Gibby's Cybersecurity Roundup 3/21/25 - DoTheNeedful Forums (https://dotheneedful.online/forums), Technical Discussions > Cybersecurity (thread: /showthread.php?tid=33)
Gibby's Cybersecurity Roundup 3/21/25 - gibby - 03-20-2025

Hi everyone and welcome to the second edition of Gibby's cybersecurity roundup. Each week, I'll try to compile items I've found unique or interesting as I came across them in the cybersecurity world. I'll try to keep things succinct and to the point, but if there is something I find particularly interesting I may deep dive into a topic a bit more. I'm using some industry terminology here that might not be clear to everyone. If you have questions let me know, but in the meantime here's my attempt to make it digestible for everyone:

If you want to see something added here let me know!

First, let's get started with this week's new vulnerabilities. While this list is not exhaustive -- there were a touch more than 600 new CVEs assigned this week -- it does cover some of the more popular and higher-risk ones.

- High Risk: Apache Tomcat vulnerability exploited 30 hours after security bulletin released; Confluence admins collectively groan in unison. Can't make this up -- just 30 hours after the release of the vuln, hackers had an extremely effective and really good exploit for the Tomcat service. So, you might want to patch this if you haven't already!

- High Risk: A vulnerability in Veeam allows attackers to execute code remotely; because why not? Veeam has had some doozies lately, but this one is pretty up there. Domain-joined backup servers can pew pew code out, making it easy for attackers to distribute malware. There is a patch, but the race is on before this is added to the known exploited database, so get on it. https://www.veeam.com/kb4724

- High Risk: tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. tj-actions, a well-known and widely used repo for automating CI/CD silliness, had its source changed and hackers were able to get info they shouldn't have. https://www.cve.org/CVERecord?id=CVE-2025-30066

- Medium Risk: Another popular WordPress plugin used on 200,000+ sites has a major security flaw; no one is surprised. WP Ghost, a popular WordPress security plugin, has a critical remote code execution vulnerability, allowing server takeover by unauthenticated attackers. https://patchstack.com/articles/critical-lfi-to-rce-vulnerability-in-wp-ghost-plugin-affecting-200k-sites/

- Medium Risk: Some Cisco routers have a software flaw that allows attackers to DoS the BGP service. Looks like this flaw is contained within the BGP service on Cisco XR routers, but it is a pretty bad thing. Check out the security advisory here: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-bgp-dos-O7stePhX

- Here's a free web scanner that returns some really awesome information: https://cyscan.io/

- Into threat modeling? TRAIL, a threat modeling process by Trail of Bits, blends RRA and NIST approaches to analyze system architecture for design flaws. It models system components, maps threat actor paths, and documents scenarios, providing both immediate mitigations and strategic recommendations. https://blog.trailofbits.com/2025/02/28/threat-modeling-the-trail-of-bits-way

- State-sponsored hackers (and some red teams (shhhhh)) are leveraging a flaw that was discovered in 2017 and still not patched by Microsoft. https://www.zerodayinitiative.com/advisories/ZDI-25-148/2017

- Sperm bank breach deposits data into hands of cybercriminals (I didn't want to edit this hilarious article title because it's A+ on its own). https://www.malwarebytes.com/blog/news/2025/03/sperm-bank-breach-deposits-data-into-hands-of-cybercriminals

- By Golly G Wizz... Google buys Wiz (for a metric shittonne of money). https://www.reuters.com/technology/cybersecurity/google-agrees-buy-cybersecurity-startup-wiz-32-bln-ft-reports-2025-03-18/

- New Kali version out! Now with less salt and more theme action! https://www.kali.org/blog/kali-linux-2025-1-release/

- Detection Studio is a browser tool that converts Sigma rules to SIEM languages (Splunk, Elasticsearch, Grafana) locally using pySigma. It features pipeline/filter support, persistent workspaces, and rule sharing. https://detection.studio/

- Purple Lab simplifies detection rule testing by deploying a lab for log simulation, malware/ATT&CK execution, and sandbox restoration. https://github.com/Krook9d/PurpleLab

- shadow-rs is a Rust-based Windows kernel rootkit that showcases advanced kernel manipulation with Rust's safety and performance. https://github.com/joaoviictorti/shadow-rs

- Adversary Simulation Success by the folks over at TrustedSec outlines measuring AdSim success via control testing, defensive enlightenment, and professional courtesy, providing metrics for each. https://trustedsec.com/blog/measuring-the-success-of-your-adversary-simulations

Here is a spot where I'll just generally soapbox when I want to. Keep an eye out on the clickfix campaigns I mentioned last week, folks. That activity is really ramping up.

That's it for this week. Thanks for reading, y'all. See you next week.

RE: Gibby's Cybersecurity Roundup 3/21/25 - JollyRgrs - 03-21-2025

Thanks for sharing this. Even from a non-cybersecurity person's POV, it's nice to read up on the Cliff's Notes of the week and a breakdown of what it means.

RE: Gibby's Cybersecurity Roundup 3/21/25 - mistiry - 03-27-2025

> (03-20-2025, 07:51 PM) gibby Wrote: Here's a free web scanner that returns some really awesome information:

Thanks for this, hadn't seen this one and it's pretty slick.

RE: Gibby's Cybersecurity Roundup 3/21/25 - JollyRgrs - 03-29-2025

> (03-27-2025, 04:05 PM) mistiry Wrote:
> > (03-20-2025, 07:51 PM) gibby Wrote: Here's a free web scanner that returns some really awesome information:

OK, that's really funny. One of the fuzzing URLs it checks is /secret. I'm pretty sure that was where I put my mp3s back in the mid-00s when I wanted to listen to my mp3s when out and about. I had an overly complicated bash script. It would convert my Winamp m3u of 60k+ songs and change the pathing from a local/UNC path to http://my.free.domain.thing.com/secret/mp3s/... No authentication, just wide open if you knew the URL. I guess I wasn't the only one that was doing something under /secret.
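Added example for the tj-actions changed-files item in the roundup above; this is editor-added code, not code from the post, from tj-actions or from GitHub. The practical check after a compromised action is whether your own workflows reference third-party actions by a mutable tag or branch (`@v45`, `@main`), which the upstream repo can repoint to a different commit, or by a full 40-character commit SHA, which cannot be retargeted. The script below scans a workflow file for `uses:` lines and flags every reference that is not a full-SHA pin. The sample workflow, the org/repo names in it and the 40-hex SHA are constructed placeholders, not real repositories or commits.

```python
import re
from pathlib import Path

# A full 40-hex commit SHA is the only immutable way to reference a third-party
# action or reusable workflow; tags and branches can be moved after the fact.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Matches step-level "- uses: ..." and job-level "uses: ..." (reusable workflows),
# with or without quotes, stopping before any trailing "# comment".
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^'"#\s]+)""")


def classify_ref(uses: str) -> str:
    """Classify one `uses:` value.

    Returns one of:
      "local"    - action in this repo (./path), versioned with the workflow itself
      "docker"   - docker:// image reference (pin those by image digest separately)
      "sha"      - pinned to a full 40-hex commit SHA (immutable)
      "mutable"  - tag, branch or abbreviated SHA: can be repointed upstream
      "unpinned" - no @ref at all
    """
    if uses.startswith("./"):
        return "local"
    if uses.startswith("docker://"):
        return "docker"
    if "@" not in uses:
        return "unpinned"
    _, ref = uses.rsplit("@", 1)
    # Abbreviated SHAs are deliberately rejected: they are ambiguous, and only the
    # full 40-character form is guaranteed to stay bound to one commit.
    return "sha" if FULL_SHA_RE.fullmatch(ref) else "mutable"


def find_mutable_actions(workflow_text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, uses_value, classification) for every reference that
    is not pinned to a full commit SHA. Local and docker refs are skipped."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        uses = m.group(1)
        kind = classify_ref(uses)
        if kind in ("mutable", "unpinned"):
            findings.append((lineno, uses, kind))
    return findings


def scan_workflow_dir(workflow_dir: str = ".github/workflows") -> dict[str, list]:
    """Run find_mutable_actions over every workflow file in a directory."""
    results = {}
    for path in sorted(Path(workflow_dir).glob("*.y*ml")):
        hits = find_mutable_actions(path.read_text(encoding="utf-8"))
        if hits:
            results[str(path)] = hits
    return results


# Constructed sample workflow (not from any real repository). The 40-hex value on
# the setup-python line is a placeholder SHA, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  changes:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Detect changed files
        uses: tj-actions/changed-files@v45
      - name: Pinned to a full commit SHA (placeholder value for this example)
        uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # v5
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
  deploy:
    uses: example-org/shared-workflows/.github/workflows/deploy.yml@main
"""

if __name__ == "__main__":
    for lineno, uses, kind in find_mutable_actions(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {uses} is {kind}; pin it to a full commit SHA")
```

Against the sample it reports the `actions/checkout@v4`, `tj-actions/changed-files@v45` and reusable-workflow `@main` references and accepts only the full-SHA line. Pinning to a SHA is half the fix: keep a `# vX.Y.Z` comment next to the SHA so Dependabot or Renovate can still bump it, and re-run the scan as a CI gate so a new mutable reference cannot be merged.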