
Cyber Threat Weekly – #76

Derek Krein
5 min read

The week of April 28th through May 4th, about 373 cyber news articles were reviewed.  A light-ish amount of cyber threat trends and adversarial behavior news to share.  Been thinkin about attack surface and threat exposure management.  There are all kinds of attack surface: external, Active Directory, identity and access management, cloud, SaaS, network, and more.

Threat exposure management uses threat intelligence to prioritize emerging threats, the software bugs that matter most, and adversary behavior.  Focusing on the issues with the biggest business impact allows for a more fiscally responsible security program.  The ultimate goal: minimize business impact and financial risk from a cyber attack.

Let’s start with the continued development of StealC malware.  Hundreds of Magento e-stores compromised.  A refresher on Scattered Spider’s objectives and operations.  Even if the AI buzz is annoying, understanding AI agents and securing them is important.

Researchers share Q1 2025 stats around ransomware.  Two older software bugs abused to exploit SonicWall edge devices.  The quick rise and apparent fall of RansomHub.  Observations and detection opportunities for SAP NetWeaver shared.

List of 42,000 LabHost phishing domains shared by FBI.  Internet-wide scanning for Git tokens and secrets spiked.


Broken Record Alert: Don’t get pwned by N-day vulnerabilities!!!

Known exploited software flaws are one of the top 4 initial access vectors and have increased sharply in recent months.  We continue to share n-day vulnerabilities being actively exploited.  Priority #1, start with the CISA / VulnCheck known exploited vulnerability (KEV) catalogs.  If it’s in the catalog, it should be patched.

A close #2 priority is flaws with weaponized proof of concept (PoC) code available.  Exploit chances are higher when weaponized PoC code is available.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for actively exploited vulnerabilities and those with weaponized PoC code available.

You should consider what is exposed to the Internet.  Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices and services exposed to the Internet.


CISA Known Exploited Vulnerabilities – April 28th to May 4th:

CVE-2025-1976 – Broadcom Brocade Fabric OS Code Injection Vulnerability:
Allows a local user with administrative privileges to execute arbitrary code with full root privileges.

CVE-2025-42599 – Qualitia Active! Mail Stack-Based Buffer Overflow Vulnerability:
Allows a remote, unauthenticated attacker to execute arbitrary code or trigger a denial-of-service via a specially crafted request.

CVE-2025-3928 – Commvault Web Server Unspecified Vulnerability:
Allows a remote, authenticated attacker to create and execute webshells.

CVE-2025-31324 – SAP NetWeaver Unrestricted File Upload Vulnerability:
Allows an unauthenticated agent to upload potentially malicious executable binaries.

CVE-2024-38475 – Apache HTTP Server Improper Escaping of Output Vulnerability:
Allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure.

CVE-2023-44221 – SonicWall SMA100 Appliances OS Command Injection Vulnerability:
Allows a remote, authenticated attacker with administrative privilege to inject arbitrary commands as a 'nobody' user.

CVE-2025-34028 – Commvault Command Center Path Traversal Vulnerability:
Allows a remote, unauthenticated attacker to execute arbitrary code.

CVE-2024-58136 – Yiiframework Yii Improper Protection of Alternate Path Vulnerability:
May allow a remote attacker to execute arbitrary code. This vulnerability could affect other products that implement Yii, including—but not limited to—Craft CMS, as represented by CVE-2025-32432.
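The prioritization above (KEV first, weaponized PoC second, a 24-to-48-hour emergency window, Internet exposure as a tiebreaker) as a small triage routine. This is an added example, not code from the newsletter or from CISA; the `Finding` input shape and the split of the 24-to-48-hour window by exposure are this example's assumptions, and the `dateAdded` values in the sample catalog are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample of CISA KEV entries. The CVE ids are the ones listed
# above for April 28th to May 4th; the dates are assumed, not copied.
SAMPLE_KEV = {
    "CVE-2025-31324": "2025-04-29",
    "CVE-2025-34028": "2025-05-02",
    "CVE-2023-44221": "2025-05-01",
    "CVE-2024-38475": "2025-04-29",
}

@dataclass
class Finding:
    """A vulnerability seen in your inventory (hypothetical input shape)."""
    cve: str
    weaponized_poc: bool     # public, working exploit code is available
    internet_exposed: bool   # the affected host is reachable from the Internet

@dataclass
class Triage:
    cve: str
    priority: int                   # 1 = in KEV, 2 = weaponized PoC, 3 = routine
    deadline_hours: Optional[int]   # None = normal patch cycle, no emergency SLA
    due: Optional[datetime]

def triage(finding: Finding, kev: dict, now: Optional[datetime] = None) -> Triage:
    """Apply the ordering from the text: KEV first, weaponized PoC second.

    Emergency SLA is 24 hours for Internet-exposed hosts and 48 hours
    otherwise (the 24-to-48-hour window split by exposure; an assumption).
    """
    now = now or datetime.now()
    if finding.cve in kev:
        priority = 1
    elif finding.weaponized_poc:
        priority = 2
    else:
        return Triage(finding.cve, 3, None, None)
    hours = 24 if finding.internet_exposed else 48
    return Triage(finding.cve, priority, hours, now + timedelta(hours=hours))

def patch_queue(findings, kev, now: Optional[datetime] = None):
    """Return triage results ordered by priority, then by shortest deadline."""
    results = [triage(f, kev, now) for f in findings]
    return sorted(results, key=lambda t: (t.priority, t.deadline_hours or 10**9))
```

Swap `SAMPLE_KEV` for the live CISA KEV JSON feed in production; the routine only needs a membership test on CVE id.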


Continuous Updates to StealC Info Stealing Malware

This popular info stealing and malware downloader has several updates.  Recent additions include RC4 encryption for network communications, execution of MSI and PowerShell payloads, server-side brute-force capabilities for credential harvesting, and more.  Info stealer malware remains popular in the criminal underground.

https://www.bleepingcomputer.com/news/security/stealc-malware-enhanced-with-stealth-upgrades-and-data-theft-tools/

https://www.zscaler.com/blogs/security-research/i-stealc-you-tracking-rapid-changes-stealc


Supply Chain Attack on Hundreds of Magento E-Stores

We are seeing consistent attacks on the supply chain.  This one is concerning: some of the malware was dormant for nearly six years.  Three vendors are affected; two deny a breach and / or infected extensions, and the last didn’t respond to researchers.  Let’s hope dormant malware doesn’t become the norm.

https://www.bleepingcomputer.com/news/security/magento-supply-chain-attack-compromises-hundreds-of-e-stores/

https://sansec.io/research/license-backdoor


Scattered Spider Objectives and Operations Refresher

This threat group has been covered several times; they are in the news again with the Marks & Spencer (M&S) attack.  This is a good time to dig into how they operate, some history of the group, their behavior, and some mitigations.

https://www.trustwave.com/en-us/resources/blogs/trustwave-blog/trustwave-spiderlabs-insights-history-and-mitigations-for-scattered-spider/


Researchers Share Security Implications of AI Agents

What are AI agents, and what are the current threats to using them?  Researchers break down attacks and mitigations on two open-source AI agent technologies.  There are some lessons here as well as an understanding of AI agent architecture.

https://unit42.paloaltonetworks.com/agentic-ai-threats/


Quarterly Ransomware Report – Q1 2025

The ransomware landscape is volatile: while new players enter the scene, the disruption of major players and law enforcement action are taking their toll.  Nonetheless, the average ransom payment was about $522,777, with around 27% paying the ransom.  For data exfil-only attacks, 31% paid the ransom.  Known CVEs were increasingly exploited for initial access, a trend we continue to see.  Smaller orgs are taking the brunt of attacks.

https://www.coveware.com/blog/2025/4/29/the-organizational-structure-of-ransomware-threat-actor-groups-is-evolving-before-our-eyes


Active Exploitation of Two Older SonicWall Bugs

These bugs were added to the CISA known exploited vulnerability catalog this week.  Edge devices are under constant attack; the lesson here is to patch your edge devices quickly to minimize impact.  In addition, researchers shared proof-of-concept code.

https://thehackernews.com/2025/05/sonicwall-confirms-active-exploitation.html

https://labs.watchtowr.com/sonicboom-from-stolen-tokens-to-remote-shells-sonicwall-sma100-cve-2023-44221-cve-2024-38475/

https://github.com/watchtowrlabs/watchTowr-vs-SonicWall-PreAuth-RCE-Chain


The Possible Demise of Prolific RansomHub Operations

Researchers share an analysis of RansomHub operations; their playbook could be used by any group.  RansomHub has been down since April 1st.  Unknown if it’s temporary, but the play by DragonForce may be an indicator.

https://www.darkreading.com/cyber-risk/prolific-ransomhub-operation-goes-dark

https://www.group-ib.com/blog/ransomware-debris/


SAP NetWeaver Exploitation Observations and Detection Opportunities

Critical CVE-2025-31324 exploit behavior shared.  This bug allows unrestricted file uploads.  Researchers share several observed behaviors and detection opportunities.  Some indicators are also shared.

https://redcanary.com/blog/threat-intelligence/cve-2025-31324/


List of 42,000 LabHost Phishing Domains Released

The FBI took down one of the largest phishing-as-a-service platforms, LabHost.  It was known for extensive customization, 2FA bypass techniques, and more.  At the time of take-down, the platform had over 10,000 customers worldwide.

https://www.bleepingcomputer.com/news/security/fbi-shares-massive-list-of-42-000-labhost-phishing-domains/

https://www.ic3.gov/CSA/2025/250429.pdf

https://www.ic3.gov/CSA/2025/LabHost_Domains.csv


Git Token and Secrets Scanning Spiked

This is interesting behavior: there is some baseline scanning, but four distinct spikes in recent months.  Increased scanning for Git configs is a bit weird.  Attack surface and exposure management are the new norms.  Ensure you have exposed systems locked down and look for configuration deviations.

https://www.bleepingcomputer.com/news/security/hackers-ramp-up-scans-for-leaked-git-tokens-and-secrets/

https://www.greynoise.io/blog/spike-git-configuration-crawling-risk-codebase-exposure
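One way to spot the Git config crawling described above in your own web server logs, and more importantly to tell a blocked probe from a repository that was actually served. This is an added example, not code from the newsletter or from GreyNoise; the log lines are constructed (documentation IP ranges) and the combined log format is assumed.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log line: ip - - [time] "METHOD path HTTP/x" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample traffic (not real logs); 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [01/May/2025:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [01/May/2025:10:01:13 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "python-requests/2.31"
203.0.113.9 - - [01/May/2025:10:05:40 +0000] "GET /.git/config HTTP/1.1" 200 412 "-" "Go-http-client/1.1"
203.0.113.9 - - [01/May/2025:10:05:41 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "Go-http-client/1.1"
198.51.100.4 - - [01/May/2025:10:09:00 +0000] "GET /shop/cart HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

def is_git_probe(path: str) -> bool:
    """True when the request targets a .git directory anywhere under the web root."""
    return "/.git/" in path or path.endswith("/.git")

def scan_git_probes(log_text: str):
    """Return (probes_by_ip, served) for the given access-log text.

    probes_by_ip: {client ip: [(path, status), ...]} for every .git request.
    served: list of (ip, path) the server answered with 200, i.e. repository
            metadata is actually exposed and needs fixing, not just blocking.
    """
    probes = defaultdict(list)
    served = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_git_probe(m["path"]):
            continue
        status = int(m["status"])
        probes[m["ip"]].append((m["path"], status))
        if status == 200:
            served.append((m["ip"], m["path"]))
    return dict(probes), served
```

A non-empty `served` list is the configuration deviation to chase first: the web root is exposing a .git directory, and the probe from 203.0.113.9 has already read it.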

