ioc.exchange is one of the many independent Mastodon servers you can use to participate in the fediverse.
INDICATORS OF COMPROMISE (IOC) InfoSec Community within the Fediverse. Newbies, experts, gurus - Everyone is Welcome! Instance is supposed to be fast and secure.

#http

10 posts · 9 participants · 1 post today

CrushFTP CVE-2025-31161 Auth Bypass and Post-Exploitation

A critical vulnerability (CVE-2025-31161) in CrushFTP managed file transfer software allows attackers to bypass authentication and gain admin-level access. Affecting versions 10.0.0-10.8.3 and 11.0.0-11.3.0, the flaw enables unauthorized actions, including data retrieval and administrative control. Exploitation has been observed since March 30, 2025, with ~1,500 vulnerable instances exposed. Post-exploitation activities include creating backdoor accounts, deploying MeshCentral agents, and using AnyDesk for remote access. A Telegram bot-based malware was also identified. The vulnerability stems from improper S3 authorization header processing and can be exploited with a simple HTTP request. Immediate patching to versions 11.3.1+ or 10.8.4+ is strongly recommended.

Pulse ID: 67f0e1f9e7eb1709fa231134
Pulse Link: otx.alienvault.com/pulse/67f0e
Pulse Author: AlienVault
Created: 2025-04-05 07:55:37

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

LevelBlue - Open Threat Exchange: Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.
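The advisory above gives two vulnerable version ranges and two fixed minimums, which is exactly the input an asset-inventory triage script needs. The following is an added example, not code from the advisory or from CrushFTP: it parses version strings, classifies each against the ranges quoted on the page, and runs over a constructed inventory (the hostnames and version strings are made up for illustration).

```python
import re
from typing import Dict, Tuple

# Ranges quoted from the advisory: 10.0.0-10.8.3 and 11.0.0-11.3.0 are
# affected; 10.8.4+ and 11.3.1+ are the fixed releases.
VULNERABLE_RANGES = [((10, 0, 0), (10, 8, 3)), ((11, 0, 0), (11, 3, 0))]
FIXED_MINIMUMS = {10: (10, 8, 4), 11: (11, 3, 1)}

VERSION_RE = re.compile(r"\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract the leading major.minor.patch triple from a version string.

    Tolerates trailing build suffixes such as '11.3.1_12' (a constructed
    format, not necessarily what CrushFTP reports).
    """
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def classify(version: str) -> str:
    """Return 'vulnerable', 'patched', or 'outside advisory ranges'."""
    v = parse_version(version)
    for low, high in VULNERABLE_RANGES:
        if low <= v <= high:
            return "vulnerable"
    fixed = FIXED_MINIMUMS.get(v[0])
    if fixed is not None and v >= fixed:
        return "patched"
    # Majors the advisory does not list (e.g. 9.x) are reported as unknown
    # rather than silently treated as safe.
    return "outside advisory ranges"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Classify every host in a {hostname: version} mapping."""
    return {host: classify(ver) for host, ver in inventory.items()}


# Constructed inventory for demonstration; these are not real hosts.
SAMPLE_INVENTORY = {
    "mft-01.example.internal": "11.3.0",
    "mft-02.example.internal": "11.3.1_12",
    "mft-03.example.internal": "10.8.3",
    "mft-04.example.internal": "10.8.4",
    "mft-05.example.internal": "9.5.0",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host:28} {verdict}")
```

Hosts that come back "vulnerable" are the ones the advisory says to upgrade to 11.3.1+ or 10.8.4+; hosts outside the listed ranges still deserve a manual check against the vendor's own notes rather than being assumed safe.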

iX Workshop: API design and development with HTTP, REST and OpenAPI

Learn how to develop efficient and user-friendly APIs, apply HTTP and REST standards, and create standardised reference documentation.

heise.de/news/iX-Workshop-API-

heise online · iX Workshop: API design and development with HTTP, REST and OpenAPI, by Ilona Krause
#API #HTTP #IT

Trying to come up with my own little self-hosted #http #authentication #daemon to work with #nginx' "authentication request" facility ... first step done! 🥳

Now I have a subset of HTTP 1.x implemented in #C, together with a dummy handler showing nothing but a static hello-world root document.

I know it's kind of stubborn doing that in C, but hey, #coding it is great fun 🙈

github.com/Zirias/swad

GitHub · Zirias/swad: Simple Web Authentication Daemon. Contribute to Zirias/swad development by creating an account on GitHub.

Posted about it yesterday already. But it looks like archive.today shows the default page of the #Apache #webserver on #Ubuntu. The alternative domain name archive.is instead redirects with a 301 - Moved Permanently to a new domain, krola.org, a website apparently comparing pet rabbit species?? It's also interesting that the redirect to the new domain responds with an #HTTP header server: nginx/1.18 (Ubuntu). Apparently, the default Apache landing page also returns the same HTTP header information on the server. Perhaps the landing page is a decoy/deflection?

Does anyone on #infosecexchange have any speculations about the website?

CoffeeLoader: A Brew of Stealthy Techniques

CoffeeLoader is a sophisticated malware family discovered in September 2024, designed to download and execute second-stage payloads while evading detection. It employs numerous techniques to bypass security solutions, including a GPU-utilizing packer, call stack spoofing, sleep obfuscation, and Windows fibers. The malware uses HTTPS for command-and-control communications with certificate pinning to prevent man-in-the-middle attacks. It supports various commands for injecting and running shellcode, executables, and DLLs. CoffeeLoader shares similarities with SmokeLoader, which has been observed distributing it. The loader implements advanced features beneficial for evading detection by antivirus, EDRs, and malware sandboxes, making it a formidable threat in the crowded market of malware loaders.

Pulse ID: 67e5309946530b6bf94aabf8
Pulse Link: otx.alienvault.com/pulse/67e53
Pulse Author: AlienVault
Created: 2025-03-27 11:03:53

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


A Practical Guide to Uncovering Malicious Infrastructure With Hunt.io

This guide demonstrates how to use Hunt.io to investigate and track malicious infrastructure. Starting with a single suspicious IP address, the process involves analyzing hosting providers, domain information, open ports, HTTP responses, and TLS certificates. The investigation reveals connections to potential cryptocurrency fraud and malware operations. By leveraging Hunt's scan data and SQL queries, a small cluster of related servers is identified, possibly linked to Latrodectus malware. The guide emphasizes the importance of persistence, pattern recognition, and correlating data from multiple intelligence sources to effectively track threat actor operations.

Pulse ID: 67e342d7a17ba37eb960497a
Pulse Link: otx.alienvault.com/pulse/67e34
Pulse Author: AlienVault
Created: 2025-03-25 23:57:11

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


Chinese APT’s Stealthy Web Shell & HTTP Tunneling Campaign in Telecom Networks

The Weaver Ant threat actor maintained four-year persistent access in an Asian telecom network by deploying stealthy web shells.

Pulse ID: 67e31944a2fbedb7ff514ec0
Pulse Link: otx.alienvault.com/pulse/67e31
Pulse Author: cryptocti
Created: 2025-03-25 20:59:48

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


From: blenderdumbass . org

The multiplayer, or the lack thereof, at the moment is so utterly broken and so lacking of being properly made that for a long time, I was just not bothering with it. Seeing it as something unnecessary. Something that does not need to be touched, because other things, like the...

Read or listen:
https://blenderdumbass.org/articles/a_rant_about_making_a_multiplayer_game

#Gamedev #DanisRace #Networking #Multiplayer #TCP #HTTP #Programming #Python #UPBGE #Blender3d #GNU #Linux #GamingOnLinux #FreeSoftware #OpenSource

blenderdumbass.org · A Rant About Making a Multiplayer Game

Weaver Ant, the Web Shell Whisperer: Tracking a China-Nexus Cyber Operation

Sygnia uncovered a sophisticated China-nexus threat actor, Weaver Ant, targeting a major Asian telecom company. The group employed web shells and tunneling techniques for persistence and lateral movement, maintaining access for over four years. They utilized encrypted China Chopper and custom 'INMemory' web shells, along with a recursive HTTP tunnel tool for internal network access. Weaver Ant demonstrated advanced evasion techniques, including ETW patching, AMSI bypassing, and 'PowerShell without PowerShell' execution. The operation involved extensive reconnaissance, credential harvesting, and data exfiltration. Despite eradication attempts, the group showed remarkable persistence, adapting their tactics to regain access.

Pulse ID: 67e2ab375298346f9c281119
Pulse Link: otx.alienvault.com/pulse/67e2a
Pulse Author: AlienVault
Created: 2025-03-25 13:10:15

Be advised, this data is unverified and should be considered preliminary. Always do further verification.


Should you ever run across an article that says you don't need a VPN because almost every website uses HTTPS, be aware that you cannot see the encryption, or the lack of it, in mobile apps. Thus, things like this happen - Apple did not bother to upgrade their own software from HTTP to HTTPS.

9to5mac.com/2025/03/18/apples-
Apple’s Passwords app was vulnerable to phishing attacks for nearly three months after launch
#vpn #http #https #encryption

9to5Mac · Apple's Passwords app was vulnerable to phishing attacks for nearly three months after launch: In iOS 18, Apple spun off its Keychain password management tool, previously only tucked away in Settings, into a standalone app called...

Mastodon client API

Even though much in the #Fediverse revolves around #ActivityPub, and a #client interface is indeed sketched out there, #Mastodon uses its own client API, which is (at least partially) also supported by other fediverse server software (e.g. #Friendica, #Firefish, #Mammuthus).

This #API (application programming interface, an #interface for #programming applications) lets apps and clients perform the corresponding functions on an #instance. This API makes the development of apps like #Tusky, #Fedilab & Co. possible.

You can also use this API to run accounts in a (partly) automated way.

Or to collect statistics... or... or... ;-)

The API is publicly documented and freely available.

General documentation on #Mastodon (in English):
https://docs.joinmastodon.org/

"Getting started with the API":
https://docs.joinmastodon.org/client/intro/

Anyone toying with the idea of using the API should be able to get comfortable with #HTTP, #JSON & Co. And a knowledge of English is generally an advantage in this area...

docs.joinmastodon.org · Mastodon documentation: Welcome to the Mastodon documentation!

Quick question for folks who understand HTTP caching on reverse proxies like Squid or Cloudflare. If I have a GET REST endpoint responding with 200 OK and the following headers:

Cache-Control: public, max-age=3600  
ETag: "123-a"

The proxy should cache and serve the response without hitting the underlying server more than once for the first hour, then send a request with If-Match: "123-a" when the cache goes stale, right? Is there any reason why it wouldn’t?

#http #caching #etag
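The exchange the question above describes, as an added example that is not part of the original post: a minimal shared cache that honours max-age, serves hits without contacting the origin while the entry is fresh, and revalidates once it goes stale. One detail worth checking against RFC 9110: a cache revalidates a stored response with If-None-Match carrying the stored ETag (the origin answers 304 if it still matches), whereas If-Match is the precondition used to guard state-changing requests such as PUT. The origin and the fake clock below are constructed stand-ins, not any real proxy's code; real proxies such as Cloudflare also apply their own default cacheability rules per content type, so the headers alone do not guarantee the behaviour shown here.

```python
import re
import time
from typing import Callable, Dict, List, Optional, Tuple

MAX_AGE_RE = re.compile(r"max-age=(\d+)")


class Origin:
    """Stand-in for the REST backend (constructed): serves a JSON body with an
    ETag and answers conditional requests with 304 when the validator matches."""

    def __init__(self, body: bytes, etag: str, max_age: int = 3600):
        self.body, self.etag, self.max_age = body, etag, max_age
        self.hits = 0  # how many requests actually reached the origin

    def get(self, headers: Dict[str, str]) -> Tuple[int, Dict[str, str], bytes]:
        self.hits += 1
        resp_headers = {
            "Cache-Control": f"public, max-age={self.max_age}",
            "ETag": self.etag,
        }
        # RFC 9110 13.1.2: If-None-Match carries the cached validator;
        # a match means the stored representation is still current.
        if headers.get("If-None-Match") == self.etag:
            return 304, resp_headers, b""
        return 200, resp_headers, self.body


class SharedCache:
    """Minimal shared (proxy) cache: fresh entries are served locally,
    stale entries are revalidated with If-None-Match before reuse."""

    def __init__(self, origin: Origin, clock: Callable[[], float] = time.time):
        self.origin, self.clock = origin, clock
        self.entry: Optional[Tuple[float, Dict[str, str], bytes]] = None

    @staticmethod
    def _max_age(headers: Dict[str, str]) -> int:
        m = MAX_AGE_RE.search(headers.get("Cache-Control", ""))
        return int(m.group(1)) if m else 0

    def get(self) -> Tuple[int, bytes, str]:
        """Return (status, body, outcome) where outcome is one of
        'miss', 'hit', 'revalidated' or 'refreshed'."""
        now = self.clock()
        if self.entry is not None:
            stored_at, headers, body = self.entry
            if now - stored_at < self._max_age(headers):
                return 200, body, "hit"          # fresh: origin not contacted
            # Stale: send a conditional request with the stored ETag.
            status, new_headers, new_body = self.origin.get(
                {"If-None-Match": headers["ETag"]}
            )
            if status == 304:
                # Validator still matches: keep the body, restart freshness.
                self.entry = (now, {**headers, **new_headers}, body)
                return 200, body, "revalidated"
            self.entry = (now, new_headers, new_body)
            return 200, new_body, "refreshed"
        status, headers, body = self.origin.get({})
        self.entry = (now, headers, body)
        return 200, body, "miss"


def simulate() -> Tuple[List[str], int]:
    """Drive the cache through fresh, stale-unchanged and stale-changed phases
    with a fake clock; returns the outcomes and the number of origin hits."""
    t = [0.0]
    origin = Origin(b'{"status":"ok"}', '"123-a"')
    cache = SharedCache(origin, clock=lambda: t[0])
    outcomes = [cache.get()[2]]              # first request: miss, origin hit 1
    t[0] = 1800
    outcomes.append(cache.get()[2])          # within the hour: hit, no origin call
    t[0] = 3601
    outcomes.append(cache.get()[2])          # stale, ETag unchanged: 304, origin hit 2
    origin.body, origin.etag = b'{"status":"changed"}', '"124-b"'
    t[0] = 7300
    outcomes.append(cache.get()[2])          # stale, ETag changed: 200, origin hit 3
    return outcomes, origin.hits


if __name__ == "__main__":
    print(simulate())
```

Three origin hits over four requests spanning two hours is the behaviour the question expects; the one correction is the header name on the revalidation request.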
