- Daily - CERT.at

Tageszusammenfassung - 17.12.2025
by Daily end-of-shift report 17 Dec '25

17 Dec '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 16-12-2025 19:10 − Mittwoch 17-12-2025 18:00 Handler: Felician Fuchs Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Amazon disrupts Russian GRU hackers attacking edge network devices ∗∗∗ --------------------------------------------- The Amazon Threat Intelligence team has disrupted active operations attributed to hackers working for the Russian foreign military intelligence agency, the GRU, who targeted customers cloud infrastructure. --------------------------------------------- https://www.bleepingcomputer.com/news/security/amazon-disrupts-russian-gru-… ∗∗∗ Cellik Android malware builds malicious versions from Google Play apps ∗∗∗ --------------------------------------------- A new Android malware-as-a-service (MaaS) named Cellik is being advertised on underground cybercrime forums offering a robust set of capabilities that include the option to embed it in any app available on the Google Play Store. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cellik-android-malware-build… ∗∗∗ Attackers Use Stolen AWS Credentials in Cryptomining Campaign ∗∗∗ --------------------------------------------- Threat actors wielding stolen AWS Identity and Access Management (IAM) credentials leverage Amazon EC and EC2 infrastructure across multiple customer environments. --------------------------------------------- https://www.darkreading.com/cloud-security/attackers-use-stolen-aws-credent… ∗∗∗ Deliberate Internet Shutdowns ∗∗∗ --------------------------------------------- For two days in September, Afghanistan had no internet. No satellite failed; no cable was cut. This was a deliberate outage, mandated by the Taliban government. It followed a more localized shutdown two weeks prior, reportedly instituted “to prevent immoral activities.” No additional explanation was given. The timing couldn’t have been worse: communities still reeling from a major earthquake lost emergency communications, flights were grounded, and banking was interrupted. --------------------------------------------- https://www.schneier.com/blog/archives/2025/12/deliberate-internet-shutdown… ∗∗∗ GhostPoster Malware Found in 17 Firefox Add-ons with 50,000+ Downloads ∗∗∗ --------------------------------------------- A new campaign named GhostPoster has leveraged logo files associated with 17 Mozilla Firefox browser add-ons to embed malicious JavaScript code designed to hijack affiliate links, inject tracking code, and commit click and ad fraud. The extensions have been collectively downloaded over 50,000 times, according to Koi Security, which discovered the campaign. The add-ons are no longer available. --------------------------------------------- https://www.thehackernews.com/2025/12/ghostposter-malware-found-in-17-firef… ∗∗∗ APT28 Targets Ukrainian UKR-net Users in Long-Running Credential Phishing Campaign ∗∗∗ --------------------------------------------- The Russian state-sponsored threat actor known as APT28 has been attributed to what has been described as a "sustained" credential-harvesting campaign targeting users of UKR[.]net, a webmail and news service popular in Ukraine. --------------------------------------------- https://www.thehackernews.com/2025/12/apt28-targets-ukrainian-ukr-net-users… ∗∗∗ New ForumTroll Phishing Attacks Target Russian Scholars Using Fake eLibrary Emails ∗∗∗ --------------------------------------------- The threat actor linked to Operation ForumTroll has been attributed to a fresh set of phishing attacks targeting individuals within Russia, according to Kaspersky. The Russian cybersecurity vendor said it detected the new activity in October 2025. The origins of the threat actor are presently unknown. --------------------------------------------- https://www.thehackernews.com/2025/12/new-forumtroll-phishing-attacks-targe… ∗∗∗ Chinas Ink Dragon hides out in European government networks ∗∗∗ --------------------------------------------- Misconfigured servers are in, 0-days out Chinese espionage crew Ink Dragon has expanded its snooping activities into European government networks, using compromised servers to create illicit relay nodes for future operations. --------------------------------------------- https://www.theregister.com/2025/12/16/chinas_ink_dragon_hides_out/ ∗∗∗ Microsoft security updates breaks MSMQ on older Win systems ∗∗∗ --------------------------------------------- Folder permission changes cause queue failures and misleading error messages, no real fix yet Microsoft has good news for administrators: while some organizations now pay for security updates on older Windows versions, the inconsistent quality remains free. --------------------------------------------- https://www.theregister.com/2025/12/17/microsoft_admits_that_message_queuin… ∗∗∗ NATOs battle for cloud sovereignty: Speed is existential ∗∗∗ --------------------------------------------- Build a digital backbone faster than adversaries can evolve or lose the information war NATO is in an existential race to develop sovereign cloud-based technologies to underpin its mission, the alliances Assistant Secretary General for Cyber and Digital Transformation told an audience at the Royal United Services Institute (RUSI) last week. --------------------------------------------- https://www.theregister.com/2025/12/17/sovereign_cloud_is_existential_nato/ ∗∗∗ BlindEagle Targets Colombian Government Agency with Caminho and DCRAT ∗∗∗ --------------------------------------------- IntroductionIn early September 2025, Zscaler ThreatLabz discovered a new spear phishing campaign attributed to BlindEagle, a threat actor who operates in South America and targets users in Spanish-speaking countries, such as Colombia. In this campaign, BlindEagle targeted a government agency under the control of the Ministry of Commerce, Industry and Tourism (MCIT) in Colombia using a phishing email sent from what appears to be a compromised account within the same organization. --------------------------------------------- https://www.zscaler.com/blogs/security-research/blindeagle-targets-colombia… ∗∗∗ WhatsApp und Signal: Privatsphäre angreifbar, Tracker-Software verfügbar ∗∗∗ --------------------------------------------- Die WhatsApp- und Signal-Messenger verraten Informationen über Nutzer durch Bestätigungs-Laufzeiten. Eine Einstellung hilft. --------------------------------------------- https://www.heise.de/news/WhatsApp-und-Signal-Privatsphaere-angreifbar-Trac… ∗∗∗ Telekom startet System gegen Betrugsanrufe ∗∗∗ --------------------------------------------- Jemand ruft an, die Nummer ist nicht eingespeichert. Man geht ran und lässt sich in ein Gespräch verwickeln. Das ist meist keine gute Idee. --------------------------------------------- https://www.heise.de/news/Telekom-startet-System-gegen-Betrugsanrufe-111176… ∗∗∗ Inside a purchase order PDF phishing campaign ∗∗∗ --------------------------------------------- A “purchase order” PDF blocked by Malwarebytes led to a credential-harvesting phishing site. So we analyzed the attack and where the data went next. --------------------------------------------- https://www.malwarebytes.com/blog/threat-intel/2025/12/inside-a-purchase-or… ∗∗∗ Systemwarnung? Virus gefunden? Welche Gefahren von PopUp-Fenstern ausgehen können ∗∗∗ --------------------------------------------- Sie zählen wohl zu den unbeliebtesten Erfindungen rund um das Internet: PopUp-Fenster. Wenig überraschend werden sie seit Langem auch für dubiose Machenschaften genutzt. Was hinter den Benachrichtigungen lauert und woran sich ein möglicher Betrugsversuch erkennen lässt. --------------------------------------------- https://www.watchlist-internet.at/news/dubiose-popup-fenster/ ∗∗∗ From Linear to Complex: An Upgrade in RansomHouse Encryption ∗∗∗ --------------------------------------------- Operators behind RansomHouse, a ransomware-as-a-service (RaaS) group, have upgraded their encryption methods from single-phase to complex and layered. --------------------------------------------- https://unit42.paloaltonetworks.com/ransomhouse-encryption-upgrade/ ∗∗∗ ESET Threat Report H2 2025 ∗∗∗ --------------------------------------------- The second half of the year underscored just how quickly attackers adapt and innovate, with rapid changes sweeping across the threat landscape. --------------------------------------------- https://www.welivesecurity.com/en/eset-research/eset-threat-report-h2-2025/ ∗∗∗ Theres Payloads, And Then Theres pAIloads: A Look At Selected Opportunistic (And Possibly AI-"Enhanced") React2Shell Probes and Attacks ∗∗∗ --------------------------------------------- Over the past ~1.5 weeks, the React2Shell campaign has unleashed a flood of exploitation attempts targeting vulnerable React Server Components. Analyzing the payload size distribution across these attacks reveals a clear fingerprint of modern cybercrime, and a landscape dominated by automated scanners with a handful of sophisticated outliers. --------------------------------------------- https://www.greynoise.io/blog/react2shell-payload-analysis ===================== = Vulnerabilities = ===================== ∗∗∗ VU#382314: Vulnerability in UEFI firmware modules prevents IOMMU initialization on some UEFI-based motherboards ∗∗∗ --------------------------------------------- A newly identified vulnerability in some UEFI-supported motherboard models leaves systems vulnerable to early-boot DMA attacks across architectures that implement UEFI and IOMMU. --------------------------------------------- https://kb.cert.org/vuls/id/382314 ∗∗∗ Reports About Cyberattacks Against Cisco Secure Email Gateway And Cisco Secure Email and Web Manager ∗∗∗ --------------------------------------------- On December 10, Cisco became aware of a new cyberattack campaign targeting a limited subset of appliances with certain ports open to the internet that are running Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. This attack allows the threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ HPE OneView: Kritische Lücke erlaubt Codeschmuggel aus dem Netz ∗∗∗ --------------------------------------------- In HPEs OneView können bösartige Akteure aus dem Netz ohne Authentifizierung Schadcode einschleusen. Ein Update steht bereit. --------------------------------------------- https://www.heise.de/news/HPE-OneView-Kritische-Luecke-erlaubt-Codeschmugge… ∗∗∗ Two Chrome flaws could be triggered by simply browsing the web: Update now ∗∗∗ --------------------------------------------- Googles patched two flaws in Chrome, both of which can be triggered remotely when a user loads specially crafted web content. --------------------------------------------- https://www.malwarebytes.com/blog/news/2025/12/two-chrome-flaws-could-be-tr… ∗∗∗ TYPO3-EXT-SA-2025-016: Vulnerability in bundled package in extension "Single Sign-on with SAML" (md_saml) ∗∗∗ --------------------------------------------- It has been discovered that the extension "Single Sign-on with SAML" (md_saml) bundles a vulnerable version of “onelogin/php-saml“ which is susceptible to Authentication Bypass. --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2025-016 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (node-url-parse), Fedora (assimp, conda-build, mod_md, util-linux, and webkitgtk), Oracle (firefox), SUSE (chromium, librsvg, poppler, python311, qemu, strongswan, webkit2gtk3, wireshark, and xen), and Ubuntu (linux-azure, linux-azure-5.4, linux-azure-5.15, linux-azure-fips, and linux-raspi, linux-raspi-realtime, linux-xilinx). --------------------------------------------- https://lwn.net/Articles/1050942/ ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2025-0010 ∗∗∗ --------------------------------------------- Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. CVE-2025-14174 Versions affected: WebKitGTK and WPE WebKit before 2.50.4. Credit to Apple and Google Threat Analysis Group. Impact: Processing maliciously crafted web content may lead to memory corruption. --------------------------------------------- https://webkitgtk.org/security/WSA-2025-0010.html ∗∗∗ Unzählige Sicherheitslücken in IBM DataPower Gateway geschlossen ∗∗∗ --------------------------------------------- Angreifer können IBMs Sicherheits- und Integrationsplattform DataPower Gateway über verschiedene Wege attackieren. --------------------------------------------- https://heise.de/-11118285 ∗∗∗ ZDI-25-1104: Sante PACS Server HTTP Content-Length Header Handling NULL Pointer Dereference Denial-of-Service Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-1104/ ∗∗∗ [F5] K000158176: NGINX Ingress Controller vulnerability CVE-2025-14727 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000158176 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 16.12.2025
by Daily end-of-shift report 16 Dec '25

16 Dec '25

===================== = End-of-Day report = ===================== Timeframe: Montag 15-12-2025 18:30 − Dienstag 16-12-2025 19:10 Handler: Felician Fuchs Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Arctic Wolf Observes Malicious SSO Logins on FortiGate Devices Following Disclosure of CVE-2025-59718 and CVE-2025-59719 ∗∗∗ --------------------------------------------- In December 12, 2025, Arctic Wolf began observing intrusions involving malicious SSO logins on FortiGate appliances. Fortinet had previously released an advisory for two critical authentication bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719) on December 9, 2025. Arctic Wolf had also sent out a security bulletin for the vulnerabilities shortly thereafter. --------------------------------------------- https://arcticwolf.com/resources/blog/arctic-wolf-observes-malicious-sso-lo… ∗∗∗ AWS Blames Russia’s GRU for Years-Long Espionage Campaign Targeting Western Energy Infrastructure ∗∗∗ --------------------------------------------- Amazon Web Services (AWS) has attributed a persistent multi-year cyber espionage campaign targeting Western critical infrastructure, particularly the energy sector, to a group strongly linked with Russia’s Main Intelligence Directorate (GRU), known widely as Sandworm (or APT44). --------------------------------------------- https://thecyberexpress.com/espionage-western-critical-infrastructure/ ∗∗∗ New SantaStealer malware steals data from browsers, crypto wallets ∗∗∗ --------------------------------------------- A new malware-as-a-service (MaaS) information stealer named SantaStealer is being advertised on Telegram and hacker forums as operating in memory to avoid file-based detection. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-santastealer-malware-ste… ∗∗∗ Google is shutting down its dark web report feature in January ∗∗∗ --------------------------------------------- Google is discontinuing its "dark web report" security tool, stating that it wants to focus on other tools it believes are more helpful. --------------------------------------------- https://www.bleepingcomputer.com/news/google/google-is-shutting-down-its-da… ∗∗∗ SoundCloud confirms breach after member data stolen, VPN access disrupted ∗∗∗ --------------------------------------------- Audio streaming platform SoundCloud has confirmed that outages and VPN connection issues over the past few days were caused by a security breach in which threat actors stole a database containing user information. --------------------------------------------- https://www.bleepingcomputer.com/news/security/soundcloud-confirms-breach-a… ∗∗∗ European authorities dismantle call center fraud ring in Ukraine ∗∗∗ --------------------------------------------- European law enforcement authorities dismantled a fraud network operating call centers in Ukraine that scammed victims across Europe out of more than 10 million euros. --------------------------------------------- https://www.bleepingcomputer.com/news/security/european-authorities-dismant… ∗∗∗ Microsoft to block Exchange Online access for outdated mobile devices ∗∗∗ --------------------------------------------- Microsoft announced on Monday that it will soon block mobile devices running outdated email software from accessing Exchange Online services until theyre updated. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-to-block-exchange… ∗∗∗ Cyberattack disrupts Venezuelan oil giant PDVSAs operations ∗∗∗ --------------------------------------------- Petróleos de Venezuela (PDVSA), Venezuelas state-owned oil company, was hit by a cyberattack over the weekend that disrupted its export operations. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cyberattack-disrupts-venezue… ∗∗∗ Updaten: Warnung vor Angriffen auf Apple-Lücken und Gladinet ∗∗∗ --------------------------------------------- Die CISA warnt vor laufenden Angriffen auf Schwachstellen in Apples iOS und macOS sowie auf Gladinet CentreStack und Triofox. --------------------------------------------- https://www.heise.de/news/Updaten-Warnung-vor-Angriffen-auf-Apple-Luecken-u… ∗∗∗ Defender-Problem nach Windows Update KB5072033 – Get-MPComputerStatus leer ∗∗∗ --------------------------------------------- Das kumulative Update KB5072033 vom 9. Dezember 2025 kann unter Windows 11 24H2 und 25H2, sowie ggf. unter Windows Server 2025, Probleme verursachen. Die Statusabfrage, ob der Windows Defender noch korrekt arbeitet, funktioniert per PowerShell eventuell nicht. --------------------------------------------- https://www.borncity.com/blog/2025/12/16/defender-fehler-nach-windows-updat… ∗∗∗ The Detection & Response Chronicles: Exploring Telegram Abuse ∗∗∗ --------------------------------------------- Adversaries utilizing popular messaging apps throughout different attack phases is nothing new. Telegram, in particular, has constantly been the subject of abuse by multiple threat actors, favoured for its anonymity, accessibility, resilience, and operational advantages. In this blog, we explore popular Telegram Bot APIs, recent campaigns involving Telegram abuse, and provide detection and hunting opportunities. --------------------------------------------- https://blog.nviso.eu/2025/12/16/the-detection-response-chronicles-explorin… ∗∗∗ Malicious NuGet Package Typosquats Popular .NET Tracing Library to Steal Wallet Passwords ∗∗∗ --------------------------------------------- The Socket Threat Research Team uncovered a malicious NuGet package, Tracer.Fody.NLog, that typosquats and impersonates the legitimate Tracer.Fody library and its maintainer. It presents itself as a standard .NET tracing integration but in reality functions as a cryptocurrency wallet stealer. --------------------------------------------- https://socket.dev/blog/malicious-nuget-package-typosquats-popular-net-trac… ∗∗∗ PornHub Confirms Premium User Data Exposure Linked to Mixpanel Breach ∗∗∗ --------------------------------------------- PornHub is facing renewed scrutiny after confirming that some Premium users activity data was exposed following a security incident at a third-party analytics provider. The PornHub data breach disclosure comes as the platform faces increasing regulatory scrutiny in the United States and reported extortion attempts linked to the stolen data. The issue stems from a data breach linked not to PornHub’s own systems, but to Mixpanel, an analytics vendor the platform previously used. --------------------------------------------- https://thecyberexpress.com/pornhub-data-breach-premium-users/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (binwalk, glib2.0, libgd2, paramiko, and python-apt), Fedora (chromium, python3.13, python3.14, qt6-qtdeclarative, and usd), Mageia (ffmpeg, firefox, nspr, nss, and thunderbird), Oracle (kernel, mysql, mysql:8.0, mysql:8.4, ruby:3.3, wireshark, and xorg-x11-server), Red Hat (expat, mingw-expat, and rsync), SUSE (binutils, curl, glib2, gnutls, go1.24, go1.25, keylime, libmicrohttpd, libssh, openexr, postgresql15, python311, and xkbcomp), and Ubuntu (libsoup3, linux, linux-aws, linux-aws-6.8, linux-gcp, linux-gcp-6.8, linux-gke, linux-gkeop, linux-hwe-6.8, linux-ibm, linux-ibm-6.8, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oracle, linux-oracle-6.8, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-azure, linux-azure-6.14, linux-azure, linux-azure-6.8, linux-azure-fips, linux-fips, linux-fips, linux-aws-fips, linux-gcp-fips, linux-kvm, linux-oem-6.14, linux-raspi, and linux-realtime, linux-realtime-6.8). --------------------------------------------- https://lwn.net/Articles/1050778/ ∗∗∗ Node.js Security Releases ∗∗∗ --------------------------------------------- The team is still working on a particularly challenging patch, for this reason the release is being postponed to Thursday, December 18th or shortly after. --------------------------------------------- https://nodejs.org/en/blog/vulnerability/december-2025-security-releases ∗∗∗ [R1] Nessus Versions 10.11.1 and 10.9.6 Fix Multiple Vulnerabilities ∗∗∗ --------------------------------------------- Nessus leverages third-party software to help provide underlying functionality. Several of the third-party components (expat, libxml2, libxslt) were found to contain vulnerabilities, and updated versions have been made available by the providers. --------------------------------------------- https://www.tenable.com/security/tns-2025-24 ∗∗∗ JumpCloud Remote Assist Flaw Lets Users Gain Full Control of Company Devices ∗∗∗ --------------------------------------------- A critical vulnerability (CVE-2025-34352) found by XM Cyber in the JumpCloud Remote Assist for Windows agent allows local users to gain full SYSTEM privileges. Businesses must update to version 0.317.0 or later immediately to patch the high-severity flaw. --------------------------------------------- https://hackread.com/jumpcloud-remote-assist-flaw-full-devices-control/ ∗∗∗ Sicherheitslücken: HPE-ProLiant-Server mit Intel QuickAssist sind verwundbar ∗∗∗ --------------------------------------------- Sicherheitspatches schließen mehrere Lücken in HPE ProLiant. Server sind aber nur unter bestimmten Bedinungen angreifbar. --------------------------------------------- https://www.heise.de/news/Sicherheitsluecken-HPE-ProLiant-Server-mit-Intel-… ∗∗∗ SEIKO EPSON printer Web Config vulnerable to stack-based buffer overflow ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN51846148/ ∗∗∗ Synology-SA-25:18 C2 Identity Edge Server (PWN2OWN 2025) ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_25_18 ∗∗∗ Mitsubishi Electric GT Designer3 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-350-04 ∗∗∗ Hitachi Energy AFS, AFR and AFF Series ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-350-03 ∗∗∗ Johnson Controls PowerG, IQPanel and IQHub ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-350-02 ∗∗∗ Güralp Systems Fortimus Series, Minimus Series, and Certimus Series ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-350-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 15.12.2025
by Daily end-of-shift report 15 Dec '25

15 Dec '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 12-12-2025 18:00 − Montag 15-12-2025 18:30 Handler: Guenes Holler Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ French Interior Ministry confirms cyberattack on email servers ∗∗∗ --------------------------------------------- The French Interior Minister confirmed on Friday that the countrys Ministry of the Interior was breached in a cyberattack that compromised e-mail servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/france-interior-ministry-con… ∗∗∗ Microsoft: Recent Windows updates break VPN access for WSL users ∗∗∗ --------------------------------------------- Microsoft says that recent Windows 11 security updates are causing VPN networking failures for enterprise users running Windows Subsystem for Linux. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-recent-windows-up… ∗∗∗ Flaw in Hacktivist Ransomware Lets Victims Decrypt Own Files ∗∗∗ --------------------------------------------- A new version of VolkLocker, wielded by the pro-Russia RaaS group CyberVolk, has some key enhancements but one fatal flaw. --------------------------------------------- https://www.darkreading.com/threat-intelligence/flaw-hacktivist-ransomware-… ∗∗∗ Cyberangriff: Hacker attackieren Ideal Versicherung mit Ransomware ∗∗∗ --------------------------------------------- Die auf Alters- und Pflegevorsorgeversicherungen spezialisierte Ideal Gruppe untersucht einen Ransomware-Befall. Der Geschäftsbetrieb ist eingeschränkt. --------------------------------------------- https://www.golem.de/news/cyberangriff-hacker-attackieren-ideal-versicherun… ∗∗∗ A look at an Android ITW DNG exploit ∗∗∗ --------------------------------------------- Between July 2024 and February 2025, 6 suspicious image files were uploaded to VirusTotal. Thanks to a lead from Meta, these samples came to the attention of Google Threat Intelligence Group. Investigation of these images showed that these images were DNG files targeting the Quram library, an image parsing library specific to Samsung devices. --------------------------------------------- https://googleprojectzero.blogspot.com/2025/12/a-look-at-android-itw-dng-ex… ∗∗∗ Frogblight threatens you with a court case: a new Android banker targets Turkish users ∗∗∗ --------------------------------------------- Kaspersky researchers have discovered a new Android banking Trojan targeting Turkish users and posing as an app for accessing court case files via an official government webpage. The malware is being actively developed and may become MaaS in the future. --------------------------------------------- https://securelist.com/frogblight-banker/118440/ ∗∗∗ ClickFix Attacks Still Using the Finger ∗∗∗ --------------------------------------------- Since as early as November 2025, the finger protocol has been used in ClickFix social engineering attacks. BleepingComputer posted a report of this activity on November 15th, and Didier Stevens posted a short follow-up in an ISC diary the next day. --------------------------------------------- https://isc.sans.edu/diary/rss/32566 ∗∗∗ Fake OSINT and GPT Utility GitHub Repos Spread PyStoreRAT Malware Payloads ∗∗∗ --------------------------------------------- Cybersecurity researchers are calling attention to a new campaign thats leveraging GitHub-hosted Python repositories to distribute a previously undocumented JavaScript-based Remote Access Trojan (RAT) dubbed PyStoreRAT. --------------------------------------------- https://thehackernews.com/2025/12/fake-osint-and-gpt-utility-github-repos.h… ∗∗∗ Arbeitssuchende aufgepasst! Vorsicht vor Jobportalen wie trabajo.org und bebee.com ∗∗∗ --------------------------------------------- Jobportale wie trabajo.org oder bebee.com werben mit attraktiven Stellenangeboten. Tatsächlich gibt es jedoch zahlreiche Hinweise darauf, dass man hier keine Jobs bekommt und sogar Daten abgegriffen werden könnten. --------------------------------------------- https://www.watchlist-internet.at/news/arbeitssuchende-aufgepasst-warum-sie… ∗∗∗ Exploitation of Critical Vulnerability in React Server Components (Updated December 12) ∗∗∗ --------------------------------------------- We discuss the CVSS 10.0-rated RCE vulnerability in the Flight protocol used by React Server Components. This is tracked as CVE-2025-55182. --------------------------------------------- https://unit42.paloaltonetworks.com/cve-2025-55182-react-and-cve-2025-66478… ∗∗∗ PureRAT Campaign Targets Job Seekers, Abuses Foxit PDF Reader for DLL Side-loading ∗∗∗ --------------------------------------------- Job seekers looking out for opportunities might instead find their personal devices compromised, as a PureRAT campaign propagated through email leverages Foxit PDF Reader for concealment and DLL side-loading for initial entry. --------------------------------------------- https://www.trendmicro.com/en_us/research/25/l/valleyrat-campaign.html ∗∗∗ Fake Microsoft Teams and Google Meet Downloads Spread Oyster Backdoor ∗∗∗ --------------------------------------------- The Oyster backdoor (also known as Broomstick) is targeting the financial world, using malicious search ads for PuTTY, Teams, and Google Meet. --------------------------------------------- https://hackread.com/fake-microsoft-teams-google-meet-download-oyster-backd… ∗∗∗ 16TB of MongoDB Database Exposes 4.3 Billion Lead Gen Records ∗∗∗ --------------------------------------------- Cybersecurity researchers discovered an unsecured 16TB database exposing 4.3 billion professional records, including names, emails, and LinkedIn data. Learn what happened, why this massive data leak enables new scams, and how to protect your PII. --------------------------------------------- https://hackread.com/mongodb-database-expose-lead-gen-records/ ∗∗∗ GitHub Scanner for React2Shell (CVE-2025-55182) Turns Out to Be Malware ∗∗∗ --------------------------------------------- A GitHub repository posing as a vulnerability scanner for CVE-2025-55182, also referred to as “React2Shell,” was exposed as malicious after spreading malware. The project, named React2shell-scanner, was hosted under the user niha0wa and has since been removed from the platform following community reports. --------------------------------------------- https://hackread.com/github-scanner-react2shell-cve-2025-55182-malware/ ∗∗∗ Patchday-Problem: Message-Queuing-Störungen in Windows 10, Server 2016 und 2019 ∗∗∗ --------------------------------------------- Die Sicherheitsupdates im Dezember stören das Message Queuing in Windows 10, Server 2016 und 2019. Fehlermeldungen sind die Folge. --------------------------------------------- https://heise.de/-11114815 ∗∗∗ "Careless Whisper" side-channel attack affects WhatsApp and Signal ∗∗∗ --------------------------------------------- A tool for tracking over three billion WhatsApp and Signal users has been publicly released. Just by knowing the phone number, attackers can determine when users come home, when they are actively using the phone, when they go to sleep, or when they are offline. They can also drain batteries and data limits without the users noticing anything. --------------------------------------------- https://cybernews.com/security/whatsapp-signal-real-time-tracking-battery-d… ∗∗∗ Rich Headers: leveraging this mysterious artifact of the PE format ∗∗∗ --------------------------------------------- We started our project with low expectations, thinking that there must be a reason the Rich Headers feature is overlooked and not widely utilized. Over time, we became more and more impressed with how much could be achieved by searching for feature clusters based on such a small part of an executable, and how powerful it can be when leveraged correctly. --------------------------------------------- https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-heade… ∗∗∗ Decompiling run-only AppleScripts ∗∗∗ --------------------------------------------- We validate the tool against XCSSET samples with known source Explore anti-analysis and anti-sandbox behavior in older malware Show common obfuscation tricks used in the wild Walk through key internals that make the decompiler workIntro to run-only AppleScripts. --------------------------------------------- https://pberba.github.io/security/2025/12/14/decompiling-run-only-applescri… ===================== = Vulnerabilities = ===================== ∗∗∗ Zero-Day-Lücken in Webkit: Angriffe auf iPhone-Nutzer beobachtet ∗∗∗ --------------------------------------------- Zwei aktiv ausgenutzte Sicherheitslücken gefährden Apple-Geräte wie iPhones, iPads und Macs. Anwender sollten zügig patchen. --------------------------------------------- https://www.golem.de/news/zero-day-luecken-in-webkit-angriffe-auf-iphone-nu… ∗∗∗ Kein Patch von Microsoft: Zero-Day-Lücke gefährdet alle gängigen Windows-Versionen ∗∗∗ --------------------------------------------- Forscher warnen vor einer Zero-Day-Lücke unter Windows. Richtig gefährlich wird diese in Kombination mit einer bereits bekannten Lücke. --------------------------------------------- https://www.golem.de/news/kein-patch-von-microsoft-zero-day-luecke-gefaehrd… ∗∗∗ FreePBX Patches Critical SQLi, File-Upload, and AUTHTYPE Bypass Flaws Enabling RCE ∗∗∗ --------------------------------------------- Multiple security vulnerabilities have been disclosed in the open-source private branch exchange (PBX) platform FreePBX, including a critical flaw that could result in an authentication bypass under certain configurations. --------------------------------------------- https://thehackernews.com/2025/12/freepbx-authentication-bypass-exposed.html ∗∗∗ Researcher Uncovers 30+ Flaws in AI Coding Tools Enabling Data Theft and RCE Attacks ∗∗∗ --------------------------------------------- Over 30 security vulnerabilities have been disclosed in various artificial intelligence (AI)-powered Integrated Development Environments (IDEs) that combine prompt injection primitives with legitimate features to achieve data exfiltration and remote code execution. --------------------------------------------- https://thehackernews.com/2025/12/researchers-uncover-30-flaws-in-ai.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (firefox, grafana, kernel, libsoup3, mysql8.4, and wireshark), Debian (ruby-git, ruby-sidekiq, thunderbird, and vlc), Fedora (apptainer, chromium, firefox, golangci-lint, libpng, and xkbcomp), Mageia (golang), SUSE (binutils, chromium, firefox, gegl, go1.25, govulncheck-vulndb, hauler, kernel, keylime, libpng12, pgadmin4, postgresql16, python, python-Django, python-django, python3, python311, rhino, thunderbird, unbound, and xkbcomp), and Ubuntu (usbmuxd). --------------------------------------------- https://lwn.net/Articles/1050523/ ∗∗∗ Security updates 1.6.12 and 1.5.12 released ∗∗∗ --------------------------------------------- We just published security updates to the 1.6 and 1.5 LTS versions of Roundcube Webmail. They both contain fixes for recently reported two security vulnerabilities. --------------------------------------------- https://roundcube.net/news/2025/12/13/security-updates-1.6.12-and-1.5.12 ∗∗∗ React2Shell-Patch unzureichend, Angriffe weiten sich aus ∗∗∗ --------------------------------------------- Updates zum Schließen einer kritischen Lücke in React-Servern sind unvollständig. Immer mehr Angreifer missbrauchen das Leck. --------------------------------------------- https://www.heise.de/news/React2Shell-Patch-unzureichend-Angriffe-weiten-si… ∗∗∗ Angreifer können mit TeamViewer DEX verwaltete PCs attackieren ∗∗∗ --------------------------------------------- Über TeamViewer DEX (Digital Employee Experience) managen Admins Firmencomputer. Nun können Angreifer an mehreren Schwachstellen ansetzen, um Geräte zu attackieren. --------------------------------------------- https://heise.de/-11114835 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 12.12.2025
by Daily end-of-shift report 12 Dec '25

12 Dec '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 11-12-2025 18:00 − Freitag 12-12-2025 18:00 Handler: Guenes Holler Co-Handler: n/a ===================== = News = ===================== ∗∗∗ NIS-2 in Österreich umgesetzt (NISG 2026) ∗∗∗ --------------------------------------------- Das Netz- und Informationssystemsicherheitsgesetz 2026 (NISG 2026) wurde heute (12.12.2025) im Nationalrat beschlossen. Die Kundmachung erfolgt nach Beschluss des Bundesrates und Unterzeichnung des Bundespräsidenten. Das Gesetz wird neun Monate nach seiner Kundmachung (voraussichtlich im Herbst 2026) in Kraft treten. --------------------------------------------- https://certitude.consulting/blog/de/nis-2-in-osterreich-umgesetzt-nisg-202… ∗∗∗ Technical Analysis of the BlackForce Phishing Kit ∗∗∗ --------------------------------------------- Zscaler ThreatLabz identified a new phishing kit named BlackForce, which was first observed in the beginning of August 2025 with at least five distinct versions. BlackForce is capable of stealing credentials and performing Man-in-the-Browser (MitB) attacks to steal one-time tokens and bypass multi-factor authentication (MFA). The phishing kit is actively marketed and sold on Telegram forums for €200–€300. --------------------------------------------- https://www.zscaler.com/blogs/security-research/technical-analysis-blackfor… ∗∗∗ Cybersecurity Performance Goals 2.0 for Critical Infrastructure ∗∗∗ --------------------------------------------- Today, CISA released updated Cross-Sector Cybersecurity Performance Goals (CPG 2.0) with measurable actions for critical infrastructure owners and operators to achieve a foundational level of cybersecurity. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/12/11/cybersecurity-performanc… ∗∗∗ SHADOW-VOID-042 Targets Multiple Industries with Void Rabisu-like Tactics ∗∗∗ --------------------------------------------- In November, a targeted spear-phishing campaign was observed using Trend Micro-themed lures against various industries, but this was quickly detected and thwarted by the Trend Vision One™ platform. --------------------------------------------- https://www.trendmicro.com/en_us/research/25/l/SHADOW-VOID-042.html ∗∗∗ Malicious VSCode Marketplace extensions hid trojan in fake PNG file ∗∗∗ --------------------------------------------- A stealthy campaign with 19 extensions on the VSCode Marketplace has been active since February, targeting developers with malware hidden inside dependency folders. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-vscode-marketplace… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (firefox, luksmeta, mysql, mysql:8.0, mysql:8.4, tomcat, and wireshark), Debian (chromium, kernel, and tzdata), Fedora (brotli, dr_libs, perl-Alien-Brotli, python-urllib3, singularity-ce, wireshark, and yarnpkg), Oracle (firefox, grafana, lasso, libsoup3, luksmeta, ruby, ruby:3.3, tomcat, and wireshark), Slackware (mozilla), SUSE (container-suseconnect, kubernetes-client, libpoppler-cpp2, postgresql14, postgresql15, and python3), and Ubuntu (c-ares, keystone, linux, linux-aws, linux-aws-5.15, linux-azure, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx, linux-oracle, linux-oracle-5.15, linux-xilinx-zynqmp, linux-azure, linux-azure-4.15, linux-oracle,, linux-fips, linux-aws-fips, linux-azure-fips, linux-gcp-fips, linux-fips, linux-aws-fips, linux-gcp-fips, linux-hwe-6.8, linux-oracle-6.8, linux-raspi, linux-realtime, linux-intel-iot-realtime, and python-urllib3). --------------------------------------------- https://lwn.net/Articles/1050251/ ∗∗∗ New Windows RasMan zero-day flaw gets free, unofficial patches ∗∗∗ --------------------------------------------- Free unofficial patches are available for a new Windows zero-day vulnerability that allows attackers to crash the Remote Access Connection Manager (RasMan) service. RasMan is a critical Windows system service that starts automatically, runs in the background with SYSTEM-level privileges, and manages VPN, Point-to-Point Protocol over Ethernet (PPoE), and other remote network connections. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/new-windows-rasman-zero-day… ∗∗∗ Fernwartung ScreenConnect: Kritische Lücke ermöglicht Schadcodeausführung ∗∗∗ --------------------------------------------- In der Fernwartungssoftware Connectwise ScreenConnect können angemeldete Angreifer Schadcode einschleusen. Ein Update steht bereit. --------------------------------------------- https://www.heise.de/news/Fernwartung-ScreenConnect-Kritische-Luecke-ermoeg… ∗∗∗ GitLab: Angreifer können Wiki-Seiten mit Malware anlegen ∗∗∗ --------------------------------------------- Die DevSecOps-Plattform GitLab ist verwundbar. In aktuellen Versionen haben die Entwickler mehrere Sicherheitslücken geschlossen. Im schlimmsten Fall können Angreifer Systeme kompromittieren. --------------------------------------------- https://www.heise.de/news/GitLab-Angreifer-koennen-Wiki-Seiten-mit-Malware-… ∗∗∗ New React RSC Vulnerabilities Enable DoS and Source Code Exposure ∗∗∗ --------------------------------------------- The React team has released fixes for two new types of flaws in React Server Components (RSC) that, if successfully exploited, could result in denial-of-service (DoS) or source code exposure. --------------------------------------------- https://thehackernews.com/2025/12/new-react-rsc-vulnerabilities-enable.html ∗∗∗ Google fixes super-secret 8th Chrome 0-day ∗∗∗ --------------------------------------------- Google issued an emergency fix for a Chrome vulnerability already under exploitation, which marks the world's most popular browser's eighth zero-day bug of 2025. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/12/11/google_fixes… ∗∗∗ DSA-6080-1 chromium - security update ∗∗∗ --------------------------------------------- https://lists.debian.org/debian-security-announce/2025/msg00246.html ∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/12/11/cisa-adds-one-known-expl… ∗∗∗ CISA Releases 12 Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/12/11/cisa-releases-12-industr… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 11.12.2025
by Daily end-of-shift report 11 Dec '25

11 Dec '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 10-12-2025 18:00 − Donnerstag 11-12-2025 18:00 Handler: Guenes Holler Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Identitätsklau möglich: Gravierende Sicherheitsmängel bei eID-Karten aufgedeckt ∗∗∗ --------------------------------------------- Seit 2021 können EU-Bürger in Deutschland eine sogenannte eID-Karte beantragen, um sich beispielsweise bei Onlinediensten auszuweisen. Recherchen der Süddeutschen Zeitung zufolge gibt es bei der Beantragung dieser Karten aber erhebliche Sicherheitsprobleme, weil Ämter wohl oft nicht sauber prüfen können, wer eigentlich der Antragsteller ist. Mögliche Folgen sind Missbrauch für Geldwäsche und andere betrügerische Aktivitäten. --------------------------------------------- https://www.golem.de/news/identitaetsklau-moeglich-gravierende-sicherheitsm… ∗∗∗ Brisantes Datenleck auf Docker Hub: Über 10.000 Docker-Images leaken Zugangsdaten ∗∗∗ --------------------------------------------- Sicherheitsforscher von Flare haben auf Docker Hub bereitgestellte Docker-Images auf enthaltene Anmeldeinformationen durchsucht und sind fündig geworden. Laut eigenem Blogbeitrag fanden die Forscher bei einem einmonatigen Suchlauf in mehr als 10.000 Images unzählige Geheimnisse von über 100 verschiedenen Organisationen – darunter ein Fortune-500-Unternehmen und eine große staatliche Bank. --------------------------------------------- https://www.golem.de/news/docker-hub-zugangsdaten-in-ueber-10-000-docker-im… ∗∗∗ NANOREMOTE Malware Uses Google Drive API for Hidden Control on Windows Systems ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed details of a new fully-featured Windows backdoor called NANOREMOTE that uses the Google Drive API for command-and-control (C2) purposes. --------------------------------------------- https://thehackernews.com/2025/12/nanoremote-malware-uses-google-drive.html ∗∗∗ SMS vom Bundeskanzleramt? Phishing-Falle statt Rückerstattung ∗∗∗ --------------------------------------------- Eine SMS-Nachricht, versendet im Namen des Bundeskanzleramts, verspricht eine Rückerstattung von über 100 Euro. Dahinter verbirgt sich aber wenig überraschend nichts anderes als eine Phishing-Falle. Kriminelle wollen über diesen Weg an Login-Daten für Onlinebanking gelangen. --------------------------------------------- https://www.watchlist-internet.at/news/bundeskanzleramt-phishing-rueckersta… ∗∗∗ Scammers Sent 40,000 E-Signature Phishing Emails to 6,000 Firms in Just 2 Weeks ∗∗∗ --------------------------------------------- Phishing campaign: Scammers sent over 40,000 spoofed SharePoint, DocuSign and e-sign emails to companies, hiding malicious links behind trusted redirect services. --------------------------------------------- https://hackread.com/scammers-e-signature-phishing-emails/ ∗∗∗ New ‘DroidLock’ Android Malware Locks Users Out, Spies via Front Camera ∗∗∗ --------------------------------------------- Zimperium zLabs reveals DroidLock, a new Android malware acting like ransomware that can hijack Android devices, steal credentials via phishing, and stream your screen via VNC. --------------------------------------------- https://hackread.com/droidlock-android-malware-users-spy-camera/ ∗∗∗ Active Attacks Exploit Gladinets Hard-Coded Keys for Unauthorized Access and Code Execution ∗∗∗ --------------------------------------------- Huntress is warning of a new actively exploited vulnerability in Gladinet's CentreStack and Triofox products stemming from the use of hard-coded cryptographic keys that have affected nine organizations so far. --------------------------------------------- https://thehackernews.com/2025/12/hard-coded-gladinet-keys-let-attackers.ht… ∗∗∗ .NET SOAPwn Flaw Opens Door for File Writes and Remote Code Execution via Rogue WSDL ∗∗∗ --------------------------------------------- New research has uncovered exploitation primitives in the .NET Framework that could be leveraged against enterprise-grade applications to achieve remote code execution. WatchTowr Labs, which has codenamed the "invalid cast vulnerability" SOAPwn, said the issue impacts Barracuda Service Center RMM, Ivanti Endpoint Manager (EPM), and Umbraco 8. But the number of affected vendors is likely to be longer given the widespread use of .NET. --------------------------------------------- https://thehackernews.com/2025/12/net-soapwn-flaw-opens-door-for-file.html ∗∗∗ New ConsentFix attack hijacks Microsoft accounts via Azure CLI ∗∗∗ --------------------------------------------- A new variation of the ClickFix attack dubbed 'ConsentFix' abuses the Azure CLI OAuth app to hijack Microsoft accounts without the need for a password or to bypass multi-factor authentication (MFA) verifications. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-consentfix-attack-hijack… ∗∗∗ Hackers exploit unpatched Gogs zero-day to breach 700 servers ∗∗∗ --------------------------------------------- An unpatched zero-day vulnerability in Gogs, a popular self-hosted Git service, has enabled attackers to gain remote code execution on Internet-facing instances and compromise hundreds of servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/unpatched-gogs-zero-day-rce-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ffmpeg, firefox-esr, libsndfile, and rear), Fedora (httpd, perl-CGI-Simple, and tinyproxy), Oracle (firefox, kernel, libsoup, mysql8.4, tigervnc, tomcat, tomcat9, and uek-kernel), SUSE (alloy, curl, dovecot24, fontforge, glib2, himmelblau, java-17-openjdk, java-21-openjdk, kernel, krb5, lasso, libvirt, mozjs128, mysql-connector-java, nvidia-open-driver-G07-signed-check, openssh, poppler, postgresql17, postgresql18, python-cbor2, python-Django, python310, python311-Django, runc, strongswan, tomcat11, and xwayland), and Ubuntu (binutils, libpng1.6, linux, linux-aws, linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.14, linux-gcp, linux-hwe-6.14, linux-raspi, linux, linux-aws, linux-gcp, linux-realtime, and qtbase-opensource-src). --------------------------------------------- https://lwn.net/Articles/1050117/ ∗∗∗ Google warnt vor Sicherheitslücke: Chrome-Nutzer werden attackiert ∗∗∗ --------------------------------------------- Ein Notfallupdate für den Webbrowser Chrome schließt mehrere gefährliche Sicherheitslücken. Mindestens eine davon wird bereits ausgenutzt. --------------------------------------------- https://www.golem.de/news/google-warnt-vor-sicherheitsluecke-chrome-nutzer-… ∗∗∗ Barracuda RMM: Kritische Sicherheitslücken erlauben Codeschmuggel ∗∗∗ --------------------------------------------- IT-Verantwortliche, die ihre IT mit Barracuda RMM – ehemals unter dem Namen Managed Workplace bekannt – verwalten, sollten schleunigst den bereitstehenden Hotfix 2025.1.1 installieren, sofern das noch nicht geschehen ist. Er schließt mehrere Sicherheitslücken, von denen gleich drei die Höchstwertung CVSS 10 erhalten und damit ein großes Risiko darstellen. --------------------------------------------- https://heise.de/-11111274 ∗∗∗ WinRAR: Codeschmuggel-Lücke wird attackiert ∗∗∗ --------------------------------------------- Im Packprogramm WinRAR klafft bis zur Version 7.12 Beta 1 eine Sicherheitslücke, die Angreifern das Einschleusen von Schadcode erlaubt. Attacken auf diese Lücken wurden nun beobachtet. Wer WinRAR einsetzt, sollte daher zügig auf eine neuere Version aktualisieren. --------------------------------------------- https://heise.de/-11111474 ∗∗∗ ZDI-25-1060: Senstar Symphony FetchStoredLicense Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-1060/ ∗∗∗ MISP v2.5.28 Release: Security, Dashboard Upgrade, and Community Enhancements ∗∗∗ --------------------------------------------- https://github.com/MISP/MISP/releases/tag/v2.5.28 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 10.12.2025
by Daily end-of-shift report 10 Dec '25

