May 17, 2025

Hello all,

Along with the usual Microsoft Patch Tuesday scramble, this week brought an explosion of updates and vulnerability reveals from a lot of other vendors and products, ranging from ASUS to VMware – almost to Z.

Headline NEWS:

  • ASUS fixed two defects in their DriverHub tool that is used to identify motherboards and offer drivers for download. If exploited, it could have allowed for RCE on the victim’s machine. ASUS strongly recommends that you update to the latest DriverHub version.
  • F5 BIG-IP has a command injection vulnerability that can allow for an attacker to execute arbitrary commands in an elevated session. Update to a patched version to fix this defect.
  • Fortinet released fixes for a zero-day that has been shown to be exploited in their FortiVoice product. They have released updated software to address this and have guidance on checking for existing compromise. Fortinet also released fixes for FortiOS, FortiProxy, and FortiManager to plug a defect that can allow an unauthenticated threat actor to gain full administrative control over the systems. If you support these devices, it is highly recommended that you check for updates.
  • Google fixed a Chrome browser defect that already had a public exploit available. If you haven’t done so yet, update your browser. Expect that other Chromium based browsers will likely be following suit soon, if not already.
  • Ivanti can’t seem to stay out of the news for long. This time the defect is in EPMM, or Endpoint Manager Mobile. There are two items that, when chained together, allow for remote code execution and unauthenticated access, equaling a bad day. And if EPMM wasn’t enough, they are also warning that Neurons for ITSM, an IT service management solution, needs to be patched. If you’ve got ’em, patch ’em.
  • Microsoft surprised me this month. I expected a lesser number of defect fixes, but instead Big Redmond coughed up a whopping 72 flaws and 5 zero-days that need fixing. I guess I should be happy that they are releasing updates to fix these things. But shouldn’t the quantity of these things be decreasing by now? Make sure you vet and apply the patches quickly, as the zero-days are already under active attack.
  • Samsung made an update available for MagicINFO 9 Server, which is used to control digital signs. Huntress Labs found that an earlier patch was ineffective and Mirai Botnet threat actors were still able to pwn the server for their own evil uses. Update to the latest patched version to fix this defect. Hopefully, for real this time.
  • SAP released a fix for a defect in NetWeaver that was already reported as being under active exploitation. Check your NetWeaver instances for updates and follow the vendor’s guidance to check for signs of compromise.
  • US Deportations Airline – GlobalX was apparently hacked by Anonymous, exfiltrating flight records and passenger lists, which they made available to the media. I guess the secretive flights are not so secret now. GlobalX said that they have isolated the affected infrastructure and have engaged cyber security professionals to help.
  • VMware (Broadcom) urges rapid patching of VMware Tools to fix a defect that can allow “a malicious actor with non-administrative privileges on a guest VM to tamper [with] the local files to trigger insecure file operations within that VM”. In other words, someone with low permissions can elevate permissions. That’s not good. Also, in VMware news, VMware Aria Automation, VMware Cloud Foundation, and VMware Telco Cloud Platform need updates to prevent session token theft of a logged-in user.

In Ransomware, Malware, and Vulnerabilities News:

  • Coinbase, a cryptocurrency exchange, was recently hacked and had customer data exfiltrated. The criminals contacted Coinbase and demanded $20 million to delete the data and not publish it. Coinbase outright refused and posted on their X account, “We will pursue the harshest penalties possible and will not pay the $20 million ransom demand we received. Instead we are establishing a $20 million reward fund for information leading to the arrest and conviction of the criminals responsible for this attack.” This hack was apparently made possible due to the dirtbags bribing some offshore Coinbase employees to get them the information and possibly access. All of whom have been terminated, hopefully with some prejudice. Recognizing that offshoring brings some enhanced additional risk, Coinbase has said that they are “Opening a new support hub in the U.S.” It would be nice if this became a growing trend – hiring onshore.

In Other News Events of Note and Interest:

  • A Practical Roadmap for Adopting Vibe Coding is a good article that gives a good history of Vibe Coding and recommendations for its future. If you’re unaware, this is the practice of working collaboratively with an agentic AI to write software code. Since this is rapidly gaining ground, it would behoove anyone doing software development to at least become familiar with what this is, how it works, the pitfalls and protections needed, and whether it can be used by you or your company.

Musings:

I attended BSides Tampa today; what a great conference. It was me and 2,400 or so of my best friends! The Tampa BSides is the third largest in the country, with this being their twelfth year putting on this amazing gathering of cyber security and cyber professionals. One of the highlights was the show’s closing keynote speaker, John Hammond, from Huntress Labs. He spoke about “Another round on the treadmill” – that we as security professionals have an unending assignment. We will always be dealing with our Sisyphean task of security. But as I read in an article recently, Sisyphus had a break each day: once he reached the top of the mountain with his boulder, he walked back down before starting this uphill struggle with his burden again. His muscles could rest, he could think of other things, he could, in a sense, recharge. That’s something that we cyber professionals do not have built into our worlds; we’re “always on”. John Hammond’s talk about the treadmill reminded all of us that we need to stop at times, step away, get clarity, refocus, and just be, don’t do. Because when we take time away, we can come back with renewed energy to run on that cyber security treadmill some more. So, take a break, and then, when rested, jump back on.

Visc. Jan Broucinek

And don’t forget to keep the shields up!

Viscount Jan Broucinek
Red Dot Security News
