cybersecurity

A customer wanted to know if we had protections for ‘Sakura RAT,’ an open-source malware project hosted on GitHub, because of media claims that it had “sophisticated anti-detection capabilities.”

When we looked into Sakura RAT, we quickly realized two things. First, the RAT itself was likely of little threat to our customer. Second, while the repository did indeed contain malicious code, that code was intended to target people who compiled the RAT, with infostealers and other RATs. In other words, Sakura RAT was backdoored.

Given our previous explorations of the niche world of threat actors targeting each other, we thought we’d investigate further, and that’s where things got odd. We found a link between the Sakura RAT ‘developer’ and over a hundred other backdoored repositories – some purporting to be malware and attack tools, others gaming cheats.

When we analyzed the backdoors, we ended up down a rabbit hole of obfuscation, convoluted infection chains, identifiers, and multiple backdoor variants. The upshot is that a threat actor is creating backdoored repositories at scale, predominantly targeting game cheaters and inexperienced threat actors – and has likely been doing so for some time.

Our research suggests a link to a Distribution-as-a-Service operation previously reported on in 2024-2025 (see Prior work), but which may have existed in some form as early as 2022.

We have reported all the backdoored repositories still active at the time of our research to GitHub, as well as a repository hosting a malicious 7z archive. We also contacted the owners/operators of relevant paste sites hosting obfuscated malicious code. As of this writing, the repository hosting the malicious 7z archive, the vast majority of the backdoored repositories, and many of the malicious pastes, have been taken down.

You can now follow the Vulnerability-Lookup >Discourse topic on Mastodon: >@vulnerability-lookup@discourse.ossbase.org

https://discourse.ossbase.org/c/vulnerability-lookup-org/6

#Mastodon #Discourse #ActivityPub #VulnerabilityLookup

cross-posted from: https://lemmy.sdf.org/post/36028716

Archived

Security firm Forescout identified almost 35,000 solar power devices from 42 vendors with exposed management interfaces. These devices include inverters, data loggers, monitors, gateways and other communication equipment.

Key Findings

• Despite being a rapidly growing renewable energy source, there are security issues with remote inverter management, via cloud applications or direct access to management interfaces within inverters.
• Internet-exposed solar power devices are much more popular in Europe and Asia than in other regions. Europe accounts for 76% of exposed devices, followed by 17% in Asia and the remaining 8% in the rest of the world. Germany and Greece each account for 20% of the total devices worldwide, followed by Japan and Portugal with 9% each then Italy with 6%.
• Four of the top 10 vendors with exposed devices are headquartered in Germany, two in China and one each in Austria, Japan, US and Italy. This distribution also does not match the top 10 vendors worldwide by market share, since 9 of those are Chinese.

Mitigation Recommendations

• Do not expose inverter management interfaces to the internet.
• Patch devices as soon as possible and consider retiring those that for some reason cannot be patched.
• If a device needs to be managed remotely, consider placing it behind a VPN and following CISA’s guidelines for remote access.
• Follow the NIST guidelines for the cybersecurity of smart inverters in residential and commercial installations.

Weekly thread to discuss whatever you’re working on, big or small, at work or in your free time.

Introduction

This vulnerability report has been generated using data aggregated on Vulnerability-Lookup, with contributions from the platform’s community.

It highlights the most frequently mentioned vulnerability for May 2025, based on sightings collected from various sources, including MISP, Exploit-DB, Bluesky, Mastodon, GitHub Gists, The Shadowserver Foundation, Nuclei, and more. For further details, please visit this page.

The final section focuses on exploitations observed through The Shadowserver Foundation's honeypot network.