10 Dec '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 09-12-2025 18:00 − Mittwoch 10-12-2025 18:00 Handler: Guenes Holler Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Der doppelte Login: Phishing-Versuch bei der Salzburg AG ∗∗∗ --------------------------------------------- Mit Phishing-Mails locken Kriminelle die Kund:innen der Salzburg AG auf eine gefälschte Login-Seite. Der erste Anmeldeversuch schlägt zwar fehl, übermittelt aber Usernamen und Passwort an die Betrüger:innen – und öffnet die echte Eingabemaske. Da der zweite Versuch klappt, schöpfen die Opfer keinen Verdacht. Warum die Masche auch für Nicht-Kund:innen relevant ist, erklärt dieser Artikel. --------------------------------------------- https://www.watchlist-internet.at/news/phishing-doppelter-login/ ∗∗∗ 01flip: Multi-Platform Ransomware Written in Rust ∗∗∗ --------------------------------------------- In June 2025, we observed a new ransomware family named 01flip targeting a limited set of victims in the Asia-Pacific region. 01flip ransomware is fully written in the Rust programming language and supports multi-platform architectures by leveraging the cross-compilation feature of Rust. --------------------------------------------- https://unit42.paloaltonetworks.com/new-ransomware-01flip-written-in-rust/ ∗∗∗ Opportunistic Pro-Russia Hacktivists Attack US and Global Critical Infrastructure ∗∗∗ --------------------------------------------- CISA, in partnership with Federal Bureau of Investigation, the National Security Agency, Department of Energy, Environmental Protection Agency, the Department of Defense Cyber Crime Center, and other international partners published a joint cybersecurity advisory, Pro-Russia Hacktivists Create Opportunistic Attacks Against US and Global Critical Infrastructure. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/12/09/opportunistic-pro-russia… ∗∗∗ Spiderman Phishing Kit Targets European Banks with Real-Time Credential Theft ∗∗∗ --------------------------------------------- Varonis threat analysts warn about Spiderman, a dangerous new kit that automates attacks against European banks and crypto customers, stealing a victim’s full identity profile. --------------------------------------------- https://hackread.com/spiderman-phishing-kit-european-banks-credential-theft/ ===================== = Vulnerabilities = ===================== ∗∗∗ Besser manuell patchen: Hacker nutzen gefährliche Lücke im Notepad++-Updater aus ∗∗∗ --------------------------------------------- Angreifer verbreiten über eine Sicherheitslücke im Updater von Notepad++ Malware. Der Entwickler warnt und rät zum Update – aber besser von Hand. --------------------------------------------- https://www.golem.de/news/besser-manuell-patchen-hacker-nutzen-gefaehrliche… ∗∗∗ Patchday: Angreifer nutzen Sicherheitslücke in Windows und Windows Server aus ∗∗∗ --------------------------------------------- Derzeit haben Angreifer unter anderem Windows 11 und Windows Server 2022 im Visier. Demzufolge sollten Admins sicherstellen, dass Windows Update auf ihren Systemen aktiv ist und die aktuellen Sicherheitspatches installiert sind. --------------------------------------------- https://www.heise.de/news/Patchday-Angreifer-nutzen-Sicherheitsluecke-in-Wi… ∗∗∗ Bitdefender: Sicherheitsleck ermöglicht Rechteausweitung im Virenschutz ∗∗∗ --------------------------------------------- In der Virenschutzsoftware von Bitdefender wurde eine Sicherheitslücke entdeckt, die Angreifern das Ausweiten ihrer Rechte im System ermöglicht. Betroffen sind diverse Bitdefender-Varianten. Aktualisierungen zum Ausbessern der Schwachstelle sind verfügbar. --------------------------------------------- https://www.heise.de/news/Bitdefender-Sicherheitsleck-ermoeglicht-Rechteaus… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (abrt and kernel), Debian (libpng1.6, libsoup2.4, pdns-recursor, webkit2gtk, and wordpress), Fedora (imhex, libwebsockets, lunasvg, python3-docs, and python3.14), Mageia (python3 and webkit2), Red Hat (abrt, firefox, mysql8.4, and postgresql:15), Slackware (mozilla), SUSE (gegl, gnutls, go1.24, go1.25, libpng16-16, openssh, postgresql13, python-Jinja2, and sssd), and Ubuntu (fonttools and netty). --------------------------------------------- https://lwn.net/Articles/1049939/ ∗∗∗ Fortinet-Patchday: SSO-Login in vielen Produkten umgehbar ∗∗∗ --------------------------------------------- Angreifer können verschiedene Fortinet-Produkte attackieren und sich unter anderem unbefugt Zugriff verschaffen. Sicherheitsupdates stehen zum Download bereit. Bislang sind keine Berichte zu laufenden Attacken bekannt. Admins sollten mit dem Patchen aber nicht zu lange warten. --------------------------------------------- https://heise.de/-11109878 ∗∗∗ Ivanti stopft kritische Sicherheitlücke im Endpoint Manager ∗∗∗ --------------------------------------------- Ein Update für Ivantis Endpoint Manager schließt unter anderem eine kritische Sicherheitslücke, durch die Angreifer Javascript einschleusen können. --------------------------------------------- https://heise.de/-11110277 ∗∗∗ DSA-6075-1 wordpress - security update ∗∗∗ --------------------------------------------- https://lists.debian.org/debian-security-announce/2025/msg00241.html ∗∗∗ ZDI-25-1045: Schneider Electric PowerChute Serial Shutdown Directory Traversal Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-1045/ ∗∗∗ ZDI-25-1042: Siemens Simcenter Femap IGS File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-1042/ ∗∗∗ Security Vulnerabilities fixed in Thunderbird 140.6 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-96/ ∗∗∗ Security Vulnerabilities fixed in Thunderbird 146 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-95/ ∗∗∗ CISA Releases Three Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/12/09/cisa-releases-three-indu… ∗∗∗ CISA Adds Two Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/12/09/cisa-adds-two-known-expl… ∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/12/05/cisa-adds-one-known-expl… ∗∗∗ K000158128: SQLite vulnerability CVE-2025-6965 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000158128 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 09.12.2025
by Daily end-of-shift report 09 Dec '25

09 Dec '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 05-12-2025 18:00 − Dienstag 09-12-2025 18:00 Handler: Guenes Holler Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Malicious VSCode extensions on Microsofts registry drop infostealers ∗∗∗ --------------------------------------------- Two malicious extensions on Microsoft's Visual Studio Code Marketplace infect developers' machines with information-stealing malware that can take screenshots, steal credentials, crypto wallets, and hijack browser sessions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-vscode-extensions-… ∗∗∗ Ransomware gangs turn to Shanya EXE packer to hide EDR killers ∗∗∗ --------------------------------------------- Multiple ransomware gangs are using a packer-as-a-service platform named Shanya to help them deploy payloads that disable endpoint detection and response solutions on victim systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomware-gangs-turn-to-sha… ∗∗∗ North Korean hackers exploit React2Shell flaw in EtherRAT malware attacks ∗∗∗ --------------------------------------------- A new malware implant called EtherRAT, deployed in a recent React2Shell attack, runs five separate Linux persistence mechanisms and leverages Ethereum smart contracts for communication with the attacker. --------------------------------------------- https://www.bleepingcomputer.com/news/security/north-korean-hackers-exploit… ∗∗∗ ‘Broadside’ Mirai Variant Targets Maritime Logistics Sector ∗∗∗ --------------------------------------------- Yet another variant of the Mirai botnet is threatening the maritime logistics sector by exploiting a critical flaw in digital recording devices used by companies on seagoing vessels. The attacks allow for remote command injection via the vulnerability, enabling attackers to establish Netlink-based process monitoring for persistence and other malicious activities. --------------------------------------------- https://www.darkreading.com/threat-intelligence/broadside-mirai-variant-mar… ∗∗∗ Lumma Stealer: Danger lurking in fake game updates from itch.io and Patreon ∗∗∗ --------------------------------------------- After patches on mainstream gaming platforms like Steam, indie game platforms as well as Patreon have become the latest platforms for distributing malware. --------------------------------------------- https://feeds.feedblitz.com/~/932262560/0/gdatasecurityblog-en~Lumma-Steale… ∗∗∗ Attacken laufen bereits: Rund 29.000 Server über React-Lücke angreifbar ∗∗∗ --------------------------------------------- Angreifer attackieren eine React2Shell genannte kritische Lücke im React-Framework. Allein in Deutschland gibt es noch über 3.000 anfällige Server. --------------------------------------------- https://www.golem.de/news/attacken-laufen-bereits-rund-29-000-server-ueber-… ∗∗∗ Zero-Click Agentic Browser Attack Can Delete Entire Google Drive Using Crafted Emails ∗∗∗ --------------------------------------------- A new agentic browser attack targeting Perplexity's Comet browser that's capable of turning a seemingly innocuous email into a destructive action that wipes a user's entire Google Drive contents, findings from Straiker STAR Labs show. --------------------------------------------- https://thehackernews.com/2025/12/zero-click-agentic-browser-attack-can.html ∗∗∗ Android Malware FvncBot, SeedSnatcher, and ClayRat Gain Stronger Data Theft Features ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed details of two new Android malware families dubbed FvncBot and SeedSnatcher, as another upgraded version of ClayRat has been spotted in the wild. --------------------------------------------- https://thehackernews.com/2025/12/android-malware-fvncbot-seedsnatcher.html ∗∗∗ Experts Confirm JS#SMUGGLER Uses Compromised Sites to Deploy NetSupport RAT ∗∗∗ --------------------------------------------- Cybersecurity researchers are calling attention to a new campaign dubbed JS#SMUGGLER that has been observed leveraging compromised websites as a distribution vector for a remote access trojan named NetSupport RAT. --------------------------------------------- https://thehackernews.com/2025/12/experts-confirm-jssmuggler-uses.html ∗∗∗ STAC6565 Targets Canada in 80% of Attacks as Gold Blade Deploys QWCrypt Ransomware ∗∗∗ --------------------------------------------- Canadian organizations have emerged as the focus of a targeted cyber campaign orchestrated by a threat activity cluster known as STAC6565. --------------------------------------------- https://thehackernews.com/2025/12/stac6565-targets-canada-in-80-of.html ∗∗∗ Storm-0249 Escalates Ransomware Attacks with ClickFix, Fileless PowerShell, and DLL Sideloading ∗∗∗ --------------------------------------------- The threat actor known as Storm-0249 is likely shifting from its role as an initial access broker to adopt a combination of more advanced tactics like domain spoofing, DLL side-loading, and fileless PowerShell execution to facilitate ransomware attacks. --------------------------------------------- https://thehackernews.com/2025/12/storm-0249-escalates-ransomware-attacks.h… ∗∗∗ Novel clickjacking attack relies on CSS and SVG ∗∗∗ --------------------------------------------- Security researcher Lyra Rebane has devised a novel clickjacking attack that relies on Scalable Vector Graphics (SVG) and Cascading Style Sheets (CSS). --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/12/05/css_svg_clic… ∗∗∗ Crims using social media images, videos in virtual kidnapping scams ∗∗∗ --------------------------------------------- Criminals are altering social media and other publicly available images of people to use as fake proof of life photos in "virtual kidnapping" and extortion scams, the FBI warned on Friday. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/12/05/virtual_kidn… ∗∗∗ New Prompt Injection Attack Vectors Through MCP Sampling ∗∗∗ --------------------------------------------- This article examines the security implications of the Model Context Protocol (MCP) sampling feature in the context of a widely used coding copilot application. MCP is a standard for connecting large language model (LLM) applications to external data sources and tools. --------------------------------------------- https://unit42.paloaltonetworks.com/model-context-protocol-attack-vectors/ ∗∗∗ New BYOVD loader behind DeadLock ransomware attack ∗∗∗ --------------------------------------------- Talos observed a threat actor leveraging a BYOVD technique to disable endpoint detection and escalate privileges in an attack that eventually delivered DeadLock ransomware as the payload. --------------------------------------------- https://blog.talosintelligence.com/byovd-loader-deadlock-ransomware/ ∗∗∗ Space Bears Ransomware Claims Comcast Data Theft Through QuasarBreach ∗∗∗ --------------------------------------------- Space Bears ransomware group is claiming that it obtained internal Comcast material by exploiting a breach at Quasar Inc., a telecommunications engineering contractor based in Georgia. --------------------------------------------- https://hackread.com/space-bears-ransomware-comcast-quasar-breach/ ∗∗∗ ChrimeraWire Trojan Fakes Chrome Activity to Manipulate Search Rankings ∗∗∗ --------------------------------------------- ChrimeraWire is a new Windows trojan that automates web browsing through Chrome to simulate user activity and manipulate search engine rankings. --------------------------------------------- https://hackread.com/chrimerawire-trojan-fakes-chrome-search-activity/ ∗∗∗ SimpleX Chat X Account Hacked, Fake Site Promotes Crypto Wallet Scam ∗∗∗ --------------------------------------------- SimpleX Chat’s X account hacked to promote fake crypto site urging users to connect wallets. Site mimicked official design to steal funds. --------------------------------------------- https://hackread.com/simplex-chat-x-account-hacked-fake-site-wallet-scam/ ∗∗∗ Coupongogo: Remote-Controlled Crypto Stealer Targeting Developers on GitHub ∗∗∗ --------------------------------------------- Deep dive into the Coupongogo browser extension (v1.1.12): The alarming cryptostealer waiting for activation. --------------------------------------------- https://www.rastersec.com/blog/coupongogo-cryptostealer ∗∗∗ CVE-2023-20078 technical analysis: Identifying and triggering a command injection vulnerability in Cisco IP phones ∗∗∗ --------------------------------------------- CVE-2023-20078 catalogs an unauthenticated command injection vulnerability in the web-based management interface of Cisco 6800, 7800, and 8800 Series IP Phones with Multiplatform Firmware installed; however, limited technical analysis is publicly available. This article presents my findings while researching this vulnerability. In the end, the reader should be equipped with the information necessary to understand and trigger this vulnerability. --------------------------------------------- https://www.ibm.com/think/x-force/cve-2023-20078-technical-analysis ∗∗∗ Malicious Crate Mimicking ‘Finch’ Exfiltrates Credentials via a Hidden Dependency ∗∗∗ --------------------------------------------- Socket found a Rust typosquat (finch-rust) that loads sha-rust to steal credentials, using impersonation and an unpinned dependency to auto-deliver updates. --------------------------------------------- https://socket.dev/blog/malicious-crate-mimicking-finch-exfiltrates-credent… ∗∗∗ Researchers Uncover 30+ Flaws in AI Coding Tools Enabling Data Theft and RCE Attacks ∗∗∗ --------------------------------------------- Over 30 security vulnerabilities have been disclosed in various artificial intelligence (AI)-powered Integrated Development Environments (IDEs) that combine prompt injection primitives with legitimate features to achieve data exfiltration and remote code execution. --------------------------------------------- https://thehackernews.com/2025/12/researchers-uncover-30-flaws-in-ai.html ===================== = Vulnerabilities = ===================== ∗∗∗ DSA-6073-1 ffmpeg - security update ∗∗∗ --------------------------------------------- Several vulnerabilities have been discovered in the FFmpeg multimedia framework, which could result in denial of service or potentially the execution of arbitrary code if malformed files/streams are processed. --------------------------------------------- https://lists.debian.org/debian-security-announce/2025/msg00239.html ∗∗∗ Critical XXE Bug CVE-2025-66516 (CVSS 10.0) Hits Apache Tika, Requires Urgent Patch ∗∗∗ --------------------------------------------- A critical security flaw has been disclosed in Apache Tika that could result in an XML external entity (XXE) injection attack. The vulnerability, tracked as CVE-2025-66516, is rated 10.0 on the CVSS scoring scale, indicating maximum severity. --------------------------------------------- https://thehackernews.com/2025/12/critical-xxe-bug-cve-2025-66516-cvss.html ∗∗∗ Sneeit WordPress RCE Exploited in the Wild While ICTBroadcast Bug Fuels Frost Botnet Attacks ∗∗∗ --------------------------------------------- A critical security flaw in the Sneeit Framework plugin for WordPress is being actively exploited in the wild, per data from Wordfence. The remote code execution vulnerability in question is CVE-2025-6389 (CVSS score: 9.8), which affects all versions of the plugin prior to and including 8.3. It has been patched in version 8.4, released on August 5, 2025. The plugin has more than 1,700 active installations. --------------------------------------------- https://thehackernews.com/2025/12/sneeit-wordpress-rce-exploited-in-wild.ht… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ffmpeg, krita, lasso, and libpng1.6), Fedora (abrt, cef, chromium, tinygltf, webkitgtk, and xkbcomp), Oracle (buildah, delve and golang, expat, python-kdcproxy, qt6-qtquick3d, qt6-qtsvg, sssd, thunderbird, and valkey), Red Hat (webkit2gtk3), and SUSE (git-bug, go1, and libpng12-0). --------------------------------------------- https://lwn.net/Articles/1049657/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (kernel, kernel-rt, and webkit2gtk3), Fedora (abrt and mingw-libpng), Mageia (apache and libpng), Oracle (abrt, go-toolset:rhel8, kernel, sssd, and webkit2gtk3), Red Hat (kernel and kernel-rt), SUSE (gimp, gnutls, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, and postgresql13), and Ubuntu (gnupg2, python-apt, radare2, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/1049769/ ∗∗∗ iOS 26.2: Apple behebt kritische Bugs im zweiten Release Candidate ∗∗∗ --------------------------------------------- Das wahrscheinlich letzte große iOS-Update des Jahres, iOS 26.2, lässt etwas länger auf sich warten: Apple hat stattdessen am Montagabend deutscher Zeit einen zweiten Release Candidate des Updates für das iPhone-Betriebssystem veröffentlicht. Was genau im RC2 geändert wurde, verrieten die Kalifornier bisher nicht. Es gilt aber als sicher, dass einer oder mehrere kritische Fehler behoben werden. Offen bleibt, wann mit dem finalen Release zu rechnen ist. --------------------------------------------- https://heise.de/-11108257 ∗∗∗ Multiple vulnerabilities in ABB Terra AC Wallbox ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN84024274/ ∗∗∗ Multiple vulnerabilities in GroupSession ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN19940619/ ∗∗∗ SAP-Patchday: 14 Sicherheitswarnungen zum Jahresende ∗∗∗ --------------------------------------------- https://www.heise.de/news/SAP-Patchday-14-Sicherheitswarnungen-zum-Jahresen… ∗∗∗ Security Vulnerabilities fixed in Firefox ESR 140.6 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-94/ ∗∗∗ Security Vulnerabilities fixed in Firefox ESR 115.31 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-93/ ∗∗∗ Security Vulnerabilities fixed in Firefox 146 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-92/ ∗∗∗ Vulnerability Summary for the Week of December 1, 2025 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/bulletins/sb25-342 ∗∗∗ CISA Adds Two Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/12/08/cisa-adds-two-known-expl… ∗∗∗ K000158118: PostgreSQL vulnerabilities CVE-2025-8713, CVE-2025-8715 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000158118 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 05.12.2025
by Daily end-of-shift report 05 Dec '25

05 Dec '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 04-12-2025 18:00 − Freitag 05-12-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ React2Shell - Angriffe gegen verwundbare Anwendungen auf von Basis React.JS und weiterer Frameworks ∗∗∗ --------------------------------------------- Diese Woche wurden kritische Sicherheitslücken in den React Server Components veröffentlicht. Diese Schwachstellen ermöglichen unauthentifizierte Remote-Code Execution sofern Anwendungen die betroffenen Server Components einsetzen. Mittlerweile wird diese Sicherheitslücke aktiv ausgenutzt um verwundbare Installationen zu kompromittieren. Proof-of-Concept Exploits sind bereits öffentlich zugänglich. CVE-Nummer(n): CVE-2025-55182 --------------------------------------------- https://www.cert.at/de/warnungen/2025/12/react2shell-angriffe-gegen-verwund… ∗∗∗ CVE-2025-55182 (React2Shell) Opportunistic Exploitation In The Wild: What The GreyNoise Observation Grid Is Seeing So Far ∗∗∗ --------------------------------------------- GreyNoise is already seeing opportunistic, largely automated exploitation attempts consistent with the newly disclosed React Server Components (RSC) “Flight” protocol RCE—often referred to publicly as “React2Shell” and tracked as CVE-2025-55182. --------------------------------------------- https://www.greynoise.io/blog/cve-2025-55182-react2shell-opportunistic-expl… ∗∗∗ Cloudflare blames todays outage on emergency React2Shell patch ∗∗∗ --------------------------------------------- Cloudflare has blamed todays outage on the emergency patching of a critical React remote code execution vulnerability, which is now actively exploited in attacks. [..] "The issue was not caused, directly or indirectly, by a cyber attack on Cloudflare’s systems or malicious activity of any kind. Instead, it was triggered by changes being made to our body parsing logic while attempting to detect and mitigate an industry-wide vulnerability disclosed this week in React Server Components," Cloudflare CTO Dane Knecht noted in a post-mortem. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cloudflare-blames-todays-out… ∗∗∗ Cybersecurity industry overreacts to React vulnerability, starts panic, burns own house down again ∗∗∗ --------------------------------------------- The disclosure write up is great — it’s full of facts, and explains when you are and aren’t vulnerable. I don’t think anybody knows how to parse it and people have started taking actions before even knowing what they’re doing. [..] Check with your developers and suppliers if they even use React v19 yet. They most probably don’t, in which case you aren’t vulnerable. --------------------------------------------- https://doublepulsar.com/cybersecurity-industry-overreacts-to-react-vulnera… ∗∗∗ Hackers are exploiting ArrayOS AG VPN flaw to plant webshells ∗∗∗ --------------------------------------------- Threat actors have been exploiting a command injection vulnerability in Array AG Series VPN devices to plant webshells and create rogue users. Array Networks fixed the vulnerability in a May security update, but has not assigned an identifier, complicating efforts to track the flaw and patch management. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-are-exploiting-array… ∗∗∗ FBI warns of virtual kidnapping scams using altered social media photos ∗∗∗ --------------------------------------------- The FBI warns that criminals are altering images shared on social media and using them as fake proof of life photos in virtual kidnapping ransom scams. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fbi-warns-of-virtual-kidnapp… ∗∗∗ Asus supplier hit by ransomware attack as gang flaunts alleged 1 TB haul ∗∗∗ --------------------------------------------- Laptop maker says a vendor breach exposed some phone camera code, but not its own systems Asus has admitted that a third-party supplier was popped by cybercrims after the Everest ransomware gang claimed it had rifled through the tech titans internal files. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/12/05/asus_supplie… ∗∗∗ SMS Phishers Pivot to Points, Taxes, Fake Retailers ∗∗∗ --------------------------------------------- Over the past week, thousands of domain names were registered for scam websites that purport to offer T-Mobile customers the opportunity to claim a large number of rewards points. The phishing domains are being promoted by scam messages sent via Apple’s iMessage service or the functionally equivalent RCS messaging service built into Google phones. --------------------------------------------- https://krebsonsecurity.com/2025/12/sms-phishers-pivot-to-points-taxes-fake… ∗∗∗ Warnung: Neue Phishing-E-Mails im Namen der WKO im Umlauf ∗∗∗ --------------------------------------------- Kriminelle imitieren besonders gern bekannte Organisationen. Aktuell ist erneut die WKO betroffen. Bei einer neuen Phishing-Variante werden Empfänger:innen unter dem Vorwand einer „Qualitätssicherung“ dazu aufgefordert, ihre Daten zu überprüfen. --------------------------------------------- https://www.watchlist-internet.at/news/wko-phishing-e-mails-datenerfassung/ ∗∗∗ A Hidden Pattern Within Months of Credential-Based Attacks Against Palo Alto GlobalProtect ∗∗∗ --------------------------------------------- GreyNoise detected a surge of 7,000+ IPs attempting to log into GlobalProtect, sharing fingerprints with a surge in SonicWall API scanning and earlier Palo Alto campaigns, exposing a persistent credential-based attack pattern. --------------------------------------------- https://www.greynoise.io/blog/hidden-pattern-credential-based-attacks-palo-… ∗∗∗ November CVEs Fell 25% YoY, Driven by Slowdowns at Major CNAs ∗∗∗ --------------------------------------------- 2025 CVE volume is still running ahead of 2024 overall, even as November cooled off year over year. [..] For security teams, the practical takeaway is to be careful about using “global CVE count” as a proxy for risk. CVE volume can still be useful as a publishing health signal, especially when concentrated among a small number of high-output CNAs and programs. --------------------------------------------- https://socket.dev/blog/november-cves-fell-25-yoy-driven-by-slowdowns-at-ma… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (buildah, firefox, gimp:2.8, go-toolset:rhel8, ipa, kea, kernel, kernel-rt, pcs, qt6-qtquick3d, qt6-qtsvg, systemd, and valkey), Debian (chromium and unbound), Fedora (alexvsbus, CuraEngine, fcgi, libcoap, python-kdcproxy, texlive-base, timg, and xpdf), Mageia (digikam, darktable, libraw, gnutls, python-django, unbound, webkit2, and xkbcomp), Oracle (bind, firefox, gimp:2.8, haproxy, ipa, java-25-openjdk, kea, kernel, libsoup3, libssh, libtiff, openssl, podman, qt6-qtsvg, squid, systemd, vim, and xorg-x11-server-Xwayland), Slackware (httpd and libpng), SUSE (chromedriver, kernel, and python-mistralclient), and Ubuntu (cups, linux-azure, linux-gcp, linux-gcp, linux-gke, linux-gkeop, linux-ibm-6.8, linux-iot, and mame). --------------------------------------------- https://lwn.net/Articles/1049417/ ∗∗∗ VU#441887: Duc contains a stack buffer overflow vulnerability in the buffer_get function, allowing for out-of-bounds memory read ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/441887 ∗∗∗ Drupal: Security advisories for contributed projects ∗∗∗ --------------------------------------------- https://www.drupal.org/security/contrib ∗∗∗ Socomec DIRIS Digiware M series and Easy Config, PDF XChange Editor vulnerabilities ∗∗∗ --------------------------------------------- https://blog.talosintelligence.com/socomec-diris-digiware-m-series-and-easy… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 04.12.2025
by Daily end-of-shift report 04 Dec '25

04 Dec '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 03-12-2025 18:30 − Donnerstag 04-12-2025 18:30 Handler: Michael Schlagenhaufer Co-Handler: Guenes Holler ===================== = News = ===================== ∗∗∗ Fraudulent gambling network may be a nation-state spying operation ∗∗∗ --------------------------------------------- A sprawling infrastructure that has been bilking unsuspecting people through fraudulent gambling websites for 14 years is likely a dual operation run by a nation-state-sponsored group that is targeting government and private-industry organizations in the US and Europe, researchers said Wednesday. --------------------------------------------- https://arstechnica.com/security/2025/12/fraudulent-gambling-network-may-be… ∗∗∗ Sparkurs bei MacOS: Apple verärgert Forscher mit gekürzten Bug-Bounty-Prämien ∗∗∗ --------------------------------------------- Forscher, die Sicherheitslücken in dem Apple-Betriebssystem MacOS erkunden und an den Hersteller melden, erhalten dafür künftig geringere Belohnungen. Darauf machte kürzlich der Sicherheitsforscher Csaba Fitzl in einem Beitrag auf Linkedin aufmerksam. Er wirft Apple vor, MacOS mit diesem Schritt abzuwerten und sich nicht mehr für den Datenschutz der Nutzer zu interessieren. --------------------------------------------- https://www.golem.de/news/macos-apple-veraergert-forscher-mit-gekuerzten-bu… ∗∗∗ Attempts to Bypass CDNs, (Wed, Dec 3rd) ∗∗∗ --------------------------------------------- Currently, in order to provide basic DDoS protection and filter aggressive bots, some form of Content Delivery Network (CDN) is usually the simplest and most cost-effective way to protect a web application. In a typical setup, DNS is used to point clients to the CDN, and the CDN will then forward the request to the actual web server. There are a number of companies offering services like this, and cloud providers will usually have solutions like this as well. --------------------------------------------- https://isc.sans.edu/diary/rss/32532 ∗∗∗ Nation-State Attack or Compromised Government? [Guest Diary], (Thu, Dec 4th) ∗∗∗ --------------------------------------------- The ISC internship didn't just teach me about security, it changed how I thought about threats entirely. There's something intriguing about watching live attacks materialize on your DShield Honeypot, knowing that somewhere across the world, an attacker just made a move. And the feedback loop of writing detailed attack observations, then having experienced analysts critique and refine your analysis? That's where real learning happens. One attack observation in particular stands out as a perfect example of what makes this internship so powerful. Let me show you what I discovered! --------------------------------------------- https://isc.sans.edu/diary/rss/32536 ∗∗∗ Record 29.7 Tbps DDoS Attack Linked to AISURU Botnet with up to 4 Million Infected Hosts ∗∗∗ --------------------------------------------- The botnet has prominently targeted telecommunication providers, gaming companies, hosting providers, and financial services. Also tackled by Cloudflare was a 14.1 Bpps DDoS attack from the same botnet. AISURU is believed to be powered by a massive network comprising an estimated 1-4 million infected hosts worldwide. --------------------------------------------- https://thehackernews.com/2025/12/record-297-tbps-ddos-attack-linked-to.html ∗∗∗ Gartenfreude oder Betrugsfalle? Warnung vor betrügerischen Pflanzenshops ∗∗∗ --------------------------------------------- Der Beginn des Winters ist einer der besten Zeitpunkte, um Obstbäume zu pflanzen. Das wissen nicht nur Gartenfreund:innen, sondern leider auch Kriminelle. Immer mehr Fake-Shops locken mit vermeintlich attraktiven Angeboten und führen Konsument:innen in die Falle. --------------------------------------------- https://www.watchlist-internet.at/news/warnung-vor-betruegerischen-pflanzen… ∗∗∗ BRICKSTORM Backdoor ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Canadian Centre for Cyber Security (Cyber Centre) assess People’s Republic of China (PRC) state-sponsored cyber actors are using BRICKSTORM malware for long-term persistence on victim systems. CISA, NSA, and Cyber Centre are releasing this Malware Analysis Report to share indicators of compromise (IOCs) and detection signatures based off analysis of eight BRICKSTORM samples. CISA, NSA, and Cyber Centre urge organizations to use the IOCs and detection signatures to identify BRICKSTORM malware samples. --------------------------------------------- https://www.cisa.gov/news-events/analysis-reports/ar25-338a ∗∗∗ ValleyRAT Campaign Targets Job Seekers, Abuses Foxit PDF Reader for DLL Side-loading ∗∗∗ --------------------------------------------- Job seekers looking out for opportunities might instead find their personal devices compromised, as a ValleyRAT campaign propagated through email leverages Foxit PDF Reader for concealment and DLL side-loading for initial entry. --------------------------------------------- https://www.trendmicro.com/en_us/research/25/l/valleyrat-campaign.html ∗∗∗ Fake ChatGPT Atlas Browser Used in ClickFix Attack to Steal Passwords ∗∗∗ --------------------------------------------- Cybersecurity researchers have uncovered a critical ChatGPT Atlas browser attack, confirming the danger of the ongoing surge in the ClickFix threat. --------------------------------------------- https://hackread.com/fake-chatgpt-atlas-clickfix-steal-passwords/ ∗∗∗ Sanctioned but Still Spying: Intellexa’s Prolific Zero-Day Exploits Continue ∗∗∗ --------------------------------------------- Despite extensive scrutiny and public reporting, commercial surveillance vendors continue to operate unimpeded. A prominent name continues to surface in the world of mercenary spyware, Intellexa. Known for its “Predator” spyware, the company was sanctioned by the US Government. New Google Threat Intelligence Group (GTIG) analysis shows that Intellexa is evading restrictions and thriving. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/intellexa-zero-day… ∗∗∗ New Stealthy Linux Malware Combines Mirai DDoS Botnet with Cryptominer ∗∗∗ --------------------------------------------- Cyble researchers have identified new Linux malware that combines Mirai-derived DDoS botnet capabilities with a stealthy fileless cryptominer, enabling both network disruption and financial profit in the same threat campaign. --------------------------------------------- https://thecyberexpress.com/linux-malware-mirai-botnet-cryptominer/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (expat and libxml2), Debian (openvpn and webkit2gtk), Fedora (gi-loadouts, kf6-kcoreaddons, kf6-kguiaddons, kf6-kjobwidgets, kf6-knotifications, kf6-kstatusnotifieritem, kf6-kunitconversion, kf6-kwidgetsaddons, kf6-kxmlgui, nanovna-saver, persepolis, python-ezdxf, python-pyside6, sigil, stb, syncplay, tinyproxy, torbrowser-launcher, ubertooth, and usd), Mageia (cups), SUSE (cups, gegl, icinga2, mozjs128, and Security), and Ubuntu (ghostscript, kernel, linux, linux-aws, linux-aws-5.15, linux-gcp-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx, linux-oracle, linux-oracle-5.15, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-hwe, linux-kvm, linux-oracle, linux-aws-fips, linux-fips, linux-aws-fips, linux-fips, linux-gcp-fips, linux-azure-fips, linux-gcp, linux-gcp-4.15, linux-hwe, linux-gcp, linux-gcp-6.8, linux-gke, linux-gkeop, linux-gcp-6.14, linux-raspi, linux-gcp-fips, linux-intel-iot-realtime, linux-realtime, linux-raspi, linux-raspi-realtime, linux-xilinx, and postgresql-14, postgresql-16, postgresql-17). --------------------------------------------- https://lwn.net/Articles/1049251/ ∗∗∗ Cross-Site Scripting in Nextcloud: Development files shipped in files_pdfviewer app ∗∗∗ --------------------------------------------- Nextcloud’s PDF viewer uses an outdated version of PDF.js vulnerable to CVE-2024-4367. Attackers with regular user access to a Nextcloud instance are able to prepare a special link. If this link is visited by other logged-in users a cross-site scripting is executed and attackers get access to that users’ files. --------------------------------------------- https://www.redteam-pentesting.de/en/advisories/rt-sa-2025-003/ ∗∗∗ Jetzt patchen! Kritische Schadcodelücke bedroht React ∗∗∗ --------------------------------------------- Softwareentwickler, die mit React arbeiten, sollten die JavaScript-Programmbibliothek aus Sicherheitsgründen umgehend auf den aktuellen Stand bringen. Geschieht das nicht, können Angreifer eine Schwachstelle ausnutzen und Systeme durch das Ausführen von Schadcode vollständig kompromittieren. Sicherheitsupdates sind verfügbar. --------------------------------------------- https://heise.de/-11102366 ∗∗∗ Chrome 143.0.7499.40 / 41 schließt Schwachstellen ∗∗∗ --------------------------------------------- Zum 2. Dezember 2025 hat Google den Chrome-Browser auf die Versionen 143.0.7499.40 / 41 aktualisiert, um gleich mehrere Schwachstellen zu schließen. Auch der Extended Stable Chromium-Entwicklungszweig hat ein Update erhalten. Ich ziehe mal einige Informationen zu diesen Themen nachfolgend kurz zusammen. --------------------------------------------- https://www.borncity.com/blog/2025/12/04/chrome-143-0-7499-40-41-schliesst-… ∗∗∗ DSA-6069-1 openvpn - security update ∗∗∗ --------------------------------------------- https://lists.debian.org/debian-security-announce/2025/msg00235.html ∗∗∗ K000158050: SQLite vulnerability CVE-2019-8457 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000158050 ∗∗∗ K000158042: Apache HTTP server vulnerabilities CVE-2024-47252 and CVE-2025-49812 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000158042 ∗∗∗ K000158059: Next.js vulnerability CVE-2025-66478 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000158059 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 03.12.2025
by Daily end-of-shift report 03 Dec '25

03 Dec '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 02-12-2025 18:00 − Mittwoch 03-12-2025 18:30 Handler: Michael Schlagenhaufer Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Aisuru botnet behind new record-breaking 29.7 Tbps DDoS attack ∗∗∗ --------------------------------------------- In just three months, the massive Aisuru botnet launched more than 1,300 distributed denial-of-service attacks, one of them setting a new record with a peak at 29.7 terabits per second. --------------------------------------------- https://www.bleepingcomputer.com/news/security/aisuru-botnet-behind-new-rec… ∗∗∗ Deep dive into DragonForce ransomware and its Scattered Spider connection ∗∗∗ --------------------------------------------- DragonForce expanded its ransomware operation in 2025 by working with English-speaking hackers known for advanced social engineering and initial access. Acronis explains how the "Scattered Spider" collaboration enables coordinated, multistage intrusions across major environments. --------------------------------------------- https://www.bleepingcomputer.com/news/security/deep-dive-into-dragonforce-r… ∗∗∗ Technical Analysis of Matanbuchus 3.0 ∗∗∗ --------------------------------------------- Matanbuchus is a malicious downloader, written in C++, which has been offered as a Malware-as-a-Service (MaaS) since 2020. Over this time, Matanbuchus has undergone several development stages. In July 2025, version 3.0 of Matanbuchus was identified in-the-wild. Matanbuchus offers threat actors the option to deploy additional payloads and perform hands-on keyboard activity via shell commands. --------------------------------------------- https://www.zscaler.com/blogs/security-research/technical-analysis-matanbuc… ∗∗∗ Grundrechte: Gericht stoppt Massenüberwachung des Schweizer Geheimdienstes ∗∗∗ --------------------------------------------- Das Schweizer Bundesverwaltungsgericht erklärt die Fernmeldeaufklärung des Nachrichtendienstes des Bundes nach Klage von Bürgerrechtlern für verfassungswidrig. --------------------------------------------- https://www.heise.de/news/Grundrechte-Gericht-stoppt-Massenueberwachung-des… ∗∗∗ Falsche Schlangen: Neues von MuddyWater ∗∗∗ --------------------------------------------- MuddyWater hat es auf kritische Infrastrukturen in Israel und Ägypten abgesehen und setzt dabei auf maßgeschneiderte Malware, verbesserte Taktiken und ein vorhersehbares Spielbuch. --------------------------------------------- https://www.welivesecurity.com/de/eset-research/falsche-schlangen-neues-von… ∗∗∗ Aktuelle Welle: Phishing im Namen der Volksbank ∗∗∗ --------------------------------------------- Seit einigen Wochen versenden Kriminelle ihre Phishing-Versuche besonders häufig im Namen der Volksbank. Sie setzen dabei auf die altbekannten E-Mails bzw. SMS-Nachrichten. Wer dem Link zur „Datenaktualisierung“ oder „Konto-Entsperrung“ folgt, läuft Gefahr, Logindaten für Onlinebanking preiszugeben. --------------------------------------------- https://www.watchlist-internet.at/news/starke-welle-phishing-volksbank/ ∗∗∗ India backs off mandatory cyber safety app after surveillance backlash ∗∗∗ --------------------------------------------- Mobile phone makers will no longer be required to load the Indian governments Sanchar Saathi app onto new devices after the initial announcement prompted pushback from companies and privacy groups. --------------------------------------------- https://therecord.media/india-drops-mandate-sanchar-saathi-app-privacy-surv… ∗∗∗ Small numbers of Notepad++ users reporting security woes ∗∗∗ --------------------------------------------- I’ve heard from 3 orgs now who’ve had security incidents on boxes with Notepad++ installed, where it appears Notepad++ processes have spawned the initial access. These have resulted in hands on keyboard threat actors. --------------------------------------------- https://doublepulsar.com/small-numbers-of-notepad-users-reporting-security-… ∗∗∗ Everest Ransomware Claims ASUS Breach and 1TB Data Theft ∗∗∗ --------------------------------------------- Everest ransomware group claims it breached ASUS, stealing over 1TB of data including camera source code. ASUS has been given 21 hours to respond via Qtox. --------------------------------------------- https://hackread.com/everest-ransomware-asus-breach-1tb-data/ ∗∗∗ Paying the Ransom: A Short-Term Fix or Long-Term Risks? ∗∗∗ --------------------------------------------- Ransomware attacks rose by nearly 25% in 2024. If compromised, should you pay ransomware demands or not? We review the risks, reasons to pay or not, and more. --------------------------------------------- https://www.bitsight.com/blog/paying-ransom-for-ransomware ∗∗∗ Industrielle Kontrollsysteme: Iskra iHUB bleibt vorerst ohne Sicherheitspatch ∗∗∗ --------------------------------------------- Für einige industrielle Steuerungs- und Automatisierungssysteme von etwa Mitsubishi sind Sicherheitsupdates erschienen. Eine kritische Lücke bleibt aber offen. --------------------------------------------- https://heise.de/-11101017 ===================== = Vulnerabilities = ===================== ∗∗∗ Vulnerability & Patch Roundup — November 2025 ∗∗∗ --------------------------------------------- Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises. To help educate website owners about potential threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month. --------------------------------------------- https://blog.sucuri.net/2025/11/vulnerability-patch-roundup-november-2025.h… ∗∗∗ 100,000 WordPress Sites Affected by Remote Code Execution Vulnerability in Advanced Custom Fields: Extended WordPress Plugin ∗∗∗ --------------------------------------------- On November 18th, 2025, we received a submission for an unauthenticated Remote Code Execution vulnerability in Advanced Custom Fields: Extended, a WordPress plugin with more than 100,000 active installations. This vulnerability can be leveraged to execute code remotely. --------------------------------------------- https://www.wordfence.com/blog/2025/12/100000-wordpress-sites-affected-by-r… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (containerd, mako, and xen), Fedora (forgejo, nextcloud, openbao, rclone, restic, and tigervnc), Oracle (firefox, kernel, libtiff, libxml2, and postgresql), SUSE (libecpg6, lightdm-kde-greeter, python-cbor2, python-mistralclient-doc, python315, and python39), and Ubuntu (kdeconnect, linux, linux-aws, linux-realtime, python-django, and unbound). --------------------------------------------- https://lwn.net/Articles/1049103/ ∗∗∗ Microsoft schließt stillschweigend LNK-Schwachstelle CVE-2025-9491 ∗∗∗ --------------------------------------------- Seit Ende August 2025 ist eine LNK-File-Schwachstelle (CVE-2025-9491) bekannt. Diese lässt sich unter Windows für eine Remote Code-Ausführung missbrauchen. Microsoft wollte erst keinen Patch bereitstellen, hat dann aber doch was per Update getan. --------------------------------------------- https://www.borncity.com/blog/2025/12/03/microsoft-schliesst-stillschweigen… ∗∗∗ CISA Releases Five Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- CISA released five Industrial Control Systems (ICS) Advisories. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSA-25-336-01 Industrial Video & Control LongwatchICSA-25-336-02 Iskra iHUB and iHUB Lite. ICSMA-25-336-01 Mirion Medical EC2 Software NMIS BioDose. ICSA-25-201-01 Mitsubishi Electric CNC Series (Update A) and ICSA-23-157-02 Mitsubishi Electric MELSEC iQ-R Series/iQ-F Series (Update C). --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/12/02/cisa-releases-five-indus… ∗∗∗ ZDI-25-1039: (Pwn2Own) Synology BeeStation Plus auth_info Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-1039/ ∗∗∗ Splunk SVD-2025-1209: Third-Party Package Updates in Splunk Enterprise - December 2025 ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2025-1209 ∗∗∗ Splunk SVD-2025-1206: Incorrect permissions assignment on Splunk Universal Forwarder for Windows during new installation or upgrade ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2025-1206 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 02.12.2025
by Daily end-of-shift report 02 Dec '25

