from Microsoft Entra. The issue is caused by a new feature Microsoft enabled. This feature will lock accounts if Microsoft believes that the password for the account was compromised.
https://www.bleepingcomputer.com/news/microsoft/widespread-microsoft-entra-lockouts-tied-to-new-security-feature-rollout/
https://learn.microsoft.com/en-us/entra/identity/authentication/feature-availability
Erlang/OTP SSH Exploit
An exploit was published for the Erlang/OTP SSH vulnerability. The vulnerability is easy to exploit, and the exploit and a Metasploit module allow for easy remote code execution.
https://github.com/exa-offsec/ssh_erlangotp_rce/blob/main/ssh_erlangotp_rce.rb
Sonicwall Exploited
An older command injection vulnerability is now exploited on Sonicwall devices after initially gaining access by brute-forcing credentials.
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0022
Unpatched Vulnerability in Bubble.io
An unpatched vulnerability in the no-code platform bubble.io can be used to access any project hosted on the site.
https://github.com/demon-i386/pop_n_bubble

RedTail: Remnux and Malware Management
A description showing how to set up a malware analysis in the cloud with Remnux and Kasm. RedTail is a sample to illustrate how the environment can be used.
https://isc.sans.edu/diary/RedTail%2C%20Remnux%20and%20Malware%20Management%20%5BGuest%20Diary%5D/31868
Critical Erlang/OTP SSH Vulnerability
Researchers identified a critical vulnerability in the Erlang/OTP SSH library. Due to this vulnerability, SSH servers written in Erlang/OTP allow arbitrary remote code execution without prior authentication
https://www.openwall.com/lists/oss-security/2025/04/16/2
Brickstorm Analysis
An analysis of a recent instance of the Brickstorm backdoor. This backdoor used to be more known for infecting Linux systems, but now it also infects Windows.
https://www.nviso.eu/blog/nviso-analyzes-brickstorm-espionage-backdoor
https://blog.nviso.eu/wp-content/uploads/2025/04/NVISO-BRICKSTORM-Report.pdf
OpenAI GPT 4.1 Controversy
OpenAI released its latest model, GPT 4.1, without a safety report and guardrails to prevent malware creation.
https://opentools.ai/news/openai-stirs-controversy-with-gpt-41-release-lacking-safety-report