Top 10 vulnerabilities of the month

Vulnerability	Vendor	Product	Severity	VLAI Severity
CVE-2025-31324	SAP_SE	SAP NetWeaver (Visual Composer development server)	Critical	Critical
CVE-2025-4427	Ivanti	Endpoint Manager Mobile	Medium	Critical
CVE-2025-37899	Linux	Linux		High
CVE-2025-4428	Ivanti	Endpoint Manager Mobile	High	High
CVE-2025-32756	Fortinet	FortiVoice	Critical	Critical
CVE-2025-4664	Google	Chrome	Medium	Medium
CVE-2025-20188	Cisco	Cisco IOS XE Software	Critical	Critical
CVE-2017-18368	ZyXEL	P660HN-T1A	Critical	Critical
CVE-2015-2051	D-Link	DIR-645	High	Critical
CVE-2024-38475	Apache Software Foundation	Apache HTTP Server	Critical	Critical

Evolution for the top 5 vulnerabilities

• CVE-2025-31324 - SAP / SAP NetWeaver (Visual Composer development server)
• CVE-2025-4427 - Ivanti / Endpoint Manager Mobile
• CVE-2025-37899 - Linux / Linux
• CVE-2025-4428 - Ivanti / Endpoint Manager Mobile
• CVE-2025-32756 - Fortinet / FortiVoice

Insights from contributors

CVE-2025-22252: Authentication Vulnerability in FortiOS, FortiProxy, and FortiSwitchManager leads to Unauthenticated Admin Access
CVE-2025-22252 is a missing authentication for critical function vulnerability in devices configured to use a remote TACACS+ server for authentication configured to use ASCII authentication. It may allow an attacker with knowledge of an existing admin account to access the device as a valid admin via an authentication bypass, potentially resulting in complete system compromise, data theft and service disruption.

CVE-2025-30663: Additional information
In its security release of 13 May 2025, Zoom addressed two vulnerabilities that could be exploited for privilege escalation: • CVE-2025-30663, a time-of-check time-of-use race condition affecting some Zoom Workplace Apps. If successfully exploited, an authenticated user could conduct an escalation of privilege via local access. • CVE-2025-30664 is an improper neutralization of special elements flaw affecting some Zoom Workplace Apps. Successful exploitation could allow an authenticated user to conduct an escalation of privilege via local access.

CVE-2025-41229: More information
The vulnerabilities could be used by attackers to gain access to services and data. They can also be used to execute arbitrary commands and cause a denial of service. Confidentiality, integrity and availability are all impacted. The only solution is to upgrade immediately.

2025-27920: Additional information
Microsoft discovered critical vulnerability CVE-2025-27920 affecting the messaging application Output Messenger. Microsoft additionally observed exploitation of the vulnerability since April 2024. According to Microsoft, the attacker needs to be authenticated, although the Output Messenger advisory indicates that privileges are not required to exploit the vulnerability. An attacker could upload malicious files into the server’s startup directory by exploiting this directory traversal vulnerability. This allows an attacker to gain indiscriminate access to the communications of every user, steal sensitive data and impersonate users, possibly leading to operational disruptions, unauthorized access to internal systems, and widespread credential compromise.

Continuous exploitation

• CVE-2023-0656 - SonicWall / SonicOS (not in CISA KEV)
• CVE-2022-26134 - Atlassian / Confluence Data Center
• CVE-2019-1653 - Cisco / Cisco Small Business RV Series Router Firmware

Thank you

Thank you to all the contributors and our diverse sources!

If you want to contribute to the next report, you can create your account.

Feedback and Support

If you have suggestions, please feel free to open a ticket on our GitHub repository. Your feedback is invaluable to us!
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/

Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

• In two hacker competitions run by Palisade Research, autonomous AI systems matched or outperformed human professionals in demanding security challenges.
• In the first contest, four out of seven AI teams scored 19 out of 20 points, ranking among the top five percent of all participants, while in the second competition, the leading AI team reached the top ten percent despite facing structural disadvantages.
• According to Palisade Research, these outcomes suggest that the abilities of AI agents in cybersecurity have been underestimated, largely due to shortcomings in earlier evaluation methods.

crosspostato da: https://lemmy.sdf.org/post/35753834

Archived

Cipher, the cybersecurity division of Prosegur Group, has reported a 43% increase in cyberattacks against essential service operators in Spain during 2024. Its cyber intelligence division, Unit x63, highlights the focus on the energy sector, as critical infrastructure, which accounted for 9% of the total. This upward trend, continuing into 2025, points to a growing number of threats from espionage, sabotage and the exfiltration of sensitive data, reflecting the increasing sophistication and persistence of cyber attackers.