02 Dec '25

===================== = End-of-Day report = ===================== Timeframe: Montag 01-12-2025 18:00 − Dienstag 02-12-2025 18:00 Handler: Felician Fuchs Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Glassworm malware returns in third wave of malicious VS Code packages ∗∗∗ --------------------------------------------- The Glassworm campaign, which first emerged on the OpenVSX and Microsoft Visual Studio marketplaces in October, is now in its third wave, with 24 new packages added on the two platforms. --------------------------------------------- https://www.bleepingcomputer.com/news/security/glassworm-malware-returns-in… ∗∗∗ [Guest Diary] Hunting for SharePoint In-Memory ToolShell Payloads, (Tue, Dec 2nd) ∗∗∗ --------------------------------------------- In July 2025, many of us were introduced to the Microsoft SharePoint exploit chain known as ToolShell. ToolShell exploits the deserialization and authentication bypass vulnerabilities, CVE-2025-53770 [2] and CVE-2025-53771 [3], in on-premises SharePoint Server 2016, 2019, and Subscription editions. --------------------------------------------- https://isc.sans.edu/diary/rss/32524 ∗∗∗ Iran-Linked Hackers Hits Israeli Sectors with New MuddyViper Backdoor in Targeted Attacks ∗∗∗ --------------------------------------------- Israeli entities spanning academia, engineering, local government, manufacturing, technology, transportation, and utilities sectors have emerged as the target of a new set of attacks undertaken by Iranian nation-state actors that have delivered a previously undocumented backdoor called MuddyViper. --------------------------------------------- https://thehackernews.com/2025/12/iran-linked-hackers-hits-israeli_2.html ∗∗∗ Stealthy browser extensions waited years before infecting 4.3M Chrome, Edge users with backdoors and spyware ∗∗∗ --------------------------------------------- And some are still active in the Microsoft Edge store A seven-year malicious browser extension campaign infected 4.3 million Google Chrome and Microsoft Edge users with malware, including backdoors and spyware sending peoples data to servers in China. --------------------------------------------- https://www.theregister.com/2025/12/01/chrome_edge_malicious_browser_extens… ∗∗∗ Dont say "Jehova" to an LLM ∗∗∗ --------------------------------------------- The Rabbi in the old skit from Monty Python's "Life of Brian" fell for it, and for a long time, philosophers argued whether quoting someone is fundamentally different to just saying the sentence. I remember a story where one actor smuggled a wedding promise in a co-actor's copy of his lines: After the vow was made on the set and the sentence couldn't be found in the official script: is the actor now bound in real life by his promise? --------------------------------------------- https://www.cert.at/en/blog/2025/12/dont-say-jehova-to-an-llm ∗∗∗ Proxyearth Tool Lets Anyone Trace Users in India with Just a Mobile Number ∗∗∗ --------------------------------------------- Proxyearth is a new site that shows names, Aadhaar numbers, and live locations of users in India using only mobile numbers, raising serious privacy and security concerns. --------------------------------------------- https://hackread.com/proxyearth-trace-users-india-mobile-number/ ∗∗∗ Android TV: YouTube-Client SmartTube war mit Malware verseucht ∗∗∗ --------------------------------------------- Unbekannte konnten SmartTube mit Malware verseuchen und die Version kurzzeitig in Umlauf bringen. Nun gibt der Entwickler Einblicke zum Vorfall. --------------------------------------------- https://heise.de/-11099310 ∗∗∗ Shai-Hulud 2.0 Aftermath: Trends, Victimology and Impact ∗∗∗ --------------------------------------------- A deeper look at the Shai-Hulud 2.0 supply chain attack: reviewing the infection spread, victimology, leaked secrets distribution, and community response so far. --------------------------------------------- https://www.wiz.io/blog/shai-hulud-2-0-aftermath-ongoing-supply-chain-attack ∗∗∗ 68% Of Phishing Websites Are Protected by CloudFlare ∗∗∗ --------------------------------------------- Earlier this year, our CTI team set out to build something wed been thinking about for a while: a phishing intelligence pipeline that could actually keep up with the threat. We combined feeds from hundreds of independent sources with our own real-time hunt for suspicious SSL/TLS certificates. --------------------------------------------- https://blog.sicuranext.com/68-of-phishing-websites-are-protected-by-cloudf… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (gnutls, libpng, mingw-python3, python-spotipy, source-to-image, unbound, and webkitgtk), Mageia (libpng), SUSE (bash-git-prompt, gitea-tea, java-17-openjdk, java-21-openjdk, kernel, openssh, python, and shadowsocks-v2ray-plugin, v2ray-core), and Ubuntu (binutils, openjdk-17-crac, openjdk-21-crac, and openjdk-25-crac). --------------------------------------------- https://lwn.net/Articles/1048973/ ∗∗∗ Patchday: Attacken auf Geräte mit Android 13, 14, 15 und 16 beobachtet ∗∗∗ --------------------------------------------- Es sind wichtige Sicherheitsupdates für verschiedene Androidversionen erschienen. Es gibt bereits Attacken. --------------------------------------------- https://heise.de/-11099576 ∗∗∗ Qualcomm Issues Critical Security Alert Over Secure Boot Vulnerability ∗∗∗ --------------------------------------------- Qualcomm warned partners and device manufacturers about multiple newly discovered vulnerabilities that span its chipset ecosystem. The Qualcomm released a detailed security bulletin on December 1, 2025, outlining six high-priority weaknesses in its proprietary software, including one flaw that directly compromises the secure boot process, one of the most sensitive stages in a device’s startup chain. --------------------------------------------- https://thecyberexpress.com/qualcomm-2025-security-alert/ ∗∗∗ Critical SQL Injection Flaw Exposes Sensitive Data in Devolutions Server ∗∗∗ --------------------------------------------- A batch of new vulnerabilities in Devolutions Server targets organizations that depend on the platform to manage privileged accounts, passwords, and sensitive authentication data. Devolutions has released a security advisory, identified as DEVO-2025-0018, warning customers of multiple vulnerabilities, including a critical flaw that could enable attackers to extract confidential data directly from the system’s database. --------------------------------------------- https://thecyberexpress.com/devolutions-server-sql-injection-flaw/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 01.12.2025
by Daily end-of-shift report 01 Dec '25

01 Dec '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 28-11-2025 18:00 − Montag 01-12-2025 18:00 Handler: Felician Fuchs Co-Handler: Guenes Holler ===================== = News = ===================== ∗∗∗ Arkanix Stealer: Newly discovered short term profit malware ∗∗∗ --------------------------------------------- Recently, we stumbled upon a new stealer named Arkanix. This stealer possibly belongs to the short-lived category of stealers which aim for short-term quick financial gains. --------------------------------------------- https://feeds.feedblitz.com/~/930747470/0/gdatasecurityblog-en~Arkanix-Stea… ∗∗∗ Bis zu 16 Jahre alt: Zehntausende gültige Zugangsdaten bei Gitlab geleakt ∗∗∗ --------------------------------------------- Ein Forscher hat alle öffentlichen Gitlab-Repos auf Zugangsdaten gescannt. Er fand mehr als 17.000, erhielt aber nur eine recht dürftige Belohnung. --------------------------------------------- https://www.golem.de/news/bis-zu-16-jahre-alt-zehntausende-gueltige-zugangs… ∗∗∗ North Korean Hackers Deploy 197 npm Packages to Spread Updated OtterCookie Malware ∗∗∗ --------------------------------------------- The North Korean threat actors behind the Contagious Interview campaign have continued to flood the npm registry with 197 more malicious packages since last month. --------------------------------------------- https://thehackernews.com/2025/11/north-korean-hackers-deploy-197-npm.html ∗∗∗ New Albiriox MaaS Malware Targets 400+ Apps for On-Device Fraud and Screen Control ∗∗∗ --------------------------------------------- A new Android malware named Albiriox has been advertised under a malware-as-a-service (MaaS) model to offer a "full spectrum" of features to facilitate on-device fraud (ODF), screen manipulation, and real-time interaction with infected devices. --------------------------------------------- https://thehackernews.com/2025/12/new-albiriox-maas-malware-targets-400.html ∗∗∗ Google and Apple ordered to stop fake government TXTs ∗∗∗ --------------------------------------------- Singapore’s government last week told Google and Apple to prevent fake government messages. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/12/01/asia_tech_ne… ∗∗∗ The WIRED Guide to Digital Opsec for Teens ∗∗∗ --------------------------------------------- Practicing good “operations security” is essential to staying safe online. Here’s a complete guide for teenagers (and anyone else) who wants to button up their digital lives. --------------------------------------------- https://www.wired.com/story/digital-opsec-for-teens/ ∗∗∗ how i found a europa.eu compromise (thanks to cricket) ∗∗∗ --------------------------------------------- While looking for a way to stream the India vs Pakistan cricket match on 14th September 2025, I stumbled across a suspicious search result on a europa.eu dev subdomain. It was being abused for blackhat SEO and redirecting users to scam streaming sites. I traced similar behavior across other high-profile domains, reported the issue to CERT-EU via email (after some Twitter help) and the problem was later confirmed as fixed on 6th November 2025. This post walks through how I found it, how I reported it and what we can learn from it. --------------------------------------------- https://blog.himanshuanand.com/2025/11/how-i-found-a-europa.eu-compromise-t… ∗∗∗ Südkorea: Bei Onlinehändler Daten zu zwei Dritteln der Bevölkerung abgegriffen ∗∗∗ --------------------------------------------- Ein inzwischen nicht mehr bei Coupang arbeitender Angestellter soll bei Südkoreas größtem Onlinehändler Daten zur gesamten Kundschaft abgegriffen haben. --------------------------------------------- https://www.heise.de/news/Suedkorea-Bei-Onlinehaendler-Daten-zu-zwei-Dritte… ∗∗∗ Webinar: Smartphone, Tablet & Co sicher nutzen ∗∗∗ --------------------------------------------- Wie kann ich meine persönlichen Daten am Smartphone, Tablet & Co. schützen? Wie erkenne ich Viren und Trojaner auf meinem Gerät - und was ist dann zu tun? In diesem Webinar zeigen wir Ihnen die wichtigsten Sicherheitseinstellungen – von Berechtigungen über Datenschutz bis hin zu Nutzungszeiten. --------------------------------------------- https://www.watchlist-internet.at/news/webinar-smartphone-tablet-co-sicher-… ∗∗∗ Fußballtrikots zum Schnäppchenpreis? Bei diesen Fake-Shops gibt es nur Eigentore ∗∗∗ --------------------------------------------- Fußballspieler:innen aufgepasst! Gerade wimmelt es von Fake-Shops mit günstigen Trikots. --------------------------------------------- https://www.watchlist-internet.at/news/fussballtrikots-zum-schnaeppchenprei… ∗∗∗ Awareness für Web-Security: Die OWASP Top Ten 2025 ∗∗∗ --------------------------------------------- Der erste Release Candidate der neuen OWASP Top Ten enthüllt die größten Sicherheitsrisiken in der Webentwicklung – von Konfiguration bis Software Supply Chain. --------------------------------------------- https://heise.de/-11098119 ∗∗∗ India Enforces Mandatory SIM-Binding for Messaging Apps Under New DoT Rules ∗∗∗ --------------------------------------------- India’s Department of Telecommunications (DoT) has introduced a shift in the way messaging platforms operate in the country, mandating the adoption of SIM-binding as a core security requirement. Under the Telecommunication Cybersecurity Amendment Rules, 2025, all major messaging services, including Telegram, and regional platforms such as Arattai, must ensure that their applications remain continuously linked to an active SIM card on the user’s device. --------------------------------------------- https://thecyberexpress.com/sim-binding-dot-rule/ ===================== = Vulnerabilities = ===================== ∗∗∗ VU#633103: Insufficient Session Cookie Invalidation in nopCommerce ASP.NET Core eCommerce Platform ∗∗∗ --------------------------------------------- nopCommerce, an ecommerce platform, fails to invalidate session cookies upon user logout or session termination, enabling attackers to use the captured cookie to gain access to the application. Version 4.70 and after, with the exception of 4.80.3, fixes the vulnerability put forth by CVE-2025-11699. Users on version 4.80.3, or any version of nopCommerce prior to version 4.70, should update to the latest version, 4.90.3, as soon as possible. --------------------------------------------- https://kb.cert.org/vuls/id/633103 ∗∗∗ CISA Adds Actively Exploited XSS Bug CVE-2021-26829 in OpenPLC ScadaBR to KEV ∗∗∗ --------------------------------------------- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) catalog to include a security flaw impacting OpenPLC ScadaBR, citing evidence of active exploitation. --------------------------------------------- https://thehackernews.com/2025/11/cisa-adds-actively-exploited-xss-bug.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (bind9.18, cups, gimp, ipa, kernel, libssh, mingw-expat, openssl, pcs, sssd, tigervnc, and valkey), Debian (gnome-shell-extension-gsconnect, mistral-dashboard, pagure, python-mistralclient, pytorch, qtbase-opensource-src, sogo, tryton-server, and unbound), Fedora (cef, drupal7, glib2, linux-firmware, migrate, pack, pgadmin4, rnp, and unbound), Slackware (libxslt), SUSE (cpp-httplib, curl, glib2, grub2, kernel, libcoap-devel, libcryptopp, libwireshark19, postgresql15, and postgresql17), and Ubuntu (edk2). --------------------------------------------- https://lwn.net/Articles/1048817/ ∗∗∗ Sicherheitsupdate: Präparierte XML-Dateien können GeoServer lahmlegen ∗∗∗ --------------------------------------------- Nutzen Angreifer erfolgreich Schwachstellen in GeoServer aus, können sie unter anderem Schadcode ausführen. In aktuellen Versionen haben die Entwickler nun die Sicherheitsprobleme gelöst. --------------------------------------------- https://heise.de/-11097923 ∗∗∗ Microsoft Entra ID blockt externe Fremd-Scripte ∗∗∗ --------------------------------------------- Kleiner Nachtrag von letzter Woche, der Administratoren in Unternehmensumgebungen tangieren kann. Microsoft will die Sicherheit der Microsoft Entra ID-Authentifizierung verbessern. Dazu sollen indem externe Skriptinjektionen blockiert werden, wie ein Entwickler in einem Blog-Beitrag im Microsoft Entra-Blog erklärt hat. --------------------------------------------- https://www.borncity.com/blog/2025/12/01/microsoft-entra-id-blockt-externe-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 28.11.2025
by Daily end-of-shift report 28 Nov '25

28 Nov '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 27-11-2025 18:00 − Freitag 28-11-2025 18:00 Handler: Felician Fuchs Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Malicious LLMs empower inexperienced hackers with advanced tools ∗∗∗ --------------------------------------------- Unrestricted large language models (LLMs) like WormGPT 4 and KawaiiGPT are improving their capabilities to generate malicious code, delivering functional scripts for ransomware encryptors and lateral movement. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-llms-empower-inexp… ∗∗∗ GreyNoise launches free scanner to check if youre part of a botnet ∗∗∗ --------------------------------------------- GreyNoise Labs has launched a free tool called GreyNoise IP Check that lets users check if their IP address has been observed in malicious scanning operations, like botnet and residential proxy networks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/greynoise-launches-free-scan… ∗∗∗ Seit Wochen auf Github: Virenscanner scheitern an öffentlichem Android-Trojaner ∗∗∗ --------------------------------------------- Ein neuer Android-Trojaner namens Radzarat kursiert seit Wochen auf Github. Nur die wenigsten Virenscanner sehen ihn bisher als Bedrohung. --------------------------------------------- https://www.golem.de/news/auf-github-verfuegbar-virenscanner-erkennen-oeffe… ∗∗∗ Tomiris wreaks Havoc: New tools and techniques of the APT group ∗∗∗ --------------------------------------------- Kaspersky discloses new tools and techniques discovered in 2025 Tomiris activities: multi-language reverse shells, Havoc and AdaptixC2 open-source frameworks, communications via Discord and Telegram. --------------------------------------------- https://securelist.com/tomiris-new-tools/118143/ ∗∗∗ Prompt Injection Through Poetry ∗∗∗ --------------------------------------------- In a new paper, “Adversarial Poetry as a Universal Single-Turn Jailbreak Mechanism in Large Language Models,” researchers found that turning LLM prompts into poetry resulted in jailbreaking the models. --------------------------------------------- https://www.schneier.com/blog/archives/2025/11/prompt-injection-through-poe… ∗∗∗ MS Teams Guest Access Can Remove Defender Protection When Users Join External Tenants ∗∗∗ --------------------------------------------- Cybersecurity researchers have shed light on a cross-tenant blind spot that allows attackers to bypass Microsoft Defender for Office 365 protections via the guest access feature in Teams. --------------------------------------------- https://thehackernews.com/2025/11/ms-teams-guest-access-can-remove.html ∗∗∗ The Anatomy of a Bulletproof Hoster: A Data-Driven Reconstruction of Media Land ∗∗∗ --------------------------------------------- This post uses the leaked internal database of Media Land, a sanctioned bulletproof hosting provider, to reconstruct how its platform organised customers, subscriptions, virtual machines, and IP address space across billing, compute, and network layers. --------------------------------------------- https://disclosing.observer/2025/11/24/bulletproof-hoster-anatomy-data-driv… ∗∗∗ How CVSS v4.0 works: characterizing and scoring vulnerabilities ∗∗∗ --------------------------------------------- This blog explains why vulnerability scoring matters, how CVSS works, and what’s new in version 4.0. --------------------------------------------- https://www.malwarebytes.com/blog/news/2025/11/how-cvss-v4-0-works-characte… ∗∗∗ Achtung, Falle! Gefälschte BMF-Rückerstattung-Mails im Umlauf ∗∗∗ --------------------------------------------- Wer aktuell eine E-Mail im Postfach hat, in der das Bundesministerium für Finanzen (BMF) eine Steuerrückerstattung verspricht, sollte vorsichtig sein. Denn derzeit versenden Kriminelle solche E-Mails, um Sie zur Preisgabe von Daten und zur Überweisung von Geld zu bewegen. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-falle-gefaelschte-bmf-ruecke… ∗∗∗ 3 OAuth TTPs Seen This Month — and How to Detect Them with Entra ID Logs ∗∗∗ --------------------------------------------- How OAuth tokens, JWT fields and Entra sign-in logs reveal attacker behavior, and how to turn those signals into reliable detections. --------------------------------------------- https://www.wiz.io/blog/recent-oauth-attacks-detection-strategies ===================== = Vulnerabilities = ===================== ∗∗∗ Installer of INZONE Hub may insecurely load Dynamic Link Libraries ∗∗∗ --------------------------------------------- The installer of INZONE Hub provided by Sony Corporation may insecurely load Dynamic Link Libraries. --------------------------------------------- https://jvn.jp/en/jp/JVN28247549/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (krita and tryton-server), Oracle (bind9.18, ipa, kernel, libssh, redis, redis:7, sqlite, sssd, and vim), Slackware (cups), SUSE (containerd, cups, curl, dovecot24, git-bug, gitea-tea, glib2, grub2, himmelblau, java-25-openjdk, kernel, libmicrohttpd, libvirt, pnpm, powerpc-utils, python311, python313, redis, rnp, runc, sssd, tomcat11, unbound, and xwayland), and Ubuntu (cups, libxml2, openvpn, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/1048596/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 27.11.2025
by Daily end-of-shift report 27 Nov '25

27 Nov '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 26-11-2025 18:00 − Donnerstag 27-11-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Ein kurzer Blick auf das NISG 2026 ∗∗∗ --------------------------------------------- Wirklich viel hat sich zwischen dem abgelehnten Entwurf von 2024 und dem am 20. November eingebrachten Text nicht geändert. Ich will hier nur kurz zwei Punke ansprechen. Recital 44: [..] Wie schon im Sommer angemerkt, ist uns nicht klar, was der EU-Gesetzgeber uns damit sagen will. [..] Eine kurze Umfrage im CSIRTs Network hat gezeigt, dass auch die anderen Teams an dieser Frage kiefeln. --------------------------------------------- https://www.cert.at/de/blog/2025/11/ein-kurzer-blick-auf-das-nisg-2026 ∗∗∗ Shai-Hulud v2 Spreads From npm to Maven, as Campaign Exposes Thousands of Secrets ∗∗∗ --------------------------------------------- The second wave of the Shai-Hulud supply chain attack has spilled over to the Maven ecosystem after compromising more than 830 packages in the npm registry. The Socket Research Team said it identified a Maven Central package named org.mvnpm:posthog-node:4.18.1 that embeds the same two components associated with Sha1-Hulud: the "setup_bun.js" loader and the main payload "bun_environment.js. --------------------------------------------- https://thehackernews.com/2025/11/shai-hulud-v2-campaign-spreads-from-npm.h… ∗∗∗ New ShadowV2 botnet malware used AWS outage as a test opportunity ∗∗∗ --------------------------------------------- A new Mirai-based botnet malware named ShadowV2 has been observed targeting IoT devices from D-Link, TP-Link, and other vendors with exploits for known vulnerabilities. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-shadowv2-botnet-malware-… ∗∗∗ Zendesk users targeted as Scattered Lapsus$ Hunters spin up fake support sites ∗∗∗ --------------------------------------------- ReliaQuest finds fresh crop of phishing domains and toxic tickets Scattered Lapsus$ Hunters may be circling Zendesk users for its latest extortion campaign, with new phishing domains and weaponized helpdesk tickets uncovered by ReliaQuest. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/11/27/scattered_la… ∗∗∗ Rituals Adventkalender zu gewinnen? Vorsicht vor der Phishing-Falle! ∗∗∗ --------------------------------------------- Die neueste virale Variante: Ein angeblich kostenloser Adventkalender von Rituals. Dahinter versteckt sich allerdings eine Kombination aus unterschiedlichen Betrugsmaschen: Abo-Falle & Diebstahl von Kreditkartendaten, garniert mit einem Kettenbrief. --------------------------------------------- https://www.watchlist-internet.at/news/rituals-adventkalender-phishing/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kdeconnect, libssh, and samba), Fedora (7zip, docker-buildkit, and docker-buildx), Oracle (bind, buildah, cups, delve and golang, expat, firefox, gimp, go-rpm-macros, haproxy, kernel, lasso, libsoup, libtiff, mingw-expat, openssl, podman, python-kdcproxy, qt5-qt3d, runc, squid, thunderbird, tigervnc, valkey, webkit2gtk3, xorg-x11-server, and xorg-x11-server-Xwayland), SUSE (buildah, cloudflared, containerd, expat, firefox, gnutls, helm, kernel, libxslt, mysql-connector-java, ongres-scram, openbao, openexr, openssh, podman, python311, python312, ruby2.5, rubygem-rack, runc, samba, sssd, tiff, unbound, and yelp), and Ubuntu (edk2, ffmpeg, h2o, python3.13, rust-openssl, and valkey) --------------------------------------------- https://lwn.net/Articles/1048448/ ∗∗∗ GitLab Patch Release: 18.6.1, 18.5.3, 18.4.5 ∗∗∗ --------------------------------------------- GitLab releases fixes for vulnerabilities in patch releases. [..] We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible. --------------------------------------------- https://about.gitlab.com/releases/2025/11/26/patch-release-gitlab-18-6-1-re… ∗∗∗ Sicherheitsupdates: Angreifer können Anmeldung von Asus-Routern umgehen ∗∗∗ --------------------------------------------- Unter anderem eine kritische Sicherheitslücke gefährdet Router von Asus. Es kann Schadcode auf Geräte gelangen. [..] Welche Modelle konkret betroffen sind, geht aus dem Sicherheitsbereich der Asus-Website nicht hervor. Dort wird nur „Asus-Router-Firmware“ als verwundbar genannt. [..] Am gefährlichsten gilt eine „kritische“ Schwachstelle (CVE-2025-59366) in der AiCloud-Komponente. [..] Drei weitere Lücken (CVE-2025-59370, CVE-2025-59371, CVE-2025-12003) sind mit dem Bedrohungsgrad „hoch“ versehen. --------------------------------------------- https://heise.de/-11093767 ∗∗∗ ABB Ability Camera Connect Vulnerabilities in outdated 3rd party component (VLC) ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=4HZM000603&Language… ∗∗∗ Splunk: SVD-2025-1104: Third-Party Package Updates in Splunk SOAR - November 2025 ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2025-1104 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 26.11.2025
by Daily end-of-shift report 26 Nov '25

26 Nov '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 25-11-2025 18:30 − Mittwoch 26-11-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Old tech, new vulnerabilities: NTLM abuse, ongoing exploitation in 2025 ∗∗∗ --------------------------------------------- This article covers NTLM relay, credential forwarding, and other NTLM-related vulnerabilities and cyberattacks discovered in 2025. --------------------------------------------- https://securelist.com/ntlm-abuse-in-2025/118132/ ∗∗∗ Chrome Extension Caught Injecting Hidden Solana Transfer Fees Into Raydium Swaps ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a new malicious extension on the Chrome Web Store thats capable of injecting a stealthy Solana transfer into a swap transaction and transferring the funds to an attacker-controlled cryptocurrency wallet. --------------------------------------------- https://thehackernews.com/2025/11/chrome-extension-caught-injecting.html ∗∗∗ Qilin Ransomware Turns South Korean MSP Breach Into 28-Victim Korean Leaks Data Heist ∗∗∗ --------------------------------------------- South Koreas financial sector has been targeted by what has been described as a sophisticated supply chain attack that led to the deployment of Qilin ransomware. --------------------------------------------- https://thehackernews.com/2025/11/qilin-ransomware-turns-south-korean-msp.h… ∗∗∗ HashJack attack shows AI browsers can be fooled with a simple ‘#’ ∗∗∗ --------------------------------------------- Hashtag-do-whatever-I-tell-you Cato Networks says it has discovered a new attack, dubbed "HashJack," that hides malicious prompts after the "#" in legitimate URLs, tricking AI browser assistants into executing them while dodging traditional network and server-side defenses. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/11/25/hashjack_att… ∗∗∗ Zscaler Threat Hunting Discovers and Reconstructs a Sophisticated Water Gamayun APT Group Attack ∗∗∗ --------------------------------------------- This blog is intended to share an in-depth analysis of a recent multi-stage attack attributed to the Water Gamayun advanced persistent threat group (APT). Drawing on telemetry, forensic reconstruction, and known threat intelligence, the Zscaler Threat Hunting team reconstructed how a seemingly innocuous web search led to a sophisticated exploitation of a Windows MMC vulnerability, ultimately delivering hidden PowerShell payloads and final malware loaders. --------------------------------------------- https://www.zscaler.com/blogs/security-research/water-gamayun-apt-attack ∗∗∗ Studie: [EXTERN]-Tags schützen nicht vor Phishing ∗∗∗ --------------------------------------------- Eine großangelegte Simulation an einer deutschen Universitätsklinik zeigt: Gängige Schutzmaßnahmen wie [EXTERN]-Tags versagen, technische Filter wirken. --------------------------------------------- https://www.heise.de/news/Studie-EXTERN-Tags-schuetzen-nicht-vor-Phishing-1… ∗∗∗ So erkennen Sie Fake-Apotheken wie grazapotheke.com ∗∗∗ --------------------------------------------- Mit Beginn der Erkältungssaison steigt die Nachfrage nach Onlineapotheken. Doch neben seriösen Anbietern tummeln sich auch gefährliche Fälschungen im Netz. Ein Beispiel ist grazapotheke.com, die rezeptpflichtige Medikamente scheinbar frei verkauft. --------------------------------------------- https://www.watchlist-internet.at/news/so-erkennen-sie-fake-apotheken-wie-g… ∗∗∗ The Golden Scale: Tis the Season for Unwanted Gifts ∗∗∗ --------------------------------------------- Unit 42 shares further updates of cybercrime group Scattered LAPSUS$ Hunters. Secure your organization this holiday season. The post The Golden Scale: Tis the Season for Unwanted Gifts appeared first on Unit 42. --------------------------------------------- https://unit42.paloaltonetworks.com/new-shinysp1d3r-ransomware/ ∗∗∗ MySQL 8.0 fällt am 30. April 2026 aus dem Support ∗∗∗ --------------------------------------------- Baut sich ein weiteres Software-Problem in der IT-Landschaft auf? Das Open Source-Datenbanksystem MySQL ist sehr populär und breit im Einsatz. Aber MySQL 8.0 fällt am 30. April 2026 aus dem Support. --------------------------------------------- https://www.borncity.com/blog/2025/11/26/mysql-8-0-faellt-am-30-april-2026-… ∗∗∗ Sharjah Police Experiment Exposes How Easily People Fall for Fake QR Codes ∗∗∗ --------------------------------------------- A cybersecurity experiment conducted by Sharjah Police has revealed how easily QR codes can mislead individuals, particularly when these codes promise conveniences such as free WiFi. The police placed an unbranded QR code in a public area with a simple message, “Free WiFi”, to measure how many people would scan it without verifying its source. The results revealed that 89 members of the public scanned the code without asking who placed it or whether it was legitimate. --------------------------------------------- https://thecyberexpress.com/free-wifi-qr-code-risk-experiment/ ===================== = Vulnerabilities = ===================== ∗∗∗ VU#521113: Forge JavaScript library impacted by a vulnerability in signature verification. ∗∗∗ --------------------------------------------- The Forge JavaScript library provides TLS-related cryptographic utilities. A vulnerability that allows signature verification to be bypassed through crafted manipulation of ASN.1 structures, particularly in fields such as Message Authentication Code (MAC) data, was identified. --------------------------------------------- https://kb.cert.org/vuls/id/521113 ∗∗∗ ZDI-25-1019: Arista NG Firewall replace_marker Exposed Dangerous Function Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to to bypass authentication on affected installations of Arista NG Firewall. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2025-6979. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-1019/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (bind, binutils, delve and golang, expat, firefox, haproxy, kernel, libsoup3, libssh, libtiff, openssh, openssl, pam, podman, python-kdcproxy, shadow-utils, squid, thunderbird, vim, xorg-x11-server-Xwayland, and zziplib), Debian (cups-filters, libsdl2, linux-6.1, net-snmp, pdfminer, rails, and tryton-sao), Fedora (chromium, docker-buildkit, docker-buildx, and sudo-rs), Gentoo (librnp), Mageia (webkit2), SUSE (amazon-ssm-agent, buildah, curl, dpdk, fontforge-20251009, kernel, libIex-3_4-33, librnp0, python311, rclone, and sssd), and Ubuntu (linux, linux-aws, linux-aws-6.8, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oracle, linux-aws-6.14, linux-oracle-6.14, linux-aws-fips, linux-fips, linux-gcp-fips, linux-realtime, linux-realtime-6.8, mupdf, openjdk-17, openjdk-8, and openjdk-lts). --------------------------------------------- https://lwn.net/Articles/1048195/ ∗∗∗ CISA Releases Seven Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- CISA released seven Industrial Control Systems (ICS) Advisories: ICSA-25-329-01 Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, Cobalt, Share. ICSA-25-329-02 Rockwell Automation Arena Simulation. ICSA-25-329-03 Zenitel TCIV-3+. ICSA-25-329-04 Opto 22 groov View. ICSA-25-329-05 Festo Compact Vision System, Control Block, Controller, and Operator Unit products. ICSA-25-329-06 SiRcom SMART. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/11/25/cisa-releases-seven-indu… ∗∗∗ Nvidia DGX Spark, NeMo: Kritische Lücken gefährden KI-Hard- und Software ∗∗∗ --------------------------------------------- Nvidias KI-Hard- und Software DGX Spark und NeMo Framework sind verwundbar. Sicherheitsupdates schließen mehrere Schwachstellen. Im schlimmsten Fall können Angreifer Systeme nach der Ausführung von Schadcode in Gänze kompromittieren. Bislang gibt es keine Berichte zu laufenden Attacken. --------------------------------------------- https://heise.de/-11092387 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 25.11.2025
by Daily end-of-shift report 25 Nov '25

25 Nov '25

===================== = End-of-Day report = ===================== Timeframe: Montag 24-11-2025 19:30 − Dienstag 25-11-2025 18:30 Handler: Felician Fuchs Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Malicious Blender model files deliver StealC infostealing malware ∗∗∗ --------------------------------------------- A Russian-linked campaign delivers the StealC V2 information stealer malware through malicious Blender files uploaded to 3D model marketplaces like CGTrader. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-blender-model-file… ∗∗∗ Tor switches to new Counter Galois Onion relay encryption algorithm ∗∗∗ --------------------------------------------- Tor has announced improved encryption and security for the circuit traffic by replacing the old tor1 relay encryption algorithm with a new design called Counter Galois Onion (CGO). --------------------------------------------- https://www.bleepingcomputer.com/news/security/tor-switches-to-new-counter-… ∗∗∗ JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers ∗∗∗ --------------------------------------------- Cybersecurity researchers are calling attention to a new campaign thats leveraging a combination of ClickFix lures and fake adult websites to deceive users into running malicious commands under the guise of a "critical" Windows security update. --------------------------------------------- https://thehackernews.com/2025/11/jackfix-uses-fake-windows-update-pop.html ∗∗∗ Years of JSONFormatter and CodeBeautify Leaks Expose Thousands of Passwords and API Keys ∗∗∗ --------------------------------------------- New research has found that organizations in various sensitive sectors, including governments, telecoms, and critical infrastructure, are pasting passwords and credentials into online tools like JSONformatter and CodeBeautify that are used to format and validate code. --------------------------------------------- https://thehackernews.com/2025/11/years-of-jsonformatter-and-codebeautify.h… ∗∗∗ Ex-CISA officials, CISOs dispel hacklore, spread cybersecurity truths ∗∗∗ --------------------------------------------- Dont believe everything you read Afraid of connecting to public Wi-Fi? Terrified to turn your Bluetooth on? You may be falling for "hacklore," tall tales about cybersecurity that distract you from real dangers. Dozens of chief security officers and ex-CISA officials have launched an effort and website to dispel these myths and show you how not to get hacked for real. --------------------------------------------- www.theregister.com/2025/11/24/hacklore_launch/ ∗∗∗ Is Your Android TV Streaming Box Part of a Botnet? ∗∗∗ --------------------------------------------- On the surface, the Superbox media streaming devices for sale at retailers like BestBuy and Walmart may seem like a steal: They offer unlimited access to more than 2,200 pay-per-view and streaming services like Netflix, ESPN and Hulu, all for a one-time fee of around $400. But security experts warn these TV boxes require intrusive software that forces the user’s network to relay Internet traffic for others, traffic that is often tied to cybercrime activity such as advertising fraud and account takeovers. --------------------------------------------- https://krebsonsecurity.com/2025/11/is-your-android-tv-streaming-box-part-o… ∗∗∗ New ClickFix wave infects users with hidden malware in images and fake Windows updates ∗∗∗ --------------------------------------------- ClickFix just got more convincing, hiding malware in PNG images and faking Windows updates to make users run dangerous commands. --------------------------------------------- https://www.malwarebytes.com/blog/news/2025/11/new-clickfix-wave-infects-us… ∗∗∗ UEFI SecureBoot DB Update: Microsoft 2023er CAs installieren ∗∗∗ --------------------------------------------- Die SecureBoot-Zertifikate (KEK und DB) von Microsoft stammen aus dem Jahr 2011 und laufen im Jahr 2026 ab. --------------------------------------------- https://hitco.at/blog/uefi-secureboot-db-update-installieren/ ∗∗∗ Meldungen häufen sich: Kopierte Kleinanzeigen füllen Fake-Shops ∗∗∗ --------------------------------------------- Kriminelle stopfen ihre Fake-Shops immer öfter mit Bildmaterial und Produktinfos von Kleinanzeigen-Portalen voll. Komplette Annoncen landen, leicht verändert und mit einem ordentlichen Rabatt, in den betrügerischen Stores. --------------------------------------------- https://www.watchlist-internet.at/news/kopierte-kleinanzeigen-fuellen-fake-… ∗∗∗ Russia arrests young cybersecurity entrepreneur on treason charges ∗∗∗ --------------------------------------------- Details of the case are classified, but Russian media say Timur Kilin may have drawn official ire after publicly criticizing the state-owned messaging app Max and the government’s anti-cybercrime legislation. --------------------------------------------- https://therecord.media/russia-arrests-tech-entrepreneur-treason ∗∗∗ Update Firefox to Patch CVE-2025-13016 Vulnerability Affecting 180 Million Users ∗∗∗ --------------------------------------------- AI security firm AISLE revealed CVE-2025-13016, a critical Firefox Wasm bug that risked 180M users for six months. Learn how the memory flaw allowed code execution. --------------------------------------------- https://hackread.com/update-firefox-patch-cve-2025-13016-vulnerability/ ∗∗∗ Spyware Allows Cyber Threat Actors to Target Users of Messaging Applications ∗∗∗ --------------------------------------------- CISA is aware of multiple cyber threat actors actively leveraging commercial spyware to target users of mobile messaging applications (apps). These cyber actors use sophisticated targeting and social engineering techniques to deliver spyware and gain unauthorized access to a victim’s messaging app, facilitating the deployment of additional malicious payloads that can further compromise the victim’s mobile device. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/11/24/spyware-allows-cyber-thr… ∗∗∗ The Hidden Dangers of Calendar Subscriptions: 4 Million Devices at Risk ∗∗∗ --------------------------------------------- Bitsight TRACE discovered more than 390 abandoned domains related to iCalendar synchronization (sync) requests for subscribed calendars, potentially putting ~4 million devices at risk. --------------------------------------------- https://www.bitsight.com/blog/hidden-dangers-calendar-subscriptions-4-milli… ∗∗∗ Stop Putting Your Passwords Into Random Websites (Yes, Seriously, You Are The Problem) ∗∗∗ --------------------------------------------- Welcome to watchTowr vs the Internet, part 68.That feeling you’re experiencing? Dread. You should be used to it by now. As is fast becoming an unofficial and, apparently, frowned upon tradition - we identified incredible amounts of publicly exposed passwords, secrets, keys and more for very sensitive environments - and then spent a number of months working out if we could travel back in time to a period in which we just hadn't. --------------------------------------------- https://labs.watchtowr.com/stop-putting-your-passwords-into-random-websites… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (buildah, firefox, go-rpm-macros, kernel, kernel-rt, podman, and thunderbird), Debian (erlang, python-gevent, and r-cran-gh), Fedora (buildah, chromium, k9s, kubernetes1.33, kubernetes1.34, podman, python-mkdocs-include-markdown-plugin, and webkitgtk), Gentoo (Chromium, Google Chrome, Microsoft Edge. Opera, qtsvg, redict, redis, UDisks, and WebKitGTK+), Mageia (cups-filters and ruby-rack), Oracle (kernel and libssh), Red Hat (.NET 8.0, tigervnc, xorg-x11-server, and xorg-x11-server-Xwayland), SUSE (act, bind, cups-filters, govulncheck-vulndb, grub2, libebml, python39, and tcpreplay), and Ubuntu (linux-raspi, linux-raspi-realtime, openjdk-21, openjdk-25, python3.12, python3.11, python3.10, python3.9, python3.8, python3.7, python3.6, python3.5, python3.4, and runc-app, runc-stable). --------------------------------------------- https://lwn.net/Articles/1047950/ ∗∗∗ Synology-SA-25:15 ActiveProtect Agent ∗∗∗ --------------------------------------------- Synology has released a security update for the ActiveProtect Agent on Windows to address a vulnerability: CVE-2025-13593 allows local users to write arbitrary files with restricted content.Please refer to the Affected Products table for the corresponding updates. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_25_15 ∗∗∗ Azure Bastion mit schwerer Schwachstelle CVE-2025-49752 ∗∗∗ --------------------------------------------- Der Microsoft Azure Bastion-Dienst zum sicheren und nahtlosen RDP- und SSH-Zugriff auf virtuelle Azure-Maschinen (VMs) weist für alle Bereitstellungen vor dem 20. November 2025 eine schwere Schwachstelle CVE-2025-49752 (CVSS Score 10.0) auf. --------------------------------------------- https://www.borncity.com/blog/2025/11/25/azure-bastion-mit-schwerer-schwach… ∗∗∗ Asus stopft hochriskante Rechteausweitungslücke in MyAsus ∗∗∗ --------------------------------------------- Asus warnt vor einer als hochriskant eingestuften Sicherheitslücke in der MyAsus-Software. Ein Update steht bereit. --------------------------------------------- https://heise.de/-11090371 ∗∗∗ Security Advisory for SiRcom SMART Alert (SiSA) ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-06 ∗∗∗ Security Advisory for Festo Compact Vision System, Control Block, Controller, and Operator Unit products ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-05 ∗∗∗ Security Advisory for Zenitel TCIV-3+ ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-03 ∗∗∗ Security Advisory for Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, Cobalt Share ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-329-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 24.11.2025
by Daily end-of-shift report 24 Nov '25

