Weekly Top 10: 05.05.2025: Using Trusted Protocols Against You: Gmail as a C2 Mechanism, Shadow Roles: AWS Defaults Can Open the Door to Service Takeover, Gremlin Stealer: New Stealer on Sale in Underground Forum, and More.

WEEKLY TOP TEN: May 05, 2025, 16:00 GMT

  1. Using Trusted Protocols Against You: Gmail as a C2 Mechanism

    Socket’s Threat Research Team uncovered seven malicious Python packages (named with variations of “Coffin-Codes”) that establish command and control tunnels using Gmail’s SMTP protocol. The packages connect to Gmail’s SMTP server using hardcoded credentials, send notification emails to the attacker, and create WebSocket connections that enable remote access through firewalls. Once established, these connections allow attackers to exfiltrate data, execute commands, and potentially pivot deeper into networks. The packages have since been removed from PyPI, but evidence suggests the threat actor has been operating since at least 2021.
  2. Ascension Discloses New Data Breach After Third-Party Hacking Incident

    Ascension Healthcare System has disclosed a breach affecting at least 114,692 patients after a former business partner was hacked through a vulnerability in third-party software, exposing names, addresses, SSNs, and medical records. The healthcare network discovered the incident on December 5, 2024, but only confirmed the data theft on January 21, 2025, with investigations suggesting possible links to Clop ransomware attacks targeting Cleo secure file transfer software. Affected individuals will receive two years of free identity monitoring services, including credit monitoring and identity theft restoration. This marks Ascension’s second major breach in under a year, following the May 2024 Black Basta ransomware attack that compromised personal and health data for 5.6 million patients and employees.
  3. Shadow Roles: AWS Defaults Can Open the Door to Service Takeover

    Researchers at Aqua Security discovered that the default roles for AWS services in SageMaker, Glue, and EMR are automatically configured with overly broad permissions, including AmazonS3FullAccess. These permissions allow attackers to manipulate S3 buckets used by other services, inject malicious code, and potentially take over entire AWS accounts. In one demonstration, a malicious Hugging Face model imported into SageMaker could silently execute code under a privileged role and inject backdoors into Glue job scripts. AWS has responded by scoping down default permissions and updating documentation while also notifying affected users to restrict their current default roles.
  4. Gremlin Stealer: New Stealer on Sale in Underground Forum

    Unit 42 researchers have identified Gremlin Stealer, a new C# information-stealing malware advertised on Telegram since March 2025 that bypasses Chrome cookie V20 protection. The malware steals browser data, cryptocurrency wallets, FTP/VPN credentials, Telegram/Discord sessions, and credit card information, storing it in LOCAL_APP_DATA before compressing and exfiltrating it to a dedicated server at 207.244.199[.]46. Stolen data is published through a configurable web portal that comes with the malware purchase, with 14 victim data archives currently displayed. Gremlin Stealer targets an extensive list of Chromium- and Gecko-based browsers along with multiple cryptocurrency applications, gathering system information such as PC usernames, hardware IDs, and processor details for complete victim profiling.
  5. Detecting and Countering Malicious Uses of Claude: March 2025

    Anthropic has identified and banned multiple malicious Claude users, including an “influence-as-a-service” operation that orchestrated hundreds of social media bots across platforms to push political narratives. Other banned cases include an actor scraping leaked credentials for security cameras, a recruitment fraud campaign targeting Eastern European job seekers with language-sanitized scams, and a novice threat actor developing sophisticated malware beyond their skill level.

    The most concerning case was the influence operation that used Claude to determine when social media bots should like, share, comment on, or ignore posts from authentic users based on political objectives. Anthropic has banned all associated accounts and is enhancing detection methods; however, the company has not confirmed the successful real-world deployment of most of these capabilities.
  6. Wormable Zero-Click Remote Code Execution (RCE) in AirPlay Protocol Puts Apple & IoT Devices at Risk

    Oligo Security researchers have discovered a set of critical vulnerabilities dubbed “AirBorne” in Apple’s AirPlay protocol and SDK that allow wormable zero-click remote code execution on affected devices. The most severe flaws (CVE-2025-24252 and CVE-2025-24132) let attackers take over macOS devices, speakers, receivers, and CarPlay units with no user interaction when the AirPlay receiver is enabled and set to “Anyone on the same network” or “Everyone”.

    Once compromised, infected devices can spread malware to other vulnerable devices on any networks they connect to, potentially leading to espionage, ransomware, and supply chain attacks across the estimated 2.35 billion active Apple devices worldwide. Apple has released patches for the 17 CVEs issued from the 23 vulnerabilities disclosed, with researchers recommending users update immediately, disable AirPlay when not in use, and restrict settings to “Current User” only.
  7. Over 1,200 SAP NetWeaver Servers Vulnerable to Actively Exploited Flaw

    More than 1,200 internet-facing SAP NetWeaver servers are affected by a maximum-severity flaw (CVE-2025-31324) in the Visual Composer Metadata Uploader that lets unauthenticated attackers upload arbitrary executable files, enabling full system compromise by dropping web shells such as “cache.jsp” and “helper.jsp” on vulnerable servers.

    According to cybersecurity firm Onyphe, the compromise of 474 servers has already affected approximately 20 Fortune 500/Global 500 companies. SAP released a workaround on April 8, followed by a security update on April 25, with recommended mitigations including restricting access to the affected endpoint, disabling Visual Composer if unused, and monitoring for unauthorized files in the servlet path.
  8. SonicBoom, From Stolen Tokens to Remote Shells – SonicWall SMA

    WatchTowr has released a report detailing how attackers combine two vulnerabilities (CVE-2024-38475 and CVE-2023-44221) to compromise SonicWall SMA appliances. CVE-2024-38475 exploits Apache HTTP Server’s mod_rewrite module to enable pre-authentication arbitrary file read by abusing DocumentRoot Confusion and Filename Truncation techniques, allowing attackers to extract active session tokens from the SQLite database stored at /tmp/temp.db. Once authenticated, attackers leverage CVE-2023-44221, a command injection vulnerability in the traceroute6 diagnostic function, bypassing input sanitization via a buffer overflow with excessive double quotes that breaks out of command encapsulation. These two vulnerabilities together create a complete attack chain for unauthorized access and remote command execution on vulnerable SonicWall SMA appliances.
  9. Interesting WordPress Malware Disguised as Legitimate Anti-Malware Plugin

    Wordfence discovered sophisticated WordPress malware disguised as an anti-malware plugin that establishes persistence by modifying wp-cron.php to reinstall itself if removed. The malware allows attackers to maintain access through an emergency login function, hide from the dashboard, execute remote code via the REST API, and communicate with a C&C server at 45.61.136.85. It spreads by injecting malicious code into theme header files to display ads and modifies legitimate WordPress files to gain persistence. We’ve observed the malicious plugin under various names, such as WP-antymalwary-bot.php, addons.php, wpconsole.php, wp-performance-booster.php, and scr.php.
  10. Backdoor Found in Popular E-Commerce Components

    Security researchers at Sansec have discovered a coordinated supply chain attack affecting 21 popular e-commerce extensions from vendors including Tigren, Meetanshi, and MGS, with backdoors injected into their download servers around 6 years ago but only recently activated. The backdoor, found in License.php or LicenseApi.php files, enables remote code execution through a fake license check function that can execute arbitrary PHP code supplied by attackers. Despite the backdoors being present since 2019, active exploitation only began around April 20th, 2025, with an estimated 500 to 1000 stores currently running the compromised software, including a $40 billion multinational company. We kindly recommend that affected stores promptly check for and remove the backdoored components.

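The C2 pattern in item 1 (a Gmail SMTP host, hard-coded credentials and an outbound tunnel module in one package) can be screened for statically before a dependency is installed. The following is an added example, not code from Socket's report or from the packages themselves; the host and module lists and the sample source are assumptions constructed for illustration.

```python
"""Added example (not Socket's code): static heuristic that flags Python source pairing
a Gmail SMTP host, a hard-coded .login() call and a tunnel-capable module, the
combination described in item 1. Host/module lists and SAMPLE are constructed assumptions."""
import ast

GMAIL_HOSTS = {"smtp.gmail.com", "imap.gmail.com"}
TUNNEL_MODULES = {"websocket", "websockets", "socket"}


def scan_source(source: str) -> list[str]:
    """Return one finding string per suspicious construct found in the module."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            names = [node.module or ""]
        else:
            names = []
        for name in names:
            if name.split(".")[0] in TUNNEL_MODULES:
                findings.append(f"imports tunnel-capable module {name}")
        # A string literal naming a Gmail mail host.
        if isinstance(node, ast.Constant) and node.value in GMAIL_HOSTS:
            findings.append(f"references mail host {node.value}")
        # obj.login("user", "secret"): both credentials are literals in the source.
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "login" and len(node.args) >= 2
                and all(isinstance(a, ast.Constant) and isinstance(a.value, str)
                        for a in node.args[:2])):
            findings.append("calls .login() with hard-coded credentials")
    return findings


def is_suspicious(source: str) -> bool:
    """Only the combination of all three traits is flagged; any one alone is common in benign code."""
    found = scan_source(source)
    return all(any(tag in f for f in found)
               for tag in ("mail host", "hard-coded", "tunnel-capable"))


# Constructed sample: the skeleton of the behaviour described, with placeholder values.
SAMPLE = '''
import smtplib
import websocket
s = smtplib.SMTP_SSL("smtp.gmail.com", 465)
s.login("someone@example.com", "app-password-placeholder")
'''
```

Run scan_source over each module in an unpacked sdist or wheel as part of dependency review; a mailer that reads credentials from the environment and opens no tunnel is not flagged.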
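For item 3, the audit a cloud team would run is to enumerate which IAM roles SageMaker, Glue and EMR can assume and which managed policies they carry. The following is an added example, not Aqua Security's or AWS's code: it runs offline on constructed role records shaped like IAM's get_role and list_attached_role_policies responses (role names are placeholders), and includes a scoped S3 policy as the kind of replacement to swap in for AmazonS3FullAccess.

```python
"""Added example (not Aqua Security's or AWS's tooling): flag IAM roles that SageMaker,
Glue or EMR can assume and that carry a broad managed policy such as AmazonS3FullAccess,
the default-role issue in item 3. SAMPLE_ROLES is constructed; names are placeholders."""

# Service principals named in the research (assumed exact principal strings).
WATCHED_PRINCIPALS = {"sagemaker.amazonaws.com", "glue.amazonaws.com", "elasticmapreduce.amazonaws.com"}
# Managed policies that grant far more than a service role needs.
BROAD_POLICIES = {"arn:aws:iam::aws:policy/AmazonS3FullAccess", "arn:aws:iam::aws:policy/AdministratorAccess"}


def trusted_services(assume_role_doc: dict) -> set[str]:
    """Collect the service principals that the trust policy allows to assume the role."""
    services = set()
    for stmt in assume_role_doc.get("Statement", []):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        svc = principal.get("Service", [])
        services.update([svc] if isinstance(svc, str) else svc)
    return services


def audit_roles(roles: list[dict]) -> list[dict]:
    """One finding per role that a watched service can assume and that holds a broad policy."""
    findings = []
    for role in roles:
        services = trusted_services(role["AssumeRolePolicyDocument"]) & WATCHED_PRINCIPALS
        broad = {p["PolicyArn"] for p in role["AttachedPolicies"]} & BROAD_POLICIES
        if services and broad:
            findings.append({"RoleName": role["RoleName"], "Services": sorted(services),
                             "BroadPolicies": sorted(broad)})
    return findings


def scoped_s3_policy(bucket: str) -> dict:
    """Least-privilege replacement: the role reaches only the one bucket its jobs use."""
    arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": arn},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": f"{arn}/*"},
    ]}


# Constructed sample in the shape of get_role()["Role"] plus list_attached_role_policies().
SAMPLE_ROLES = [
    {"RoleName": "AmazonSageMaker-ExecutionRole-PLACEHOLDER",
     "AssumeRolePolicyDocument": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                                 "Principal": {"Service": "sagemaker.amazonaws.com"}}]},
     "AttachedPolicies": [{"PolicyArn": "arn:aws:iam::aws:policy/AmazonS3FullAccess"}]},
]
```

To run it against a real account, build the same records from boto3's iam.list_roles, iam.get_role and iam.list_attached_role_policies calls; inline policies need a separate pass over iam.list_role_policies.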
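Item 7's recommended mitigation of monitoring the servlet path for unauthorized files is a baseline-and-diff job. The following is an added example, not SAP's or Onyphe's tooling: it hashes a directory tree, compares a later snapshot against the baseline, and flags new or changed web-executable files; the directory contents in demo() are constructed in a temporary directory.

```python
"""Added example (not SAP's or Onyphe's tooling): baseline-and-diff check that reports files
newly dropped or altered under a servlet directory, the "monitor for unauthorized files"
mitigation from item 7. demo() builds a constructed tree in a temp dir; point snapshot()
at the real servlet path and persist its output to use it for monitoring."""
import hashlib
import tempfile
from pathlib import Path

# Extensions the servlet container will execute; a new one of these is the web-shell signal.
WEB_EXECUTABLE = {".jsp", ".jspx", ".class", ".jar"}


def snapshot(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def diff_snapshots(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify added, removed and modified files; web-executable ones among added+modified are suspicious."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    suspicious = [p for p in added + modified if Path(p).suffix.lower() in WEB_EXECUTABLE]
    return {"added": added, "removed": removed, "modified": modified, "suspicious": suspicious}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a small tree, then drop files with the names reported above."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "WEB-INF").mkdir()
        (root / "WEB-INF" / "web.xml").write_text("<web-app/>")
        (root / "index.jsp").write_text("<html>ok</html>")
        baseline = snapshot(root)
        # Simulated post-compromise state: two new JSP files and one changed page.
        (root / "cache.jsp").write_text("<%-- placeholder, not a real web shell --%>")
        (root / "helper.jsp").write_text("<%-- placeholder, not a real web shell --%>")
        (root / "index.jsp").write_text("<html>changed</html>")
        return diff_snapshots(baseline, snapshot(root))
```

Take the baseline immediately after applying SAP's April 25 update, store it outside the web root, and treat any entry in "suspicious" as an incident to investigate rather than a file to delete.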
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The top 10 stories above were selected from the 40+ original ones as those we determined to be most significant during the course of the week, ranked by highest risk and drawing on multiple sources when available.