End-of-Day report
Timeframe: Donnerstag 17-04-2025 18:00 - Freitag 18-04-2025 18:00
Handler: Felician Fuchs
Co-Handler: Michael Schlagenhaufer
News
Chrome extensions with 6 million installs have hidden tracking code
A set of 57 Chrome extensions with 6,000,000 users have been discovered with very risky capabilities, such as monitoring browsing behavior, accessing cookies for domains, and potentially executing remote scripts. [..] Earlier today, the researcher added 22 more extensions believed to belong to the same operation, taking the total to 57 extensions used by 6 million people. Some of the newly added extensions are public, too. Tuckner says that many of the extensions have been removed from the Chrome Web Store following his report from last week, but others still remain.
https://www.bleepingcomputer.com/news/security/chrome-extensions-with-6-million-installs-have-hidden-tracking-code/
Windows NTLM hash leak flaw exploited in phishing attacks on governments
A Windows vulnerability that exposes NTLM hashes using .library-ms files is now actively exploited by hackers in phishing campaigns targeting government entities and private companies. The flaw tracked as CVE-2025-24054 was fixed in Microsoft's March 2025 Patch Tuesday. Initially, it was not marked as actively exploited and was assessed as 'less likely' to be. [..] In a later campaign, Check Point discovered phishing emails that contained .library-ms attachments, without an archive. Simply downloading the .library-ms file was enough to trigger NTLM authentication to the remote server, demonstrating that archives were not required to exploit the flaw.
https://www.bleepingcomputer.com/news/security/windows-ntlm-hash-leak-flaw-exploited-in-phishing-attacks-on-governments/
Multi-Stage Malware Attack Uses .JSE and PowerShell to Deploy Agent Tesla and XLoader
A new multi-stage attack has been observed delivering malware families like Agent Tesla variants, Remcos RAT, and XLoader. "Attackers increasingly rely on such complex delivery mechanisms to evade detection, bypass traditional sandboxes, and ensure successful payload delivery and execution," Palo Alto Networks Unit 42 researcher Saqib Khanzada said in a technical write-up of the campaign.
https://thehackernews.com/2025/04/multi-stage-malware-attack-uses-jse-and.html
Nebula - Autonomous AI Pentesting Tool
Another cutting-edge tool from 2024 is Nebula, an open-source AI-powered penetration testing assistant. If PentestGPT is like an AI advisor, Nebula attempts to automate parts of the pentest process itself.
https://www.darknet.org.uk/2025/04/nebula-autonomous-ai-pentesting-tool/
Cross-Site WebSocket Hijacking Exploitation in 2025
The post includes a few brief case studies based on situations encountered during real world testing, in addition to a simple test site that can be hosted by readers to explore each of the vulnerability conditions.
https://blog.includesecurity.com/2025/04/cross-site-websocket-hijacking-exploitation-in-2025/
Vulnerabilities
Security updates for Friday
Security updates have been issued by Debian (graphicsmagick and libapache2-mod-auth-openidc), Fedora (giflib, mod_auth_openidc, mysql8.0, perl, perl-Devel-Cover, perl-PAR-Packer, perl-String-Compare-ConstantTime, rust-openssl, rust-openssl-sys, trunk, and workrave), Mageia (chromium-browser-stable and rust), Oracle (java-1.8.0-openjdk, java-17-openjdk, java-21-openjdk, kernel, libreoffice, and webkit2gtk3), Red Hat (gvisor-tap-vsock), SUSE (containerd, docker, docker-stable, forgejo, GraphicsMagick, libmozjs-115-0, perl-32bit, poppler, subfinder, and thunderbird), and Ubuntu (erlang and ruby2.3, ruby2.5).
https://lwn.net/Articles/1018020/
[R1] Nessus Version 10.8.4 Fixes Multiple Vulnerabilities
https://www.tenable.com/security/tns-2025-05
Yokogawa Recorder Products
https://www.cisa.gov/news-events/ics-advisories/icsa-25-107-04