24 Nov '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 21-11-2025 18:00 − Montag 24-11-2025 19:30 Handler: Felician Fuchs Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Shai-Hulud 2.0: Ongoing Supply Chain Attack ∗∗∗ --------------------------------------------- Detect and mitigate malicious npm packages linked to the recent Shai-Hulud-style campaign. Over 25,000 affected repositories across ~350 unique users. --------------------------------------------- https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack ∗∗∗ How to know if your Asus router is one of thousands hacked by China-state hackers ∗∗∗ --------------------------------------------- So far, the hackers are laying low, likely for later use. --------------------------------------------- https://arstechnica.com/security/2025/11/thousands-of-hacked-asus-routers-a… ∗∗∗ CrowdStrike catches insider feeding information to hackers ∗∗∗ --------------------------------------------- American cybersecurity firm CrowdStrike has confirmed that an insider shared screenshots taken on internal systems with hackers after they were leaked on Telegram by the Scattered Lapsus$ Hunters threat actors. --------------------------------------------- https://www.bleepingcomputer.com/news/security/crowdstrike-catches-insider-… ∗∗∗ Ausgesperrt aus dem eigenen Körper: Zauberkünstler vergisst Passwort für Hand-Chip ∗∗∗ --------------------------------------------- Ein Magier hat sich durch ein vergessenes Passwort dauerhaft aus dem RFID-Chip in seiner eigenen Hand ausgesperrt. --------------------------------------------- https://www.golem.de/news/ausgesperrt-aus-dem-eigenen-koerper-zauberkuenstl… ∗∗∗ ShadowPad Malware Actively Exploits WSUS Vulnerability for Full System Access ∗∗∗ --------------------------------------------- A recently patched security flaw in Microsoft Windows Server Update Services (WSUS) has been exploited by threat actors to distribute malware known as ShadowPad. --------------------------------------------- https://thehackernews.com/2025/11/shadowpad-malware-actively-exploits.html ∗∗∗ ShinyHunters does not like Salesforce at all, claims the crew accessed Gainsight 3 months ago ∗∗∗ --------------------------------------------- Shiny talks to The Reg EXCLUSIVE ShinyHunters has claimed responsibility for the Gainsight breach that allowed the data thieves to snarf data from hundreds more Salesforce customers. --------------------------------------------- www.theregister.com/2025/11/21/shinyhunters_salesforce_gainsight_breach/ ∗∗∗ Amazon Is Using Specialized AI Agents for Deep Bug Hunting ∗∗∗ --------------------------------------------- Born out of an internal hackathon, Amazon’s Autonomous Threat Analysis system uses a variety of specialized AI agents to detect weaknesses and propose fixes to the company’s platforms. --------------------------------------------- https://www.wired.com/story/amazon-autonomous-threat-analysis/ ∗∗∗ DHL-Phishing zur Online-Handel-Blütezeit ∗∗∗ --------------------------------------------- Mit der "Cyber-Week" startet der Online-Handel in den Jahresendspurt. Online-Betrüger wollen Opfer mit angeblichen Nachzahlungen ködern. --------------------------------------------- https://www.heise.de/news/DHL-Phishing-zur-Online-Handel-Bluetezeit-1108844… ∗∗∗ Fahrradhersteller Woom: IT-Einbruch durch Cybergang INC Ransom ∗∗∗ --------------------------------------------- Vor zwei Wochen gab es einen IT-Einbruch beim Kinderradhersteller Woom. Die Cybergang INC Ransom droht mit Datenveröffentlichung. --------------------------------------------- https://www.heise.de/news/Fahrradhersteller-Woom-IT-Einbruch-durch-Cybergan… ∗∗∗ IT-Sicherheit: BSI will Webmail-Anbieter stärker in die Pflicht nehmen ∗∗∗ --------------------------------------------- Die E-Mail-Sicherheit lastet größtenteils auf den Schultern der Anwender, moniert das BSI. Es sieht die Betreiber etwa bei der Anmeldung in der Verantwortung. --------------------------------------------- https://www.heise.de/news/IT-Sicherheit-BSI-will-Webmail-Anbieter-staerker-… ∗∗∗ Matrix Push C2 abuses browser notifications to deliver phishing and malware ∗∗∗ --------------------------------------------- Attackers can send highly realistic push notifications through your browser, including fake alerts that can lead to malware or phishing pages. --------------------------------------------- https://www.malwarebytes.com/blog/news/2025/11/matrix-push-c2-abuses-browse… ∗∗∗ Vorsicht vor gefälschten Rückerstattungen der ÖGK! ∗∗∗ --------------------------------------------- Derzeit verbreitet sich erneut eine Phishing-Welle, die viele Österreicher:innen betrifft. In betrügerischen E-Mails wird behauptet, man habe Anspruch auf eine Rückerstattung der Österreichischen Gesundheitskasse (ÖGK). Wer der Aufforderung folgt, führt jedoch eine Überweisung an Kriminelle durch. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-rueckersta… ∗∗∗ Kundendaten von US-Banken nach Cyberattacke womöglich kompromittiert ∗∗∗ --------------------------------------------- Ein Cyberangriff auf den Dienstleister SitusAMC könnte Kundendaten großer US-Banken wie JPMorgan Chase, Citi und Morgan Stanley kompromittiert haben. --------------------------------------------- https://www.derstandard.at/story/3000000297610/kundendaten-von-us-banken-na… ∗∗∗ SmbCrawler – SMB Share Discovery and Secret-Hunting ∗∗∗ --------------------------------------------- SmbCrawler is a credentialed SMB share crawler for red teams that discovers misconfigured shares and hunts secrets across Windows networks. --------------------------------------------- https://www.darknet.org.uk/2025/11/smbcrawler-smb-share-discovery-and-secre… ∗∗∗ GhostAd: Hidden Google Play Adware Drains Devices and Disrupts Millions of Users ∗∗∗ --------------------------------------------- Check Point researchers uncover a large-scale Android adware campaign that silently drains resources and disrupts normal phone use through persistent background activity. During an internal threat-hunting investigation, Check Point Harmony Mobile Detection Team identified a network of Android applications on Google Play masquerading as harmless utility and emoji-editing tools. --------------------------------------------- https://blog.checkpoint.com/research/ghostad-hidden-google-play-adware-drai… ∗∗∗ SesameOp: Neuartige Backdoor in OpenAI API für C&C missbraucht ∗∗∗ --------------------------------------------- Sicherheitsforscher von Microsoft sind auf eine neuartige Backdoor in der OpenAI Assistant API gestoßen, und haben diese SesameOp genannt. Diese neuartige Backdoor, die von einem Angreifer verwendet wurde, nutzt die API des OpenAI Assistant, um Befehls- und Kontrollfunktionen für Cyberangriffe zu implementieren. --------------------------------------------- https://www.borncity.com/blog/2025/11/22/sesameop-neuartige-backdoor-in-ope… ∗∗∗ Smartmeter: Daten wecken Begehrlichkeiten (der Polizei in Sacramento) ∗∗∗ --------------------------------------------- Smartmeter erfassen ja den Stromverbrauch in Haushalten, und es gibt große Bedenken, dass diese neue Technologie missbraucht werden könnte. In den USA hat die Stadt Sacramento einen entsprechenden Skandal, bei dem der Betreiber der intelligenten Stromzähler ohne richterlichen Beschluss an die örtliche Polizei weitergegeben hat. Die Praxis wurde jetzt von einem Richter gestoppt. --------------------------------------------- https://www.borncity.com/blog/2025/11/23/smartmeter-daten-wecken-begehrlich… ∗∗∗ WTF: Schlüssel weg – Kryptologen kommen nicht an ihre Wahlergebnisse ∗∗∗ --------------------------------------------- Eine renommierte Gruppe von Kryptologie-Forschern nutzt ein ausgefeiltes Schutzsystem – und fällt ihm schließlich selbst zum Opfer. --------------------------------------------- https://heise.de/-11088550 ∗∗∗ A Reverse Engineer’s Anatomy of the macOS Boot Chain & Security Architecture ∗∗∗ --------------------------------------------- The security of the macOS platform on Apple Silicon is not defined by the kernel; it is defined by the physics of the die. Before the first instruction of kernelcache is fetched, a complex, cryptographic ballet has already concluded within the Application Processor (AP). This section dissects the immutable hardware logic that establishes the initial link in the Chain of Trust. --------------------------------------------- http://stack.int.mov/a-reverse-engineers-anatomy-of-the-macos-boot-chain-se… ===================== = Vulnerabilities = ===================== ∗∗∗ Grafana warns of max severity admin spoofing vulnerability ∗∗∗ --------------------------------------------- Grafana Labs is warning of a maximum severity vulnerability (CVE-2025-41115) in its Enterprise product that can be exploited to treat new users as administrators or for privilege escalation. --------------------------------------------- https://www.bleepingcomputer.com/news/security/grafana-warns-of-max-severit… ∗∗∗ CISA warns Oracle Identity Manager RCE flaw is being actively exploited ∗∗∗ --------------------------------------------- The U.S. Cybersecurity & Infrastructure Security Agency (CISA) is warning government agencies to patch an Oracle Identity Manager tracked as CVE-2025-61757 that has been exploited in attacks, potentially as a zero-day. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisa-warns-oracle-identity-m… ∗∗∗ Malware im Anmarsch: Kritische Windows-Lücke ermöglicht Angriffe über JPEG-Daten ∗∗∗ --------------------------------------------- Forscher warnen vor einer kritischen Sicherheitslücke in einer Windows-Bibliothek. Angreifer können über JPEG-Bilddaten Schadcode einschleusen. --------------------------------------------- https://www.golem.de/news/malware-im-anmarsch-kritische-windows-luecke-ermo… ∗∗∗ Jetzt patchen! Schadcode-Attacken auf Oracle Identity Manager beobachtet ∗∗∗ --------------------------------------------- Es gibt Hinweise, dass Angreifer Oracle Identity Manager bereits seit August dieses Jahres attackieren. Ein Sicherheitsupdate ist vorhanden. --------------------------------------------- https://www.heise.de/news/Jetzt-patchen-Schadcode-Attacken-auf-Oracle-Ident… ∗∗∗ HCL BigFix: Sicherheitsprobleme bei SAML-Authentifizierung ∗∗∗ --------------------------------------------- Die Endpoint-Management-Plattform BigFix von HCL ist verwundbar. Nun haben die Entwickler eine kritische Sicherheitslücke geschlossen. --------------------------------------------- https://www.heise.de/news/HCL-BigFix-Sicherheitsprobleme-bei-SAML-Authentif… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (calibre, chromium, cri-o1.32, cri-o1.33, cri-o1.34, dotnet10.0, dovecot, gnutls, gopass, gopass-hibp, gopass-jsonapi, kubernetes1.31, kubernetes1.32, kubernetes1.33, kubernetes1.34, and linux-firmware), Mageia (ffmpeg, kernel, kmod-xtables-addons & kmod-virtualbox, kernel-linus, konsole, and redis), Red Hat (bind and bind-dyndb-ldap and kernel), SUSE (act, alloy, amazon-ssm-agent, ansible-12, ansible-core, blender, chromium, cups-filters, curl, elfutils, expat, firefox, glib2, grub2, helm, kernel, libipa_hbac-devel, libxslt, nvidia-container-toolkit, ongres-scram, openexr, podman, poppler, runc, samba, sssd, thunderbird, and tomcat), and Ubuntu (cups-filters, linux, linux-aws, linux-gcp, linux-hwe-6.14, linux-oracle, linux-realtime, linux-oem-6.14, and linux-realtime-6.14). --------------------------------------------- https://lwn.net/Articles/1047682/ ∗∗∗ Synology-SA-25:14 DSM (PWN2OWN 2025) ∗∗∗ --------------------------------------------- Synology has released a security update for the DSM to address ZDI-CAN-28409: CVE-2025-13392 allows remote attackers to bypass authentication with prior knowledge of the distinguished name (DN).Please refer to the Affected Products table for the corresponding updates. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_25_14 ∗∗∗ VU#761751: fluentbit contains stack buffer overflow, authentication bypass, and path traversal flaws ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/761751 ∗∗∗ F5: K000157948, BIND vulnerability CVE-2025-40780 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000157948 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 21.11.2025
by Daily end-of-shift report 21 Nov '25

21 Nov '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 20-11-2025 18:00 − Freitag 21-11-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ ‘Matrix Push’ C2 Tool Hijacks Browser Notifications for Phishing ∗∗∗ --------------------------------------------- Have you ever given two seconds of thought to a browser notification? No? Thats what hackers are counting on. --------------------------------------------- https://www.darkreading.com/threat-intelligence/matrix-push-c2-tool-hijacks… ∗∗∗ Schutz vor Betrug: Wo bleibt Österreichs SMS-Firewall? ∗∗∗ --------------------------------------------- Beim angekündigten Schutzmechanismus gegen Phishing-SMS hat sich offenbar kaum etwas getan. --------------------------------------------- https://futurezone.at/netzpolitik/sms-firewall-oesterreich-spamnachrichten-… ∗∗∗ ToddyCat: your hidden email assistant. Part 1 ∗∗∗ --------------------------------------------- Kaspersky experts analyze the ToddyCat APT attacks targeting corporate email. We examine the new version of TomBerBil, the TCSectorCopy and XstReader tools, and methods for stealing access tokens from Outlook. --------------------------------------------- https://securelist.com/toddycat-apt-steals-email-data-from-outlook/118044/ ∗∗∗ Fired techie admits sabotaging ex-employer, causing $862K in damage ∗∗∗ --------------------------------------------- PowerShell script locked thousands of workers out of their accounts An Ohio IT contractor has pleaded guilty to breaking into his former employers systems and causing nearly $1 million worth of damage after being fired. --------------------------------------------- https://www.theregister.com/2025/11/20/it_contractor_sabotage/ ∗∗∗ LLM-generated malware is improving, but dont expect autonomous attacks tomorrow ∗∗∗ --------------------------------------------- Researchers tried to get ChatGPT to do evil, but it didnt do a good job LLMs are getting better at writing malware - but theyre still not ready for prime time. --------------------------------------------- https://www.theregister.com/2025/11/20/llmgenerated_malware_improving/ ∗∗∗ Virenscanner ClamAV: Große Aufräumaktion der Entwickler angekündigt ∗∗∗ --------------------------------------------- Entrümpelung beim Virenscanner ClamAV: Cisco lässt die Entwickler alte Signaturen rauswerfen, auch alte Docker-Images müssen gehen. --------------------------------------------- https://www.heise.de/news/Virenscanner-ClamAV-Entwickler-starten-Entruempel… ∗∗∗ Budget Samsung phones shipped with unremovable spyware, say researchers ∗∗∗ --------------------------------------------- Samsung is under fire again for shipping phones in parts of the world with a hidden system app, AppCloud, that users can’t easily remove. --------------------------------------------- https://www.malwarebytes.com/blog/news/2025/11/budget-samsung-phones-shippe… ∗∗∗ Vorsicht vor Fake-Shops rund um den Black Friday ∗∗∗ --------------------------------------------- Der Black Friday steht vor der Tür und viele Online-Händler locken bereits jetzt mit großzügigen Rabatten. Doch Sparfüchse sollten vor einer Bestellung genau hinsehen, denn auch betrügerische Shops versuchen, von der erhöhten Kauflaune zu profitieren. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-fake-shops-rund-um-den-… ∗∗∗ NIS2: Gesetz für mehr Cybersicherheit ist auf dem Weg ∗∗∗ --------------------------------------------- Die Regierung holt ein Versäumnis nach: Das Gesetz hätte schon vor einem Jahr beschlossen werden sollen --------------------------------------------- https://www.derstandard.at/story/3000000297503/nis2-gesetz-fuer-mehr-cybers… ∗∗∗ Inside Europe’s AI-Fuelled GLP-1 Scam Epidemic: How Criminal Networks Are Hijacking the Identities of the NHS, AEMPS, ANSM, BfArM and AIFA to Sell Fake Weight-Loss Products ∗∗∗ --------------------------------------------- The global appetite for GLP-1 medications like Ozempic, Wegovy and Mounjaro have created something far more dangerous than a cultural trend. It has created the perfect opening for cyber criminals who understand how desperation, scarcity and online misinformation intersect. As clinics struggle with shortages and manufacturers warn of supply limits extending .. --------------------------------------------- https://blog.checkpoint.com/research/inside-europes-ai-fuelled-glp-1-scam-e… ∗∗∗ Stolen VPN Credentials Most Common Ransomware Attack Vector ∗∗∗ --------------------------------------------- Compromised VPN credentials are the most common initial access vector for ransomware attacks, according to a new report. Nearly half of ransomware attacks in the third quarter abused compromised VPN credentials as the initial access point, according to research from Beazley Security, the cybersecurity arm of Beazley Insurance. Nearly a quarter of initial access .. --------------------------------------------- https://thecyberexpress.com/stolen-vpn-credentials-most-common-ransomware-a… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-25-885: (0Day) Digilent DASYLab DSB File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-885/ ∗∗∗ CVE-2025-50165: Critical Flaw in Windows Graphics Component ∗∗∗ --------------------------------------------- https://www.zscaler.com/blogs/security-research/cve-2025-50165-critical-fla… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 20.11.2025
by Daily end-of-shift report 20 Nov '25

20 Nov '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 19-11-2025 18:00 − Donnerstag 20-11-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Critics scoff after Microsoft warns AI feature can infect machines and pilfer data ∗∗∗ --------------------------------------------- Integration of Copilot Actions into Windows is off by default, but for how long? --------------------------------------------- https://arstechnica.com/security/2025/11/critics-scoff-after-microsoft-warn… ∗∗∗ Salesforce investigates customer data theft via Gainsight breach ∗∗∗ --------------------------------------------- Salesforce says it revoked refresh tokens linked to Gainsight-published applications while investigating a new wave of data theft attacks targeting customers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/salesforce-investigates-cust… ∗∗∗ Sicherheitslücke wird ausgenutzt: Angreifer attackieren 7-Zip-Nutzer ∗∗∗ --------------------------------------------- Ältere Versionen des Packprogramms 7-Zip weisen eine gefährliche Schadcode-Lücke auf, die inzwischen ausgenutzt wird. Nutzer sollten handeln. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-wird-ausgenutzt-angreifer-attac… ∗∗∗ Fake-Softwareupdates: Cyberspione verteilen Malware über manipulierten DNS-Traffic ∗∗∗ --------------------------------------------- Eine APT-Gruppe leitet gezielt DNS-Traffic kompromittierter Router um, um Anwendern falsche Softwareupdates mit einer Backdoor unterzuschieben. --------------------------------------------- https://www.golem.de/news/dns-traffic-umgeleitet-cyberspione-verbreiten-mal… ∗∗∗ Banking-Trojaner: Neue Android-Malware liest verschlüsselte Chats mit ∗∗∗ --------------------------------------------- Egal ob Signal, Telegram oder Whatsapp - kein Chat kann sich vor dem Sturnus-Trojaner verstecken. Opfer bemerken den Datenklau nicht. --------------------------------------------- https://www.golem.de/news/banking-trojaner-neue-android-malware-liest-versc… ∗∗∗ Blockchain and Node.js abused by Tsundere: an emerging botnet ∗∗∗ --------------------------------------------- Kaspersky GReAT experts discovered a new campaign featuring the Tsundere botnet. Node.js-based bots abuse web3 smart contracts and are spread via MSI installers and PowerShell scripts. --------------------------------------------- https://securelist.com/tsundere-node-js-botnet-uses-ethereum-blockchain/117… ∗∗∗ Inside the dark web job market ∗∗∗ --------------------------------------------- This report examines how employment and recruitment function on the dark web, based on over 2,000 job-related posts collected from shadow forums between January 2023 and June 2025. --------------------------------------------- https://securelist.com/dark-web-job-market-2023-2025/118057/ ∗∗∗ SpiderLabs IDs New Banking Trojan Distributed Through WhatsApp ∗∗∗ --------------------------------------------- Trustwave SpiderLabs researchers have recently identified a banking Trojan we dubbed Eternidade Stealer, which is distributed through WhatsApp hijacking and social engineering lures. In this blog post, we will break down the techniques used in the campaign and highlight the new tools employed by the threat group. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/spiderlabs-… ∗∗∗ Iran-Linked Hackers Mapped Ship AIS Data Days Before Real-World Missile Strike Attempt ∗∗∗ --------------------------------------------- Threat actors with ties to Iran engaged in cyber warfare as part of efforts to facilitate and enhance physical, real-world attacks, a trend that Amazon has called cyber-enabled kinetic targeting.The development is a sign that the lines between state-sponsored cyber attacks and kinetic warfare are increasingly blurring, necessitating the need for a new category of warfare, the tech giants .. --------------------------------------------- https://thehackernews.com/2025/11/iran-linked-hackers-mapped-ship-ais.html ∗∗∗ Zu gut, um wahr zu sein? Vorsicht vor betrügerischen Kredit-Angeboten! ∗∗∗ --------------------------------------------- Kein Einkommensnachweis nötig? Die Zinsen weit unter dem üblichen Niveau? Maximale Flexibilität? Kriminelle locken ihre Opfer mit unrealistischen Kredit-Versprechen in die Falle. Sie drängen sie zur Überweisung verschiedenster Steuern, Gebühren etc. – zu einer Auszahlung kommt es allerdings nie. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-kredit-angebote/ ∗∗∗ NSO seeks to overturn WhatsApp case, saying it is ‘catastrophic’ for the spyware maker ∗∗∗ --------------------------------------------- In a court filing ahead of the ruling, NSO told the judge that blocking it from targeting WhatsApp infrastructure to implant its spyware could “put NSO’s entire enterprise at risk” and “force NSO out of business.” --------------------------------------------- https://therecord.media/nso-seeks-to-overturn-whatsapp-case ∗∗∗ Reoccurring Use of Highly Suspicious PDF Editors to Infiltrate Environments ∗∗∗ --------------------------------------------- The activities observed are the following: — File is downloaded from conmateapp[.]com ortrm[.]conmateapp[.]com (OSINT suggests that these are downloaded through ads but this has not .. --------------------------------------------- https://www.truesec.com/hub/blog/reoccurring-use-of-highly-suspicious-pdf-e… ∗∗∗ FortiWeb CVE‑2025‑64446: What We’re Seeing in the Wild ∗∗∗ --------------------------------------------- GreyNoise has begun seeing active exploitation of CVE‑2025‑64446, the critical path‑traversal flaw that lets an unauthenticated actor run administrative commands on Fortinet FortiWeb appliances. --------------------------------------------- https://www.greynoise.io/blog/fortiweb-cve-2025-64446 ∗∗∗ Palo Alto Scanning Surges 40X in 24 Hours, Marking 90-Day High ∗∗∗ --------------------------------------------- GreyNoise has identified a significant escalation in malicious activity targeting Palo Alto Networks GlobalProtect portals. Beginning on 14 November 2025, activity rapidly intensified, culminating in a 40x surge within 24 hours, marking a new 90-day high. --------------------------------------------- https://www.greynoise.io/blog/palo-alto-scanning-surges-90-day-high -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 19.11.2025
by Daily end-of-shift report 19 Nov '25

19 Nov '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 18-11-2025 18:00 − Mittwoch 19-11-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New ShadowRay attacks convert Ray clusters into crypto miners ∗∗∗ --------------------------------------------- A global campaign dubbed ShadowRay 2.0 hijacks exposed Ray Clusters by exploiting an old code execution flaw to turn them into a self-propagating cryptomining botnet. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-shadowray-attacks-conver… ∗∗∗ Russian bulletproof hosting provider sanctioned over ransomware ties ∗∗∗ --------------------------------------------- Today, the United States, the United Kingdom, and Australia announced sanctions targeting Russian bulletproof hosting (BPH) providers that have supported ransomware gangs and other cybercrime operations. --------------------------------------------- https://www.bleepingcomputer.com/news/security/us-sanctions-russian-bulletp… ∗∗∗ Gen Z ist bei Passwörtern so schlecht wie 80-Jährige ∗∗∗ --------------------------------------------- Das beliebteste Passwort weltweit lautet: “Passwort”. --------------------------------------------- https://futurezone.at/digital-life/passwort-gen-z-aeltere-generation-80-jae… ∗∗∗ Microsoft: Windows 11 bekommt hardwarebeschleunigtes Bitlocker ∗∗∗ --------------------------------------------- Bisher war Bitlocker ausschließlich als Softwareverschlüsselung vorgesehen. Das soll sich in Windows bald ändern. --------------------------------------------- https://www.golem.de/news/microsoft-windows-11-bekommt-hardwarebeschleunigt… ∗∗∗ NIS-2-Richtlinie: Zentrale Anlaufstelle für Cybervorfälle geplant ∗∗∗ --------------------------------------------- Firmen sollen in der EU künftig Sicherheitsvorfälle nur noch bei einer Behörde melden müssen. Das soll den Berichtsaufwand verringern. --------------------------------------------- https://www.golem.de/news/nis-2-richtlinie-zentrale-anlaufstelle-fuer-cyber… ∗∗∗ IT threat evolution in Q3 2025. Mobile statistics ∗∗∗ --------------------------------------------- The report features statistics on mobile threats for the third quarter of 2025, along with interesting findings and trends from the quarter, including an increase in ransomware activity in Germany, and more. --------------------------------------------- https://securelist.com/malware-report-q3-2025-mobile-statistics/118013/ ∗∗∗ IT threat evolution in Q3 2025. Non-mobile statistics ∗∗∗ --------------------------------------------- The report presents key trends and statistics on malware that targets personal computers running Windows and macOS, as well as Internet of Things (IoT) devices, during the third quarter of 2025. --------------------------------------------- https://securelist.com/malware-report-q3-2025-pc-iot-statistics/118020/ ∗∗∗ Sneaky 2FA Phishing Kit Adds BitB Pop-ups Designed to Mimic the Browser Address Bar ∗∗∗ --------------------------------------------- The malware authors associated with a Phishing-as-a-Service (PhaaS) kit known as Sneaky 2FA have incorporated Browser-in-the-Browser (BitB) functionality into their arsenal, underscoring the continued evolution of such offerings and further making it easier for .. --------------------------------------------- https://thehackernews.com/2025/11/sneaky-2fa-phishing-kit-adds-bitb-pop.html ∗∗∗ Tens of thousands more ASUS routers pwned by suspected, evolving China operation ∗∗∗ --------------------------------------------- Researchers say attacks are laying the groundwork for stealthy espionage activity Around 50,000 ASUS routers have been compromised in a sophisticated attack that researchers believe may be linked to China, according to findings released today by SecurityScorecards STRIKE team. --------------------------------------------- https://www.theregister.com/2025/11/19/thousands_more_asus_routers_pwned/ ∗∗∗ Fakeshops: Vorsicht bei Black-Week- und Heizöl-Angeboten ∗∗∗ --------------------------------------------- Die Verbraucherzentrale NRW warnt vor Fakeshops mit vermeintlichen Heizöl-Schnäppchen. Die Black-Week lockt Betrüger auf den Plan. --------------------------------------------- https://www.heise.de/news/Fakeshops-Vorsicht-bei-Black-Week-und-Heizoel-Ang… ∗∗∗ Sicherheitslücken: Solarwinds Platform und Serv-U für Attacken anfällig ∗∗∗ --------------------------------------------- Angreifer können Solarwinds Netzwerkmonitoringlösung Platform und die Dateitransfersoftware Serv-U attackieren. --------------------------------------------- https://www.heise.de/news/Sicherheitsluecken-Solarwinds-Platform-und-Serv-U… ∗∗∗ Vorsicht: Kombinierte Phishing & Abo-Falle statt neuem iPhone 17 pro! ∗∗∗ --------------------------------------------- Das neueste iPhone – völlig kostenlos – direkt nach Hause geschickt! Gibt’s nicht? Gibt’s tatsächlich nicht! Hinter dem verlockenden Angebot versteckt sich in Wahrheit nichts anderes als eine Betrugs-Kombi aus Kreditkartendiebstahl und Abo-Falle. --------------------------------------------- https://www.watchlist-internet.at/news/phishing-falle-iphone-17-pro/ ∗∗∗ Anatomy of an Akira Ransomware Attack: When a Fake CAPTCHA Led to 42 Days of Compromise ∗∗∗ --------------------------------------------- Unit 42 outlines a Howling Scorpius attack delivering Akira ransomware that originated from a fake CAPTCHA and led to a 42-day compromise. --------------------------------------------- https://unit42.paloaltonetworks.com/fake-captcha-to-compromise/ ∗∗∗ Unwanted Gifts: Major Campaign Lures Targets with Fake Party Invites ∗∗∗ --------------------------------------------- Prolific threat actor delivering RMM packages using variety of lures, including seasonal party invites --------------------------------------------- https://www.security.com/threat-intelligence/rmm-logmein-attacks ∗∗∗ LG battery subsidiary says ransomware attack targeted overseas facility ∗∗∗ --------------------------------------------- A "specific overseas facility" fell prey to a ransomware attack but is now operating normally, according to LG Energy Solution — the South Korean multinationals battery-making subsidiary. --------------------------------------------- https://therecord.media/lg-energy-solution-ransomware-incident-battery-maker -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 18.11.2025
by Daily end-of-shift report 18 Nov '25

18 Nov '25

===================== = End-of-Day report = ===================== Timeframe: Montag 17-11-2025 18:00 − Dienstag 18-11-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft: Azure hit by 15 Tbps DDoS attack using 500,000 IP addresses ∗∗∗ --------------------------------------------- Microsoft said today that the Aisuru botnet hit its Azure network with a 15.72 terabits per second (Tbps) DDoS attack, launched from over 500,000 IP addresses. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-aisuru-botnet-use… ∗∗∗ RondoDox botnet malware now hacks servers using XWiki flaw ∗∗∗ --------------------------------------------- The RondoDox botnet malware is now exploiting a critical remote code execution (RCE) flaw in XWiki Platform tracked as CVE-2025-24893. --------------------------------------------- https://www.bleepingcomputer.com/news/security/rondodox-botnet-malware-now-… ∗∗∗ The Tycoon 2FA Phishing Platform and the Collapse of Legacy MFA ∗∗∗ --------------------------------------------- Tycoon 2FA enables turnkey real-time MFA relays behind 64,000+ attacks this year, proving legacy MFA collapses the moment a phishing kit targets it. Learn from Token Ring how biometric, phishing-proof FIDO2 hardware blocks these relay attacks before they succeed. --------------------------------------------- https://www.bleepingcomputer.com/news/security/the-tycoon-2fa-phishing-plat… ∗∗∗ Sicherheitslücke in V8: Hacker attackieren Chrome-Nutzer über Javascript-Engine ∗∗∗ --------------------------------------------- Zur Ausnutzung der Chrome-Lücke reicht der bloße Aufruf einer bösartigen Webseite. Angreifer können daraufhin Schadcode zur Ausführung bringen. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-in-v8-angreifer-attackieren-chr… ∗∗∗ A Simple WhatsApp Security Flaw Exposed 3.5 Billion Phone Numbers ∗∗∗ --------------------------------------------- By plugging tens of billions of phone numbers into WhatsApp’s contact discovery tool, researchers found “the most extensive exposure of phone numbers” ever—along with profile photos and more. --------------------------------------------- https://www.wired.com/story/a-simple-whatsapp-security-flaw-exposed-billion… ∗∗∗ IT-Vorfall: Stadtwerke Detmold nicht mehr erreichbar ∗∗∗ --------------------------------------------- Die Stadtwerke Detmold sind Opfer eines IT-Angriffs geworden. Sie sind derzeit nicht mehr erreichbar. Die Versorgung soll gesichert sein. --------------------------------------------- https://www.heise.de/news/Stadtwerke-Detmold-nach-IT-Vorfall-offline-110829… ∗∗∗ Common Kubernetes misconfigurations and how to avoid them ∗∗∗ --------------------------------------------- TL;DR Introduction Kubernetes has changed the way we deploy and scale workloads. It’s powerful, flexible, and very good at hiding a lot of complexity. It is also very good at hiding security problems until someone starts poking at it. Attackers usually take the path of least resistance. If they find an exposed API, dashboard, or port, that is often .. --------------------------------------------- https://www.pentestpartners.com/security-blog/common-kubernetes-misconfigur… ∗∗∗ ASFINAG Phishing-Welle fordert Bezahlung angeblicher Verkehrsstrafe ∗∗∗ --------------------------------------------- Eine Verkehrsstrafe möchte man meist schnell begleichen, um zusätzliche Kosten zu vermeiden. Genau diesen Reflex nutzen derzeit Kriminelle aus: Im Umlauf befindet sich eine gefälschte Mahn-SMS, die angeblich von der ASFINAG stammt. --------------------------------------------- https://www.watchlist-internet.at/news/asfinag-phishing-welle-fordert-bezah… ∗∗∗ MI5 warns of Chinese spies using LinkedIn to gain intel on lawmakers ∗∗∗ --------------------------------------------- The alert identifies two specific LinkedIn profiles, featuring fake personas, that are being used by China’s Ministry of State Security in an attempt to build relationships in Westminster and gain intelligence. --------------------------------------------- https://therecord.media/mi5-warns-chinese-spies-using-linkedin-lawmakers ∗∗∗ Russian suspect detained in Thailand is allegedly tied to Void Blizzard group ∗∗∗ --------------------------------------------- More details are emerging about a 35-year-old Russian man arrested by Thai police in Phuket earlier this month with reported help from the FBI. --------------------------------------------- https://therecord.media/russian-arrested-thailand-allegedly-void-blizzard-a… ∗∗∗ Breaking Down S3 Ransomware: Variants, Attack Paths and Trend Vision One™ Defenses ∗∗∗ --------------------------------------------- In this blog entry, Trend™ Research explores how ransomware actors are shifting their focus to cloud-based assets, including the tactics used to compromise business-critical data in AWS environments. --------------------------------------------- https://www.trendmicro.com/en_us/research/25/k/s3-ransomware.html ∗∗∗ When Bulletproof Hosting Proves Bulletproof: The Stark Industries Shell Game ∗∗∗ --------------------------------------------- EU sanctions hit Stark Industries in May 2025. GreyNoise data shows how the group quietly rebranded to THE.Hosting and kept its malicious infrastructure running. --------------------------------------------- https://www.greynoise.io/blog/stark-industries-shell-game ∗∗∗ Nordkoreas Remote-Angestellte: Fünf Helfer in den USA bekennen sich schuldig ∗∗∗ --------------------------------------------- Schon seit Jahren lässt Nordkorea Menschen über das Internet in den USA arbeiten, um an Gehälter zu kommen. Nun zeigt sich in den USA, wie dabei geholfen wird. --------------------------------------------- https://heise.de/-11082874 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libwebsockets), Fedora (chromium and fvwm3), Mageia (apache, firefox, and postgresql13, postgresql15), Oracle (idm:DL1), Red Hat (bind, bind9.18, firefox, and openssl), SUSE (alloy, ghostscript, and openssl-1_0_0), and Ubuntu (ffmpeg and freeglut). --------------------------------------------- https://lwn.net/Articles/1046891/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 17.11.2025
by Daily end-of-shift report 17 Nov '25

17 Nov '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 14-11-2025 18:00 − Montag 17-11-2025 18:00 Handler: Alexander Riepl Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Jaguar Land Rover cyberattack cost the company over $220 million ∗∗∗ --------------------------------------------- Jaguar Land Rover (JLR) published its financial results for July 1 to September 30, warning that the cost of a recent cyberattack totaled £196 million ($220 million) in the quarter. --------------------------------------------- https://www.bleepingcomputer.com/news/security/jaguar-land-rover-cyberattac… ∗∗∗ Decades-old 'Finger' protocol abused in ClickFix malware attacks ∗∗∗ --------------------------------------------- The decades-old "finger" command is making a comeback, with threat actors using the protocol to retrieve remote commands to execute on Windows devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/decades-old-finger-protocol-… ∗∗∗ DoorDash email spoofing vulnerability sparks messy disclosure dispute ∗∗∗ --------------------------------------------- A vulnerability in DoorDashs systems could allow anyone to send "official" DoorDash-themed emails right from companys authorized servers, paving a near-perfect phishing channel. DoorDash has now patched the issue, but a contentious disclosure dispute has erupted, with both sides accusing each other of acting in bad faith. --------------------------------------------- https://www.bleepingcomputer.com/news/security/doordash-email-spoofing-vuln… ∗∗∗ Cursor Issue Paves Way for Credential-Stealing Attacks ∗∗∗ --------------------------------------------- Researchers discovered a security weakness in the AI-powered coding tool that allows malicious MCP server to hijack Cursors internal browser. --------------------------------------------- https://www.darkreading.com/vulnerabilities-threats/cursor-issue-credential… ∗∗∗ Ransomware: Kunden- und Mitarbeiterdaten von Logitech gehackt ∗∗∗ --------------------------------------------- Der Zubehörhersteller Logitech hat ein Datenleck eingeräumt. Der Angriff erfolgte wohl über Oracle-Software. --------------------------------------------- https://www.golem.de/news/ransomware-kunden-und-mitarbeiterdaten-von-logite… ∗∗∗ Rust Adoption Drives Android Memory Safety Bugs Below 20% for First Time ∗∗∗ --------------------------------------------- Google has disclosed that the companys continued adoption of the Rust programming language in Android has resulted in the number of memory safety vulnerabilities falling below 20% for the first time. --------------------------------------------- https://thehackernews.com/2025/11/rust-adoption-drives-android-memory.html ∗∗∗ Overconfidence is the new zero-day as teams stumble through cyber simulations ∗∗∗ --------------------------------------------- Readiness metrics have flatlined since 2023, with most sectors slipping backward as teams fumble crisis drills. Teams that think theyre ready for a major cyber incident are scoring barely 22 percent accuracy and taking more than a day to contain simulated attacks, according to new data out Monday. --------------------------------------------- www.theregister.com/2025/11/17/immersive_cyber_resilience_report/ ∗∗∗ DOJ Issued Seizure Warrant to Starlink Over Satellite Internet Systems Used at Scam Compound ∗∗∗ --------------------------------------------- A new US law enforcement initiative is aimed at crypto fraudsters targeting Americans—and now seeks to seize infrastructure it claims is crucial to notorious scam compounds. --------------------------------------------- https://www.wired.com/story/doj-issued-seizure-warrants-to-starlink-over-sa… ∗∗∗ Cyberangriff: Bundestagspolizei warnt Fraktionen vor gefährlichen USB-Sticks ∗∗∗ --------------------------------------------- In vielen Abgeordnetenbüros sind Postsendungen auf Englisch mit einem USB-Stick eingegangen. Die Polizei mahnt, solche Geräte nicht an Computer anzuschließen. --------------------------------------------- https://www.heise.de/news/Cyberangriff-Bundestagspolizei-warnt-Fraktionen-v… ∗∗∗ Autonome KI-Cyberattacke: Hat sie wirklich so stattgefunden? ∗∗∗ --------------------------------------------- Eine weitgehend autonome, KI-gesteuerte Cyberattacke will Anthropic nicht nur entdeckt, sondern auch gestoppt haben. Aber stimmt das wirklich? --------------------------------------------- https://www.heise.de/news/Autonomer-KI-Cyberangriff-Zweifel-an-Anthropics-U… ∗∗∗ IT-Vorfall bei Washington Post: Daten von knapp 10.000 Leuten abgeflossen ∗∗∗ --------------------------------------------- Über eine Oracle-Schwachstelle sind Kriminelle auch bei der Washington Post eingedrungen. Daten von fast 10.000 Menschen sind abgeflossen. --------------------------------------------- https://www.heise.de/news/IT-Vorfall-bei-Washington-Post-Daten-von-knapp-10… ∗∗∗ Cyberangriffe erschüttern Börsen: Massive finanzielle Folgen ∗∗∗ --------------------------------------------- Eine neue Umfrage zeigt drastische finanzielle Folgen von Cyberangriffen: 70 Prozent der börsennotierten Unternehmen mussten ihre Gewinnprognosen anpassen. --------------------------------------------- https://www.heise.de/news/Studie-Cyberangriffe-treffen-Aktienkurse-und-Fina… ∗∗∗ Scammers are sending bogus copyright warnings to steal your X login ∗∗∗ --------------------------------------------- A copyright violation sounds serious, so cybercriminals are faking messages from the DMCA to lure you into handing over your X credentials. --------------------------------------------- https://www.malwarebytes.com/blog/news/2025/11/scammers-are-sending-bogus-c… ∗∗∗ Advent, Advent – nicht alles glänzt! Vorsicht vor unseriösen Adventkalender-Shops! ∗∗∗ --------------------------------------------- Adventkalender versüßen Groß und Klein die Vorweihnachtszeit. Doch alle Jahre wieder versuchen auch unseriöse Anbieter, Profit aus dem Weihnachtsgeschäft zu schlagen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-unserioesen-adventkalen… ∗∗∗ Digital Doppelgangers: Anatomy of Evolving Impersonation Campaigns Distributing Gh0st RAT ∗∗∗ --------------------------------------------- Two campaigns delivering Gh0st RAT to Chinese speakers show a deep understanding of the target populations virtual environment and online behavior. --------------------------------------------- https://unit42.paloaltonetworks.com/impersonation-campaigns-deliver-gh0st-r… ∗∗∗ Initial Access Brokers (IAB) in 2025 – >From Dark Web Listings to Supply Chain Ransomware Events ∗∗∗ --------------------------------------------- Initial access brokers in 2025, how dark web access listings feed ransomware supply chain events like JLR, and what CISOs can do to detect and disrupt them. --------------------------------------------- https://www.darknet.org.uk/2025/11/initial-access-brokers-iab-in-2025-from-… ∗∗∗ From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion ∗∗∗ --------------------------------------------- The intrusion took place in May 2024, when a user executed a malicious JavaScript file. This JavaScript file has been previously reported as associated with the Lunar Spider initial access group by EclecticIQ. The heavily obfuscated file, masquerading as a legitimate tax form, contained only a small amount of executable code dispersed among extensive filler content used for evasion. --------------------------------------------- https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-e… ∗∗∗ Cat’s Got Your Files: Lynx Ransomware ∗∗∗ --------------------------------------------- The intrusion began in early March 2025 with a single successful Remote Desktop Protocol (RDP) logon to an internet-exposed system. Notably, there was no evidence of credential stuffing, brute forcing, or other failed authentication attempts from the source IP, indicating the threat actor likely possessed valid credentials before the activity occurred. --------------------------------------------- https://thedfirreport.com/2025/11/17/cats-got-your-files-lynx-ransomware/ ∗∗∗ MISP v2.5.25 Release Notes ∗∗∗ --------------------------------------------- This release introduces a security fix, significant performance improvements for REST searches, new default feeds, and several important bug fixes. Security: Fixed a vulnerability that could expose user passwords in workflows. --------------------------------------------- https://github.com/MISP/MISP/releases/tag/v2.5.25 ∗∗∗ AIPAC Discloses Data Breach, Says Hundreds Affected ∗∗∗ --------------------------------------------- AIPAC reports data breach after external system access, hundreds affected, investigation ongoing with added security steps. --------------------------------------------- https://hackread.com/aipac-data-breach-hundreds-affected/ ∗∗∗ EchoGram Flaw Bypasses Guardrails in Major LLMs ∗∗∗ --------------------------------------------- HiddenLayer reveals the EchoGram vulnerability, which bypasses safety guardrails on GPT-5.1 and other major LLMs, giving security teams just a 3-month head start. --------------------------------------------- https://hackread.com/echogram-flaw-bypass-guardrails-major-llms/ ∗∗∗ Frontline Intelligence: Analysis of UNC1549 TTPs, Custom Tools, and Malware Targeting the Aerospace and Defense Ecosystem ∗∗∗ --------------------------------------------- Last year, Mandiant published a blog post highlighting suspected Iran-nexus espionage activity targeting the aerospace, aviation, and defense industries in the Middle East. In this follow-up post, Mandiant discusses additional tactics, techniques, and procedures (TTPs) observed in incidents Mandiant has responded to. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/analysis-of-unc154… ∗∗∗ No Leak, No Problem - Bypassing ASLR with a ROP Chain to Gain RCE ∗∗∗ --------------------------------------------- After my previous post on ARM exploitation, where we crafted an exploit for a known vulnerability, I decided to continue the research on a more modern IoT target. In this follow-up post, I will take you through building a considerably more complex binary exploit. We will explore the path from firmware extraction and analysis to the discovery of a previously unknown vulnerability and its exploitation. --------------------------------------------- https://modzero.com/en/blog/no-leak-no-problem/ ∗∗∗ npm Malware Campaign Uses Adspect Cloaking to Deliver Malicious Redirects ∗∗∗ --------------------------------------------- The Socket Threat Research Team recently discovered dino_reborn, an npm threat actor with seven packages constructing an intricate malware campaign. Upon visiting a fake website constructed by one of the packages, the threat actor determines if the visitor is a victim or a security researcher. If the visitor is a victim, they see a fake CAPTCHA, eventually bringing them to a malicious site. If they are a security researcher, only a few tells on the fake website would tip them off that something nefarious may be occurring. --------------------------------------------- https://socket.dev/blog/npm-malware-campaign-uses-adspect-cloaking-to-deliv… ∗∗∗ MacOS Infection Vector: Using AppleScripts to bypass Gatekeeper ∗∗∗ --------------------------------------------- This gives an overview of how .scpt AppleScript are used to creatively deliver macOS malware, such as fake office documents or fake Zoom/Teams updates. Previously a technique seen with APT campaigns for macOS, we can now see samples coming from the macOS stealer ecosystem like MacSync and Odyssey. --------------------------------------------- https://pberba.github.io/security/2025/11/11/macos-infection-vector-applesc… ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Sicherheitslücke in Fortinet FortiWeb wird aktiv ausgenutzt ∗∗∗ --------------------------------------------- Eine kritische Sicherheitslücke (CVE-2025-64446) in Fortinet FortiWeb erlaubt es unauthentifizierten Angreifer:innen, eigene Admin-Konten zu erstellen und somit die vollständige Kontrolle über betroffene Geräte zu erlangen. Die Schwachstelle wird mindestens seit dem 6. Oktober 2025 aktiv ausgenutzt und Exploitcode ist bereits öffentlich verfügbar. --------------------------------------------- https://www.cert.at/de/aktuelles/2025/11/kritische-sicherheitslucke-in-fort… ∗∗∗ Mehrere Sicherheitslücken bedrohen Cisco Catalyst Center ∗∗∗ --------------------------------------------- Sicherheitsupdates schließen mehrere Schwachstellen in Ciscos Netzwerk-Kontrollzentrum Catalyst Center. --------------------------------------------- https://www.heise.de/news/Admin-Sicherheitsluecke-bedroht-Cisco-Catalyst-Ce… ∗∗∗ Microsoft Patch Tuesday, November 2025 Edition ∗∗∗ --------------------------------------------- Microsoft this week pushed security updates to fix more than 60 vulnerabilities in its Windows operating systems and supported software, including at least one zero-day bug that is already being exploited. Microsoft also fixed a glitch that prevented some Windows 10 users from taking advantage of an extra year of security updates, which is nice because the zero-day flaw and other critical weaknesses patched today affect all versions of Windows, including Windows 10. --------------------------------------------- https://krebsonsecurity.com/2025/11/microsoft-patch-tuesday-november-2025-e… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gst-plugins-base1.0, lasso, and thunderbird), Fedora (bind9-next, chromium, containerd, fvwm3, luksmeta, opentofu, python-pdfminer, python-uv-build, ruff, rust-get-size-derive2, rust-get-size2, rust-regex, rust-regex-automata, rust-reqsign, rust-reqsign-aws-v4, rust-reqsign-command-execute-tokio, rust-reqsign-core, rust-reqsign-file-read-tokio, rust-reqsign-http-send reqwest, suricata, uv, and xmedcon), Mageia (apache-commons-beanutils, apache-commons-fileupload, apache-commons-lang, botan2, python-django, spdlog, stardict, webkit2, and yelp-xsl), Slackware (xpdf), and SUSE (bind, chromedriver, firefox, kernel, libxml2, and openssh). --------------------------------------------- https://lwn.net/Articles/1046756/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 14.11.2025
by Daily end-of-shift report 14 Nov '25