In early 2025, Cipher’s Unit x63 confirmed that several Spanish energy companies were targeted by ransomware campaigns, hit by data leaks and the subsequent sale of information on underground forums. Globally, geopolitical tensions have intensified attacks on sensitive infrastructure.

[...]

Threat landscape: key types of cyberattack targeting the energy sector.

Cyberespionage in the energy sector aims to covertly obtain critical information such as facility blueprints, proprietary technologies and strategic contracts. These attacks are typically state-sponsored or executed by Advanced Persistent Threat (APT) groups looking to gain geopolitical or economic advantage—or laying the groundwork for future sabotage [...]

Cyber sabotage in the energy sector seeks to disrupt or damage critical operations by targeting industrial systems such as SCADA, ICS, or PLCs. Unlike espionage, these attacks aim for destruction and demand high levels of sophistication, often linked to nation state [...]

Destructive malware has become a frequent weapon in geopolitical conflicts, severely impacting the energy sector, and is designed to erase data, disable systems, or sabotage operations. They can temporarily shut down businesses and cripple key infrastructure [...]

Hacktivist activity in the energy sector is on the rise in 2025, driven by political, social, and ideological motives [...] Pro-Russian collectives like NoName057(16) have launched DDoS campaigns against Western critical infrastructure. In 2024, a new group named “Mr. Hamza” emerged with strong anti-globalist rhetoric [...]

In 2025, disinformation campaigns aimed at the energy sector have intensified, seeking to erode public confidence in both governments and companies. Russian-led operations in Eastern Europe have targeted efforts to diversify away from Russian gas [...]

Cipher’s Unit x63 has identified a growing number of threats to the energy sector from state or para-state actors focused on espionage, sabotage, and strategic control. Russia remains the leading aggressor, with veteran groups such as Sandworm and APT28 expanding their activities across Europe.

[...]

China, Iran and North Korea have also stepped up operations. China's Volt Typhoon, active since 2023, and Iranian groups APT34 and CyberAvengers are behind global campaigns against critical infrastructure. North Korean units such as Lazarus and Kimsuky focus on energy and nuclear information. Additionally, the presence of cyber mercenaries developing tailored malware for state clients further complicates attribution and heightens supply chain risks.

[...]

crosspostato da: https://lemmy.sdf.org/post/35711367

Archived

Chinese efforts to spy on the Dutch are intensifying, with the focus on semiconductors, Dutch Defence Minister Ruben Brekelmans said on Saturday.

"The semiconductor industry, which we are technologically leading, or technology advanced, of course, to get that intellectual property - that's interesting to China," Brekelmans said in an interview on the sidelines of the Shangri-La Dialogue security meeting in Singapore.

[...]

When asked if the spying had stopped, Brekelmans said: "It's continuing. In our newest intelligence reports, our intelligence agency said that the biggest cyber threat is coming from China, and that we do see most cyber activity when it comes to us being as from China. That was the case last year, but that's still the case. So we only see this intensifying."

[...]

Dutch intelligence agencies first publicly attributed cyber espionage to China last year, when they said state-backed cyber spies had gained access to a Dutch military network in 2023.

Brekelmans said security is becoming increasingly important for the Netherlands as China is "using their economic position for geopolitical purposes and also to pressure us".

[...]

The minister said the Netherlands has introduced instruments to protect key industries and vital interests but the country and region also need to reduce their dependency on China for critical raw materials.

"Both on the European Union level, but also on the national level, we need to make bigger steps in order to reduce those dependencies."

The first day of @thotcon 0xD was a total blast! Before the presentations even got started I had the amazing Cliff Stoll sitting next to me imparting his wisdom, his jokes, and being a lot of fun! If you are interested in #CyberSecurity you definitely need to read his book The Cuckoos Egg! @cybersecurity

Full analysis.