End-of-Day report
Timeframe: Dienstag 29-04-2025 18:00 - Mittwoch 30-04-2025 18:00
Handler: Guenes Holler
Co-Handler: Michael Schlagenhaufer
News
AirBorne: Wormable Zero-Click RCE in Apple AirPlay
Oligo Security Research has discovered a new set of vulnerabilities in Apple-s AirPlay Protocol and the AirPlay Software Development Kit (SDK), which is used by third-party vendors to integrate AirPlay into third-party devices.
https://www.oligo.security/blog/airborne
Web Scanning Sonicwall for CVE-2021-20016, (Tue, Apr 29th)
The activity occured on the 23 April 2025 between 18:00 - 19:00 UTC but since then based on activity reported to DShield (see graphs below) has been happening almost daily.
https://isc.sans.edu/diary/rss/31906
Yet Another NodeJS Backdoor (YaNB): A Modern Challenge
During an Advanced Continual Threat Hunt (ACTH) investigation conducted in early March 2025, Trustwave SpiderLabs identified a notable resurgence in malicious campaigns exploiting deceptive CAPTCHA verifications. These campaigns trick users into executing NodeJS-based backdoors, subsequently deploying sophisticated NodeJS Remote Access Trojans (RATs) similar to traditional PE structured legacy RATs.
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/yet-another-nodejs-backdoor-yanb-a-modern-challenge/
Understanding the Deep Web, Dark Web, and Darknet (2025 Guide)
Understand the difference between Deep Web, Dark Web, and Darknet. Learn how they work, how to access them safely, and why they matter in 2025.
https://www.darknet.org.uk/2025/04/understanding-the-deep-web-dark-web-and-darknet-2025-guide/
The MCP Authorization Spec Is... a Mess for Enterprise
The Model Context Protocol has created quite the buzz in the AI ecosystem at the moment, but as enterprise organizations look to adopt it, they are confronted with a hard truth: it lacks important security functionality. Up until now, as people experiment with Agentic AI and tool support, they-ve mostly adopted the MCP stdio transport, which means you end up with a 1:1 deployment of MCP server and MCP client. What organizations need is a way to deploy MCP servers remotely and leverage authorization to give resource owner-s access to their data safely.
https://blog.christianposta.com/the-updated-mcp-oauth-spec-is-a-mess/
Practical Cyber Deception - Introduction to -Chaotic Good-
Cyber deception isn-t about building expensive honeynets or deploying complex traps - it-s about instilling doubt and confusion in the attacker. By layering practical, tactical deception into your environment, you shift the balance of power: slowing them down, forcing mistakes, and gaining early warning long before real damage is done. From fake servers and canary tokens to ransomware drive traps, deception turns defense from a reactive grind into a strategic, active game.
https://detect.fyi/practical-cyber-deception-introduction-to-chaotic-good-2ac7bf046fee?source=rssd5fd8f494f6a4
Phishers Take Advantage of Iberian Blackout Before Its Even Over
Opportunistic threat actors targeted Portuguese and Spanish speakers by spoofing Portugals national airline in a campaign offering compensation for delayed or disrupted flights.
https://www.darkreading.com/cyberattacks-data-breaches/phishers-take-advantage-iberian-blackout
Vulnerabilities
Dell schützt PowerProtect Data Manager und Laptops vor möglichen Attacken
In einer Warnmeldung führen die Entwickler aus, dass PowerProtect Data Manager über mehrere Lücken in Komponenten von Drittanbietern wie Golang und Spring Framework, aber auch über Lücken in der Anwendung selbst angreifbar ist. Sind Attacken erfolgreich, können sich Angreifer etwa mit lokalem Zugriff und niedrigen Rechten höhere Nutzerrechte verschaffen (CVE-2025-23375 "hoch"). Die Entwickler versichern, die Lücken in PowerProtect Data Manager 19.19.0-15 geschlossen zu haben.
https://www.heise.de/news/Dell-schuetzt-PowerProtect-Data-Manager-und-Laptops-vor-moeglichen-Attacken-10367541.html
Security updates for Wednesday
Security updates have been issued by Debian (glibc and libraw), Fedora (digikam, icecat, mingw-LibRaw, perl, perl-Devel-Cover, and perl-PAR-Packer), Red Hat (ghostscript, kernel, and kernel-rt), Slackware (mozilla), SUSE (augeas, firefox, and java-11-openjdk), and Ubuntu (binutils, libxml2, and nodejs).
https://lwn.net/Articles/1019457/
CISA Releases Three Industrial Control Systems Advisories
ICSA-25-119-01 Rockwell Automation ThinManager, ICSA-25-119-02 Delta Electronics ISPSoft, ICSA-25-105-05 Lantronix XPort (Update A)
https://www.cisa.gov/news-events/alerts/2025/04/29/cisa-releases-three-industrial-control-systems-advisories
Mehrere Schwachstellen in Sematell ReplyOne (SYSS-2024-081/-082/-083)
https://www.syss.de/pentest-blog/mehrere-schwachstellen-in-sematell-replyone-syss-2024-081/-082/-083
f5: K000151082: PostgreSQL vulnerability CVE-2021-32027
https://my.f5.com/manage/s/article/K000151082