14 Nov '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 13-11-2025 18:00 − Freitag 14-11-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ RCE flaw in ImunifyAV puts millions of Linux-hosted sites at risk ∗∗∗ --------------------------------------------- The ImunifyAV malware scanner for Linux server, used by tens of millions of websites, is vulnerable to a remote code execution vulnerability that could be exploited to compromise the hosting environment. --------------------------------------------- https://www.bleepingcomputer.com/news/security/rce-flaw-in-imunifyav-puts-m… ∗∗∗ New ‘IndonesianFoods’ worm floods npm with 100,000 packages ∗∗∗ --------------------------------------------- A self-spreading package published on npm spams the registry by spawning new packages every every seven seconds, creating large volumes of junk. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-indonesianfoods-worm-flo… ∗∗∗ DoorDash hit by new data breach in October exposing user information ∗∗∗ --------------------------------------------- DoorDash has disclosed a data breach that hit the food delivery platform this October. Beginning yesterday evening, DoorDash, which serves millions of customers across the U.S., Canada, Australia, and New Zealand, started emailing those impacted by the newly discovered security incident. --------------------------------------------- https://www.bleepingcomputer.com/news/security/doordash-hit-by-new-data-bre… ∗∗∗ ASUS warns of critical auth bypass flaw in DSL series routers ∗∗∗ --------------------------------------------- ASUS has released new firmware to patch a critical authentication bypass security flaw impacting several DSL series router models. --------------------------------------------- https://www.bleepingcomputer.com/news/security/asus-warns-of-critical-auth-… ∗∗∗ NIS-2-Umsetzung: Bundestag beschließt umstrittenes Cybersicherheitsgesetz ∗∗∗ --------------------------------------------- NIS 2 kann für Netzbetreiber fehlende Rechtssicherheit, Wirtschaftsrisiken und unnötige Bürokratie bringen. Noch kann der Bundesrat etwas ändern. --------------------------------------------- https://www.golem.de/news/nis-2-umsetzung-bundestag-beschliesst-umstrittene… ∗∗∗ Chinese spies told Claude to break into about 30 critical orgs. Some attacks succeeded ∗∗∗ --------------------------------------------- Anthropic dubs this the first AI-orchestrated cyber snooping campaign Chinese cyber spies used Anthropics Claude Code AI tool to attempt digital break-ins at about 30 high-profile companies and government organizations – and the government-backed snoops "succeeded in a small number of cases," according to a Thursday report from the AI company. --------------------------------------------- https://www.theregister.com/2025/11/13/chinese_spies_claude_attacks/ ∗∗∗ Cybergang cl0p will Daten von Carglass, Fluke und NHS erbeutet haben ∗∗∗ --------------------------------------------- Auf der Darknet-Seite der kriminellen Bande cl0p sind neue Einträge zu Carglass, Fluke und NHS aufgetaucht. Dort will sie Daten geklaut haben. --------------------------------------------- https://www.heise.de/news/Datenlecks-Cybergang-cl0p-will-Daten-von-Carglass… ∗∗∗ FBI: Akira gang has received nearly $250 million in ransoms ∗∗∗ --------------------------------------------- The U.S. and European law enforcement released new information to help organizations defend themselves against the Akira ransomware gang, which has attacked small- and medium-sized businesses for years. --------------------------------------------- https://therecord.media/akira-gang-received-million ∗∗∗ Suspected Russian hacker reportedly detained in Thailand, faces possible US extradition ∗∗∗ --------------------------------------------- Russian news reports and Thai sources said police had detained an alleged Russian hacker on the island of Phuket and transferred him to Bangkok for possible transfer to the U.S. --------------------------------------------- https://therecord.media/russian-hacker-detained-thailand-possible-us-extrad… ∗∗∗ Increase in Lumma Stealer Activity Coincides with Use of Adaptive Browser Fingerprinting Tactics ∗∗∗ --------------------------------------------- In this blog entry, Trend™ Research analyses the layered command-and-control approaches that Lumma Stealer uses to maintain its ongoing operations while enhancing collection of victim-environment data. --------------------------------------------- https://www.trendmicro.com/en_us/research/25/k/lumma-stealer-browser-finger… ∗∗∗ When The Impersonation Function Gets Used To Impersonate Users (Fortinet FortiWeb (??) Auth. Bypass) ∗∗∗ --------------------------------------------- The Internet is ablaze, and once again we all have a front-row seat - a bad person, if you can believe it, is doing a bad thing!The first warning of such behaviour came from the great team at Defused:As many are now aware, an unnamed (and potentially silently --------------------------------------------- https://labs.watchtowr.com/when-the-impersonation-function-gets-used-to-imp… ∗∗∗ Fortinet: Neuer Exploit missbraucht Zero-Day-Lücke in Firewalls ∗∗∗ --------------------------------------------- IT-Forscher haben neuen Exploit-Code in ihrem Honeypot gefunden. Der attackiert eine bislang unbekannte Fortinet-Sicherheitslücke. --------------------------------------------- https://heise.de/-11078310 ∗∗∗ Nation state threat actor used Claude Code to orchestrate cyber attacks ∗∗∗ --------------------------------------------- We recently argued that an inflection point had been reached in cybersecurity: a point at which AI models had become genuinely useful for cybersecurity operations, both for good and for ill. This was based on systematic evaluations showing cyber capabilities doubling in six months .. --------------------------------------------- https://www.anthropic.com/news/disrupting-AI-espionage ===================== = Vulnerabilities = ===================== ∗∗∗ Security Vulnerabilities fixed in Thunderbird 145 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-90/ ∗∗∗ Security Vulnerabilities fixed in Thunderbird 140.5 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-91/ ∗∗∗ Path confusion vulnerability in GUI ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-25-910 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 13.11.2025
by Daily end-of-shift report 13 Nov '25

13 Nov '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 12-11-2025 18:00 − Donnerstag 13-11-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ November Patch Tuesday does its chores ∗∗∗ --------------------------------------------- A cleanup month brings 63 patches… wait, no, 68… how about 61? --------------------------------------------- https://news.sophos.com/en-us/2025/11/12/november-patch-tuesday-does-its-ch… ∗∗∗ Over 67,000 Fake npm Packages Flood Registry in Worm-Like Spam Attack ∗∗∗ --------------------------------------------- Cybersecurity researchers are calling attention to a large-scale spam campaign that has flooded the npm registry with thousands of fake packages since early 2024 as part of a likely financially motivated effort."The packages were systematically published .. --------------------------------------------- https://thehackernews.com/2025/11/over-46000-fake-npm-packages-flood.html ∗∗∗ Zohocorp ManageEngine: Mehrere Sicherheitslücken in unterschiedlichen Produkten ∗∗∗ --------------------------------------------- Mehrere Schwachstellenberichte zu Lücken in mehreren Zohocorp-ManageEngine-Produkten sind erschienen. Updates stehen bereit. --------------------------------------------- https://www.heise.de/news/Zohocorp-ManageEngine-Mehrere-Sicherheitsluecken-… ∗∗∗ Operation Endgame 3: 1025 Server von Netz genommen ∗∗∗ --------------------------------------------- Internationalen Strafverfolgern ist ein neuerlicher Schlag gegen Malware und dahinterliegende Infrastruktur gelungen. --------------------------------------------- https://www.heise.de/news/Operation-Endgame-3-1025-Server-von-Netz-genommen… ∗∗∗ Citrix Netscaler ADC und Gateway: Update schließt Cross-Site-Scripting-Lücke ∗∗∗ --------------------------------------------- In den Netscaler ADCs und Gateways von Citrix können Angreifer eine Cross-Site-Scripting-Lücke ausnutzen. Updates schließen sie. --------------------------------------------- https://www.heise.de/news/Citrix-Netscaler-ADC-und-Gateway-Update-schliesst… ∗∗∗ Google Sues to Disrupt Chinese SMS Phishing Triad ∗∗∗ --------------------------------------------- Google is suing more than two dozen unnamed individuals allegedly involved in peddling a popular China-based mobile phishing service that helps scammers impersonate hundreds of trusted brands, blast out text message lures, and convert phished payment card data into mobile wallets from Apple and Google. --------------------------------------------- https://krebsonsecurity.com/2025/11/google-sues-to-disrupt-chinese-sms-phis… ∗∗∗ Wenn sich die angebliche Copyright-Verletzung als Betrugsversuch entpuppt ∗∗∗ --------------------------------------------- Immer wieder sorgen E-Mails von vermeintlichen Anwaltskanzleien für Aufregung. Die Empfänger:innen haben angeblich gegen Urheberrechte verstoßen, die Geschädigten fordern Wiedergutmachung. Tatsächlich stimmt hier aber gar nichts. Die Copyright-Verletzung hat nicht stattgefunden, die Anwaltskanzlei existiert nicht. --------------------------------------------- https://www.watchlist-internet.at/news/copyright-verletzung-betrugsversuch/ ∗∗∗ TAG Bulletin: Q3 2025 ∗∗∗ --------------------------------------------- Our bulletin covering coordinated influence operation campaigns terminated on our platforms in Q3 2025. --------------------------------------------- https://blog.google/threat-analysis-group/tag-bulletin-q3-2025/ ∗∗∗ Contagious Interview Actors Now Utilize JSON Storage Services for Malware Delivery ∗∗∗ --------------------------------------------- NVISO reports a new development to the Contagious Interview campaign. The threat actors have recently resorted to utilizing JSON storage services like JSON Keeper, JSONsilo and npoint.io to host and deliver malware from trojanized code projects, with the lure being a use case or demo project as part of an interview process. Background Contagious Interview .. --------------------------------------------- https://blog.nviso.eu/2025/11/13/contagious-interview-actors-now-utilize-js… ∗∗∗ CISA and Partners Release Advisory Update on Akira Ransomware ∗∗∗ --------------------------------------------- Today, Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Federal Bureau of Investigation, Department of Defense Cyber Crime Center, Department of Health and Human Services, and international partners, released an updated joint Cybersecurity Advisory, #StopRansomware: Akira Ransomware, to provide network defenders with the latest indicators .. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/11/13/cisa-and-partners-releas… ===================== = Vulnerabilities = ===================== ∗∗∗ Drupal core - Moderately critical - Gadget chain - SA-CORE-2025-006 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-core-2025-006 ∗∗∗ Drupal core - Moderately critical - Denial of Service - SA-CORE-2025-005 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-core-2025-005 ∗∗∗ Drupal core - Moderately critical - Information disclosure - SA-CORE-2025-008 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-core-2025-008 ∗∗∗ Drupal core - Moderately critical - Defacement - SA-CORE-2025-007 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-core-2025-007 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 12.11.2025
by Daily end-of-shift report 12 Nov '25

12 Nov '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 11-11-2025 18:00 − Mittwoch 12-11-2025 18:00 Handler: Guenes Holler Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Rhadamanthys infostealer disrupted as cybercriminals lose server access ∗∗∗ --------------------------------------------- The Rhadamanthys infostealer operation has been disrupted, with numerous “customers” of the malware-as-a-service reporting that they no longer have access to their servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/rhadamanthys-infostealer-dis… ∗∗∗ VU#553375: Unprotected temporary directories in Wolfram Cloud version 14.2 may result in privilege escalation ∗∗∗ --------------------------------------------- Wolfram Cloud version 14.2 allows Java Virtual Machine (JVM) unrestricted access to temporary resources in the /tmp/ directory of the cloud environment which may result in privilege escalation, information exfiltration, and remote code execution. In the same cloud instance, temporary directories of other users may be accessible. --------------------------------------------- https://kb.cert.org/vuls/id/553375 ∗∗∗ WhatsApp Malware Maverick Hijacks Browser Sessions to Target Brazils Biggest Banks ∗∗∗ --------------------------------------------- Threat hunters have uncovered similarities between a banking malware called Coyote and a newly disclosed malicious program dubbed Maverick that has been propagated via WhatsApp. --------------------------------------------- https://thehackernews.com/2025/11/whatsapp-malware-maverick-hijacks.html ∗∗∗ Cl0p Ransomware Lists NHS UK as Victim, Days After Washington Post Breach ∗∗∗ --------------------------------------------- Cl0p ransomware lists NHS UK as a victim days after The Washington Post confirms a major Oracle E-Business breach linked to CVE-2025-61882 --------------------------------------------- https://hackread.com/cl0p-ransomware-nhs-uk-washington-post-breach/ ∗∗∗ @facebookmail.com Invites Exploited to Phish Facebook Business Users ∗∗∗ --------------------------------------------- If you manage Facebook advertising for a small or medium-sized business, open your inbox with suspicion, because attackers have been sending highly convincing invites that look like they come straight from Meta. --------------------------------------------- https://hackread.com/facebookmail-com-invites-phish-facebook-business/ ∗∗∗ Hackers Use KakaoTalk and Google Find Hub in Android Spyware Attack ∗∗∗ --------------------------------------------- North Korea-linked KONNI hackers used KakaoTalk and Google Find Hub to spy on victims and remotely wipe Android devices in a targeted phishing campaign. --------------------------------------------- https://hackread.com/hackers-kakaotalk-google-find-hub-android-spyware/ ∗∗∗ Is It CitrixBleed4? Well, No. Is It Good? Also, No. (Citrix NetScaler Memory Leak & RXSS CVE-2025-12101) ∗∗∗ --------------------------------------------- There’s an elegance to vulnerability research that feels almost poetic - the quiet dance between chaos and control. It’s the art of peeling back the layers of complexity, not to destroy but to understand; to trace the fragile threads that hold systems together and see where they might fray. --------------------------------------------- https://labs.watchtowr.com/is-it-citrixbleed4-well-no-is-it-good-also-no-ci… ∗∗∗ Miniatur Wunderland Ziel von IT-Angriff: Kreditkartendaten abgeflossen ∗∗∗ --------------------------------------------- Cyberkriminelle konnten in das Buchungssystem vom Miniatur Wunderland Hamburg eindringen. Dabei konnten sie offenbar Informationen aus dem Zahlungsverkehr mitlesen. Die Untersuchungen dauern noch an. --------------------------------------------- https://www.heise.de/news/Miniatur-Wunderland-Ziel-von-IT-Angriff-Kreditkar… ===================== = Vulnerabilities = ===================== ∗∗∗ Microsoft November 2025 Patch Tuesday fixes 1 zero-day, 63 flaws ∗∗∗ --------------------------------------------- Today is Microsoft's November 2025 Patch Tuesday, which includes security updates for 63 flaws, including one actively exploited zero-day vulnerability. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-november-2025-pat… ∗∗∗ Synology fixes BeeStation zero-days demoed at Pwn2Own Ireland ∗∗∗ --------------------------------------------- Synology has addressed a critical-severity remote code execution (RCE) vulnerability in BeeStation products that was demonstrated at the recent Pwn2Own hacking competition. The security issue (CVE-2025-12686) is described as a ‘buffer copy without checking the size of input’ problem, and can be exploited to allow arbitrary code execution. --------------------------------------------- https://www.bleepingcomputer.com/news/security/synology-fixes-beestation-ze… ∗∗∗ Avast und AVG: Kritische Sicherheitslücke stillschweigend behoben ∗∗∗ --------------------------------------------- In den Malware-Schutzprogrammen der Marken Avast und AVG stand eine als kritisch eingeordnete Sicherheitslücke offen. Die ist inzwischen geschlossen, ebenso eine weitere, weniger schwerwiegende in Avast Free Antivirus. --------------------------------------------- https://www.heise.de/news/Avast-und-AVG-Kritische-Sicherheitsluecke-stillsc… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (kernel, kernel-rt, and libtiff), Debian (kernel, libarchive, rust-sudo-rs, and squid), Fedora (chromium, dotnet8.0, forgejo, ruby, and webkitgtk), Oracle (bind, bind9.18, kernel, kernel-uek*, libtiff, and runc), Red Hat (firefox, kernel, and kernel-rt), Slackware (mozilla), SUSE (buildah, colord, containerd, kernel, lasso, libsoup, micropython, ongres-scram, openssh, proxy-helm, uyuni-tools, python-pdfminer.six, qatengine, qatlib, regclient, and runc), and Ubuntu (raptor and raptor2). --------------------------------------------- https://lwn.net/Articles/1046173/ ∗∗∗ Patchday Adobe: Schadcode-Lücken bedrohen InDesign & Co. ∗∗∗ --------------------------------------------- Es sind wichtige Sicherheitsupdates für unter anderem Adobe Illustrator, InCopy und Photoshop erschienen. --------------------------------------------- https://heise.de/-11074930 ∗∗∗ Patchday: Intel dichtet zig Sicherheitslücken ab ∗∗∗ --------------------------------------------- Intel hat auch einen Patchday veranstaltet und 30 Sicherheitsmitteilungen mit Updates veröffentlicht. Davon sind sieben hochriskant. --------------------------------------------- https://heise.de/-11075454 ∗∗∗ DSA-6053-1 linux - security update ∗∗∗ --------------------------------------------- https://lists.debian.org/debian-security-announce/2025/msg00219.html ∗∗∗ ZDI-25-991: Academy Software Foundation OpenEXR EXR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-991/ ∗∗∗ CVE-2025-13042: Stable Channel Update for Desktop ∗∗∗ --------------------------------------------- http://chromereleases.googleblog.com/2025/11/stable-channel-update-for-desk… ∗∗∗ CISA Adds Three Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/11/12/cisa-adds-three-known-ex… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 11.11.2025
by Daily end-of-shift report 11 Nov '25

11 Nov '25

===================== = End-of-Day report = ===================== Timeframe: Montag 10-11-2025 18:00 − Dienstag 11-11-2025 18:00 Handler: Guenes Holler Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Quantum Route Redirect PhaaS targets Microsoft 365 users worldwide ∗∗∗ --------------------------------------------- A new phishing automation platform named Quantum Route Redirect is using around 1,000 domains to steal Microsoft 365 users credentials. --------------------------------------------- https://www.bleepingcomputer.com/news/security/quantum-route-redirect-phaas… ∗∗∗ How a CPU spike led to uncovering a RansomHub ransomware attack ∗∗∗ --------------------------------------------- A sudden CPU spike turned out to be the first clue of an in-progress RansomHub ransomware attack. Varonis breaks down how their team traced the attack from fake browser updates to domain-admin takeover, ultimately stopping the attack before files were encrypted. --------------------------------------------- https://www.bleepingcomputer.com/news/security/how-a-cpu-spike-led-to-uncov… ∗∗∗ Fernzugriff aus China: Briten untersuchen ihre Elektrobusse auf Kill-Switch ∗∗∗ --------------------------------------------- Eine Untersuchung aus Norwegen ruft weitere Behörden auf den Plan. Der chinesische Hersteller Yutong soll aus der Ferne seine E-Busse lahmlegen können. --------------------------------------------- https://www.golem.de/news/fernzugriff-aus-china-briten-untersuchen-ihre-ele… ∗∗∗ GootLoader Is Back, Using a New Font Trick to Hide Malware on WordPress Sites ∗∗∗ --------------------------------------------- The malware known as GootLoader has resurfaced yet again after a brief spike in activity earlier this March, according to new findings from Huntress. The cybersecurity company said it observed three GootLoader infections since October 27, 2025, out of which two resulted in hands-on keyboard intrusions with domain controller compromise taking place within 17 hours of initial infection. --------------------------------------------- https://thehackernews.com/2025/11/gootloader-is-back-using-new-font-trick.h… ∗∗∗ Phishers try to lure 5K Facebook advertisers with fake business pages ∗∗∗ --------------------------------------------- One company alone was hit with more than 4,200 emails More than 5,000 businesses that use Facebook for advertising were bombarded by tens of thousands of phishing emails in a credential- and data-stealing campaign. --------------------------------------------- www.theregister.com/2025/11/10/5k_facebook_advertising_customers_phishing/ ∗∗∗ Unsichtbarer Wurm in Visual Studio Extensions: GlassWorm lebt ∗∗∗ --------------------------------------------- Der Mitte Oktober entdeckte Supply-Chain-Angriff über die Marktplätze von Visual Studio Code geht offenbar weiter: Auf dem Open-VSX-Marktplatz der Eclipse Foundation sind drei weitere Pakete mit GlassWorm aufgetaucht. --------------------------------------------- https://www.heise.de/news/Schadsoftware-weiter-aktiv-GlassWorm-erneut-in-Op… ∗∗∗ Achtung Phishing: WKO fordert keine Datenaktualisierung per E-Mail! ∗∗∗ --------------------------------------------- Aktuell kursiert eine neue Phishing-Variante im Namen der WKO. In der E-Mail werden Sie aufgefordert, Ihre Handelsregister-, Verzeichnis- oder Unternehmensdaten zu aktualisieren. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-phishing-wko-fordert-keine-d… ∗∗∗ You Thought It Was Over? Authentication Coercion Keeps Evolving ∗∗∗ --------------------------------------------- A new type of authentication coercion attack exploits an obscure and rarely monitored remote procedure call (RPC) interface. --------------------------------------------- https://unit42.paloaltonetworks.com/authentication-coercion/ ∗∗∗ Russian hacker to plead guilty to aiding Yanluowang ransomware group ∗∗∗ --------------------------------------------- Court documents show evidence proving Volkov served as an initial access broker for the ransomware gang — breaking into the network of victims and then offering his access for a percentage of the ransom. --------------------------------------------- https://therecord.media/russian-hacker-to-plead-guilty-aiding-ransomware-gr… ∗∗∗ Cyber Action Toolkit: breaking down the barriers to resilience ∗∗∗ --------------------------------------------- How the NCSC’s "Cyber Action Toolkit" is helping small businesses to improve their cyber security. --------------------------------------------- https://www.ncsc.gov.uk/blog-post/cat-breaking-down-resilience-barriers ∗∗∗ Cisco Finds Open-Weight AI Models Easy to Exploit in Long Chats ∗∗∗ --------------------------------------------- Cisco’s new research shows that open-weight AI models, while driving innovation, face serious security risks as multi-turn attacks, including conversational persistence, can bypass safeguards and expose data. --------------------------------------------- https://hackread.com/cisco-open-weight-ai-models-long-chat-exploit/ ∗∗∗ Fake NPM Package With 206K Downloads Targeted GitHub for Credentials ∗∗∗ --------------------------------------------- Veracode Threat Research exposed a targeted typosquatting attack on npm, where the malicious package @acitons/artifact stole GitHub tokens. Learn how this supply chain failure threatened the GitHub organisations code. --------------------------------------------- https://hackread.com/fake-npm-package-downloads-github-credentials/ ∗∗∗ BSI zur Cybersicherheit: Stabil unsicher ∗∗∗ --------------------------------------------- Das aktuelle BSI-Lagebild zeigt eklatante Probleme auf – während der zuständige Minister auf die Wirksamkeit neuer Maßnahmen hofft. --------------------------------------------- https://heise.de/-11074222 ∗∗∗ MacOS Infection Vector: Using AppleScripts to bypass Gatekeeper ∗∗∗ --------------------------------------------- TLDR This gives an overview of how .scpt AppleScript are used to creatively deliver macOS malware, such as fake office documents or fake Zoom/Teams updates. Previously a technique seen with APT campaigns for macOS, we can now see samples coming from the macOS stealer ecosystem like MacSync and Odyssey. --------------------------------------------- https://pberba.github.io/security/2025/11/11/macos-infection-vector-applesc… ===================== = Vulnerabilities = ===================== ∗∗∗ Popular JavaScript library expr-eval vulnerable to RCE flaw ∗∗∗ --------------------------------------------- A critical vulnerability in the popular expr-eval JavaScript library, with over 800,000 weekly downloads on NPM, can be exploited to execute code remotely through maliciously crafted input. --------------------------------------------- https://www.bleepingcomputer.com/news/security/popular-javascript-library-e… ∗∗∗ SAP fixes hardcoded credentials flaw in SQL Anywhere Monitor ∗∗∗ --------------------------------------------- SAP has released its November security updates that address multiple security vulnerabilities, including a maximum severity flaw in the non-GUI variant of the SQL Anywhere Monitor and a critical code injection issue in the Solution Manager platform. --------------------------------------------- https://www.bleepingcomputer.com/news/security/sap-fixes-hardcoded-credenti… ∗∗∗ Root-Sicherheitslücke bedroht IBMs Datenbanksystem Db2 ∗∗∗ --------------------------------------------- Angreifer können Systeme mit IBM Db2 und Business Automation Workflow attackieren und im schlimmsten Fall Root-Rechte erlangen, um PCs zu kompromittieren. Sicherheitspatches stehen zum Download bereit. --------------------------------------------- https://www.heise.de/news/Root-Sicherheitsluecke-bedroht-IBMs-Datenbanksyst… ∗∗∗ Sicherheitslücke in Dell Display and Peripheral Manager gefährdet PCs ∗∗∗ --------------------------------------------- Wenn Angreifer erfolgreich an einer Lücke in Dell Display and Peripheral Manager unter Windows ansetzen, können sie sich höhere Nutzerrechte verschaffen. In einer aktuellen Version der Software haben die Entwickler eine Sicherheitslücke geschlossen. Bislang gibt es keine Hinweise auf bereits laufende Attacken. --------------------------------------------- https://heise.de/-11073226 ∗∗∗ Security Vulnerabilities fixed in Firefox 145 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-87/ ∗∗∗ Ivanti November 2025 Security Update ∗∗∗ --------------------------------------------- https://www.ivanti.com/blog/november-2025-security-update -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 10.11.2025
by Daily end-of-shift report 10 Nov '25

10 Nov '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 07-11-2025 18:00 − Montag 10-11-2025 18:00 Handler: Alexander Riepl Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Malicious NuGet packages drop disruptive time bombs ∗∗∗ --------------------------------------------- Several malicious packages on NuGet have sabotage payloads scheduled to activate in 2027 and 2028, targeting database implementations and Siemens S7 industrial control devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-nuget-packages-dro… ∗∗∗ ClickFix Campaign Targets Hotels, Spurs Secondary Customer Attacks ∗∗∗ --------------------------------------------- Attackers compromise hospitality providers with an infostealer and RAT malware and then use stolen data to launch phishing attacks against customers via both email and WhatsApp. --------------------------------------------- https://www.darkreading.com/cyberattacks-data-breaches/clickfix-targets-hot… ∗∗∗ Secure boot certificate rollover is real but probably wont hurt you ∗∗∗ --------------------------------------------- LWN wrote an article which opens with the assertion "Linux users who have Secure Boot enabled on their systems knowingly or unknowingly rely on a key from Microsoft that is set to expire in September". This is, depending on interpretation, either misleading or just plain wrong, but also theres not a good source of truth here, so. --------------------------------------------- https://mjg59.dreamwidth.org/72892.html ∗∗∗ Whisper Leak: A novel side-channel attack on remote language models ∗∗∗ --------------------------------------------- Microsoft has discovered a side-channel attack on language models which allows adversaries to conclude model conversation topics, despite being encrypted. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2025/11/07/whisper-leak-a-nov… ∗∗∗ Honeypot: Requests for (Code) Repositories ∗∗∗ --------------------------------------------- This is just a quick diary entry to report that I saw requests on my honeypot for (code) repositories. --------------------------------------------- https://isc.sans.edu/diary/rss/32460 ∗∗∗ Slot Gacor: The Rise of Online Casino Spam ∗∗∗ --------------------------------------------- Online casino spam has been without a doubt one of the most prevalent types of spam content that we’ve seen on infected websites in recent years. An extremely common method of promoting low-quality or otherwise undesirable websites is for spammers to hack websites and fill them full of backlinks to pump their SEO. --------------------------------------------- https://blog.sucuri.net/2025/11/slot-gacor-the-rise-of-online-casino-spam.h… ∗∗∗ Allianz UK joins growing list of Clop’s Oracle E-Business Suite victims ∗∗∗ --------------------------------------------- Insurance giant’s UK arm says cybercriminals misattributed the real victim Allianz UK confirms it was one of the many companies that fell victim to the Clop gangs Oracle E-Business Suite (EBS) attack after crims reported that they had attacked a subsidiary. --------------------------------------------- www.theregister.com/2025/11/10/allianz_uk_joins_growing_list/ ∗∗∗ Watchguard Firebox: Gefährdung durch Standardpasswort für Admin ∗∗∗ --------------------------------------------- Watchguard versieht die Firebox-Firewalls mit Standardpasswörtern. Angreifer können sich dadurch leicht Admin-Rechte verschaffen. --------------------------------------------- https://www.heise.de/news/Watchguard-Firebox-Gefaehrdung-durch-Standardpass… ∗∗∗ Drilling Down on Uncle Sam’s Proposed TP-Link Ban ∗∗∗ --------------------------------------------- The U.S. government is reportedly preparing to ban the sale of wireless routers and other networking gear from TP-Link Systems, a tech company that currently enjoys an estimated 50% market share among home users and small businesses. Experts say while the proposed ban may have more to do with TP-Links ties to China than any specific technical threats, much of the rest of the industry serving this market also sources hardware from China and ships products that are insecure fresh out of the box. --------------------------------------------- https://krebsonsecurity.com/2025/11/drilling-down-on-uncle-sams-proposed-tp… ∗∗∗ Handy-Guthaben aufladen? Vorsicht vor gefälschter HoT-Website ∗∗∗ --------------------------------------------- Eine neue Betrugsmasche richtet sich derzeit gegen Kund:innen des Mobilfunkanbieters HoT. Im Internet ist eine täuschend echt gestaltete Website aufgetaucht, die vorgibt, den offiziellen Aufladeservice von HoT bereitzustellen. Wer dort sein Guthaben für Handy oder WLAN aufladen möchte, läuft Gefahr, seine Kreditkartendaten an Kriminelle weiterzugeben. --------------------------------------------- https://www.watchlist-internet.at/news/handy-guthaben-aufladen-vorsicht-vor… ∗∗∗ Hack halts Dutch broadcaster, forcing radio hosts back to LPs ∗∗∗ --------------------------------------------- A Dutch TV and radio broadcaster has found itself at the mercy of cybercriminals after suffering a cyber attack, and leaving it scrambling to find ways to play music to its listeners. Read more in my article on the Hot for Security blog. --------------------------------------------- https://www.bitdefender.com/en-us/blog/hotforsecurity/hack-halts-dutch-broa… ∗∗∗ Dont call it Cyber Command 2.0: Master plan for digital forces will take years to implement ∗∗∗ --------------------------------------------- The latest model for improving U.S. Cyber Command is circulating at the Pentagon. Some of the initiatives will spill into the next decade — an approach that is sure to create friction on Capitol Hill and beyond. --------------------------------------------- https://therecord.media/revised-cyber-command-master-plan-dod-pentagon ∗∗∗ Short-term renewal of cyber information sharing law appears in bill to end shutdown ∗∗∗ --------------------------------------------- An expired 2015 law that gives companies liability protection when they share cyberthreat information with the federal government would be renewed through January 30 under Senate legislation to end the government shutdown. --------------------------------------------- https://therecord.media/cisa-2015-information-sharing-law-renewal-bill-endi… ∗∗∗ Russian missile barrage disrupts internet, customs databases in Ukraine ∗∗∗ --------------------------------------------- Emergency blackouts lasting up to 12 hours were introduced following the attack, with Kyiv and other regions facing widespread internet and communication outages, according to internet watchdog NetBlocks. --------------------------------------------- https://therecord.media/russian-missile-barrage-disrupts-internet-ukraine ∗∗∗ Phishing-Kampagne zielt auf Führungskräfte ∗∗∗ --------------------------------------------- In letzter Zeit scheinen Führungskräfte und leitende Angestellte aus unterschiedlichen Branchen verstärkt ins Visier von Cyberkriminellen zu geraten. Diese versuchen die Adressaten mittels Phishing-Mails zur Herausgabe von Daten zu überlisten. --------------------------------------------- https://www.borncity.com/blog/2025/11/08/phishing-kampagne-zielt-auf-fuehru… ∗∗∗ No Place Like Localhost: Unauthenticated Remote Access via Triofox Vulnerability CVE-2025-12480 ∗∗∗ --------------------------------------------- Mandiant Threat Defense has uncovered exploitation of an unauthenticated access vulnerability within Gladinet’s Triofox file-sharing and remote access platform. This now-patched n-day vulnerability, assigned CVE-2025-12480, allowed an attacker to bypass authentication and access the application configuration pages, enabling the upload and execution of arbitrary payloads. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/triofox-vulnerabil… ∗∗∗ EU will DSGVO schleifen – nicht nur bei Cookie-Bannern ∗∗∗ --------------------------------------------- Der von der EU-Kommission geplante "digitale Omnibus" würde bestehende Datenschutzrechte aufweichen. Es geht etwa um Cookies und das Training von KI-Systemen. --------------------------------------------- https://heise.de/-11071630 ∗∗∗ The state of the Rust dependency ecosystem ∗∗∗ --------------------------------------------- Over the past few days, I analyzed over 200,000 crates from crates.io to uncover patterns in maintenance, developer engagement, security, and overall ecosystem health. The results: a mix of fascinating insights, concerning trends, and reasons for optimism. --------------------------------------------- https://00f.net/2025/10/17/state-of-the-rust-ecosystem/ ∗∗∗ Balancer hack analysis and guidance for the DeFi ecosystem ∗∗∗ --------------------------------------------- On November 3, 2025, attackers exploited a vulnerability in Balancer v2 to drain more than $100M across nine blockchain networks. The attack targeted a number of Balancer v2 pools, exploiting a rounding direction error. --------------------------------------------- https://blog.trailofbits.com/2025/11/07/balancer-hack-analysis-and-guidance… ===================== = Vulnerabilities = ===================== ∗∗∗ QNAP fixes seven NAS zero-day flaws exploited at Pwn2Own ∗∗∗ --------------------------------------------- QNAP has fixed seven zero-day vulnerabilities that security researchers exploited to hack QNAP network-attached storage (NAS) devices during the Pwn2Own Ireland 2025 competition. --------------------------------------------- https://www.bleepingcomputer.com/news/security/qnap-fixes-seven-nas-zero-da… ∗∗∗ Sicherheitslücken in RunC: Angreifer können aus Docker-Containern ausbrechen ∗∗∗ --------------------------------------------- Administratoren sollten aufpassen, welche Docker-Images sie nutzen. Angreifer können sich Root-Zugriff auf das Hostsystem verschaffen. --------------------------------------------- https://www.golem.de/news/sicherheitsluecken-in-runc-angreifer-koennen-aus-… ∗∗∗ runC Container Escape Vulnerabilities ∗∗∗ --------------------------------------------- High-severity vulnerabilities in runc (CVE-2025-31133, CVE-2025-52565, CVE-2025-52881) were disclosed in early November 2025. A malicious or compromised container image can abuse how runc handles masked paths, bind-mounts, and special files to write to the host /proc filesystem and escape the container boundary - enabling remote code execution on the host, persistence, or cluster-wide denial-of-service. These issues affect virtually all Linux container stacks that use runc (Docker, containerd, CRI-O, Kubernetes, and managed services). --------------------------------------------- https://fortiguard.fortinet.com/threat-signal-report/6248 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 07.11.2025
by Daily end-of-shift report 07 Nov '25

07 Nov '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 06-11-2025 18:00 − Freitag 07-11-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ ID verification laws are fueling the next wave of breaches ∗∗∗ --------------------------------------------- ID laws are forcing companies to store massive amounts of sensitive data, turning compliance into a security risk. Acronis explains how integrated backup and cybersecurity platforms help MSPs reduce complexity and close the gaps attackers exploit. --------------------------------------------- https://www.bleepingcomputer.com/news/security/id-verification-laws-are-fue… ∗∗∗ Test der EFF: Diese Anti-Virus-Tools schützen am besten vor Spionage-Apps ∗∗∗ --------------------------------------------- Mit Stalkerware lassen sich leicht Mitmenschen ausspionieren. Ein neuer Test zeigt, welche Anti-Virus-Tools für Android den besten Schutz bieten. --------------------------------------------- https://www.golem.de/news/test-der-eff-diese-anti-virus-tools-schuetzen-am-… ∗∗∗ The Cats Out of the Bag: A Meow Attack Data Corruption Campaign Simulation via MAD-CAT ∗∗∗ --------------------------------------------- In 2024, I published Feline Hackers Among Us? (A Deep Dive and Simulation of the Meow Attack), which explored the notorious Meow attack campaign that had plagued unsecured databases since 2020. That article focused on demonstrating the attack against a single MongoDB instance using a simple Python script. A proof-of-concept that illustrates how devastating misconfigurations can be. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-cats-ou… ∗∗∗ Google Launches New Maps Feature to Help Businesses Report Review-Based Extortion Attempts ∗∗∗ --------------------------------------------- Google on Thursday said its rolling out a dedicated form to allow businesses listed on Google Maps to report extortion attempts made by threat actors who post inauthentic bad reviews on the platform and demand ransoms to remove the negative .. --------------------------------------------- https://thehackernews.com/2025/11/google-launches-new-maps-feature-to.html ∗∗∗ Gootloader malware back for the attack, serves up ransomware ∗∗∗ --------------------------------------------- Move fast - miscreants compromised a domain controller in 17 hours Gootloader JavaScript malware, commonly used to deliver ransomware, is back in action after a period of reduced activity. --------------------------------------------- https://www.theregister.com/2025/11/06/gootloader_back_ransomware/ ∗∗∗ Cybercrims plant destructive time bomb malware in industrial .NET extensions ∗∗∗ --------------------------------------------- Multi-year wait for destruction comes to an end for mystery attackers Security experts have helped remove malicious NuGet packages planted in 2023 that were designed to destroy systems years in advance, with some payloads not due to hit .. --------------------------------------------- https://www.theregister.com/2025/11/07/cybercriminals_plant_destructive_tim… ∗∗∗ Cisco: Tausende Firewalls verwundbar, neue Angriffswege beobachtet ∗∗∗ --------------------------------------------- Zum Missbrauch der seit Ende September bekannten Sicherheitslücken in Cisco-Firewalls haben Angreifer neue Wege gefunden. Tausende sind verwundbar. --------------------------------------------- https://www.heise.de/news/Cisco-Tausende-Firewalls-verwundbar-neue-Angriffs… ∗∗∗ Groupware Zimbra: Updates stopfen mehrere Sicherheitslücken ∗∗∗ --------------------------------------------- In der Groupware Zimbra haben die Entwickler mit aktualisierten Paketen mehrere Sicherheitslücken geschlossen. --------------------------------------------- https://www.heise.de/news/Groupware-Zimbra-Updates-stopfen-mehrere-Sicherhe… ∗∗∗ Supply-Chain-Attacken: Fast jedes dritte Unternehmen betroffen ∗∗∗ --------------------------------------------- Ist die Firmen-IT zu gut geschützt, attackieren Angreifer gezielt Zulieferer. Knapp 28 Prozent der Firmen sind betroffen – viele davon mit spürbaren Folgen. --------------------------------------------- https://www.heise.de/news/Supply-Chain-Attacken-Fast-jedes-dritte-Unternehm… ∗∗∗ Exploiting AgTech connectivity to corner the grain market ∗∗∗ --------------------------------------------- I live in the countryside & as a result, know quite a few farmers. The subject of connected farming systems comes up quite a lot in the local pub. Those of you who have watched Clarkson’s Farm will understand just how complex and confusing some tractor systems .. --------------------------------------------- https://www.pentestpartners.com/security-blog/exploiting-agtech-connectivit… ∗∗∗ “Pay up or we share the tapes”: Hackers target massage parlour clients in blackmail scheme ∗∗∗ --------------------------------------------- South Korean police have uncovered a hacking operation that stole sensitive data from massage parlours and blackmailed their male clientele. --------------------------------------------- https://www.bitdefender.com/en-us/blog/hotforsecurity/pay-up-or-we-share-th… ∗∗∗ LANDFALL: New Commercial-Grade Android Spyware in Exploit Chain Targeting Samsung Devices ∗∗∗ --------------------------------------------- Commercial-grade LANDFALL spyware exploits CVE-2025-21042 in Samsung Android’s image processing library. The spyware was embedded in malicious DNG files. --------------------------------------------- https://unit42.paloaltonetworks.com/landfall-is-new-commercial-grade-androi… ∗∗∗ “I Paid Twice” Scam Infects Booking.com Users with PureRAT via ClickFix ∗∗∗ --------------------------------------------- Cybersecurity firm Sekoia reports a widespread fraud where criminals compromise hotel systems (Booking.com, Expedia and others) with PureRAT malware, then use stolen reservation data to phish and defraud guests. --------------------------------------------- https://hackread.com/i-paid-twice-scam-booking-com-purerat-clickfix/ ∗∗∗ What’s That Coming Over The Hill? (Monsta FTP Remote Code Execution CVE-2025-34299) ∗∗∗ --------------------------------------------- Happy Friday, friends and.. others.We’re glad/sorry to hear that your week has been good/bad, and it’s the weekend/but at least it’s almost the weekend!What’re We Doing Today, Mr Fox?Today, in a tale that seems all too --------------------------------------------- https://labs.watchtowr.com/whats-that-coming-over-the-hill-monsta-ftp-remot… ∗∗∗ Hausärztin: "Elektronische Patientenakte ist ein digitaler Pappkarton" ∗∗∗ --------------------------------------------- Datenschutz, Technik und Vertrauen bei der elektronischen Patientenakte. Darüber diskutierten Fachleute im rheinland-pfälzischen Landtag. --------------------------------------------- https://heise.de/-11069279 ∗∗∗ Kubevirt security audit ∗∗∗ --------------------------------------------- Security is a core concern in the development of any open-source project. To ensure reliability and resilience, many teams choose to conduct independent audits that help identify potential weaknesses and strengthen their systems. In this context, Quarkslab experts recently performed a security assessment of the KubeVirt with the goal of supporting its .. --------------------------------------------- http://blog.quarkslab.com/kubevirt-security-audit.html ∗∗∗ Results from Testing Six AI Models on Advanced Security Exploits ∗∗∗ --------------------------------------------- We ran three advanced security vulnerabilities through GPT-5, o3, Claude, Gemini, and Grok. --------------------------------------------- https://blog.kilocode.ai/p/we-tested-6-ai-models-on-3-advanced ∗∗∗ 9 Malicious NuGet Packages Deliver Time-Delayed Destructive Payloads ∗∗∗ --------------------------------------------- Sockets Threat Research Team discovered nine malicious NuGet packages that inject time-delayed destructive payloads into database operations and target industrial control systems. Published under the NuGet alias shanhai666 between 2023 and 2024, these packages terminate the host application process with 20% probability on each database query after specific .. --------------------------------------------- https://socket.dev/blog/9-malicious-nuget-packages-deliver-time-delayed-des… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 06.11.2025
by Daily end-of-shift report 06 Nov '25

