COSMICBYTEZLABS
NEWS

ThreatsDay Bulletin: Defender 0-Day, SonicWall Brute-Force, 17-Year-Old Excel RCE

This week's threat roundup covers an unpatched Microsoft Defender zero-day, active SonicWall brute-force campaigns, a 17-year-old Excel RCE vulnerability now being exploited, and 15 additional security stories demanding attention.

Dylan H.

News Desk

April 19, 2026

Another week, another pile of threats. The April 16 ThreatsDay Bulletin from The Hacker News covers 18 distinct stories — including a Microsoft Defender zero-day that's still unpatched, SonicWall appliances under sustained brute-force assault, and a 17-year-old Excel code execution vulnerability that apparently never got the memo it was supposed to stop working.

Top Stories

Microsoft Defender Zero-Day (Unpatched)

A zero-day vulnerability in Microsoft Defender for Endpoint is under active exploitation. The flaw lets attackers disable Defender's real-time protection on targeted endpoints without triggering alerts — effectively blinding the EDR before they execute malicious payloads.

Microsoft has acknowledged the vulnerability but has not yet released a patch. Workarounds involve:

  • Enabling Tamper Protection via Intune or Microsoft Defender portal
  • Monitoring for registry key modifications under HKLM\SOFTWARE\Microsoft\Windows Defender\
  • Alerting on DisableAntiSpyware and DisableRealtimeMonitoring policy changes
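The third workaround above is the one a SOC can automate. The following is an added example, not code from the bulletin or from Microsoft: it walks a text export of Defender's configuration-change events and raises an alert only when one of the two named values flips from 0 to a non-zero value under a Windows Defender key, so a change that re-enables protection or touches an unrelated setting stays quiet. The record layout (Event ID 5007 with "Old value:" / "New value:" lines of the form `HKLM\...\ValueName = 0x1`) is an assumption made for the example, and the four records are constructed.

```python
"""
Added example (not from the bulletin or Microsoft): flag Defender
configuration-change events that switch off real-time protection or the
antispyware engine.

Assumptions, labelled as such: the input is a text export of the
Microsoft-Windows-Windows Defender/Operational log in which each
configuration-change record (Event ID 5007) carries "Old value:" and
"New value:" lines shaped like  HKLM\...\<ValueName> = 0x1.
The records in SAMPLE_EVENTS are constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

EVENT_ID_CONFIG_CHANGED = 5007

# Value names from the bulletin's detection list; compared case-insensitively.
WATCHED_VALUES = {"disableantispyware", "disablerealtimemonitoring"}
# Both the legacy key and the policy key can carry these values.
WATCHED_KEY_PREFIXES = (
    r"hklm\software\microsoft\windows defender",
    r"hklm\software\policies\microsoft\windows defender",
)

# path = everything up to the last backslash, name = the value name, val = 0x.. or decimal
VALUE_LINE = re.compile(
    r"^\s*(Old|New) value:\s*(?P<path>HKLM\\.*)\\(?P<name>[^\\=\s]+)\s*=\s*(?P<val>0x[0-9a-fA-F]+|\d+)\s*$",
    re.IGNORECASE,
)

# Constructed sample export: two tamper attempts, one unrelated change, one re-enable.
SAMPLE_EVENTS = r"""
Event ID: 5007
Time: 2026-04-15T09:12:03Z
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = 0x0
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = 0x1

Event ID: 5007
Time: 2026-04-15T09:12:10Z
Old value: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = 0x0
New value: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = 0x1

Event ID: 5007
Time: 2026-04-15T10:00:00Z
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\ScanParameters = 0x1
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\ScanParameters = 0x2

Event ID: 5007
Time: 2026-04-15T11:30:00Z
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = 0x1
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = 0x0
""".strip()


@dataclass(frozen=True)
class TamperAlert:
    time: str
    name: str
    path: str
    old: int
    new: int


def _parse_int(text: str) -> int:
    return int(text, 16) if text.lower().startswith("0x") else int(text)


def parse_events(text: str) -> list[dict]:
    """Split the export into blank-line-separated records and pull out the
    event id, timestamp and the (path, name, value) of the old/new lines."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec: dict = {"id": None, "time": None, "old": None, "new": None}
        for line in chunk.splitlines():
            if line.startswith("Event ID:"):
                rec["id"] = int(line.split(":", 1)[1])
            elif line.startswith("Time:"):
                rec["time"] = line.split(":", 1)[1].strip()
            else:
                m = VALUE_LINE.match(line)
                if m:
                    rec[m.group(1).lower()] = (m["path"], m["name"], _parse_int(m["val"]))
        records.append(rec)
    return records


def find_tamper_attempts(text: str) -> list[TamperAlert]:
    """One alert per configuration change that sets a watched value to
    non-zero under a Defender key. Re-enables (1 -> 0) and unrelated
    values are ignored so the alert stays high-signal."""
    alerts = []
    for rec in parse_events(text):
        if rec["id"] != EVENT_ID_CONFIG_CHANGED or not rec["new"]:
            continue
        path, name, new = rec["new"]
        key = path.lower() + "\\"
        if name.lower() not in WATCHED_VALUES:
            continue
        if not any(key.startswith(p + "\\") for p in WATCHED_KEY_PREFIXES):
            continue
        old = rec["old"][2] if rec["old"] else 0
        if new != 0 and old == 0:
            alerts.append(TamperAlert(rec["time"], name, path, old, new))
    return alerts


if __name__ == "__main__":
    for alert in find_tamper_attempts(SAMPLE_EVENTS):
        print(f"{alert.time} TAMPER {alert.name} {alert.old}->{alert.new} ({alert.path})")
```

Run against the constructed export, the first two records produce alerts and the last two do not. With Tamper Protection enabled these writes should be refused rather than merely logged, so an alert from this rule on a host that is supposed to be protected also indicates that Tamper Protection itself is off or bypassed.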

SonicWall Brute-Force Campaigns

Threat actors are conducting large-scale credential brute-force attacks against SonicWall SMA (Secure Mobile Access) and NetExtender VPN appliances. Attackers are targeting:

  • Default and weak admin credentials on internet-exposed management interfaces
  • Accounts with usernames matching common enterprise naming conventions (first.last, flast)
  • Legacy SonicWall firmware versions with known authentication weaknesses

Approximately 23,000 SonicWall appliances remain internet-exposed with management interfaces publicly accessible, according to Shodan scans. Organizations should:

  1. Restrict management interface access to trusted IP ranges
  2. Enforce strong password policies and account lockout thresholds
  3. Upgrade to patched firmware versions (SMA 10.2.1.14 or later)
  4. Enable MFA for all VPN and management authentication

17-Year-Old Excel RCE (CVE-2009-3130 Variant)

A vulnerability class first identified in the Microsoft Excel 2007–2010 era is being resurrected in modern attack chains. Researchers confirmed that a variant of the old OLE object embedding technique (related to CVE-2009-3130) can be triggered in current Excel versions when they process legacy .xls format files.

The flaw allows arbitrary code execution when a victim opens a maliciously crafted spreadsheet. Attack chains observed in the wild use:

  • Phishing emails with .xls attachments (not .xlsx)
  • Excel's legacy DDE (Dynamic Data Exchange) mechanism
  • Macro-free exploitation — no VBA or Office macro settings required

Microsoft has confirmed the issue affects Excel through Office 2021 under specific legacy file processing conditions. A patch is expected in the next Patch Tuesday cycle.
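Blocking legacy .xls attachments at the gateway only works if the gateway looks at the file, not the file name. The following is an added example, not the bulletin's or any vendor's code: it classifies a spreadsheet attachment from its container signature, so a legacy binary workbook renamed to .csv or .xlsx is still caught. Two facts are relied on: legacy .xls files are OLE2 Compound File Binary containers whose first eight bytes are D0 CF 11 E0 A1 B1 1A E1, and .xlsx/.xlsm files are ZIP archives starting with 50 4B 03 04. The attachment bytes are constructed stubs (signature plus padding), not real workbooks, and the policy function and its names are assumptions made for the example.

```python
"""
Added example (not from the bulletin): decide on a spreadsheet attachment
from its container signature instead of its extension.

Facts used: legacy .xls files are OLE2 CFB containers (magic D0CF11E0A1B11AE1);
.xlsx/.xlsm files are ZIP archives (magic 504B0304).
The attachments in SAMPLE_ATTACHMENTS are constructed stubs.
"""
from __future__ import annotations

import posixpath

OLE2_CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy binary Office (.xls/.doc/.ppt)
ZIP_MAGIC = b"PK\x03\x04"                            # OOXML (.xlsx/.xlsm/.docx)

LEGACY_SPREADSHEET_EXTS = {".xls", ".xlt", ".xla"}
OOXML_SPREADSHEET_EXTS = {".xlsx", ".xlsm", ".xltx", ".xltm"}


def container_type(data: bytes) -> str:
    """'ole2' for a Compound File Binary container, 'zip' for a ZIP archive,
    otherwise 'other'. Only the leading bytes are inspected."""
    if data.startswith(OLE2_CFB_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "other"


def classify_attachment(filename: str, data: bytes, allow_legacy_binary: bool = False) -> str:
    """Return 'block', 'quarantine' or 'allow'.

    block      - OLE2 container, i.e. a legacy .xls by content regardless of
                 name, unless legacy binary formats are explicitly allowed.
    quarantine - spreadsheet extension whose bytes are not the container that
                 extension implies (renamed, truncated or malformed file).
    allow      - everything else (OOXML spreadsheets, unrelated file types).
    """
    ext = posixpath.splitext(filename.lower())[1]
    kind = container_type(data)
    if kind == "ole2":
        return "allow" if allow_legacy_binary else "block"
    if ext in LEGACY_SPREADSHEET_EXTS or (ext in OOXML_SPREADSHEET_EXTS and kind != "zip"):
        return "quarantine"
    return "allow"


def _stub(magic: bytes, size: int = 512) -> bytes:
    """Constructed stand-in for a file: the signature followed by padding."""
    return magic + b"\x00" * (size - len(magic))


# Constructed sample attachments (name -> bytes).
SAMPLE_ATTACHMENTS = {
    "q1_forecast.xls": _stub(OLE2_CFB_MAGIC),   # genuine legacy workbook
    "invoice.xlsx": _stub(ZIP_MAGIC),            # OOXML workbook
    "report.csv": _stub(OLE2_CFB_MAGIC),         # legacy workbook renamed to dodge an extension rule
    "budget.xlsx": _stub(OLE2_CFB_MAGIC),        # legacy content under an OOXML name
    "notes.xls": b"plain text, not a workbook",  # extension promises a workbook, bytes do not
    "readme.txt": b"hello",                      # unrelated type
}


def triage(attachments: dict[str, bytes]) -> dict[str, str]:
    """Apply the policy to every attachment and return name -> verdict."""
    return {name: classify_attachment(name, data) for name, data in attachments.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{verdict:10s} {name} ({container_type(SAMPLE_ATTACHMENTS[name])})")
```

On the constructed set, the three OLE2 files are blocked whatever they are called, the text file named notes.xls is quarantined for the mismatch, and the OOXML workbook and the .txt pass. The content check matters because Excel chooses a parser from the file's content rather than its extension (it warns on a mismatch but still opens the file), so an extension-only rule is defeated by renaming.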

Additional Headlines This Week

Story | Impact
Fortinet SSL-VPN mass scanning resumes | Threat actors scanning for CVE-2024-21762 targets
Chrome extension steals MetaMask seeds | 45,000 installs before removal
Node.js supply chain via npm typosquatting | 12 malicious packages, 180K downloads
Clop ransomware resurgence targets healthcare | 8 new victims disclosed
Okta phishing via stolen session cookies | Bypasses SSO in post-auth window
GitLab SSRF flaw under active exploitation | CVE-2026-2494, CVSS 8.2
Palo Alto PAN-OS DoS via crafted packets | No auth required, affects GlobalProtect
Android banking trojan updated with overlay | Targets 200+ banking apps
Iranian APT targets Middle East energy sector | Spear-phishing with custom backdoor
PyPI malicious packages embed crypto miners | 28 packages active for 3+ weeks

Key Takeaways for Defenders

Patch prioritization this week:

  1. Apply Microsoft Defender Tamper Protection immediately (zero-day mitigation)
  2. Audit SonicWall exposure and enforce MFA
  3. Block legacy .xls attachments at the email gateway if not business-required
  4. Review Chrome extension inventory for unauthorized additions

Detection focus:

  • Defender registry key modifications (tamper attempts)
  • Unusual auth failures against VPN appliances from single source IPs
  • Excel processes spawning child processes or network connections
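The second detection item, and the SonicWall brute-force story above, both come down to counting authentication failures per source address inside a short window. The following is an added example, not code from the bulletin or from SonicWall: a sliding-window detector run over constructed VPN authentication log lines. The line layout (ISO timestamp, host, `auth: FAILED|OK user=... src=...`) is an assumption made for the example and should be swapped for the appliance's real syslog format; the source addresses are documentation ranges. Beyond the single-IP count, it also reports how many distinct usernames were tried and how many follow the first.last convention the bulletin says attackers are targeting.

```python
"""
Added example (not from the bulletin): sliding-window detection of
authentication failures from a single source IP against a VPN appliance.

Assumption: log lines look like
  2026-04-16T03:12:01Z sma01 auth: FAILED user=john.smith src=203.0.113.7
Adapt LINE_RE to the real syslog layout. SAMPLE_LOG is constructed.
"""
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>FAILED|OK) user=(?P<user>\S+) src=(?P<src>\S+)"
)
FIRST_LAST = re.compile(r"^[a-z]+\.[a-z]+$")  # first.last naming convention

# Constructed sample: one burst from a single source, one user typo then
# success, and one slow trickle of failures spread over an hour.
SAMPLE_LOG = """\
2026-04-16T03:12:01Z sma01 auth: FAILED user=john.smith src=203.0.113.7
2026-04-16T03:12:03Z sma01 auth: FAILED user=jsmith src=203.0.113.7
2026-04-16T03:12:04Z sma01 auth: FAILED user=admin src=203.0.113.7
2026-04-16T03:12:06Z sma01 auth: FAILED user=mary.jones src=203.0.113.7
2026-04-16T03:12:08Z sma01 auth: FAILED user=mjones src=203.0.113.7
2026-04-16T03:12:09Z sma01 auth: FAILED user=admin src=203.0.113.7
2026-04-16T03:15:00Z sma01 auth: FAILED user=alice.brown src=198.51.100.20
2026-04-16T03:20:00Z sma01 auth: OK user=alice.brown src=198.51.100.20
2026-04-16T04:00:00Z sma01 auth: FAILED user=bob.lee src=198.51.100.21
2026-04-16T04:30:00Z sma01 auth: FAILED user=bob.lee src=198.51.100.21
2026-04-16T05:00:00Z sma01 auth: FAILED user=bob.lee src=198.51.100.21
"""


def parse(log: str):
    """Yield (timestamp, host, result, user, src) for every line that matches;
    lines in another format are skipped rather than aborting the run."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts, m["host"], m["result"], m["user"], m["src"]


def detect_bruteforce(log: str, threshold: int = 5, window_s: int = 60) -> list[dict]:
    """Alert once per source IP when at least `threshold` failures fall inside
    any `window_s`-second window. Distinct usernames are counted over the
    whole log for that source, since spraying is the other signal of interest."""
    recent: dict[str, deque] = defaultdict(deque)   # src -> timestamps of failures in window
    users: dict[str, set] = defaultdict(set)        # src -> usernames attempted
    alerted: dict[str, dict] = {}
    for ts, host, result, user, src in parse(log):
        if result != "FAILED":
            continue
        q = recent[src]
        q.append(ts)
        users[src].add(user)
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()                              # drop failures older than the window
        if len(q) >= threshold and src not in alerted:
            alerted[src] = {
                "src": src,
                "host": host,
                "failures": len(q),
                "distinct_users": len(users[src]),
                "first_last_style": sum(1 for u in users[src] if FIRST_LAST.match(u)),
                "first": q[0].isoformat(),
                "last": ts.isoformat(),
            }
    return list(alerted.values())


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print(f"{a['src']}: {a['failures']} failures in window, "
              f"{a['distinct_users']} users tried ({a['first_last_style']} first.last)")
```

With the defaults only 203.0.113.7 trips the rule (five failures in seven seconds across five usernames). Widening the window to an hour and lowering the threshold to three also catches the slow trickle from 198.51.100.21, which is the trade-off to tune against the appliance's own lockout settings; a per-source threshold on its own will not catch a campaign that rotates source addresses, so the distinct-user count is worth alerting on separately.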

The volume and variety of active exploitation this week reinforces that patching velocity is the primary lever defenders control. The 17-year-old Excel vulnerability in particular illustrates how legacy file format support creates a long-tail attack surface that is easy to overlook.

Tags: Zero-Day, Microsoft, SonicWall, Excel, Vulnerability, Weekly Roundup
