Daily Summary - 30.04.2025

End-of-Day report

Timeframe: Tuesday 29-04-2025 18:00 - Wednesday 30-04-2025 18:00 Handler: Guenes Holler Co-Handler: Michael Schlagenhaufer

News

AirBorne: Wormable Zero-Click RCE in Apple AirPlay

Oligo Security Research has discovered a new set of vulnerabilities in Apple's AirPlay Protocol and the AirPlay Software Development Kit (SDK), which is used by third-party vendors to integrate AirPlay into third-party devices.

https://www.oligo.security/blog/airborne

Web Scanning Sonicwall for CVE-2021-20016, (Tue, Apr 29th)

The activity occurred on 23 April 2025 between 18:00 and 19:00 UTC, but, based on activity reported to DShield (see graphs below), it has been happening almost daily since then.

https://isc.sans.edu/diary/rss/31906

Yet Another NodeJS Backdoor (YaNB): A Modern Challenge

During an Advanced Continual Threat Hunt (ACTH) investigation conducted in early March 2025, Trustwave SpiderLabs identified a notable resurgence in malicious campaigns exploiting deceptive CAPTCHA verifications. These campaigns trick users into executing NodeJS-based backdoors, subsequently deploying sophisticated NodeJS Remote Access Trojans (RATs) similar to traditional PE-structured legacy RATs.

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/yet-another-nodejs-backdoor-yanb-a-modern-challenge/

Understanding the Deep Web, Dark Web, and Darknet (2025 Guide)

Understand the difference between Deep Web, Dark Web, and Darknet. Learn how they work, how to access them safely, and why they matter in 2025.

https://www.darknet.org.uk/2025/04/understanding-the-deep-web-dark-web-and-darknet-2025-guide/

The MCP Authorization Spec Is... a Mess for Enterprise

The Model Context Protocol has created quite the buzz in the AI ecosystem at the moment, but as enterprise organizations look to adopt it, they are confronted with a hard truth: it lacks important security functionality. Up until now, as people experiment with Agentic AI and tool support, they've mostly adopted the MCP stdio transport, which means you end up with a 1:1 deployment of MCP server and MCP client. What organizations need is a way to deploy MCP servers remotely and leverage authorization to give resource owners access to their data safely.

https://blog.christianposta.com/the-updated-mcp-oauth-spec-is-a-mess/

Practical Cyber Deception - Introduction to 'Chaotic Good'

Cyber deception isn't about building expensive honeynets or deploying complex traps - it's about instilling doubt and confusion in the attacker. By layering practical, tactical deception into your environment, you shift the balance of power: slowing them down, forcing mistakes, and gaining early warning long before real damage is done. From fake servers and canary tokens to ransomware drive traps, deception turns defense from a reactive grind into a strategic, active game.

https://detect.fyi/practical-cyber-deception-introduction-to-chaotic-good-2ac7bf046fee?source=rssd5fd8f494f6a4

Phishers Take Advantage of Iberian Blackout Before It's Even Over

Opportunistic threat actors targeted Portuguese and Spanish speakers by spoofing Portugal's national airline in a campaign offering compensation for delayed or disrupted flights.

https://www.darkreading.com/cyberattacks-data-breaches/phishers-take-advantage-iberian-blackout

Vulnerabilities

Dell protects PowerProtect Data Manager and laptops against possible attacks

In an advisory, the developers state that PowerProtect Data Manager is vulnerable through several flaws in third-party components such as Golang and the Spring Framework, but also through flaws in the application itself. If attacks succeed, attackers with local access and low privileges can, for example, gain higher user privileges (CVE-2025-23375, "high"). The developers state that the flaws have been closed in PowerProtect Data Manager 19.19.0-15.

https://www.heise.de/news/Dell-schuetzt-PowerProtect-Data-Manager-und-Laptops-vor-moeglichen-Attacken-10367541.html

Security updates for Wednesday

Security updates have been issued by Debian (glibc and libraw), Fedora (digikam, icecat, mingw-LibRaw, perl, perl-Devel-Cover, and perl-PAR-Packer), Red Hat (ghostscript, kernel, and kernel-rt), Slackware (mozilla), SUSE (augeas, firefox, and java-11-openjdk), and Ubuntu (binutils, libxml2, and nodejs).

https://lwn.net/Articles/1019457/

CISA Releases Three Industrial Control Systems Advisories

ICSA-25-119-01 Rockwell Automation ThinManager; ICSA-25-119-02 Delta Electronics ISPSoft; ICSA-25-105-05 Lantronix XPort (Update A)

https://www.cisa.gov/news-events/alerts/2025/04/29/cisa-releases-three-industrial-control-systems-advisories

Multiple vulnerabilities in Sematell ReplyOne (SYSS-2024-081/-082/-083)

https://www.syss.de/pentest-blog/mehrere-schwachstellen-in-sematell-replyone-syss-2024-081/-082/-083

f5: K000151082: PostgreSQL vulnerability CVE-2021-32027

https://my.f5.com/manage/s/article/K000151082