06 Nov '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 05-11-2025 18:00 − Donnerstag 06-11-2025 18:00 Handler: Alexander Riepl Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ 5 AI-developed malware families analyzed by Google fail to work and are easily detected ∗∗∗ --------------------------------------------- You wouldnt know it from the hype, but the results fail to impress. --------------------------------------------- https://arstechnica.com/security/2025/11/ai-generated-malware-poses-little-… ∗∗∗ Fernzugriff per SIM-Karte: Auch dänische Elektrobusse aus China steuerbar ∗∗∗ --------------------------------------------- Der Hersteller Yutong kann seine Elektrobusse theoretisch jederzeit aus der Ferne lahmlegen. In Dänemark sind die Fahrzeuge großflächig im Einsatz. --------------------------------------------- https://www.golem.de/news/fernzugriff-per-sim-karte-auch-daenische-elektrob… ∗∗∗ Extortion and ransomware drive over half of cyberattacks ∗∗∗ --------------------------------------------- In 80% of the cyber incidents Microsoft’s security teams investigated last year, attackers sought to steal data—a trend driven more by financial gain than intelligence gathering. --------------------------------------------- https://blogs.microsoft.com/on-the-issues/2025/10/16/mddr-2025/ ∗∗∗ Hackers Weaponize Windows Hyper-V to Hide Linux VM and Evade EDR Detection ∗∗∗ --------------------------------------------- The threat actor known as Curly COMrades has been observed exploiting virtualization technologies as a way to bypass security solutions and execute custom malware. According to a new report from Bitdefender, the adversary is said to have enabled the Hyper-V role on selected victim systems to deploy a minimalistic, Alpine Linux-based virtual machine. --------------------------------------------- https://thehackernews.com/2025/11/hackers-weaponize-windows-hyper-v-to.html ∗∗∗ Trojanized ESET Installers Drop Kalambur Backdoor in Phishing Attacks on Ukraine ∗∗∗ --------------------------------------------- A previously unknown threat activity cluster has been observed impersonating Slovak cybersecurity company ESET as part of phishing attacks targeting Ukrainian entities. The campaign, detected in May 2025, is tracked by the security outfit under the moniker InedibleOchotense, describing it as Russia-aligned. --------------------------------------------- https://thehackernews.com/2025/11/trojanized-eset-installers-drop.html ∗∗∗ Cisco Warns of New Firewall Attack Exploiting CVE-2025-20333 and CVE-2025-20362 ∗∗∗ --------------------------------------------- Cisco on Wednesday disclosed that it became aware of a new attack variant thats designed to target devices running Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software releases that are susceptible to CVE-2025-20333 and CVE-2025-20362. --------------------------------------------- https://thehackernews.com/2025/11/cisco-warns-of-new-firewall-attack.html ∗∗∗ SonicWall fingers state-backed cyber crew for September firewall breach ∗∗∗ --------------------------------------------- Spies, not crooks, were behind digital heist – damage stopped at the backups, says US cybersec biz. SonicWall has blamed an unnamed, state-sponsored collective for the September break-in that saw cybercriminals rifle through a cache of firewall configuration backups. --------------------------------------------- https://www.theregister.com/2025/11/06/sonicwall_fingers_statebacked_cyber_… ∗∗∗ Industry Attacks Surge, Mobile Malware Spreads: The ThreatLabz 2025 Mobile, IoT & OT Report ∗∗∗ --------------------------------------------- Mobile devices, IoT sensors, and OT systems are no longer distinct domains; they are the interconnected backbone of modern business and infrastructure. From the factory floor and hospital ward to the global supply chain, this convergence powers innovation and efficiency. However, it has also created a sprawling, interdependent attack surface that threat actors are exploiting with increasing speed and sophistication. --------------------------------------------- https://www.zscaler.com/blogs/security-research/industry-attacks-surge-mobi… ∗∗∗ Fakeshops täuschen Online-Käufer ∗∗∗ --------------------------------------------- Fakeshops ziehen den Menschen ohne Gegenleistung das Geld aus der Tasche. Laut einer Umfrage sind nicht gerade wenige User von dieser Betrugs-Masche betroffen. --------------------------------------------- https://www.heise.de/news/Fakeshops-taeuschen-Online-Kaeufer-11067321.html ∗∗∗ Have I Been Pwned: Milliarden neuer Passwörter in Sammlung ∗∗∗ --------------------------------------------- Aus Infostealer-Datensätzen konnte Have-I-Been-Pwned-Betreiber Troy Hunt 1,3 Milliarden einzigartige Passwörter extrahieren. --------------------------------------------- https://www.heise.de/news/Have-I-Been-Pwned-Milliarden-neuer-Passwoerter-in… ∗∗∗ Bundestag: Koalition einigt sich bei NIS2-Richtlinien-Umsetzung ∗∗∗ --------------------------------------------- Unions- und SPD-Fraktion haben sich nach intensiven Verhandlungen bei der Überarbeitung der Cybersicherheitsvorgaben für Kritische Infrastrukturen geeinigt. --------------------------------------------- https://www.heise.de/news/Bundestag-Koalition-einigt-sich-bei-NIS2-Richtlin… ∗∗∗ Windows: Oktober-Sicherheitsupdates können Bitlocker-Wiederherstellung auslösen ∗∗∗ --------------------------------------------- Die Sicherheitsupdates vom Oktober-Patchday für Windows können dazu führen, dass die Bitlocker-Wiederherstellung startet. --------------------------------------------- https://www.heise.de/news/Windows-Oktober-Sicherheitsupdates-koennen-Bitloc… ∗∗∗ Cloudflare Scrubs Aisuru Botnet from Top Domains List ∗∗∗ --------------------------------------------- For the past week, domains associated with the massive Aisuru botnet have repeatedly usurped Amazon, Apple, Google and Microsoft in Cloudflares public ranking of the most frequently requested websites. Cloudflare responded by redacting Aisuru domain names from their top websites list. The chief executive at Cloudflare says Aisurus overlords are using the botnet to boost their malicious domain rankings, while simultaneously attacking the companys domain name system (DNS) service. --------------------------------------------- https://krebsonsecurity.com/2025/11/cloudflare-scrubs-aisuru-botnet-from-to… ∗∗∗ Account-Takeover: Kriminelle wollen mithilfe einer Fake-Abstimmung die Kontrolle über WhatsApp-Konten erlangen ∗∗∗ --------------------------------------------- Das Smartphone meldet sich, eine neue WhatsApp-Mitteilung ist eingegangen. Es geht um ein Voting, eine Stimme für die Tochter einer Bekannten. Als Hauptpreis winkt ein „kostenloses Stipendium“ für eine junge Nachwuchstänzerin. Dahinter versteckt sich allerdings der Versuch von Kriminellen, das WhatsApp-Konto ihrer Opfer zu übernehmen. --------------------------------------------- https://www.watchlist-internet.at/news/account-takeover-fake-abstimmung/ ∗∗∗ Sharing is scaring: The WhatsApp screen-sharing scam you didn’t see coming ∗∗∗ --------------------------------------------- How a fast-growing scam is tricking WhatsApp users into revealing their most sensitive financial and other data. --------------------------------------------- https://www.welivesecurity.com/en/scams/sharing-is-scaring-whatsapp-screen-… ∗∗∗ Russia’s Sandworm hackers deploying wipers against Ukraine’s grain industry ∗∗∗ --------------------------------------------- The Russian state-backed hacking unit Sandworm has been targeting Ukraines grain industry with wiper malware amid Moscows ongoing efforts to undermine Kyivs wartime economy. --------------------------------------------- https://therecord.media/russia-sandworm-grain-wipers ∗∗∗ An Unerring Spear: Cephalus Ransomware Analysis ∗∗∗ --------------------------------------------- Cephalus is a new ransomware group that first appeared in mid-June 2025. The group claims that they are motivated 100% by financial gain. Their main method of breaching organizations is by stealing credentials through Remote Desktop Protocol (RDP) accounts that do not have multi-factor authentication (MFA) enabled. --------------------------------------------- https://asec.ahnlab.com/en/90878/ ∗∗∗ Hackers Steal Personal Data and 17K Slack Messages in Nikkei Data Breach ∗∗∗ --------------------------------------------- Nikkei confirms breach after a virus infected an employee PC, exposing 17,368 names and Slack chat histories. The media giant reported the incident voluntarily. --------------------------------------------- https://hackread.com/nikkei-data-breach-hackers-steal-data-slack-messages/ ∗∗∗ What GreyNoise Learned from Deploying MCP Honeypots ∗∗∗ --------------------------------------------- GreyNoise deployed MCP honeypots to see what happens when AI middleware meets the open internet — revealing how attackers interact with this new layer of AI infrastructure. --------------------------------------------- https://www.greynoise.io/blog/deploying-mcp-honeypots ===================== = Vulnerabilities = ===================== ∗∗∗ [UPDATE] Cisco Secure Firewall Adaptive Security Appliance Software, Secure Firewall Threat Defense Software, IOS Software, IOS XE Software, and IOS XR Software Web Services Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- Added information on first fixed releases for Cisco Secure Firewall ASA Software releases 9.12 and 9.14. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Sicherheitslücken gefährden PCs mit Dell CloudLink und Command Monitor ∗∗∗ --------------------------------------------- Patches lösen mehrere Sicherheitsprobleme mit Dell CloudLink und Command Monitor. --------------------------------------------- https://www.heise.de/news/Unbefugte-Zugriffe-auf-Dell-CloudLink-und-Command… ∗∗∗ WatchGuard Fireware OS IKEv2 Out-of-Bounds Vulnerability ∗∗∗ --------------------------------------------- A critical Out-of-Bounds Write vulnerability (CVE-2025-9242) exists in the WatchGuard Fireware OS iked process, which handles IKEv2 VPN connections. The flaw allows a remote, unauthenticated attacker to execute arbitrary code on affected devices. --------------------------------------------- https://fortiguard.fortinet.com/threat-signal-report/6247 ∗∗∗ Google Issues Emergency Chrome 142 Update to Fix Multiple High-Risk Vulnerabilities ∗∗∗ --------------------------------------------- Google has rolled out an emergency update for its Chrome browser, version 142, to address a series of serious remote code execution (RCE) vulnerabilities that could allow attackers to take control of affected systems. The update, released on November 5, 2025, is being distributed gradually across desktop platforms, Windows, macOS, and Linux, as well as Android devices through Google Play and Chrome’s built-in update mechanism. --------------------------------------------- https://thecyberexpress.com/google-chrome-142-fixes-rce-flaws/ ∗∗∗ CISA Releases Four Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- CISA released four Industrial Control Systems (ICS) Advisories. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS: ICSA-25-310-01 Advantech DeviceOn iEdge, ICSA-25-310-02 Ubia Ubox, ICSA-25-310-03 ABB FLXeon Controllers and ICSA-25-282-01 Hitachi Energy Asset Suite (Update A). CISA encourages users and administrators to review newly released ICS Advisories for technical details and mitigations. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/11/06/cisa-releases-four-indus… ∗∗∗ CISA warns of critical CentOS Web Panel bug exploited in attacks ∗∗∗ --------------------------------------------- The U.S. Cybersecurity & Infrastructure Security Agency (CISA) is warning that threat actors are exploiting a critical remote command execution flaw in CentOS Web Panel (CWP). --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisa-warns-of-critical-cento… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 05.11.2025
by Daily end-of-shift report 05 Nov '25

05 Nov '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 04-11-2025 18:00 − Mittwoch 05-11-2025 18:00 Handler: Alexander Riepl Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Aktuelle Phishingwelle im Namen von FinanzOnline ∗∗∗ --------------------------------------------- Aktuell erreichen uns vermehrt Meldungen über Phishing-Kampagnen im Namen des österreichischen FInanzministeriums. Während eine Welle an Mails versucht Nutzer:innen mit einer gefälschten Mehrwertsteuer-Rückerstattung in die Falle zu locken warnen SMS-Nachrichten vor einem angeblich abgelaufenen FinanzOnline-Zugang. Auch Watchlist Internet berichtet bereits über diese Angriffe. --------------------------------------------- https://www.cert.at/de/aktuelles/2025/11/aktuelle-phishingwelle-im-namen-vo… ∗∗∗ Malicious Android apps on Google Play downloaded 42 million times ∗∗∗ --------------------------------------------- Hundreds of malicious Android apps on Google Play were downloaded more than 40 million times between June 2024 and May 2025, notes a report from cloud security company Zscaler. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-android-apps-on-go… ∗∗∗ Sicherheitsupdates: Windows 10 verwirrt Nutzer mit Anzeigefehler zum Supportende ∗∗∗ --------------------------------------------- Einige Windows-10-Systeme zeigen trotz bestehendem Support oder ESU-Lizenz an, nicht mehr unterstützt zu werden. Laut Microsoft ist das ein Bug. --------------------------------------------- https://www.golem.de/news/sicherheitsupdates-windows-10-verwirrt-nutzer-mit… ∗∗∗ Google Uncovers PROMPTFLUX Malware That Uses Gemini AI to Rewrite Its Code Hourly ∗∗∗ --------------------------------------------- Google on Wednesday said it discovered an unknown threat actor using an experimental Visual Basic Script (VB Script) malware dubbed PROMPTFLUX that interacts with its Gemini artificial intelligence (AI) model API to write its own source code for improved obfuscation and evasion. --------------------------------------------- https://thehackernews.com/2025/11/google-uncovers-promptflux-malware-that.h… ∗∗∗ Microsoft gibt Tipps für erweiterten Support für kommerzielles Windows 10 ∗∗∗ --------------------------------------------- Inzwischen sollte es sattsam bekannt sein: Microsoft hat den Support für Windows 10 offiziell zum 14. Oktober 2025 eingestellt. Privatnutzer in der EU bekommen nach langem Hin und Her ein Jahr kostenlos erweiterten Support (Extended Security Updates, ESU), wenn sie sich dafür anmelden. --------------------------------------------- https://www.heise.de/news/Microsoft-gibt-Tipps-fuer-erweiterten-Support-fue… ∗∗∗ Ransomware: Apache OpenOffice bestreitet Cyber-Attacke ∗∗∗ --------------------------------------------- Bei der Apache Software Foundation soll es im Kontext von OpenOffice zu einer Cyberattacke gekommen sein, bei der Kriminelle interne Daten kopiert haben. Das gibt zumindest die Ransomwarebande Akira auf ihrer Website an. Nun schaltet sich Apache ein und dementiert eine Attacke. --------------------------------------------- https://www.heise.de/news/Cybercrime-Apache-OpenOffice-dementiert-Ransomwar… ∗∗∗ Nein, Europol & Interpol haben kein Ermittlungsverfahren eingeleitet! ∗∗∗ --------------------------------------------- Sie zählt zu den Klassikern des Online-Betrugs: Eine E-Mail, die über ein kürzlich eröffnetes Ermittlungsverfahren von Europol und/oder Interpol informiert. Es geht um schwere Anschuldigungen, alle relevanten Informationen finden sich in einem angehängten Dokument. Von derartigen Nachrichten gehen zwei Gefahren gleichzeitig aus! --------------------------------------------- https://www.watchlist-internet.at/news/europol-interpol-ermittlungsverfahre… ∗∗∗ 9 arrested in Europe in operation against fake platforms for crypto investments ∗∗∗ --------------------------------------------- A multinational operation in late October targeted a network that “created dozens of fake cryptocurrency investment platforms that looked like legitimate websites and promised high returns,” but simply took the money and laundered it, Eurojust said. --------------------------------------------- https://therecord.media/9-arrested-europe-crypto-platform-takedown ∗∗∗ Norton Crack Midnight Ransomware, Release Free Decryptor ∗∗∗ --------------------------------------------- Norton finds a flaw in the new Midnight ransomware built from Babuk code and releases a free decryptor to help victims recover files without paying a ransom. --------------------------------------------- https://hackread.com/norton-midnight-ransomware-free-decryptor/ ∗∗∗ GTIG AI Threat Tracker: Advances in Threat Actor Usage of AI Tools ∗∗∗ --------------------------------------------- Based on recent analysis of the broader threat landscape, Google Threat Intelligence Group (GTIG) has identified a shift that occurred within the last year: adversaries are no longer leveraging artificial intelligence (AI) just for productivity gains, they are deploying novel AI-enabled malware in active operations. This marks a new operational phase of AI abuse, involving tools that dynamically alter behavior mid-execution. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/threat-actor-usage… ∗∗∗ Enormer Finanzanlage-Betrug: 9 Europäer verhaftet ∗∗∗ --------------------------------------------- Über dutzende Kryptowährungs-Angebote soll ein europäisches Verbrechernetzwerk mehr als 600 Millionen Euro eingenommen und über Blockchains gewaschen haben. Vergangene Woche wurden neun Personen an ihren jeweiligen Wohnsitzen verhaftet: in Köln, Katalonien und auf Zypern. --------------------------------------------- https://heise.de/-11056948 ∗∗∗ Kreditkartenbetrug: Durchsuchungen auf drei Kontinenten ∗∗∗ --------------------------------------------- In einer koordinierten Aktion auf drei Kontinenten sind Ermittler gegen mutmaßliche Betrugs- und Geldwäschenetzwerke vorgegangen – auch in Deutschland. Den Beschuldigten wird vorgeworfen, Kreditkartendaten von Geschädigten aus 193 Ländern genutzt zu haben, um mehr als 19 Millionen Abonnements über professionell betriebene Schein-Webseiten abzuschließen, wie das Bundeskriminalamt mitteilte. --------------------------------------------- https://heise.de/-11057117 ∗∗∗ Iran-linked Threat Group Claims Breach of Israeli Defense Contractor’s Security Cameras ∗∗∗ --------------------------------------------- An Iran-linked threat group claims to have accessed the security cameras of an Israeli defense contractor and leaked videos of internal meetings and employees working on defense systems. The threat group – Cyber Toufan – has been posting about the alleged breach of Maya Engineering on its Telegram channels for at least a few weeks, but the group’s claims became public in recent days in an X post and articles on media sites such as Straight Arrow News and Breached Company. --------------------------------------------- https://thecyberexpress.com/israeli-defense-contractors-breach/ ===================== = Vulnerabilities = ===================== ∗∗∗ Zscaler Discovers Vulnerability in Keras Models Allowing Arbitrary File Access and SSRF (CVE-2025-12058) ∗∗∗ --------------------------------------------- SummaryZscaler uncovered a vulnerability in Keras that exposed AI and machine learning environments to file access and network exploitation risks, highlighting the urgent need to secure the AI model supply chain. --------------------------------------------- https://www.zscaler.com/blogs/security-research/zscaler-discovers-vulnerabi… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bind9 and gimp), Fedora (chromium, fastapi-cli, fastapi-cloud-cli, gherkin, libnbd, maturin, openapi-python-client, python-annotated-doc, python-cron-converter, python-fastapi, python-inline-snapshot, python-jiter, python-openapi-core, python-platformio, python-pydantic, python-pydantic-core, python-pydantic-extra-types, python-rignore, python-starlette, python-typer, python-typing-inspection, python-uv-build, ruff, rust-astral-tokio-tar, rust-attribute-derive, rust-attribute-derive-macro, rust-collection_literals, rust-get-size-derive2, rust-get-size2, rust-interpolator, rust-jiter, rust-manyhow, rust-manyhow-macros, rust-proc-macro-utils, rust-quote-use, rust-quote-use-macros, rust-regex, rust-regex-automata, rust-reqsign, rust-reqsign-aws-v4, rust-reqsign-command-execute-tokio, rust-reqsign-core, rust-reqsign-file-read-tokio, rust-reqsign-http-send-reqwest, rust-serde_json, rust-speedate, rust-tikv-jemalloc-sys, rust-tikv-jemallocator, and uv), Mageia (golang and libavif), Red Hat (bind9.16, pcs, and qt6-qtsvg), SUSE (colord, ffmpeg, govulncheck-vulndb, jasper, openjpeg, poppler, qatengine, qatlib, runc, sccache, and tiff), and Ubuntu (keystone, libssh, linux-hwe-6.14, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx, linux-raspi, runc-app, runc-stable, squid, squid3, and unbound). --------------------------------------------- https://lwn.net/Articles/1045124/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 04.11.2025
by Daily end-of-shift report 04 Nov '25

04 Nov '25

===================== = End-of-Day report = ===================== Timeframe: Montag 03-11-2025 18:00 − Dienstag 04-11-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Fake Solidity VSCode extension on Open VSX backdoors developers ∗∗∗ --------------------------------------------- A remote access trojan dubbed SleepyDuck, and disguised as the well-known Solidity extension in the Open VSX open-source registry, uses an Ethereum smart contract to establish a communication channel with the attacker. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-solidity-vscode-extensi… ∗∗∗ Lösegeldverhandler angeklagt: Ex-Cyberangestellte sollen Unternehmen gehackt haben ∗∗∗ --------------------------------------------- Drei Ex-Mitarbeiter von Cybersecurityfirmen scheinen ein äußerst fragwürdiges Nebengeschäft betrieben zu haben. Es war Ransomware im Spiel. --------------------------------------------- https://www.golem.de/news/ex-mitarbeiter-angeklagt-loesegeldverhandler-wohl… ∗∗∗ SesameOp: Novel backdoor uses OpenAI Assistants API for command and control ∗∗∗ --------------------------------------------- Microsoft Incident Response – Detection and Response Team (DART) researchers uncovered a new backdoor that is notable for its novel use of the OpenAI Assistants Application Programming Interface (API) as a mechanism for command-and-control (C2) communications. Instead of relying on more traditional methods, the threat actor behind this backdoor abuses OpenAI as .. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2025/11/03/sesameop-novel-bac… ∗∗∗ Apple Patches Everything, Again, (Tue, Nov 4th) ∗∗∗ --------------------------------------------- Apple released its expected set of operating system upgrades. This is a minor feature upgrade that also includes fixes for 110 different vulnerabilities. As usual for Apple, many of the vulnerabilities affect multiple operating systems. None of the vulnerabilities .. --------------------------------------------- https://isc.sans.edu/diary/Apple+Patches+Everything+Again/32448 ∗∗∗ Scattered LAPSUS$ Hunters: Anatomy of a Federated Cybercriminal Brand ∗∗∗ --------------------------------------------- Trustwave SpiderLabs’ Cyber Threat Intelligence team is tracking the recent emergence of what appears to be the consolidation of three well-known threat groups into a “federated alliance” that offers, among its activities, Extortion-as-a-Service (EaaS). --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/scattered-l… ∗∗∗ Critical React Native CLI Flaw Exposed Millions of Developers to Remote Attacks ∗∗∗ --------------------------------------------- Details have emerged about a now-patched critical security flaw in the popular "@react-native-community/cli" npm package that could be potentially exploited to run malicious operating system (OS) commands under certain .. --------------------------------------------- https://thehackernews.com/2025/11/critical-react-native-cli-flaw-exposed.ht… ∗∗∗ Europol and Eurojust Dismantle €600 Million Crypto Fraud Network in Global Sweep ∗∗∗ --------------------------------------------- Nine people have been arrested in connection with a coordinated law enforcement operation that targeted a cryptocurrency money laundering network that defrauded victims of €600 million (~$688 million).According to a statement released by Eurojust today, the .. --------------------------------------------- https://thehackernews.com/2025/11/europol-and-eurojust-dismantle-600.html ∗∗∗ Chinas president Xi Jinping jokes about backdoors in Xiaomi smartphones ∗∗∗ --------------------------------------------- South Koreas president laughed, so perhaps it was funny? Unlike Chinas censorship and snooping Chinese president Xi Jinping has joked that smartphones from Xiaomi might include backdoors. --------------------------------------------- https://www.theregister.com/2025/11/04/chinas_president_xi_jinping_jokes/ ∗∗∗ Russland verhindert 2-Faktor-SMS für Telegram und Whatsapp ∗∗∗ --------------------------------------------- Der Kreml will Informationskontrolle. SMS- und Telefonanruf-Blockaden sollen Whatsapp und Telegram aushungern. --------------------------------------------- https://www.heise.de/news/Russland-verhindert-2-Faktor-SMS-fuer-Telegram-un… ∗∗∗ Patchday: Kritische Schadcode-Lücke in Android 13, 14, 15, 16 geschlossen ∗∗∗ --------------------------------------------- Angreifer können Geräte mit Android attackieren und im schlimmsten Fall Schadcode ausführen. Sicherheitsupdates schaffen Abhilfe. --------------------------------------------- https://www.heise.de/news/Patchday-Kritische-Schadcode-Luecke-in-Android-13… ∗∗∗ Rückerstattung und abgelaufene ID: Doppelte Phishing-Welle im Namen von FinanzOnline ∗∗∗ --------------------------------------------- Eine aktuell massenhaft versendete E-Mail im Namen von FinanzOnline verspricht eine üppige Mehrwertsteuerrückerstattung. Knapp 300 Euro warten angeblich. Tatsächlich haben es die Kriminellen auf Zugangsdaten zum Online-Banking und das Geld ihrer Opfer abgesehen. Daneben kursieren vermehrt die klassischen Fake-SMS, die vor einem Ablauf des FinanzOnline-Zugangs warnen. --------------------------------------------- https://www.watchlist-internet.at/news/mehrwertsteuer-phishing-finanzonline/ ∗∗∗ Millionen für Abhörsysteme: EU förderte offenbar massiv die Spyware-Industrie ∗∗∗ --------------------------------------------- In Reaktion auf einen aktuellen Bericht meldeten sich 39 Mitglieder des Europäischen Parlaments "tief besorgt". Man wolle die Vergabe an fragwürdige Unternehmen nun prüfen --------------------------------------------- https://www.derstandard.at/story/3000000294846/millionen-fuer-abhoersysteme… ∗∗∗ Cargo theft gets a boost from hackers using remote monitoring tools ∗∗∗ --------------------------------------------- Cybersecurity researchers have been tracking thieves who are using their deep knowledge of trucking and transportation technology to steal cargo. --------------------------------------------- https://therecord.media/cargo-theft-hackers-remote-monitoring-tools ∗∗∗ More than $100 million stolen in exploit of Balancer DeFi protocol ∗∗∗ --------------------------------------------- Hackers pilfered millions of dollars worth of cryptocurrency on Monday from the decentralized finance protocol Balancer. --------------------------------------------- https://therecord.media/crypto-heist-balancer-exploit ∗∗∗ CyberSlop — meet the new threat actor, MIT and Safe Security ∗∗∗ --------------------------------------------- Cybersecurity vendors peddling nonsense isn’t new, but lately we have a new dimension — Generative AI. This has allowed vendors — and educators — to peddle cyberslop for profit. --------------------------------------------- https://doublepulsar.com/cyberslop-meet-the-new-threat-actor-mit-and-safe-s… ∗∗∗ PHP Cryptomining Campaign: October/November 2025 ∗∗∗ --------------------------------------------- >From Aug–Oct 2025, GreyNoise observed a surge in exploitation attempts against PHP and PHP-based frameworks as attackers deployed cryptominers—driven by rising Bitcoin prices and higher mining payoffs. --------------------------------------------- https://www.greynoise.io/blog/php-cryptomining-campaign ∗∗∗ Für Entkriminalisierung: BSI-Chefin fordert Überarbeitung des Hackerparagrafen ∗∗∗ --------------------------------------------- Die Präsidentin des Bundesamts für Sicherheit in der Informationstechnik hat Änderungen am Hackerparagrafen gefordert. Unterstützung kommt aus der Opposition. --------------------------------------------- https://heise.de/-11044176 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (dcmtk, geographiclib, gimp, pure-ftpd, and ruby-rack), Fedora (dotnet9.0), Oracle (expat, kernel, tigervnc, xorg-x11-server, and xorg-x11-server-Xwayland), Red Hat (git, mariadb:10.5, multiple packages, osbuild-composer, pcs, sssd, and tigervnc), SUSE (kernel and redis), and Ubuntu (google-guest-agent). --------------------------------------------- https://lwn.net/Articles/1044949/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 03.11.2025
by Daily end-of-shift report 03 Nov '25

03 Nov '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 31-10-2025 18:00 − Montag 03-11-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Open VSX rotates access tokens used in supply-chain malware attack ∗∗∗ --------------------------------------------- The Open VSX registry rotated access tokens after they were accidentally leaked by developers in public repositories and allowed threat actors to publish malicious extensions in an attempted supply-chain attack. --------------------------------------------- https://www.bleepingcomputer.com/news/security/open-vsx-rotates-tokens-used… ∗∗∗ Hackers use RMM tools to breach freighters and steal cargo shipments ∗∗∗ --------------------------------------------- Threat actors are targeting freight brokers and trucking carriers with malicious links and emails to deploy remote monitoring and management tools (RMMs) that enable them to hijack cargo and steal physical goods. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-use-rmm-tools-to-bre… ∗∗∗ Attacken auf EU: Ungepatchte Windows-Lücke wird seit Jahren ausgenutzt ∗∗∗ --------------------------------------------- Die Sicherheitslücke ist Microsoft schon seit über einem Jahr bekannt. Bisher lehnt der Konzern es jedoch ab, einen Patch bereitzustellen. --------------------------------------------- https://www.golem.de/news/attacken-auf-eu-ungepatchte-windows-luecke-wird-s… ∗∗∗ Cyberbedrohung: China kann jederzeit Norwegens Elektrobusse lahmlegen ∗∗∗ --------------------------------------------- Möglich ist das aufgrund einer in den Bussen verbauten SIM-Karte, über die OTA-Updates bezogen werden. Die potenziellen Folgen sind weitreichend. --------------------------------------------- https://www.golem.de/news/cyberbedrohung-china-kann-jederzeit-norwegens-ele… ∗∗∗ Warnung vor Angriffen auf Lücken in VMware und XWiki ∗∗∗ --------------------------------------------- Angreifer missbauchen Schwachstellen in VMware und XWiki, warnt die IT-Sicherheitsbehörde CISA. Updates stopfen die Lücken. --------------------------------------------- https://www.heise.de/news/Warnung-vor-Angriffen-auf-Luecken-in-VMware-und-X… ∗∗∗ Monitoring-Software: Schwachstellen bedrohen IBM Tivoli Monitoring und Nagios XI ∗∗∗ --------------------------------------------- Angreifer können IBM Tivoli Monitoring und Nagios XI attackieren und Dateien manipulieren oder sogar Schadcode ausführen. Sicherheitsupdates sind verfügbar. --------------------------------------------- https://www.heise.de/news/Monitoring-Software-IBM-Tivoli-Monitoring-und-Nag… ∗∗∗ Alleged Jabber Zeus Coder ‘MrICQ’ in U.S. Custody ∗∗∗ --------------------------------------------- A Ukrainian man indicted in 2012 for conspiring with a prolific hacking group to steal tens of millions of dollars from U.S. businesses was arrested in Italy and is now in custody in the United States, KrebsOnSecurity has learned. Sources close to the investigation say Yuriy Igorevich Rybtsov, a 41-year-old from the Russia-controlled city of Donetsk, .. --------------------------------------------- https://krebsonsecurity.com/2025/11/alleged-jabber-zeus-coder-mricq-in-u-s-… ∗∗∗ Wer verschenkt schon einen Porsche?! Datendiebstahl statt Wohltätigkeit ∗∗∗ --------------------------------------------- Mit Hilfe von Fake-Profilen auf Social Media ködern Kriminelle ihre Opfer. Sie locken sie auf eine Website, wo ein angebliches Gewinnspiel für einen Porsche wartet. Wer teilnehmen will, muss (sehr persönliche) Informationen übermitteln. Eine direkte Gefahr für das Bankkonto besteht zwar nicht, die erbeuteten Daten kommen allerdings bei späteren Betrugsmaschen zum Einsatz. --------------------------------------------- https://www.watchlist-internet.at/news/porsche-zu-verschenken/ ∗∗∗ Politischer Cyberangriff an der University of Pennsylvania zielt auf "woke" Studenten ab ∗∗∗ --------------------------------------------- Die Hacker griffen unter anderem eine Gruppe an, die sich gegen die Berücksichtigung von Ethnie im Bewerbungsprozess einsetzt --------------------------------------------- https://www.derstandard.at/story/3000000294635/politischer-cyberangriff-an-… ∗∗∗ Betrugsmasche: Warnung vor vermeintlichen Finanz-Online-Nachrichten ∗∗∗ --------------------------------------------- Ein Opfer in Oberösterreich wurde um eine halbe Million Euro geprellt --------------------------------------------- https://www.derstandard.at/story/3000000294680/betrugsmasche-warnung-vor-ve… ∗∗∗ Ernst & Young (EY): 4TB DB-Backup im Internet gefunden ∗∗∗ --------------------------------------------- Kleiner Nachtrag von voriger Woche. Bei Ernst & Young (kurz EY) hat es mutmaßlich einen veritablen Datenschutz- und Sicherheitsvorfall gegeben. Sicherheitsforscher sind im Internet auf eine Backup-Datei für einen .. --------------------------------------------- https://www.borncity.com/blog/2025/11/03/ernst-young-ey-4tb-db-backup-im-in… ∗∗∗ North Korean Hackers Caught on Video Using AI Filters in Fake Job Interviews ∗∗∗ --------------------------------------------- North Korean hackers from the Famous Chollima group used AI deepfakes and stolen identities in fake job interviews to infiltrate crypto and Web3 companies. --------------------------------------------- https://hackread.com/north-korean-hackers-video-ai-filter-fake-job-intervie… ===================== = Vulnerabilities = ===================== ∗∗∗ Ilevia EVE X1/X5 Server 4.7.18.0.eden Default Credentials ∗∗∗ --------------------------------------------- The EVE X1 server uses a weak set of default administrative credentials that can be found and used to gain full control of the system. --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5963.php ∗∗∗ Normal Drupal core security window rescheduled for November 12, 2025 due to DrupalCon - PSA-2025-11-03 ∗∗∗ --------------------------------------------- The upcoming Drupal core security release window has been rescheduled from November 19, 2025 to November 12, 2025. As normal, the window will occur between 1600 UTC and 2200 UTC.Schedule change for back-to-back DrupalConsThis schedule change is due to DrupalCons Vienna and Nara overlapping the October and November core security windows. We do not schedule core security windows .. --------------------------------------------- https://www.drupal.org/psa-2025-11-03 ∗∗∗ HashiCorp Consul <= 1.21.5 Event Denial of Service (CVE-2025-11375) ∗∗∗ --------------------------------------------- ADVISORY INFORMATION Product: HashiCorp ConsulVendor URL: https://developer.hashicorp.com/consulCWE: Memory Allocation with Excessive Size Value [CWE-789]Date found: 2025-09-19Date published: 2025-11-02CVSSv4 Score: 7.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N)CVE: CVE-2025-11375 VERSIONS AFFECTED Consul Community Edition <= 1.21.5Consul Enterprise <= 1.21.5, 1.20.7, 1.19.9 and 1.18.11 INTRODUCTION Consul is a service networking solution that enables teams to --------------------------------------------- https://www.rcesecurity.com/2025/11/hashicorp-consul-1-21-5-event-denial-of… ∗∗∗ HashiCorp Consul <= 1.21.5 KVS Denial of Service (CVE-2025-11374) ∗∗∗ --------------------------------------------- ADVISORY INFORMATION Product: HashiCorp ConsulVendor URL: https://developer.hashicorp.com/consulCWE: Memory Allocation with Excessive Size Value [CWE-789]Date found: 2025-09-19Date published: 2025-11-02CVSSv4 Score: 7.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N)CVE: CVE-2025-11374 VERSIONS AFFECTED Consul Community Edition <= 1.21.5Consul Enterprise <= 1.21.5, 1.20.7, 1.19.9 and 1.18.11 INTRODUCTION Consul is a service networking solution that enables teams to --------------------------------------------- https://www.rcesecurity.com/2025/11/hashicorp-consul-1-21-5-kvs-denial-of-s… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 31.10.2025
by Daily end-of-shift report 31 Oct '25

31 Oct '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 30-10-2025 18:00 − Freitag 31-10-2025 18:00 Handler: Guenes Holler Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ CISA and NSA Issue Urgent Guidance to Secure WSUS and Microsoft Exchange Servers ∗∗∗ --------------------------------------------- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA), along with international partners from Australia and Canada, have released guidance to harden on-premise Microsoft Exchange Server instances from potential exploitation. --------------------------------------------- https://thehackernews.com/2025/10/cisa-and-nsa-issue-urgent-guidance-to.html ∗∗∗ Windows zero-day actively exploited to spy on European diplomats ∗∗∗ --------------------------------------------- A China-linked hacking group is exploiting a Windows zero-day in attacks targeting European diplomats in Hungary, Belgium, and other European nations. --------------------------------------------- https://www.bleepingcomputer.com/news/security/chinese-hackers-exploit-wind… ∗∗∗ Russian Ransomware Gangs Weaponize Open-Source AdaptixC2 for Advanced Attacks ∗∗∗ --------------------------------------------- The open-source command-and-control (C2) framework known as AdaptixC2 is being used by a growing number of threat actors, some of whom are related to Russian ransomware gangs. AdaptixC2 is an emerging extensible post-exploitation and adversarial emulation framework designed for penetration testing. --------------------------------------------- https://thehackernews.com/2025/10/russian-ransomware-gangs-weaponize-open.h… ∗∗∗ Massive surge of NFC relay malware steals Europeans’ credit cards ∗∗∗ --------------------------------------------- Near-Field Communication (NFC) relay malware has grown massively popular in Eastern Europe, with researchers discovering over 760 malicious Android apps using the technique to steal peoples payment card information in the past few months. --------------------------------------------- https://www.bleepingcomputer.com/news/security/massive-surge-of-nfc-relay-m… ∗∗∗ China-Linked Tick Group Exploits Lanscope Zero-Day to Hijack Corporate Systems ∗∗∗ --------------------------------------------- The exploitation of a recently disclosed critical security flaw in Motex Lanscope Endpoint Manager has been attributed to a cyber espionage group known as Tick. The vulnerability, tracked as CVE-2025-61932 (CVSS score: 9.3), allows remote attackers to execute arbitrary commands with SYSTEM privileges on on-premise versions of the program. --------------------------------------------- https://thehackernews.com/2025/10/china-linked-tick-group-exploits.html ∗∗∗ Nation-State Hackers Deploy New Airstalk Malware in Suspected Supply Chain Attack ∗∗∗ --------------------------------------------- A suspected nation-state threat actor has been linked to the distribution of a new malware called Airstalk as part of a likely supply chain attack. Palo Alto Networks Unit 42 said its tracking the cluster under the moniker CL-STA-1009, where "CL" stands for cluster and "STA" refers to state-backed motivation. --------------------------------------------- https://thehackernews.com/2025/10/nation-state-hackers-deploy-new.html ∗∗∗ Proton trains new service to expose corporate infosec cover-ups ∗∗∗ --------------------------------------------- Service will tell on compromised organizations, even if they didnt plan on doing so themselves Some orgs would rather you not know when theyve suffered a cyberattack, but a new platform from privacy-focused tech firm Proton will shine a light on the big breaches that might otherwise stay buried. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/10/30/proton_data_… ∗∗∗ Open VSX: Eclipse Foundation zieht Konsequenzen aus GlassWorm-Attacke ∗∗∗ --------------------------------------------- Die Eclipse Foundation hat ihren jüngsten Sicherheitsvorfall rund um Open VSX – den Open-Source-Marktplatz für VS-Code-Erweiterungen – aufgearbeitet. In den vergangenen Wochen war bekannt geworden, dass Zugangstokens versehentlich in öffentlichen Repositories gelandet waren. Ein Teil davon wurde missbraucht, um manipulierte Erweiterungen einzuschleusen. --------------------------------------------- https://www.heise.de/news/Open-VSX-Eclipse-Foundation-zieht-Konsequenzen-au… ∗∗∗ Hacking India’s largest automaker: Tata Motors ∗∗∗ --------------------------------------------- If you are in the US and ask your friends and family if they have heard of “Tata Motors”, they would likely say no. However, if you go overseas, Tata Motors and the Tata Group in general are a massive, well-known conglomerate. Back in 2023, I took my hacking adventures overseas and found many vulnerabilities with Tata Motors. This post covers 4 of the most impactful findings I discovered that I am finally ready to share today. Let’s dive in! --------------------------------------------- https://eaton-works.com/2025/10/28/tata-motors-hack/ ∗∗∗ Hacktivist ICS Attacks Target Canadian Critical Infrastructure ∗∗∗ --------------------------------------------- Canadian cybersecurity officials are warning that hacktivists are increasingly targeting critical infrastructure in the country. In an October 29 alert, the Canadian Centre for Cyber Security described three recent attacks on internet-accessible industrial control systems (ICS). --------------------------------------------- https://thecyberexpress.com/hacktivist-ics-attacks-canada/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (java-1.8.0-openjdk, java-17-openjdk, libtiff, redis, and redis:6), Debian (chromium, mediawiki, pypy3, and squid), Fedora (openbao), SUSE (cdi-apiserver-container, cdi-cloner-container, cdi- controller-container, cdi-importer-container, cdi-operator-container, cdi- uploadproxy-container, cdi-uploadserver-container, cont, chromium, chrony, expat, haproxy, himmelblau, ImageMagick, iputils, kernel, libssh, libxslt, openssl-3, podman, strongswan, xorg-x11-server, and xwayland), and Ubuntu (kernel, libxml2, libyaml-syck-perl, linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-hwe, linux-oracle, linux-fips, linux-aws-fips, linux-gcp-fips, linux-kvm, and netty). --------------------------------------------- https://lwn.net/Articles/1044380/ ∗∗∗ ZDI-25-983: evernote-mcp-server openBrowser Command Injection Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-983/ ∗∗∗ ZDI-25-982: oobabooga text-generation-webui trust_remote_code Reliance on Untrusted Inputs Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-982/ ∗∗∗ ZDI-25-980: Heimdall Data Database Proxy Cross-Site Scripting Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-980/ ∗∗∗ ZDI-25-979: Netgate pfSense CE Suricata Path Traversal Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-979/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 30.10.2025
by Daily end-of-shift report 30 Oct '25

