
Cyber Threat Weekly – #78

Derek Krein
4 min read

The week of May 12th through May 18th, about 407 cyber news articles were reviewed.  A light amount of cyber threat trends and adversarial behavior news to share.  Been thinkin about how conceptually, threat actor behavior hasn’t changed that much in six years.

Living off the land / fileless attack methodology and the abuse of legit trusted services are not new, but they are more prevalent than ever.  Ingress capabilities such as VPNs and RDP are still targeted.  Lateral movement is still a huge problem.  Exploitation of known flaws followed by hands-on-keyboard behavior is still the norm.  Yesterday’s nation-state attack is still tomorrow’s commodity attack.

Let’s start with a researcher who created a tool that disables Microsoft Defender.  Exploit code was released for the Ivanti Endpoint Manager Mobile exploit chain.  An assessment of Muddled Libra, a group related to Scattered Spider.

Ransomware affiliates going after SAP NetWeaver bug.  Be aware of Google.com open redirects.  Deep dive into DarkCloud Stealer malware. 


Broken Record Alert: Don’t get pwned by N-day vulnerabilities!!!

Known exploited software flaws are one of the top 4 initial access vectors and have increased sharply in recent months.  We continue to share n-day vulnerabilities being actively exploited.  Priority #1, start with the CISA / VulnCheck known exploited vulnerability (KEV) catalogs.  If it’s in the catalog, it should be patched.

A close #2 priority is flaws with weaponized proof of concept (PoC) code available.  Exploitation chances are higher once weaponized PoC code is public.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.

You should consider what is exposed to the Internet.  Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices and services exposed to the Internet.
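The prioritization above (KEV first, weaponized PoC second, everything else on the normal cycle, with Internet exposure as a tie-breaker) can be turned into a small triage script. This is an added example, not code from the newsletter or from CISA. It assumes the JSON layout of CISA's public KEV feed (a `vulnerabilities` list with `cveID`, `dateAdded`, `dueDate` and `knownRansomwareCampaignUse` fields); the feed and the scanner findings embedded below are constructed samples, and the `weaponized_poc` flag is assumed to come from a separate intel source such as VulnCheck.

```python
"""Patch-priority triage against a CISA-KEV-style feed (added example)."""
import json
from datetime import datetime, timedelta

# Constructed sample feed in the CISA KEV JSON shape. The CVE IDs appear in the
# newsletter; the dates and ransomware flags are made up for this example.
SAMPLE_KEV_JSON = """
{
  "vulnerabilities": [
    {"cveID": "CVE-2025-32756", "vendorProject": "Fortinet", "product": "Multiple Products",
     "dateAdded": "2025-05-14", "dueDate": "2025-06-04", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-42999", "vendorProject": "SAP", "product": "NetWeaver",
     "dateAdded": "2025-05-15", "dueDate": "2025-06-05", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2025-4664", "vendorProject": "Google", "product": "Chromium",
     "dateAdded": "2025-05-15", "dueDate": "2025-06-05", "knownRansomwareCampaignUse": "Unknown"}
  ]
}
"""

# Constructed scanner findings: host, CVE, whether the host is reachable from
# the Internet, and whether a weaponized PoC is known (assumed intel flag).
# CVE-2024-99999 is a placeholder ID, not a real vulnerability.
SAMPLE_FINDINGS = [
    {"host": "fw-edge-01", "cve": "CVE-2025-32756", "internet_exposed": True,  "weaponized_poc": False},
    {"host": "sap-app-02", "cve": "CVE-2025-42999", "internet_exposed": False, "weaponized_poc": True},
    {"host": "wks-1042",   "cve": "CVE-2025-4664",  "internet_exposed": False, "weaponized_poc": False},
    {"host": "vpn-gw-03",  "cve": "CVE-2025-4427",  "internet_exposed": True,  "weaponized_poc": True},
    {"host": "db-07",      "cve": "CVE-2024-99999", "internet_exposed": False, "weaponized_poc": False},
]


def load_kev(kev_json: str) -> dict:
    """Index a KEV-format feed by CVE ID so membership checks are O(1)."""
    data = json.loads(kev_json)
    return {entry["cveID"]: entry for entry in data["vulnerabilities"]}


def triage(findings, kev, now, emergency_hours=48, standard_days=30):
    """Rank findings: P1 = in KEV (actively exploited), P2 = weaponized PoC,
    P3 = everything else. P1 and P2 get the emergency window; within a
    priority, Internet-exposed hosts come first."""
    ranked = []
    for f in findings:
        if f["cve"] in kev:
            priority, reason = 1, "CISA KEV (actively exploited)"
            if kev[f["cve"]].get("knownRansomwareCampaignUse") == "Known":
                reason += ", known ransomware use"
        elif f["weaponized_poc"]:
            priority, reason = 2, "weaponized PoC available"
        else:
            priority, reason = 3, "standard patch cycle"
        window = timedelta(hours=emergency_hours) if priority < 3 else timedelta(days=standard_days)
        ranked.append({**f, "priority": priority, "reason": reason,
                       "due": (now + window).isoformat()})
    # Exposed hosts sort first because False < True and we negate the flag.
    ranked.sort(key=lambda r: (r["priority"], not r["internet_exposed"], r["cve"]))
    return ranked


if __name__ == "__main__":
    kev_index = load_kev(SAMPLE_KEV_JSON)
    for row in triage(SAMPLE_FINDINGS, kev_index, datetime(2025, 5, 19)):
        exposure = "EXPOSED" if row["internet_exposed"] else "internal"
        print(f"P{row['priority']} {row['cve']:16} {row['host']:11} {exposure:8} "
              f"due {row['due']}  ({row['reason']})")
```

To run this against the real catalog, replace `SAMPLE_KEV_JSON` with the body fetched from CISA's published KEV JSON feed; the indexing and ranking logic does not change.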


CISA Known Exploited Vulnerabilities – May 12th to May 18th:

CVE-2025-47729 – TeleMessage TM SGNL Hidden Functionality Vulnerability:
The archiving backend holds cleartext copies of messages from TM SGNL application users.

CVE-2025-32709 – Microsoft Windows Ancillary Function Driver for WinSock Use-After-Free Vulnerability:
Allows an authorized attacker to escalate privileges to administrator.

CVE-2025-30397 – Microsoft Windows Scripting Engine Type Confusion Vulnerability:
Allows an unauthorized attacker to execute code over a network via a specially crafted URL.

CVE-2025-32706 – Microsoft Windows Common Log File System (CLFS) Driver Heap-Based Buffer Overflow Vulnerability:
Allows an authorized attacker to elevate privileges locally.

CVE-2025-32701 – Microsoft Windows Common Log File System (CLFS) Driver Use-After-Free Vulnerability:
Allows an authorized attacker to elevate privileges locally.

CVE-2025-30400 – Microsoft Windows DWM Core Library Use-After-Free Vulnerability:
Allows an authorized attacker to elevate privileges locally.

CVE-2025-32756 – Fortinet Multiple Products Stack-Based Buffer Overflow Vulnerability:
May allow a remote unauthenticated attacker to execute arbitrary code or commands via crafted HTTP requests.

CVE-2025-42999 – SAP NetWeaver Deserialization Vulnerability:
Allows a privileged attacker to compromise the confidentiality, integrity, and availability of the host system by deserializing untrusted or malicious content.

CVE-2024-12987 – DrayTek Vigor Routers OS Command Injection Vulnerability:
Multiple routers contain an OS command injection vulnerability due to an unknown function of the file /cgi-bin/mainfunction.cgi/apmcfgupload of the component web management interface, affecting DrayTek Vigor2960, Vigor300B, and Vigor3900 routers.

CVE-2025-4664 – Google Chromium Loader Insufficient Policy Enforcement Vulnerability:
Allows a remote attacker to leak cross-origin data via a crafted HTML page.


Disable Microsoft Defender with ‘Defendnot’ Tool

A redo of a tool that registers a fake AV product, which in turn disables Microsoft Defender.  The undocumented Windows Security Center (WSC) API can be abused to trick Windows into thinking another AV is installed.  This tool uses a .dll written from scratch and injects it into the Taskmgr.exe process.  Let’s hope criminals don’t pick up on this and create a ton of tools like it.

https://www.bleepingcomputer.com/news/microsoft/new-defendnot-tool-tricks-windows-into-disabling-microsoft-defender/


Exploit Code for Ivanti Endpoint Manager Mobile Released

Researchers released exploit code for two vulnerabilities that are being chained together and actively exploited in the wild.  The chances of broad exploitation are now much higher.  The bugs are CVE-2025-4427 and CVE-2025-4428.  We really should refrain from releasing exploit code too soon.

https://www.rapid7.com/blog/post/2025/05/16/etr-ivanti-epmm-exploit-chain-exploited-in-the-wild/


Muddled Libra Threat Group Analysis

As a subset of the Scattered Spider threat group, they draw in members from diverse backgrounds and interests.  Members come from Discord and Telegram channels, including The Com, and are native English speakers specializing in social engineering.  Behavior and TTPs are shared in the report.

https://unit42.paloaltonetworks.com/muddled-libra/


Multiple Threat Groups Target SAP NetWeaver Bugs

First nation-state threat actors, and now some evidence of ransomware affiliates abusing SAP NetWeaver bugs.  A second bug, CVE-2025-42999, that is being chained in these attacks was also patched on May 12th.

https://www.bleepingcomputer.com/news/security/ransomware-gangs-join-ongoing-sap-netweaver-attacks/

https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/


Continually Abused Google.com Open Redirects

In this case, the open redirect is google.com/travel/clk; a valid token can be used for weeks, even months, to redirect users to a domain of the attacker’s choice.  We continue to see coverage of open redirect abuses on legit and trusted domains.

https://isc.sans.edu/diary/rss/31950
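An open redirect exists whenever a handler forwards the browser to a user-supplied target without checking it. The following added example (not code from the newsletter, from Google, or from the ISC diary) shows the check that closes that gap in a web handler: a `next` parameter is only honored if it is a same-site relative path or an absolute `https` URL whose host is on an explicit allowlist. `ALLOWED_HOSTS` and the example URLs are constructed; the function also covers the shapes that commonly slip past naive checks, such as protocol-relative `//host`, backslash paths and `user@host` confusion.

```python
"""Redirect-target validation that prevents an open redirect (added example)."""
from urllib.parse import urlsplit

# Constructed allowlist of hosts this site is permitted to redirect to.
ALLOWED_HOSTS = {"example.com", "www.example.com"}


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only for a same-site relative path or an absolute https URL
    on an allowed host. Everything else is treated as an open-redirect attempt."""
    if not target:
        return False
    # Browsers drop tabs/newlines and treat backslashes as slashes; normalise
    # first so the parser sees what the browser would see.
    for ch in "\t\r\n":
        target = target.replace(ch, "")
    target = target.replace("\\", "/")

    parts = urlsplit(target)
    # Relative path: must start with exactly one '/' ('//host' is protocol-relative).
    if not parts.scheme and not parts.netloc:
        return target.startswith("/") and not target.startswith("//")
    # Absolute URL: https only, no userinfo (https://example.com@other.host
    # sends the browser to other.host), and the host must be allowlisted.
    if parts.scheme.lower() != "https":
        return False
    if parts.username or parts.password:
        return False
    host = (parts.hostname or "").lower()
    return host in allowed_hosts


def resolve_redirect(target: str, fallback: str = "/") -> str:
    """What the handler should actually send in the Location header."""
    return target if is_safe_redirect(target) else fallback


if __name__ == "__main__":
    for candidate in ["/account/settings", "https://www.example.com/login",
                      "//other.example.net/", "/\\other.example.net",
                      "https://example.com@other.example.net/", "javascript:void(0)"]:
        print(f"{candidate!r:45} -> {resolve_redirect(candidate)}")
```

Note that the check is on the parsed host, not on a substring: `https://example.com.other.example.net/` fails because its hostname is not in the set, which is the mistake a `startswith("https://example.com")` check would make.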


Analyzing New Variants of DarkCloud Stealer Malware

Researchers perform a technical analysis revealing an infection chain that employs AutoIt scripting.  Advertised on dark web forums as early as January 2023, this malware appears to be continually developed. 

https://unit42.paloaltonetworks.com/darkcloud-stealer-and-obfuscated-autoit-scripting/