30 Oct '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 29-10-2025 18:00 − Donnerstag 30-10-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Kein Fix verfügbar: Milliarden von Webbrowsern lassen sich in Sekunden crashen ∗∗∗ --------------------------------------------- Eine bisher ungepatchte Sicherheitslücke betrifft Nutzer Chromium-basierter Browser. Die Software lässt sich sekundenschnell zum Absturz bringen. --------------------------------------------- https://www.golem.de/news/kein-fix-verfuegbar-milliarden-von-webbrowsern-la… ∗∗∗ GIMP: Manipulierte Bilder können Schadcode einschmuggeln ∗∗∗ --------------------------------------------- Die GIMP-Version 3.0.6 schließt einige hochriskante Sicherheitslücken. Angreifer können mit präparierten Bildern Malware einschleusen. --------------------------------------------- https://www.heise.de/news/Bildbarbeitung-GIMP-Version-3-0-6-schliesst-Codes… ∗∗∗ Sicherheitslücke: MOVEit Transfer ist für Attacken anfällig ∗∗∗ --------------------------------------------- Ein Patch schließt eine Schwachstelle in der Dateiübertragungssoftware MOVEit Transfer. --------------------------------------------- https://www.heise.de/news/Sicherheitsluecke-Angreifer-koennen-Dienst-von-MO… ∗∗∗ USA: Verkaufsverbot für TP-Link-Router wird immer wahrscheinlicher ∗∗∗ --------------------------------------------- Das US-Handelsministerium schlägt ein Verkaufsverbot für TP-Link-Router vor. Mehrere Bundesbehörden sehen ein Sicherheitsrisiko durch Verbindungen nach China. --------------------------------------------- https://www.heise.de/news/USA-Verkaufsverbot-fuer-TP-Link-Router-wird-immer… ∗∗∗ Security awareness: four pillars for staying safe online ∗∗∗ --------------------------------------------- TL;DR Introduction When it comes to being security aware, there are seemingly endless things you need to consider. Here are four key areas as a user you can focus on to keep yourself secure. --------------------------------------------- https://www.pentestpartners.com/security-blog/security-awareness-four-pilla… ∗∗∗ #5TageGegenDeepfakes: Kriminelle nutzen Deepfakes von Promis für Investmentscams ∗∗∗ --------------------------------------------- Einige Prominente genießen aufgrund ihrer Persönlichkeit eine hohe Vertrauenswürdigkeit. Kriminelle machen sich dies zunutze und erstellen Deepfakes der Promis, um sie betrügerische Investments bewerben zu lassen. --------------------------------------------- https://www.watchlist-internet.at/news/5tagegegendeepfakes-kriminelle-nutze… ∗∗∗ Former Trenchant exec pleads guilty to selling cyber exploits to Russian broker ∗∗∗ --------------------------------------------- The former executive sold the trade secrets to a Russian cyber-tools broker that “publicly advertises itself as a reseller of cyber exploits to various customers, including the Russian government,” according to the Department of Justice. --------------------------------------------- https://therecord.media/trenchant-exec-pleads-guilty-russia-secrets ∗∗∗ Cyber info sharing ‘holding steady’ despite lapse in CISA 2015, official says ∗∗∗ --------------------------------------------- The comments come roughly a month after the expiration of the 2015 Cybersecurity Information Sharing Act, which incentivized private entities to share threat data with the government with antitrust and liability safeguards. --------------------------------------------- https://therecord.media/cyber-info-sharing-holding-steady-official-says ∗∗∗ Russian Hackers Exploit Adaptix Pentesting Tool in Ransomware Attacks ∗∗∗ --------------------------------------------- Silent Push wars of Russian hackers exploiting Adaptix, a pentesting tool built for Windows, Linux, and macOS, in ransomware campaigns. --------------------------------------------- https://hackread.com/russian-hackers-adaptix-pentest-ransomware/ ∗∗∗ New Guidance Released on Microsoft Exchange Server Security Best Practices ∗∗∗ --------------------------------------------- Today, CISA, in partnership with the National Security Agency and international cybersecurity partners, released Microsoft Exchange Server Security Best Practices, a guide to help network defenders harden on-premises Exchange servers against exploitation .. at high risk of compromise. Best practices in this guide focus on hardening user --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/10/30/new-guidance-released-mi… ∗∗∗ Learnings from recent npm supply chain compromises ∗∗∗ --------------------------------------------- A look at recent npm supply chain compromises and how we can learn from them to better prepare for future incidents. --------------------------------------------- https://securitylabs.datadoghq.com/articles/learnings-from-recent-npm-compr… ∗∗∗ Vulnerabilities in LUKS2 disk encryption for confidential VMs ∗∗∗ --------------------------------------------- Trail of Bits is disclosing vulnerabilities in eight different confidential computing systems that use Linux Unified Key Setup version 2 (LUKS2) for disk encryption. Using these vulnerabilities, a malicious actor with access to storage disks can extract all confidential data stored on that disk and can modify the contents of the disk arbitrarily. The vulnerabilities are caused by malleable metadata headers that allow an attacker to trick a trusted execution environment guest into encrypting .. --------------------------------------------- https://blog.trailofbits.com/2025/10/30/vulnerabilities-in-luks2-disk-encry… ===================== = Vulnerabilities = ===================== ∗∗∗ SVD-2025-1011: Third-Party Package Updates in Splunk Operator for Kubernetes Add-on - October 2025 ∗∗∗ --------------------------------------------- Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Operator for Kubernetes Add-on version 3.0.0 and higher. --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2025-1011 ∗∗∗ SVD-2025-1010: Third-Party Package Updates in Splunk AppDynamics Analytics Agent - October 2025 ∗∗∗ --------------------------------------------- Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk AppDynamics Analytics Agent version 25.7.0 and higher. --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2025-1010 ∗∗∗ SVD-2025-1009: Third-Party Package Updates in Splunk AppDynamics Private Synthetic Agent - October 2025 ∗∗∗ --------------------------------------------- Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk AppDynamics Private Synthetic Agent version 25.7.0 and higher. --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2025-1009 ∗∗∗ SVD-2025-1008: Third-Party Package Updates in Splunk AppDynamics Machine Agent - October 2025 ∗∗∗ --------------------------------------------- Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk AppDynamics Machine Agent version 25.7.0 and higher. --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2025-1008 ∗∗∗ Simple OAuth (OAuth2) & OpenID Connect - Critical - Access bypass - SA-CONTRIB-2025-114 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2025-114 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 29.10.2025
by Daily end-of-shift report 29 Oct '25

29 Oct '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 28-10-2025 18:00 − Mittwoch 29-10-2025 18:00 Handler: Alexander Riepl Co-Handler: Guenes Holler ===================== = News = ===================== ∗∗∗ How typosquatting tricked me (a bit) ∗∗∗ --------------------------------------------- Typosquatting is a popular method using similarly looking names to draw people into malicious content – such as phishing websites or fake software packages. It leverages our “brain optimization” that matches what we see with what we already know – even if it’s not exactly the same. I haven’t installed any shady software, but it’s still a good example how easily our brain could be used against us by utilizing our biases. --------------------------------------------- https://www.cert.at/en/blog/2025/10/how-typosquatting-tricked-me-a-bit ∗∗∗ Qilin ransomware abuses WSL to run Linux encryptors in Windows ∗∗∗ --------------------------------------------- The Qilin ransomware operation was spotted executing Linux encryptors in Windows using Windows Subsystem for Linux (WSL) to evade detection by traditional security tools. --------------------------------------------- https://www.bleepingcomputer.com/news/security/qilin-ransomware-abuses-wsl-… ∗∗∗ Collins Aerospace: Mangelhafte Passwörter ermöglichten Nachrichten an Cockpits ∗∗∗ --------------------------------------------- Durch mangelhaften Zugriffsschutz bei Collins Aerospace ließen sich Nachrichten an Flugzeug-Cockpits schicken. --------------------------------------------- https://www.heise.de/news/Collins-Aerospace-Mangelhafte-Passwoerter-ermoegl… ∗∗∗ Aisuru Botnet Shifts from DDoS to Residential Proxies ∗∗∗ --------------------------------------------- Aisuru, the botnet responsible for a series of record-smashing distributed denial-of-service (DDoS) attacks this year, recently was overhauled to support a more low-key, lucrative and sustainable business: Renting hundreds of thousands of infected Internet of Things (IoT) devices to proxy services that help cybercriminals anonymize their traffic. Experts say a glut of proxies from Aisuru and other sources is fueling large-scale data harvesting efforts tied to various artificial intelligence (AI) projects, helping content scrapers evade detection by routing their traffic through residential connections that appear to be regular Internet users. --------------------------------------------- https://krebsonsecurity.com/2025/10/aisuru-botnet-shifts-from-ddos-to-resid… ∗∗∗ HTTPS by default ∗∗∗ --------------------------------------------- One year from now, with the release of Chrome 154 in October 2026, we will change the default settings of Chrome to enable “Always Use Secure Connections”. This means Chrome will ask for the user's permission before the first access to any public site without HTTPS. --------------------------------------------- http://security.googleblog.com/2025/10/https-by-default.html ∗∗∗ Microsoft WSUS Remote Code Execution (CVE-2025-59287) Actively Exploited in the Wild (Updated October 28) ∗∗∗ --------------------------------------------- On Oct. 14, 2025, a critical, unauthenticated remote code execution (RCE) vulnerability was identified in Microsoft's Windows Server Update Services (WSUS), a core enterprise component for patch management. Microsoft's initial patch during the October Patch Tuesday did not fully address the flaw, necessitating an emergency out-of-band security update released Oct. 23, 2025. Within hours of the emergency update, Unit 42 and other security researchers observed active exploitation in the wild. The combination of a remotely exploitable, unauthenticated RCE in a core infrastructure service, coupled with observed active exploitation in the wild, represents a severe and time-sensitive risk. --------------------------------------------- https://unit42.paloaltonetworks.com/microsoft-cve-2025-59287/ ∗∗∗ Suspected Nation-State Threat Actor Uses New Airstalk Malware in a Supply Chain Attack ∗∗∗ --------------------------------------------- We have discovered a new Windows-based malware family we've named Airstalk, which is available in both PowerShell and .NET variants. We assess with medium confidence that a possible nation-state threat actor used this malware in a likely supply chain attack. We have created the threat activity cluster CL-STA-1009 to identify and track any further related activity. --------------------------------------------- https://unit42.paloaltonetworks.com/new-windows-based-malware-family-airsta… ∗∗∗ Cybersecurity on a budget: Strategies for an economic downturn ∗∗∗ --------------------------------------------- This blog offers practical strategies, creative defenses, and talent management advice to help your business stay secure when every dollar counts. --------------------------------------------- https://blog.talosintelligence.com/cybersecurity-on-a-budget-strategies-for… ∗∗∗ Hackers Hijack Corporate XWiki Servers for Crypto Mining ∗∗∗ --------------------------------------------- Hackers exploit critical XWiki flaw CVE-2025-24893 to hijack corporate servers for cryptomining, with active attacks confirmed by VulnCheck researchers. --------------------------------------------- https://hackread.com/hackers-hijack-xwiki-servers-crypto-mining/ ∗∗∗ iOS: Sicherheitsforscher warnen vor Third-Party-App-Store "Flekst0re" ∗∗∗ --------------------------------------------- Apple muss in der EU Konkurrenten zum iOS App Store zulassen. Flekst0re ist eines der Angebote, wobei es Sonderwege beschreitet. Das reißt Sicherheitslücken. --------------------------------------------- https://heise.de/-10961981 ∗∗∗ What We Talk About When We Talk About Sideloading ∗∗∗ --------------------------------------------- We recently published a blog post with our reaction to the new Google Developer Program and how it impacts your freedom to use the devices that you own in the ways that you want. The post garnered quite a lot of feedback and interest from the community and press, as well as various civil society groups and regulatory agencies. --------------------------------------------- https://f-droid.org/2025/10/28/sideloading.html ===================== = Vulnerabilities = ===================== ∗∗∗ BSI warnt vor Bind-Lücke: Daten unzähliger DNS-Server manipulierbar ∗∗∗ --------------------------------------------- In der weitverbreiteten DNS-Lösung Bind klafft eine gefährliche Sicherheitslücke, die es Angreifern ermöglicht, durch sogenanntes Cache-Poisoning DNS-Einträge zu manipulieren. Das Bundesamt für Sicherheit in der Informationstechnik (BSI) hat eine Warnung herausgegeben (öffnet im neuen Fenster), laut der inzwischen auch ein Proof of Concept (PoC) zur Ausnutzung der Lücke im Netz kursiert. Admins sollten zügig handeln. --------------------------------------------- https://www.golem.de/news/exploit-code-verfuegbar-dns-eintraege-unzaehliger… ∗∗∗ Lücken gefährden Systeme mit IBMs Sicherheitslösungen Concert und QRadar SIEM ∗∗∗ --------------------------------------------- Angreifer können an mehreren Sicherheitslücken in IBM Concert und QRadar SIEM ansetzen. Patches sind verfügbar. --------------------------------------------- https://www.heise.de/news/Luecken-gefaehrden-Systeme-mit-IBMs-Sicherheitslo… ∗∗∗ Jetzt patchen! Attacken auf DELMIA Apriso beobachtet ∗∗∗ --------------------------------------------- Das Fertigungsmanagementtool DELMIA Apriso ist derzeit im Fokus von Angreifern. Sicherheitspatches stehen schon seit Sommer dieses Jahres zum Download bereit. --------------------------------------------- https://www.heise.de/news/Jetzt-patchen-Attacken-auf-DELMIA-Apriso-beobacht… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gimp, python-authlib, and xorg-server), Fedora (chromium and git-lfs), Mageia (poppler and tomcat), Red Hat (kernel, kernel-rt, redis, and redis:6), SUSE (fetchmail, grafana, ImageMagick, kernel-devel, libluajit-5_1-2, proxy-helm, python-Authlib, and xen), and Ubuntu (linux-intel-iotg, linux-intel-iotg-5.15 and squid, squid3). --------------------------------------------- https://lwn.net/Articles/1043983/ ∗∗∗ Ungeschützte NFC-Kartenmanipulation führt zu kostenloser Aufladung in GiroWeb Cashless Catering Solutions bei veralteter Kundeninfrastruktur ∗∗∗ --------------------------------------------- Bei Verwendung der GiroWeb Cashless Catering-Lösung mit älteren NFC-Karten kann das gespeicherte Kartenguthaben ohne Backend-Überprüfung geändert werden. Dieses Verhalten tritt auf, weil der Guthabenwert ausschließlich auf der Karte gespeichert ist. Der Anbieter hat erklärt, dass dieses Verhalten mit dem Design des spezifischen NFC-Kartentyps zusammenhängt und daher keine Schwachstelle in der Zahlungslösung selbst darstellt, sondern auf die unsicheren Karten zurückzuführen ist, die von seinen Kunden in älteren Umgebungen verwendet werden. --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/ungeschuetzte-nfc-kar… ∗∗∗ ZDI-25-977: Delta Electronics ASDA-Soft PAR File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-977/ ∗∗∗ ZDI-25-975: X.Org Server XkbSetCompatMap Numeric Truncation Error Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-975/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 28.10.2025
by Daily end-of-shift report 28 Oct '25

28 Oct '25

===================== = End-of-Day report = ===================== Timeframe: Montag 27-10-2025 18:00 − Dienstag 28-10-2025 18:00 Handler: Alexander Riepl Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Google disputes false claims of massive Gmail data breach ∗∗∗ --------------------------------------------- Google was once again forced to announce that it had not suffered a data breach after numerous news outlets published sensational stories about a fake breach that purportedly exposed 183 million accounts. --------------------------------------------- https://www.bleepingcomputer.com/news/security/google-disputes-false-claims… ∗∗∗ Millionen Gmail-Passwörter gestohlen: Ist eures darunter? ∗∗∗ --------------------------------------------- Laut dem Cybersecurity-Experten Troy Hunt, der das Datenleck aufgedeckt hat, könnten 3,5 Terabyte an Daten betroffen sein. --------------------------------------------- https://futurezone.at/digital-life/gmail-passwoerter-datenleak-pwned-cybers… ∗∗∗ Ransomware: Immer weniger Unternehmen zahlen Hackern ein Lösegeld ∗∗∗ --------------------------------------------- Die Rentabilität von Ransomware-Attacken fällt. Nicht nur zahlen immer weniger Opfer das Lösegeld. Auch die Höhe der Zahlungen ist zuletzt stark gefallen. --------------------------------------------- https://www.golem.de/news/ransomware-immer-weniger-unternehmen-zahlen-hacke… ∗∗∗ Admin-Zugang gekapert: Insasse hackt Gefängnis-IT und macht Mithäftlinge reich ∗∗∗ --------------------------------------------- Aufgeflogen ist alles, weil Inhaftierte ihre Gier nicht im Griff hatten. Ein Millionenbetrag auf dem Konto eines Insassen ist dann doch etwas auffällig. --------------------------------------------- https://www.golem.de/news/admin-zugang-gekapert-insasse-hackt-gefaengnis-it… ∗∗∗ Crypto wasted: BlueNoroff’s ghost mirage of funding and jobs ∗∗∗ --------------------------------------------- Kaspersky GReAT experts dive deep into the BlueNoroff APTs GhostCall and GhostHire campaigns. Extensive research detailing multiple malware chains targeting macOS, including a stealer suite, fake Zoom and Microsoft Teams clients and ChatGPT-enhanced images. --------------------------------------------- https://securelist.com/bluenoroff-apt-campaigns-ghostcall-and-ghosthire/117… ∗∗∗ BSI: Checkliste für Vorgehen bei geknackten Konten ∗∗∗ --------------------------------------------- Das Bundesamt für Sicherheit in der Informationstechnik (BSI) hat zusammen mit dem Programm polizeiliche Kriminalprävention (ProPK) eine Checkliste veröffentlicht, die Privatanwendern helfen soll, wenn ihre Zugänge von Kriminellen übernommen wurden. --------------------------------------------- https://www.heise.de/news/BSI-Checkliste-fuer-Vorgehen-bei-geknackten-Konte… ∗∗∗ Microsoft WSUS Remote Code Execution (CVE-2025-59287) Actively Exploited in the Wild ∗∗∗ --------------------------------------------- On Oct. 14, 2025, a critical, unauthenticated remote code execution (RCE) vulnerability was identified in Microsoft's Windows Server Update Services (WSUS), a core enterprise component for patch management. Microsoft's initial patch during the October Patch Tuesday did not fully address the flaw, necessitating an emergency out-of-band security update released Oct. 23, 2025. Within hours of the emergency update, Unit 42 and other security researchers observed active exploitation in the wild. --------------------------------------------- https://unit42.paloaltonetworks.com/microsoft-cve-2025-59287/ ∗∗∗ US declines to join more than 70 countries in signing UN cybercrime treaty ∗∗∗ --------------------------------------------- More than 70 countries signed the landmark UN Convention against Cybercrime in Hanoi this weekend, a significant step in the yearslong effort to create a global mechanism to counteract digital crime. --------------------------------------------- https://therecord.media/us-declines-signing-cybercrime-treaty ∗∗∗ Steigende Cyber-Attacken auf die Fertigungsindustrie ∗∗∗ --------------------------------------------- Die Fertigungsindustrie gerät wohl immer mehr ins Visier von Cyber-Kriminellen. Check Point Research stellt steigende Fallzahlen von Angriffen fest. Führungskräfte sollten sich mit diesem Trend auseinandersetzen, denn Cyber-Sicherheit ist kein exklusives Thema mehr, welches man seiner IT-Abteilung überlässt. --------------------------------------------- https://www.borncity.com/blog/2025/10/28/steigende-cyber-attacken-auf-die-f… ∗∗∗ Vulnerability Management – Process Perspective ∗∗∗ --------------------------------------------- In this post, we dive deeper into the HOW of vulnerability management. This post is dedicated to the processes to provide a comprehensive overview. --------------------------------------------- https://blog.nviso.eu/2025/10/28/vulnerability-management-process-perspecti… ∗∗∗ Keys to the Kingdom: A Defenders Guide to Privileged Account Monitoring ∗∗∗ --------------------------------------------- Privileged access stands as the most critical pathway for adversaries seeking to compromise sensitive systems and data. Its protection is not only a best practice, it is a fundamental imperative for organizational resilience. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/privileged-account… ∗∗∗ Friends don’t let friends reuse IVs ∗∗∗ --------------------------------------------- If you’ve encountered cryptography software, you’ve probably heard the advice to never use an IV (initial value) twice—in fact, that’s where the other common name for that concept, nonce (number used once), comes from. Depending on the cryptography involved, a reused nonce can reveal encrypted messages, or even leak your secret key! But common knowledge may not cover every possible way to accidentally reuse nonces. Sometimes, the techniques that are supposed to prevent nonce reuse have subtle flaws. --------------------------------------------- https://blog.trailofbits.com/2024/09/13/friends-dont-let-friends-reuse-nonc… ===================== = Vulnerabilities = ===================== ∗∗∗ Docker Desktop: Windows-Installer für Ausführung von Schadcode anfällig ∗∗∗ --------------------------------------------- Der Windows-Installer von Docker Desktop lässt sich falsche DLLs unterschieben. Die Entwickler steuern mit einer aktualisierten Software-Version gegen. --------------------------------------------- https://www.heise.de/news/Docker-Desktop-Windows-Installer-fuer-Ausfuehrung… ∗∗∗ Proxmon Backup Server: Angreifer können Backup-Snapshots zerstören ∗∗∗ --------------------------------------------- Die Entwickler der Backuplösung Proxmon Backup Server haben Sicherheitslücken geschlossen. Bislang gibt es keine Berichte zu Attacken. --------------------------------------------- https://www.heise.de/news/Proxmon-Backup-Server-Angreifer-koennen-Backup-Sn… ∗∗∗ 100,000 WordPress Sites Affected by Arbitrary File Read Vulnerability in Anti-Malware Security and Brute-Force Firewall WordPress Plugin ∗∗∗ --------------------------------------------- On October 3rd, 2025, we received a submission for an Arbitrary File Read vulnerability in Anti-Malware Security and Brute-Force Firewall, a WordPress plugin with more than 100,000 active installations. --------------------------------------------- https://www.wordfence.com/blog/2025/10/100000-wordpress-sites-affected-by-a… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (kernel, kernel-rt, libtiff, squid:4, and thunderbird), Debian (strongswan and webkit2gtk), Fedora (pcre2, qt5-qtbase, squid, unbound, and xen), Mageia (icu and libtpms), Oracle (java-1.8.0-openjdk, java-17-openjdk, java-21-openjdk, kernel, squid:4, and thunderbird), Red Hat (libtiff, squid, squid:4, and webkit2gtk3), SUSE (cmake, dracut-saltboot, erlang, exim, expat, ffmpeg-4, firefox, golang-github-prometheus-alertmanager, haproxy, java-11-openjdk, kernel, libxslt, multi-linux-manager, openssl-3, podman, rabbitmq-server, spacewalk-web, strongswan, and wireshark), and Ubuntu (gst-plugins-good1.0, linux-aws-5.15, radare2, ruby2.3, ruby2.5, ruby2.7, and strongswan). --------------------------------------------- https://lwn.net/Articles/1043776/ ∗∗∗ Security Vulnerabilities fixed in Firefox 144.0.2, High impact ∗∗∗ --------------------------------------------- Starting with Firefox 142, it was possible for a compromised child process to trigger a use-after-free in the GPU or browser process using WebGPU-related IPC calls. This may have been usable to escape the child process sandbox. --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-86/ ∗∗∗ "ChatGPT Tainted Memories" Exploit Enables Command Injection in Atlas Browser ∗∗∗ --------------------------------------------- LayerX Security found a flaw in OpenAI’s ChatGPT Atlas browser that lets attackers inject commands into its memory, posing major security and phishing risks. --------------------------------------------- https://hackread.com/chatgpt-tainted-memories-atlas-browser/ ∗∗∗ CISA Releases Three Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- CISA released three Industrial Control Systems (ICS) Advisories: ICSA-25-301-01 Schneider Electric EcoStruxure, ICSMA-25-301-01 Vertikal Systems Hospital Manager Backend Services and ICSA-24-352-04 Schneider Electric Modicon (Update B). --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/10/28/cisa-releases-three-indu… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 27.10.2025
by Daily end-of-shift report 27 Oct '25

27 Oct '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 24-10-2025 18:00 − Montag 27-10-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New CoPhish attack steals OAuth tokens via Copilot Studio agents ∗∗∗ --------------------------------------------- A new phishing technique dubbed CoPhish weaponizes Microsoft Copilot Studio agents to deliver fraudulent OAuth consent requests via legitimate and trusted Microsoft domains. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-cophish-attack-steals-oa… ∗∗∗ Hackers steal Discord accounts with RedTiger-based infostealer ∗∗∗ --------------------------------------------- Attackers are using the open-source red-team tool RedTiger to build an infostealer that collects Discord account data and payment information. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-steal-discord-accoun… ∗∗∗ Dringend patchen: Hacker attackieren Windows-Server über kritische WSUS-Lücke ∗∗∗ --------------------------------------------- Angreifer können unter anderem manipulierte Windows-Updates einschleusen und diese an Clients verteilen lassen. Admins sollten schnell handeln. --------------------------------------------- https://www.golem.de/news/dringend-patchen-windows-server-werden-ueber-wsus… ∗∗∗ Mem3nt0 mori – The Hacking Team is back! ∗∗∗ --------------------------------------------- Kaspersky researchers discovered previously unidentified commercial Dante spyware developed by Memento Labs (formerly Hacking Team) and linked it to the ForumTroll APT attacks. --------------------------------------------- https://securelist.com/forumtroll-apt-hacking-team-dante-spyware/117851/ ∗∗∗ North Korea Has Stolen Billions in Cryptocurrency and Tech Firm Salaries, Report Says ∗∗∗ --------------------------------------------- The Associated Press reports that "North Korean hackers have pilfered billions of dollars" by breaking into cryptocurrency exchanges and by creating fake identities to get remote tech jobs at foreign companies — all orchestrated by the North Korean government to finance R&D on nuclear arms. Thats according to a new the 138-page report by a group watching .. --------------------------------------------- https://yro.slashdot.org/story/25/10/25/1246241/north-korea-has-stolen-bill… ∗∗∗ ChatGPT Atlas Browser Can Be Tricked by Fake URLs into Executing Hidden Commands ∗∗∗ --------------------------------------------- The newly released OpenAI Atlas web browser has been found to be susceptible to a prompt injection attack where its omnibox can be jailbroken by disguising a malicious prompt as a seemingly harmless URL to .. --------------------------------------------- https://thehackernews.com/2025/10/chatgpt-atlas-browser-can-be-tricked-by.h… ∗∗∗ Qilin Ransomware Combines Linux Payload With BYOVD Exploit in Hybrid Attack ∗∗∗ --------------------------------------------- The ransomware group known as Qilin (aka Agenda, Gold Feather, and Water Galura) has claimed more than 40 victims every month since the start of 2025, barring January, with the number of postings on its data leak site touching a high of 100 cases in .. --------------------------------------------- https://thehackernews.com/2025/10/qilin-ransomware-combines-linux-payload.h… ∗∗∗ X says passkey reset isnt about a security issue – its to finally kill off twitter.com ∗∗∗ --------------------------------------------- Social media site dispatches crucial clarification days after curious announcement X (formerly Twitter) sparked security concerns over the weekend when it announced users must re-enroll their security keys by November 10 or face account lockouts — without initially explaining why. --------------------------------------------- https://www.theregister.com/2025/10/27/x_passkey_reset/ ∗∗∗ Collins Aerospace: Alte Passwörter und verzögerte Reaktion ermöglichen Datenklau ∗∗∗ --------------------------------------------- Neue Details zum Cyberangriff auf Collins Aerospace: Alte Passwörter ermöglichten Datenklau, wohl Millionen Passagierdaten betroffen – mehr als nur Ransomware. --------------------------------------------- https://www.heise.de/news/Collins-Aerospace-Alte-Passwoerter-und-verzoegert… ∗∗∗ Ubiquiti UniFi Access: Angreifer können sich unbefugt Zugriff verschaffen ∗∗∗ --------------------------------------------- In Ubiquitis UniFi Door Access klafft eine kritische Sicherheitslücke, die Angreifern unbefugten Zugriff ermöglicht. --------------------------------------------- https://www.heise.de/news/Ubiquiti-UniFi-Access-Angreifer-koennen-sich-unbe… ∗∗∗ Angreifer können Authentifizierung bei Dell Storage Manager umgehen ∗∗∗ --------------------------------------------- In einer aktuellen Version von Dells Storage Manager haben die Entwickler drei Sicherheitslücken geschlossen. --------------------------------------------- https://www.heise.de/news/Angreifer-koennen-Authentifizierung-bei-Dell-Stor… ∗∗∗ Schneider Electric Opfer der Oracle E-Business Suite 0-day Schwachstelle CVE-2025-61882 ∗∗∗ --------------------------------------------- Nutzer der Oracle Oracle E-Business Suite (EBS) werden seit Juli 2025 über eine erst am 4. Oktober 2025 gepatchte 0-day-Schwachstelle CVE-2025-61882 erfolgreich angegriffen. Inzwischen werden die Namen von Opfern bekannt. So ist .. --------------------------------------------- https://www.borncity.com/blog/2025/10/24/oracle-e-business-suite-0-day-schw… ∗∗∗ Distribution of Rhadamanthys Malware Disguised as a Game Developed with Ren’Py ∗∗∗ --------------------------------------------- AhnLab SEcurity intelligence Center (ASEC) has confirmed that the Infostealer malware Rhadamanthys is being distributed disguised as a game created with RenPy. RenPy is a game development tool based on Python that allows users to easily .. --------------------------------------------- https://asec.ahnlab.com/en/90767/ ∗∗∗ Uncovering Qilin attack methods exposed through multiple cases ∗∗∗ --------------------------------------------- Cisco Talos investigated the Qilin ransomware group, uncovering its frequent attacks on the manufacturing sector, use of legitimate tools for credential theft and data exfiltration, and sophisticated methods for lateral movement, evasion, and persistence. --------------------------------------------- https://blog.talosintelligence.com/uncovering-qilin-attack-methods-exposed-… ===================== = Vulnerabilities = ===================== ∗∗∗ Unauthenticated Local File Disclosure in MPDV Mikrolab MIP 2 / FEDRA 2 / HYDRA X Manufacturing Execution System ∗∗∗ --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/unauthenticated-local-fi… ∗∗∗ Potential Security Impact of ASP.NET Vulnerability on NetBak PC Agent ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-25-44 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 24.10.2025
by Daily end-of-shift report 24 Oct '25

24 Oct '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 23-10-2025 18:00 − Freitag 24-10-2025 18:00 Handler: Guenes Holler Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Angriffe gegen Microsoft WSUS Installationen - Update verfügbar ∗∗∗ --------------------------------------------- Microsoft hat eine kritische Sicherheitslücke in Windows Server Update Service (WSUS) veröffentlicht, die es unauthentifizierten Angreifern ermöglicht, aus der Ferne beliebigen Code auf betroffenen Servern auszuführen. Die Schwachstelle entsteht durch unsichere Deserialisierung von nicht vertrauenswürdigen Daten in einem veralteten Serialisierungsmechanismus. Microsoft hatte hierzu bereits am 14. Oktober einen ersten Patch veröffentlicht. Dieser erwies sich allerdings als unzureichend und wurde nun außerplanmäßig nachgebessert. --------------------------------------------- https://www.cert.at/de/warnungen/2025/10/angriffe-gegen-microsoft-wsus-inst… ∗∗∗ Fake LastPass death claims used to breach password vaults ∗∗∗ --------------------------------------------- LastPass is warning customers of a phishing campaign sending emails with an access request to the password vault as part of a legacy inheritance process. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-lastpass-death-claims-u… ∗∗∗ 3,000 YouTube Videos Exposed as Malware Traps in Massive Ghost Network Operation ∗∗∗ --------------------------------------------- A malicious network of YouTube accounts has been observed publishing and promoting videos that lead to malware downloads, essentially abusing the popularity and trust associated with the video hosting platform for propagating malicious payloads. --------------------------------------------- https://thehackernews.com/2025/10/3000-youtube-videos-exposed-as-malware.ht… ∗∗∗ APT36 Targets Indian Government with Golang-Based DeskRAT Malware Campaign ∗∗∗ --------------------------------------------- A Pakistan-nexus threat actor has been observed targeting Indian government entities as part of spear-phishing attacks designed to deliver a Golang-based malware known as DeskRAT. --------------------------------------------- https://thehackernews.com/2025/10/apt36-targets-indian-government-with.html ∗∗∗ LockBit Returns — and It Already Has Victims ∗∗∗ --------------------------------------------- LockBit is back. After being disrupted in early 2024, the ransomware group has resurfaced and is already extorting new victims. --------------------------------------------- https://blog.checkpoint.com/research/lockbit-returns-and-it-already-has-vic… ∗∗∗ Agenda Ransomware Deploys Linux Variant on Windows Systems Through Remote Management Tools and BYOVD Techniques ∗∗∗ --------------------------------------------- Trend Research identified a sophisticated Agenda ransomware attack that deployed a Linux variant on Windows systems. This cross-platform execution can make detection challenging for enterprises. --------------------------------------------- https://www.trendmicro.com/en_us/research/25/j/agenda-ransomware-deploys-li… ∗∗∗ Baohuo Android Malware Hijacks Telegram Accounts via Fake Telegram X ∗∗∗ --------------------------------------------- New Android malware Baohuo hijacks Telegram X accounts, stealing data and controlling chats. Over 58,000 devices infected, mainly in India and Brazil. --------------------------------------------- https://hackread.com/baohuo-android-malware-telegram-x-hijacks-accounts/ ∗∗∗ Help Wanted: Vietnamese Actors Using Fake Job Posting Campaigns to Deliver Malware and Steal Credentials ∗∗∗ --------------------------------------------- Google Threat Intelligence Group (GTIG) is tracking a cluster of financially motivated threat actors operating from Vietnam that leverages fake job postings on legitimate platforms to target individuals in the digital advertising and marketing sectors. The actor effectively uses social engineering to deliver malware and phishing kits, ultimately aiming to compromise high-value corporate accounts, in order to hijack digital advertising accounts. GTIG tracks parts of this activity as UNC6229. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/vietnamese-actors-… ===================== = Vulnerabilities = ===================== ∗∗∗ Atlassian Jira Data Center: Angreifer können Daten abgreifen ∗∗∗ --------------------------------------------- Sicherheitsupdates lösen IT-Sicherheitsprobleme in Atlassian Confluence Data Center und Jira Data Center. --------------------------------------------- https://www.heise.de/news/Atlassian-Jira-Data-Center-Angreifer-koennen-Date… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (webkit2gtk3), Debian (bind9, chromium, python-internetarchive, and tryton-sao), Fedora (dokuwiki and php-php81_bc-strftime), Mageia (firefox, nss & rootcerts and thunderbird), Slackware (openssl), SUSE (bleachbit, chromium, kernel, mozilla-nss, and python311-uv), and Ubuntu (fetchmail, golang-go.crypto, and linux-oracle-5.4). --------------------------------------------- https://lwn.net/Articles/1043235/ ∗∗∗ CISA Releases Eight Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- CISA released eight Industrial Control Systems (ICS) Advisories. ICSA-25-296-01 AutomationDirect Productivity Suite, ICSA-25-296-02 ASKI Energy ALS-Mini-S8 and ALS-Mini-S4, ICSA-25-296-03 Veeder-Root TLS4B Automatic Tank Gauge System, ICSA-25-296-04 Delta Electronics ASDA-Soft, ICSMA-25-296-01 NIHON KOHDEN Central Monitor CNS-6201, ICSA-25-037-02 Schneider Electric EcoStruxure (Update C), ICSA-24-116-02 Hitachi Energy MACH SCM (Update A), ICSA-25-259-01 Schneider Electric Altivar products, ATVdPAC module, ILC992 InterLink Converter (Update A). --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/10/23/cisa-releases-eight-indu… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 23.10.2025
by Daily end-of-shift report 23 Oct '25

23 Oct '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 22-10-2025 18:00 − Donnerstag 23-10-2025 18:00 Handler: Guenes Holler Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Cache poisoning vulnerabilities found in 2 DNS resolving apps ∗∗∗ --------------------------------------------- The makers of BIND, the Internet’s most widely used software for resolving domain names, are warning of two vulnerabilities that allow attackers to poison entire caches of results and send users to malicious destinations that are indistinguishable from the real ones. --------------------------------------------- https://arstechnica.com/security/2025/10/bind-warns-of-bugs-that-could-brin… ∗∗∗ BSI warnt: Laufende Angriffe gefährden fast 7.000 deutsche Firewalls ∗∗∗ --------------------------------------------- Die Anzahl anfälliger Watchguard-Firewalls geht bisher nur schleppend zurück. Jetzt schlägt das BSI Alarm und warnt vor laufenden Attacken. --------------------------------------------- https://www.golem.de/news/bsi-warnt-laufende-angriffe-gefaehrden-fast-7-000… ∗∗∗ Over 250 Magento Stores Hit Overnight as Hackers Exploit New Adobe Commerce Flaw ∗∗∗ --------------------------------------------- E-commerce security company Sansec has warned that threat actors have begun to exploit a recently disclosed security vulnerability in Adobe Commerce and Magento Open Source platforms, with more than 250 attack attempts recorded against multiple stores over the past 24 hours. --------------------------------------------- https://thehackernews.com/2025/10/over-250-magento-stores-hit-overnight.html ∗∗∗ The Smishing Deluge: China-Based Campaign Flooding Global Text Messages ∗∗∗ --------------------------------------------- We are attributing an ongoing smishing (phishing via text message) campaign of fraudulent toll violation and package misdelivery notices to a group widely known as the Smishing Triad. Our analysis indicates this campaign is a significantly more extensive and complex threat than previously reported. Attackers have impersonated international services across a wide array of critical sectors. --------------------------------------------- https://unit42.paloaltonetworks.com/global-smishing-campaign/ ∗∗∗ Bitter APT Exploiting Old WinRAR Vulnerability in New Backdoor Attacks ∗∗∗ --------------------------------------------- A cyber-espionage group known as Bitter (APT-Q-37), widely thought to operate from South Asia, is using new, sneaky methods to install a malicious backdoor program on computers belonging to high-value targets. --------------------------------------------- https://hackread.com/bitter-apt-winrar-vulnerability-backdoor-attacks/ ∗∗∗ PhantomCaptcha RAT Attack Targets Aid Groups Supporting Ukraine ∗∗∗ --------------------------------------------- SentinelLABS’ research reveals PhantomCaptcha, a highly coordinated, one-day cyber operation on Oct 8, 2025, targeting the International Red Cross, UNICEF, and Ukraine government groups using fake emails and a Remote Access Trojan (RAT) linked to Russian infrastructure. --------------------------------------------- https://hackread.com/phantomcaptcha-rat-attack-targets-ukraine/ ∗∗∗ North Korean Hackers Lure Defense Engineers With Fake Jobs to Steal Drone Secrets ∗∗∗ --------------------------------------------- Threat actors with ties to North Korea have been attributed to a new wave of attacks targeting European companies active in the defense industry as part of a long-running campaign known as Operation Dream Job. --------------------------------------------- https://thehackernews.com/2025/10/north-korean-hackers-lure-defense.html ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitslücken: GitLab-Entwickler raten zu zügigem Update ∗∗∗ --------------------------------------------- Um GitLab-Instanzen gegen mögliche Angriffe zu schützen, sollten Admins die verfügbaren Sicherheitspatches zeitnah installieren. Geschieht das nicht, können Angreifer an sieben Sicherheitslücken ansetzen. --------------------------------------------- https://www.heise.de/news/Sicherheitsluecken-GitLab-Entwickler-raten-zu-zue… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (ipa, kernel, and thunderbird), Debian (gdk-pixbuf, gegl, gimp, intel-microcode, raptor2, request-tracker4, and request-tracker5), Fedora (samba and wireshark), Mageia (haproxy, nginx, openssl, and python-django), Oracle (kernel and thunderbird), Red Hat (redis and redis:7), Slackware (bind), SUSE (aws-cli, local-npm-registry, python-boto3, python- botocore, python-coverage, python-flaky, python-pluggy, python-pytest, python- pytest-cov, python-pytest-html, python-pytest-metada, cargo-audit-advisory-db-20251021, fetchmail, git-bug, ImageMagick, istioctl, kernel, krb5, libsoup, libxslt, python-Authlib, and sccache), and Ubuntu (bind9, linux, linux-aws, linux-azure, linux-azure-6.8, linux-gcp, linux-gkeop, linux-ibm, linux-ibm-6.8, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-oracle, linux-azure, linux-azure-5.15, linux-gcp-5.15, linux-gcp-6.8, linux-gke, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, and linux-realtime, linux-realtime-6.8). --------------------------------------------- https://lwn.net/Articles/1043027/ ∗∗∗ OpenWRT: Updates schließen Sicherheitslücken in Router-Betriebssystem ∗∗∗ --------------------------------------------- Im quelloffenen Linux-Betriebssystem OpenWRT haben die Entwickler zwei Sicherheitslücken geschlossen. Sie ermöglichen unter Umständen das Einschleusen und Ausführen von Schadcode sowie die Ausweitung von Rechten. Die Schwachstellen gelten als hochriskant. Wer OpenWRT einsetzt, sollte daher die aktualisierten Images installieren. --------------------------------------------- https://heise.de/-10811056 ∗∗∗ DSA-6030-1 intel-microcode - security update ∗∗∗ --------------------------------------------- https://lists.debian.org/debian-security-announce/2025/msg00196.html ∗∗∗ DSA-6031-1 request-tracker5 - security update ∗∗∗ --------------------------------------------- https://lists.debian.org/debian-security-announce/2025/msg00197.html ∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/10/22/cisa-adds-one-known-expl… ∗∗∗ CISA Adds Five Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/10/14/cisa-adds-five-known-exp… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 22.10.2025
by Daily end-of-shift report 22 Oct '25

22 Oct '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 21-10-2025 18:00 − Mittwoch 22-10-2025 18:00 Handler: Guenes Holler Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Sharepoint ToolShell attacks targeted orgs across four continents ∗∗∗ --------------------------------------------- Hackers believed to be associated with China have leveraged the ToolShell vulnerability (CVE-2025-53770) in Microsoft SharePoint in attacks targeting government agencies, universities, telecommunication service providers, and finance organizations. --------------------------------------------- https://www.bleepingcomputer.com/news/security/sharepoint-toolshell-attacks… ∗∗∗ Russia Pivots, Cracks Down on Resident Hackers ∗∗∗ --------------------------------------------- Thanks to improving cybersecurity and law enforcement action from the West, Russias government is reevaluating which cybercriminals it wants to give safe haven from the law. --------------------------------------------- https://www.darkreading.com/threat-intelligence/russia-cracks-down-low-leve… ∗∗∗ Veraltete Chromium-Basis: Beliebte KI-Coding-IDEs gefährden Millionen Entwickler ∗∗∗ --------------------------------------------- Forscher schlagen Alarm: Die KI-Coding-IDEs Cursor und Windsurf enthalten eine uralte Chromium-Version mit mindestens 94 bekannten Sicherheitslücken. --------------------------------------------- https://www.golem.de/news/veraltete-chromium-basis-beliebte-ki-coding-ides-… ∗∗∗ Public Sector Ransomware Attacks Relentlessly Continue ∗∗∗ --------------------------------------------- In 2025, 36 years after the first ransomware attack was recorded, actors continue to zero in on the public sector, and there is no evidence they will slow down any time soon. In fact, our numbers suggest that ransomware attacks against government organizations are ramping up, causing crippling service outages, massive data loss, reputational damage, public distrust, and financial harm. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/public-sect… ∗∗∗ Researchers Identify PassiveNeuron APT Using Neursite and NeuralExecutor Malware ∗∗∗ --------------------------------------------- Government, financial, and industrial organizations located in Asia, Africa, and Latin America are the target of a new campaign dubbed PassiveNeuron, according to findings from Kaspersky.The cyber espionage activity was first flagged by the Russian .. --------------------------------------------- https://thehackernews.com/2025/10/researchers-identify-passiveneuron-apt.ht… ∗∗∗ Have I Been Pwned: 183 Millionen von Infostealern erbeutete Zugänge ergänzt ∗∗∗ --------------------------------------------- "Have I Been Pwned" sammelt veröffentlichte Zugangsdaten. Nun kamen 183 Millionen von Infostealern geklaute Konten hinzu. --------------------------------------------- https://www.heise.de/news/Have-I-Been-Pwned-183-Millionen-von-Infostealern-… ∗∗∗ Kritische Schadcode-Lücken bedrohen TP-Link Omada Gateways ∗∗∗ --------------------------------------------- Wichtige Sicherheitspatches schließen Schwachstellen in Omada Gateways. Netzwerkadmins sollten zügig handeln. --------------------------------------------- https://www.heise.de/news/Kritische-Schadcode-Luecken-bedrohen-TP-Link-Omad… ∗∗∗ Jingle Thief: Inside a Cloud-Based Gift Card Fraud Campaign ∗∗∗ --------------------------------------------- Threat actors behind the gift card fraud campaign Jingle Thief target retail via phishing and smishing, maintaining long-term access in cloud environments. --------------------------------------------- https://unit42.paloaltonetworks.com/cloud-based-gift-card-fraud-campaign/ ∗∗∗ Fast, Broad, and Elusive: How Vidar Stealer 2.0 Upgrades Infostealer Capabilities ∗∗∗ --------------------------------------------- Trend Research examines the latest version of the Vidar stealer, which features a full rewrite in C, a multithreaded architecture, and several enhancements that warrant attention. Its timely evolution suggests that Vidar is positioning itself to occupy the space left after Lumma Stealer’s decline. --------------------------------------------- https://www.trendmicro.com/en_us/research/25/j/how-vidar-stealer-2-upgrades… ∗∗∗ Sicherheitsupdate: Unberechtigte Zugriffe auf Zyxel-Firewalls möglich ∗∗∗ --------------------------------------------- Angreifer können bestimmte Firewalls von Zyxel attackieren. Angriffe sind aber nicht ohne Weiteres möglich. --------------------------------------------- https://heise.de/-10794033 ∗∗∗ Schwachstelle in Rust-Library für tar-Archive entdeckt ∗∗∗ --------------------------------------------- Die Library async-tar und ihre Forks enthalten eine als TARmageddon benannte Schwachstelle. Der am weitesten verbreitete Fork tokio-tar bekommt keinen Patch. --------------------------------------------- https://heise.de/-10793899 ∗∗∗ Prompt injection to RCE in AI agents ∗∗∗ --------------------------------------------- We bypassed human approval protections for system command execution in AI agents, achieving RCE in three agent platforms. --------------------------------------------- https://blog.trailofbits.com/2025/10/22/prompt-injection-to-rce-in-ai-agent… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (inih, mingw-exiv2, and mod_http2), SUSE (ffmpeg-4, kernel, libqt5-qtbase, protobuf, python-ldap, and python313), and Ubuntu (erlang, ffmpeg, linux, linux-aws, linux-gcp, linux-oem-6.14, linux-oracle, linux-oracle-6.14, linux-raspi, linux-realtime, linux-aws, linux-azure, linux-azure-6.14, linux-azure-nvidia-6.14, linux-azure-fips, linux-oracle-5.4, and linux-realtime-6.14). --------------------------------------------- https://lwn.net/Articles/1042911/ ∗∗∗ Multiple stored cross-site scripting vulnerabilities in Movable Type ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN24333679/ ∗∗∗ Oracle Critical Patch Update Advisory - October 2025 ∗∗∗ --------------------------------------------- https://www.oracle.com/security-alerts/cpuoct2025.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 21.10.2025
by Daily end-of-shift report 21 Oct '25

21 Oct '25

===================== = End-of-Day report = ===================== Timeframe: Montag 20-10-2025 18:00 − Dienstag 21-10-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Guenes Holler ===================== = News = ===================== ∗∗∗ The evolving landscape of email phishing attacks: how threat actors are reusing and refining established techniques ∗∗∗ --------------------------------------------- Common email phishing tactics in 2025 include PDF attachments with QR codes, password-protected PDF documents, calendar phishing, and advanced websites that validate email addresses. --------------------------------------------- https://securelist.com/email-phishing-techniques-2025/117801/ ∗∗∗ Inside the attack chain: Threat activity targeting Azure Blob Storage ∗∗∗ --------------------------------------------- Azure Blob Storage is a high-value target for threat actors due to its critical role in storing and managing massive amounts of unstructured data at scale across diverse workloads and is increasingly targeted through sophisticated attack chains that exploit misconfigurations, exposed credentials, and evolving cloud tactics. [..] Therefore, in this blog, we outline some of the unique threats associated with the data storage layer, including relevant stages of the attack chain for Blob Storage to connect these risks to actionable Azure Security controls and applicable security recommendations. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2025/10/20/inside-the-attack-… ∗∗∗ PolarEdge Targets Cisco, ASUS, QNAP, Synology Routers in Expanding Botnet Campaign ∗∗∗ --------------------------------------------- Cybersecurity researchers have shed light on the inner workings of a botnet malware called PolarEdge. PolarEdge was first documented by Sekoia in February 2025, attributing it to a campaign targeting routers from Cisco, ASUS, QNAP, and Synology with the goal of corralling them into a network for an as-yet-undetermined purpose. [..] There is evidence to suggest that the activity involving the malware may have started as far back as June 2023. --------------------------------------------- https://thehackernews.com/2025/10/polaredge-targets-cisco-asus-qnap.html ∗∗∗ Stop payroll diversion scams before they start ∗∗∗ --------------------------------------------- Scammers send emails to the payroll team in an attempt to change an unlucky employee’s banking details. They harvest LinkedIn for details about potential victims. --------------------------------------------- https://www.pentestpartners.com/security-blog/stop-payroll-diversion-scams-… ∗∗∗ GlassWorm – Self-Propagating VSCode Extension Worm ∗∗∗ --------------------------------------------- Seven OpenVSX extensions were compromised on October 17, 2025, with 35,800 total downloads, and ten extensions were still actively distributing malware two days later. [..] On October 19, a new infected extension was detected in Microsoft’s VSCode marketplace and it’s stiill active. --------------------------------------------- https://www.truesec.com/hub/blog/glassworm-self-propagating-vscode-extension ∗∗∗ Reducing abuse of Microsoft 365 Exchange Online’s Direct Send ∗∗∗ --------------------------------------------- Cisco Talos has observed increased activity by malicious actors leveraging Direct Send as part of phishing campaigns. Heres how to strengthen your defenses. --------------------------------------------- https://blog.talosintelligence.com/reducing-abuse-of-microsoft-365-exchange… ∗∗∗ Sicherheitsleck in Dolby Digital Plus Decoder in Android, iOS, macOS und Windows ∗∗∗ --------------------------------------------- Eine Sicherheitslücke im Dolby Digital Plus Unified Decoder machte Android, iOS, macOS und Windows anfällig für Angriffe. Sie ermöglichte etwa Zero-Click-Attacken auf Android-Geräte. --------------------------------------------- https://heise.de/-10793034 ===================== = Vulnerabilities = ===================== ∗∗∗ Xen Security Advisory CVE-2025-58147,CVE-2025-58148 / XSA-475 ∗∗∗ --------------------------------------------- A buggy or malicious guest can cause Denial of Service (DoS) affecting the entire host, information leaks, or elevation of privilege. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-475.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (.NET 8.0, firefox, kernel, kernel-rt, libssh, and perl-JSON-XS), Debian (ark and libphp-adodb), Fedora (chromium and gi-docgen), Mageia (quictls), Oracle (.NET 8.0, .NET 9.0, firefox, httpd, kernel, libsoup3, libssh, microcode_ctl, and webkit2gtk3), SUSE (go1.24, go1.25, krb5, python-ldap, and webkit2gtk3), and Ubuntu (gst-plugins-base1.0, linux, linux-aws, linux-gcp, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-xilinx-zynqmp, linux-fips, linux-aws-fips, linux-azure-fips, linux-gcp-fips, linux-intel-iot-realtime, linux-realtime, and python-ldap). --------------------------------------------- https://lwn.net/Articles/1042822/ ∗∗∗ Zahlreiche Schwachstellen in EfficientLab WorkExaminer Professional ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/zahlreiche-schwachste… ∗∗∗ Oxford Nanopore Technologies MinKNOW ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-294-01 ∗∗∗ Rockwell Automation Compact GuardLogix 5370 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-294-02 ∗∗∗ Rockwell Automation 1783-NATR ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-294-01 ∗∗∗ CloudEdge Online Cameras and App ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-294-05 ∗∗∗ Raisecomm RAX701-GC Series ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-294-06 ∗∗∗ Zyxel security advisory for post-authentication command injection and missing authorization vulnerabilities in ZLD firewalls ∗∗∗ --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 20.10.2025
by Daily end-of-shift report 20 Oct '25

20 Oct '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 17-10-2025 18:00 − Montag 20-10-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Google ads for fake Homebrew, LogMeIn sites push infostealers ∗∗∗ --------------------------------------------- A new malicious campaign is targeting macOS developers with fake Homebrew, LogMeIn, and TradingView platforms that deliver infostealing malware like AMOS (Atomic macOS Stealer) and Odyssey. --------------------------------------------- https://www.bleepingcomputer.com/news/security/google-ads-for-fake-homebrew… ∗∗∗ Fake-Shops, Phishing, Identitätsdiebstahl: „Die Bedrohungslage ist ernst“ ∗∗∗ --------------------------------------------- Eine Studie im Auftrag von A1 zeigt, dass vor allem junge Menschen ihre Kompetenz im Bereich Cybersecurity als gering einschätzen. --------------------------------------------- https://futurezone.at/digital-life/fake-shops-phishing-identitaetsdiebstahl… ∗∗∗ Internetanschluss: Millionen Balkonkraftwerke als Einfallstor für Hacker ∗∗∗ --------------------------------------------- 1,17 Millionen Balkonkraftwerke in Deutschland sind online - und damit verwundbar. Ein Sicherheitsexperte hat einige Sicherheitslücken gefunden. --------------------------------------------- https://www.golem.de/news/internetanschluss-millionen-balkonkraftwerke-als-… ∗∗∗ Russische Cyberkriminelle: Durchorganisiert und technisch spitze ∗∗∗ --------------------------------------------- Der russische Cyberuntergrund besitzt herausragende technische Fähigkeiten. Gruppen organisieren und vernetzen sich wie Unternehmen - doch es gibt Bruchlinien. --------------------------------------------- https://www.golem.de/news/russische-cyberkriminelle-durchorganisiert-und-te… ∗∗∗ Cyberangriff bei Auktionshaus Sothebys ∗∗∗ --------------------------------------------- Bei Sothebys kommen teuerste Kunst- und Luxusgegenstände unter den Hammer. Jetzt gerieten personenbezogene Daten in die Hände von Kriminellen. --------------------------------------------- https://www.heise.de/news/Cyberangriff-bei-Auktionshaus-Sotheby-s-10778385.… ∗∗∗ Moxa Router: Hartkodierte Zugangsdaten ermöglichen Angreifern Vollzugriff ∗∗∗ --------------------------------------------- Patches schließen mehrere Schwachstellen in Security Appliances und Routern von Moxa. Bislang gibt es keine Hinweise auf Attacken. --------------------------------------------- https://www.heise.de/news/Moxa-Router-Hartkodierte-Zugangsdaten-ermoegliche… ∗∗∗ Verschlüsselnde USB-Sticks von Verbatim bleiben unsicher ∗∗∗ --------------------------------------------- Die Keypad-Datenträger von Verbatim sollen Daten vor Diebstahl schützen. Das funktioniert allerdings auch nach Firmware-Updates nicht zuverlässig. --------------------------------------------- https://www.heise.de/news/Verschluesselnde-USB-Sticks-von-Verbatim-bleiben-… ∗∗∗ #10TageGegenPhishing: Achtung Telefonbetrug! So gehen die Kriminellen vor ∗∗∗ --------------------------------------------- Immer wieder versuchen Kriminelle, Menschen am Telefon zu täuschen. Dabei geben sie sich als Mitarbeiter:innen von Banken oder bekannten Unternehmen wie Microsoft, PayPal, Amazon oder Apple aus. Ziel ist es, an sensible Daten, Zugänge oder direkt an Geld zu gelangen. --------------------------------------------- https://www.watchlist-internet.at/news/10tage-telefonbetrug/ ∗∗∗ #10TageGegenPhishing: Der „Recovery Scam“ nimmt frühere Opfer erneut ins Visier ∗∗∗ --------------------------------------------- Wenn Kriminelle sich direkt mit dem Versprechen an ehemalige Opfer wenden, gestohlenes Geld oder Krypto-Guthaben zurückzuholen, spricht man von Recovery Scam. Die Betrüger:innen geben sich dabei als Behörde, Agentur oder eine ähnliche Institution aus. Für die Auswahl ihrer Ziele greifen sie auch auf ihre eigenen Datenbanken zurück. --------------------------------------------- https://www.watchlist-internet.at/news/10tage-recovery-scam/ ∗∗∗ Peking schlägt Alarm: US-Spionage bei chinesischer Forschungseinrichtung ∗∗∗ --------------------------------------------- Chinas Staatssicherheitsdienst wirft der NSA monatelange Cyberangriffe auf das Nationale Zeitdienstzentrum vor --------------------------------------------- https://www.derstandard.at/story/3000000292602/peking-schlaegt-alarm-us-spi… ∗∗∗ SAP behebt schwerwiegende Sicherheitslücken in mehreren Produkten ∗∗∗ --------------------------------------------- Im Rahmen des regulären Oktober-Patchday hat SAP insgesamt 13 Updates für Schwachstellen in seinen Produkten veröffentlicht. Besonders hervorzuheben sind dabei folgende Lücken: CVE-2025-42944, CVSS 10.0, ist eine Deserialization in SAP NetWeaver, mittels welcher unauthentifizierte Angreifer:innen betroffene Systeme vollständig kompromittieren können. Dieses Problem wurde bereits im vergangenen Monat durch SAP adressiert, laut Sicherheitsforscher:innen bietet das .. --------------------------------------------- https://www.cert.at/de/aktuelles/2025/10/sap-behebt-schwerwiegende-sicherhe… ∗∗∗ She Sells Web Shells by the Seashore (Part III) ∗∗∗ --------------------------------------------- The web shell starts by initializing a PHP session[1]: if the session already exists, the variables are retrieved in the dictionary $_SESSION, .. --------------------------------------------- https://www.truesec.com/hub/blog/she-sells-web-shells-by-the-seashore-part-… ∗∗∗ KI-Angriffsmethode "Lies-in-the-Loop" ∗∗∗ --------------------------------------------- Schritt für Schritt werden immer mehr Angriffsmethoden für AI-Modelle entdeckt bzw. bekannt. Das Research Team Checkmarx Zero hat eine neue Angriffsmethode gegen KI-Agenten identifiziert, die mit Human-in-the-Loop-Mechanismen arbeiten: Die Researcher sprechen von "Lies-in-the-Loop" (LITL). Die Information liegt .. --------------------------------------------- https://www.borncity.com/blog/2025/10/18/ki-angriffsmethode-lies-in-the-loo… ∗∗∗ To Be (A Robot) or Not to Be: New Malware Attributed to Russia State-Sponsored COLDRIVER ∗∗∗ --------------------------------------------- COLDRIVER, a Russian state-sponsored threat group known for targeting high profile individuals in NGOs, policy advisors and dissidents, swiftly shifted operations after the May 2025 public disclosure of its LOSTKEYS malware, operationalizing new malware families five days later. It is unclear how long COLDRIVER had this malware in .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/new-malware-russia… ∗∗∗ 131 Spamware Extensions Targeting WhatsApp Flood Chrome Web Store ∗∗∗ --------------------------------------------- This cluster of Chrome extensions comprises 131 rebrands of a single tool, all sharing the same codebase, design patterns, and infrastructure. They are not classic malware, but they function as high-risk spam automation that abuses platform rules. The code injects directly into the WhatsApp Web page, running alongside WhatsApp’s own scripts, .. --------------------------------------------- https://socket.dev/blog/131-spamware-extensions-targeting-whatsapp-flood-ch… ∗∗∗ Lessons from the BlackBasta Ransomware Attack on Capita ∗∗∗ --------------------------------------------- When a company that manages data for millions of UK citizens falls victim to ransomware, the whole industry should pay attention to it. On 15 October 2025, the UK Information Commissioner’s Office (ICO) published a detailed 136 page report about the Capita breach. The aim of this blog is to extract actionable cybersecurity lessons .. --------------------------------------------- https://blog.bushidotoken.net/2025/10/lessons-from-blackbasta-ransomware.ht… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (imagemagick, incus, lxd, pgagent, svgpp, and sysstat), Fedora (chromium, complyctl, fetchmail, firefox, mbedtls, mingw-binutils, mingw-python3, mingw-qt5-qtsvg, mingw-qt6-qtsvg, python3.10, python3.11, python3.12, python3.9, runc, and suricata), Mageia (expat), Red Hat (firefox, kernel, qt5-qtbase, and qt6-qtbase), Slackware (stunnel), SUSE (chromium, coredns, ctdb, firefox, kernel, libexslt0, libpoppler-cpp2, ollama, openssl-1_1, pam, samba, .. --------------------------------------------- https://lwn.net/Articles/1042680/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 17.10.2025
by Daily end-of-shift report 17 Oct '25

17 Oct '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 16-10-2025 18:00 − Freitag 17-10-2025 18:00 Handler: Guenes Holler Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Microsoft: Office 2016 and Office 2019 have reached end of support ∗∗∗ --------------------------------------------- Microsoft reminded customers this week that Office 2016 and Office 2019 have reached the end of extended support on October 14, 2025. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-office-2016-and-o… ∗∗∗ Hackers exploit Cisco SNMP flaw to deploy rootkit on switches ∗∗∗ --------------------------------------------- Threat actors exploited a recently patched remote code execution vulnerability (CVE-2025-20352) in Cisco networking devices to deploy a rootkit and target unprotected Linux systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-exploit-cisco-snmp-f… ∗∗∗ Post-exploitation framework now also delivered via npm ∗∗∗ --------------------------------------------- The npm registry contains a malicious package that downloads the AdaptixC2 agent onto victims devices, Kaspersky experts have found. The threat targets Windows, Linux, and macOS. --------------------------------------------- https://securelist.com/adaptixc2-agent-found-in-an-npm-package/117784/ ∗∗∗ A Surprising Amount of Satellite Traffic Is Unencrypted ∗∗∗ --------------------------------------------- We pointed a commercial-off-the-shelf satellite dish at the sky and carried out the most comprehensive public study to date of geostationary satellite communication. A shockingly large amount of sensitive traffic is being broadcast unencrypted, including critical infrastructure, internal corporate and government communications, private citizens’ voice calls .. --------------------------------------------- https://www.schneier.com/blog/archives/2025/10/a-surprising-amount-of-satel… ∗∗∗ Microsoft Revokes 200 Fraudulent Certificates Used in Rhysida Ransomware Campaign ∗∗∗ --------------------------------------------- Microsoft on Thursday disclosed that it revoked more than 200 certificates used by a threat actor it tracks as Vanilla Tempest to fraudulently sign malicious binaries in ransomware attacks.The certificates were "used in fake Teams setup files to .. --------------------------------------------- https://thehackernews.com/2025/10/microsoft-revokes-200-fraudulent.html ∗∗∗ Researchers Uncover WatchGuard VPN Bug That Could Let Attackers Take Over Devices ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed details of a recently patched critical security flaw in WatchGuard Fireware that could allow unauthenticated attackers to execute arbitrary code.The vulnerability, tracked as CVE-2025-9242 (CVSS score: 9.3), is .. --------------------------------------------- https://thehackernews.com/2025/10/researchers-uncover-watchguard-vpn-bug.ht… ∗∗∗ Why the F5 Hack Created an ‘Imminent Threat’ for Thousands of Networks ∗∗∗ --------------------------------------------- Networking software company F5 disclosed a long-term breach of its systems this week. The fallout could be severe. --------------------------------------------- https://www.wired.com/story/f5-hack-networking-software-big-ip/ ∗∗∗ Cyberkriminelle erbeuten Kundendaten von Modekonzern Mango ∗∗∗ --------------------------------------------- Kundendaten von Mango geklaut – jetzt warnt der Modekonzern vor gefälschten E-Mails und Anrufen. Was Betroffene jetzt wissen müssen. --------------------------------------------- https://www.heise.de/news/Cyberkriminelle-erbeuten-Kundendaten-von-Modekonz… ∗∗∗ IP-Telefonie: Cisco und Ubiquiti stellen Sicherheits-Updates bereit ∗∗∗ --------------------------------------------- Aktualisierungen für Ubiquitis UniFi Talk sowie für mehrere IP-Telefonserien von Cisco schließen Sicherheitslücken mit "High"-Einstufung. --------------------------------------------- https://www.heise.de/news/IP-Telefonie-Cisco-und-Ubiquiti-stellen-Sicherhei… ∗∗∗ Email Bombs Exploit Lax Authentication in Zendesk ∗∗∗ --------------------------------------------- Cybercriminals are abusing a widespread lack of authentication in the customer service platform Zendesk to flood targeted email inboxes with menacing messages that come from hundreds of Zendesk corporate customers simultaneously. --------------------------------------------- https://krebsonsecurity.com/2025/10/email-bombs-exploit-lax-authentication-… ∗∗∗ Threat Brief: Nation-State Actor Steals F5 Source Code and Undisclosed Vulnerabilities ∗∗∗ --------------------------------------------- A nation-state actor stole BIG-IP source code and information on undisclosed vulnerabilities from F5. We explain what sets this theft apart from others. --------------------------------------------- https://unit42.paloaltonetworks.com/nation-state-threat-actor-steals-f5-sou… ∗∗∗ A review of the “Concluding report of the High-Level Group on access to data for effective law enforcement” ∗∗∗ --------------------------------------------- As I’ve written here, the EU unveiled a roadmap for addressing the encryption woes of law enforcement agencies in June 2025. As a preparation for this push, a “High-Level Group on access to data for effective .. --------------------------------------------- https://www.cert.at/en/blog/2025/10/hlg-paper-review ∗∗∗ European police bust network selling thousands of phone numbers to scammers ∗∗∗ --------------------------------------------- Authorities raided a "SIM farm" operation that used tens of thousands of cards to enable fraud in several European countries, including Latvia and Austria. --------------------------------------------- https://therecord.media/europe-sim-farms-raided-latvia-austria-estonia ∗∗∗ .NET Security Group: Partnerunternehmen erhalten frühzeitig Security-Patches ∗∗∗ --------------------------------------------- Unternehmen mit eigener .NET-Distribution können der bestehenden Sicherheitsgruppe beitreten und frühzeitig Patches für Sicherheitslücken einbinden. --------------------------------------------- https://heise.de/-10773932 ∗∗∗ How I Almost Got Hacked By A Job Interview ∗∗∗ --------------------------------------------- I was 30 seconds away from running malware on my machine. The attack vector? A fake coding interview from a "legitimate" blockchain company. Here's how a sophisticated scam operation almost got me, and why every developer needs to read this. --------------------------------------------- https://blog.daviddodda.com/how-i-almost-got-hacked-by-a-job-interview ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (kernel and libssh), Debian (firefox-esr and pgpool2), Mageia (varnish & lighttpd), Red Hat (python3, python3.11, python3.12, python3.9, and python39:3.9), SUSE (expat, gstreamer-plugins-rs, kernel, openssl1, pgadmin4, python311-ldap, and squid), and Ubuntu (dotnet8, dotnet9, dotnet10 and mupdf). --------------------------------------------- https://lwn.net/Articles/1042452/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 16.10.2025
by Daily end-of-shift report 16 Oct '25

16 Oct '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 15-10-2025 18:00 − Donnerstag 16-10-2025 18:00 Handler: Guenes Holler Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Fake LastPass, Bitwarden breach alerts lead to PC hijacks ∗∗∗ --------------------------------------------- An ongoing phishing campaign is targeting LastPass and Bitwarden users with fake emails claiming that the companies were hacked, urging them to download a supposedly more secure desktop version of the password manager. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-lastpass-bitwarden-brea… ∗∗∗ LinkPro Linux Rootkit Uses eBPF to Hide and Activates via Magic TCP Packets ∗∗∗ --------------------------------------------- An investigation into the compromise of an Amazon Web Services (AWS)-hosted infrastructure has led to the discovery of a new GNU/Linux rootkit dubbed LinkPro, according to findings from Synacktiv. --------------------------------------------- https://thehackernews.com/2025/10/linkpro-linux-rootkit-uses-ebpf-to-hide.h… ∗∗∗ Scammers are still sending us their fake Robinhood security alerts ∗∗∗ --------------------------------------------- A short while ago, our friends at Malwaretips wrote about a text scam impersonating Robinhood, a popular US-based investment app that lets people trade stocks and cryptocurrencies. The scam warns users about supposed “suspicious activity” on their accounts. --------------------------------------------- https://www.malwarebytes.com/blog/news/2025/10/scammers-are-still-sending-u… ∗∗∗ BeaverTail and OtterCookie evolve with a new Javascript module ∗∗∗ --------------------------------------------- Cisco Talos has uncovered a new attack linked to Famous Chollima, a threat group aligned with North Korea. --------------------------------------------- https://blog.talosintelligence.com/beavertail-and-ottercookie/ ∗∗∗ GreyNoise’s Recent Observations Around F5 ∗∗∗ --------------------------------------------- Amid the security incident involving F5 BIG-IP announced on 15 October 2025, GreyNoise is sharing recent insights into activity targeting BIG-IP to aid in defensive posturing. --------------------------------------------- https://www.greynoise.io/blog/recent-observations-around-f5 ∗∗∗ DPRK Adopts EtherHiding: Nation-State Malware Hiding on Blockchains ∗∗∗ --------------------------------------------- Google Threat Intelligence Group (GTIG) has observed the North Korea (DPRK) threat actor UNC5342 using ‘EtherHiding’ to deliver malware and facilitate cryptocurrency theft, the first time GTIG has observed a nation-state actor adopting this method. This post is part of a two-part blog series on adversaries using EtherHiding, a technique that leverages transactions on public blockchains to store and retrieve malicious payloads—notable for its resilience against conventional takedown and blocklisting efforts. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/dprk-adopts-etherh… ∗∗∗ yIKEs (WatchGuard Fireware OS IKEv2 Out-of-Bounds Write CVE-2025-9242) ∗∗∗ --------------------------------------------- Today is the 8th of November 1996, and we’re thrilled to be exploring this new primitive we call Stack-based Buffer Overflows. It’s a great time to be alive, especially because we don’t have to deal with any of the pain of modern/not-so-modern mitigations. Oh no, wait, it’s 2025 and we are still seeing Stack-based Buffer Overflows in enterprise-grade appliances, and of course, lacking mainstream exploit mitigations. --------------------------------------------- https://labs.watchtowr.com/yikes-watchguard-fireware-os-ikev2-out-of-bounds… ∗∗∗ US-Forscher belauschen unverschlüsselte Satellitenkommunikation ∗∗∗ --------------------------------------------- US-Forscher haben mit handelsüblicher Ausrüstung den Datenverkehr über Satelliten untersucht. Viele, auch sicherheitsrelevante Daten waren unverschlüsselt. --------------------------------------------- https://heise.de/-10767623 ∗∗∗ Handy-Spionage mit SS7: Tausende Opfer wurden wohl ausgespäht ∗∗∗ --------------------------------------------- Ein österreichisch-indonesisches Unternehmen bietet die Überwachung von Mobilfunkkunden an. Malware ist dafür nicht nötig, aber weitreichender Netzzugriff. --------------------------------------------- https://heise.de/-10767347 ===================== = Vulnerabilities = ===================== ∗∗∗ Gladinet fixes actively exploited zero-day in file-sharing software ∗∗∗ --------------------------------------------- Gladinet has released security updates for its CentreStack business solution to address a local file inclusion vulnerability (CVE-2025-11371) that threat actors have leveraged as a zero-day since late September. --------------------------------------------- https://www.bleepingcomputer.com/news/security/gladinet-fixes-actively-expl… ∗∗∗ Chrome, Firefox und Thunderbird: Updates beseitigen potenzielle Einfallstore ∗∗∗ --------------------------------------------- Sowohl für Mozillas Firefox und Thunderbird als auch für Googles Chrome-Browser gibt es Aktualisierungen. Kritische Schwachstellen wurden nicht geschlossen – wohl aber einige Lücken mit "High"-Einstufung, die Cybergangster ausnutzen könnten. --------------------------------------------- https://www.heise.de/news/Chrome-Firefox-und-Thunderbird-Updates-beseitigen… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (kernel and libsoup3), Debian (chromium and firefox-esr), Fedora (httpd), Oracle (cups, ImageMagick, kernel, and vim), Red Hat (libssh), Slackware (samba), SUSE (alloy, exim, firefox-esr, ImageMagick, kernel, libcryptopp-devel, libQt6Svg6, libsoup-3_0-0, libtiff-devel-32bit, lsd, python3-gi-docgen, python311-Authlib, qt6-base, samba, and squid), and Ubuntu (ffmpeg, linux-oracle-6.8, redict, redis, samba, and subversion). --------------------------------------------- https://lwn.net/Articles/1042330/ ∗∗∗ CVE-2025-55315: Microsoft kills 9.9-rated ASP.NET Core bug – our highest ever score ∗∗∗ --------------------------------------------- Microsoft has patched an ASP.NET Core vulnerability with a CVSS score of 9.9, which security program manager Barry Dorrans said was "our highest ever." The flaw is in the Kestrel web server component and enables security bypass. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/10/16/microsoft_as… ∗∗∗ Samba bei bestimmter Konfiguration über kritische Lücke angreifbar ∗∗∗ --------------------------------------------- Bei aktiviertem WINS-Support können Angreifer unter bestimmten Voraussetzungen Befehle aus der Ferne ausführen. Es gibt wichtige Patches und einen Workaround. --------------------------------------------- https://heise.de/-10773288 ∗∗∗ Open PLC and Planet vulnerabilities ∗∗∗ --------------------------------------------- Cisco Talos’ Vulnerability Discovery & Research team recently disclosed one vulnerability in the OpenPLC logic controller and four vulnerabilities in the Planet WGR-500 router. --------------------------------------------- https://blog.talosintelligence.com/open-plc-and-planet-vulnerabilities/ ∗∗∗ Phoenix Contact CHARX SEC-3xxx vulnerable to code injection ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN42282226/ ∗∗∗ Cisco Desk Phone 9800 Series, IP Phone 7800 and 8800 Series, and Video Phone 8875 with SIP Software Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Multiple Cisco Products Snort 3 MIME Denial of Service Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco TelePresence Collaboration Endpoint and RoomOS Software Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS XE Software Secure Boot Bypass Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ K000156944: Intel vulnerability CVE-2025-20093 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000156944 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 15.10.2025
by Daily end-of-shift report 15 Oct '25

15 Oct '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 14-10-2025 18:00 − Mittwoch 15-10-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ F5 says hackers stole undisclosed BIG-IP flaws, source code ∗∗∗ --------------------------------------------- U.S. cybersecurity company F5 disclosed that nation-state hackers breached its systems and stole undisclosed BIG-IP security vulnerabilities and source code. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-breach-f5-to-steal-u… ∗∗∗ Exploit-as-a-Service Resurgence in 2025 – Broker Models, Bundles & Subscription Access ∗∗∗ --------------------------------------------- Exploit-as-a-Service in 2025: how exploit brokerages, subscription bundles, and underground access models are reshaping cyber crime economics. --------------------------------------------- https://www.darknet.org.uk/2025/10/exploit-as-a-service-resurgence-in-2025-… ∗∗∗ Microsoft: Exchange 2016 and 2019 have reached end of support ∗∗∗ --------------------------------------------- Microsoft has reminded that Exchange Server 2016 and 2019 reached the end of support and advised IT administrators to upgrade servers to Exchange Server SE or migrate to Exchange Online. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-2016-and… ∗∗∗ Microsoft signalisiert Windows 10 21H2 Enterprise LTSC als EOL ∗∗∗ --------------------------------------------- Kurze Information an Besitzer bzw. Administratoren von Windows 10 21H2 Enterprise LTSC (und natürlich der IoT-Version). Administratoren dieser Maschinen erhalten (fälschlich) die Information angezeigt, dass der Support für diese Version nun ende. --------------------------------------------- https://www.borncity.com/blog/2025/10/15/mega-pleite-microsoft-signalisiert… ∗∗∗ Oops! Its a kernel stack use-after-free: Exploiting NVIDIAs GPU Linux drivers ∗∗∗ --------------------------------------------- This article details two bugs discovered in the NVIDIA Linux Open GPU Kernel Modules and demonstrates how they can be exploited. [..] They were reported to NVIDIA and the vendor issued fixes in their NVIDIA GPU Display Drivers update of October 2025. --------------------------------------------- http://blog.quarkslab.com/nvidia_gpu_kernel_vmalloc_exploit.html ∗∗∗ Credential Attacks Detected on SonicWall SSLVPN Devices ∗∗∗ --------------------------------------------- A managed security services provider has detected credential attacks on SonicWall SSLVPN devices. The attacks, reported by Huntress, involve “widespread compromise” of SonicWall SSLVPN devices. [..] The report follows a SonicWall advisory that an unauthorized party had accessed firewall configuration backup files for all SonicWall customers who have used the company’s cloud backup service. --------------------------------------------- https://thecyberexpress.com/credential-attacks-on-sonicwall-sslvpn-devices/ ∗∗∗ Dismantling a Critical Supply Chain Risk in VSCode Extension Marketplaces ∗∗∗ --------------------------------------------- Wiz Research identified a pattern of secret leakage by publishers of VSCode IDE Extensions. This occurred across both the VSCode and Open VSX marketplaces, the latter of which is used by AI-powered VSCode forks like Cursor and Windsurf. Critically, in over a hundred cases this included leakage of access tokens granting the ability to update the extension itself. [..] An attacker who discovered this issue would have been able to directly distribute malware to the cumulative 150,000 install base. --------------------------------------------- https://www.wiz.io/blog/supply-chain-risk-in-vscode-extension-marketplaces ∗∗∗ LinkPro: eBPF rootkit analysis ∗∗∗ --------------------------------------------- eBPF (extended Berkeley Packet Filter) is a technology adopted in Linux for its numerous use cases (observability, security, networking, etc.) and its ability to run in the kernel context while being orchestrated from user space. Threat actors are increasingly abusing it to create sophisticated backdoors and evade traditional system monitoring tools. --------------------------------------------- https://www.synacktiv.com/en/publications/linkpro-ebpf-rootkit-analysis.html ===================== = Vulnerabilities = ===================== ∗∗∗ Patchday XXL: Microsoft schließt teils aktiv attackierte Schwachstellen ∗∗∗ --------------------------------------------- Mit mehr als 170 geschlossenen Sicherheitslücken ist Microsofts Patchday diesen Monat überdurchschnittlich umfangreich ausgefallen. Gleich 17 Fixes für kritische Lücken stehen unter anderem für Azure, Copilot, Office sowie den Windows Server Update Service (WSUS) bereit. Überdies machen drei aktiv angegriffene Schwachstellen mit "Important"-Einstufung das (bestenfalls automatische) Einspielen der verfügbaren Updates besonders dringlich. --------------------------------------------- https://heise.de/-10764876 ∗∗∗ Patchday: Adobe schließt kritische Lücken in mehreren Produkten ∗∗∗ --------------------------------------------- Gefährliche Lücken stecken unter anderem in Substance 3D Stager, Connect, Dimension und Illustrator. Aktuelle Security-Fixes schließen sie. --------------------------------------------- https://www.heise.de/news/Patchday-Adobe-schliesst-kritische-Luecken-in-meh… ∗∗∗ Fortinet aktualisiert unter anderem FortiOS, FortiPAM und FortiSwitch Manager ∗∗∗ --------------------------------------------- Mit dem Schweregrad "High" bewertet wurden Schwachstellen in FortiOS, FortiPAM, FortiSwitch Manager, FortiDLP, Fortilsolator sowie im FortiClient Mac. [..] Zur unbefugten Ausführung von Systembefehlen per Kommandozeile könnten lokale, authentifizierte Angreifer die Schwachstelle CVE-2025-58325 ("Restricted CLI command bypass"; CVSS-Score 7.8) missbrauchen. --------------------------------------------- https://www.heise.de/news/Fortinet-aktualisiert-unter-anderem-FortiOS-Forti… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (kernel, kernel-rt, vim, and webkit2gtk3), Debian (distro-info-data, https-everywhere, and php-horde-css-parser), Fedora (inih, mingw-exiv2, mirrorlist-server, rust-maxminddb, rust-monitord-exporter, rust-prometheus, rust-prometheus_exporter, rust-protobuf, rust-protobuf-codegen, rust-protobuf-parse, and rust-protobuf-support), Mageia (fetchmail), Oracle (gnutls, kernel, vim, and webkit2gtk3), Red Hat (kernel, kernel-rt, and webkit2gtk3), Slackware (mozilla), SUSE (curl, libxslt, and net-tools), and Ubuntu (linux-azure-5.15, linux-azure-6.8, linux-azure-fips, linux-oracle, linux-oracle-6.14, and linux-raspi). --------------------------------------------- https://lwn.net/Articles/1042076/ ∗∗∗ Google Chrome: Stable Channel Update for Desktop ∗∗∗ --------------------------------------------- http://chromereleases.googleblog.com/2025/10/stable-channel-update-for-desk… ∗∗∗ Rockwell Automation 1715 EtherNet/IP Comms Module ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-287-01 ∗∗∗ F5: K000156572: Quarterly Security Notification (October 2025) ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000156572 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 14.10.2025
by Daily end-of-shift report 14 Oct '25

14 Oct '25

===================== = End-of-Day report = ===================== Timeframe: Montag 13-10-2025 18:00 − Dienstag 14-10-2025 18:00 Handler: Guenes Holler Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hackers can steal 2FA codes and private messages from Android phones ∗∗∗ --------------------------------------------- Android devices are vulnerable to a new attack that can covertly steal two-factor authentication codes, location timelines, and other private data in less than 30 seconds. --------------------------------------------- https://arstechnica.com/security/2025/10/no-fix-yet-for-attack-that-lets-ha… ∗∗∗ Chinese hackers abuse geo-mapping tool for year-long persistence ∗∗∗ --------------------------------------------- Chinese state hackers remained undetected in a target environment for more than a year by turning a component in the ArcGIS geo-mapping tool into a web shell. --------------------------------------------- https://www.bleepingcomputer.com/news/security/chinese-hackers-abuse-geo-ma… ∗∗∗ Secure Boot bypass risk on nearly 200,000 Linux Framework sytems ∗∗∗ --------------------------------------------- Around 200,000 Linux computer systems from American computer maker Framework were shipped with signed UEFI shell components that could be exploited to bypass Secure Boot protections. An attacker could take advantage to load bootkits (e.g. BlackLotus, HybridPetya, and Bootkitty) that can evade OS-level security controls and persist across OS re-installs. --------------------------------------------- https://www.bleepingcomputer.com/news/security/secure-boot-bypass-risk-on-n… ∗∗∗ Researchers Expose TA585’s MonsterV2 Malware Capabilities and Attack Chain ∗∗∗ --------------------------------------------- Cybersecurity researchers have shed light on a previously undocumented threat actor called TA585 that has been observed delivering an off-the-shelf malware called MonsterV2 via phishing campaigns. --------------------------------------------- https://thehackernews.com/2025/10/researchers-expose-ta585s-monsterv2.html ∗∗∗ npm, PyPI, and RubyGems Packages Found Sending Developer Data to Discord Channels ∗∗∗ --------------------------------------------- Cybersecurity researchers have identified several malicious packages across npm, Python, and Ruby ecosystems that leverage Discord as a command-and-control (C2) channel to transmit stolen data to actor-controlled webhooks. --------------------------------------------- https://thehackernews.com/2025/10/npm-pypi-and-rubygems-packages-found.html ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitslücke: Weiterer Notfall-Patch für Oracle E-Business Suite ∗∗∗ --------------------------------------------- Oracle hat ein weiteres außerplanmäßiges Update für die E-Business Suite veröffentlicht. Einer Sicherheitswarnung zufolge lässt sich eine Sicherheitslücke mit der Kennung CVE-2025-61884(öffnet im neuen Fenster) aus der Ferne und ohne Authentifizierung ausnutzen. Angreifer erhalten unter Umständen Zugriff auf vertrauliche Ressourcen. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-weiterer-notfall-patch-fuer-ora… ∗∗∗ SAP-Patchday im Oktober behebt mehrere kritische Schwachstellen ∗∗∗ --------------------------------------------- Jetzt updaten: Unter anderem stehen wichtige Sicherheitsupdates und -hinweise für NetWeaver, Print Service und Supplier Relationship Management bereit. --------------------------------------------- https://www.heise.de/news/SAP-Patchday-im-Oktober-behebt-mehrere-kritische-… ∗∗∗ Jetzt patchen: Veeam Backup & Replication anfällig für Remote Code Execution ∗∗∗ --------------------------------------------- Ein frisch veröffentlichter Patch schützt Veeams Backup-Lösung gleich zweimal vor Codeausführung aus der Ferne. Auch der Agent für Windows wurde abgesichert. --------------------------------------------- https://www.heise.de/news/Jetzt-patchen-Veeam-Backup-Replication-anfaellig-… ∗∗∗ Totgeglaubter Internet Explorer wird zur Sicherheitslücke: Microsoft reagiert ∗∗∗ --------------------------------------------- Nach aktiven Angriffen hat Microsoft den Internet-Explorer-Modus in Edge drastisch eingeschränkt. Angreifer nutzten sogar Zero-Days für Systemübernahmen. --------------------------------------------- https://www.heise.de/news/Gefahr-aus-dem-Grab-Microsoft-verbuddelt-IE-noch-… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ghostscript and libfcgi), Fedora (qt5-qtsvg), Red Hat (kernel, perl-FCGI, perl-FCGI:0.78, and vim), SUSE (bluez, curl, podman, postgresql14, python-xmltodict, and udisks2), and Ubuntu (linux-azure, linux-azure-5.4, linux-azure-fips, linux-oracle, and subversion). --------------------------------------------- https://lwn.net/Articles/1041886/ ∗∗∗ Ivanti: October 2025 Security Update ∗∗∗ --------------------------------------------- https://www.ivanti.com/blog/october-2025-security-update -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 13.10.2025
by Daily end-of-shift report 13 Oct '25

13 Oct '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 10-10-2025 18:01 − Montag 13-10-2025 18:00 Handler: Felician Fuchs Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Oracle releases emergency patch for new E-Business Suite flaw ∗∗∗ --------------------------------------------- Oracle has issued an emergency security update over the weekend to patch another E-Business Suite (EBS) vulnerability that can be exploited remotely by unauthenticated attackers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/oracle-releases-emergency-pa… ∗∗∗ Windows 11 23H2 Home and Pro reach end of support in 30 days ∗∗∗ --------------------------------------------- Microsoft has reminded customers again today that systems running Home and Pro editions of Windows 11 23H2 will stop receiving security updates next month. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/windows-11-23h2-home-and-pr… ∗∗∗ Chinese Hackers Use Velociraptor IR Tool in Ransomware Attacks ∗∗∗ --------------------------------------------- In a new wrinkle for adversary tactics, the Storm-2603 threat group is abusing the digital forensics and incident response (DFIR) tool to gain persistent access to victim networks. --------------------------------------------- https://www.darkreading.com/cybersecurity-operations/chinese-hackers-veloci… ∗∗∗ New Rust-Based Malware "ChaosBot" Uses Discord Channels to Control Victims PCs ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed details of a new Rust-based backdoor called ChaosBot that can allow operators to conduct reconnaissance and execute arbitrary commands on compromised hosts. --------------------------------------------- https://thehackernews.com/2025/10/new-rust-based-malware-chaosbot-hijacks.h… ∗∗∗ Astaroth Banking Trojan Abuses GitHub to Remain Operational After Takedowns ∗∗∗ --------------------------------------------- Cybersecurity researchers are calling attention to a new campaign that delivers the Astaroth banking trojan that employs GitHub as a backbone for its operations to stay resilient in the face of infrastructure takedowns. --------------------------------------------- https://thehackernews.com/2025/10/astaroth-banking-trojan-abuses-github.html ∗∗∗ Microsoft Locks Down IE Mode After Hackers Turned Legacy Feature Into Backdoor ∗∗∗ --------------------------------------------- Microsoft said it has revamped the Internet Explorer (IE) mode in its Edge browser after receiving "credible reports" in August 2025 that unknown threat actors were abusing the backward compatibility feature to gain unauthorized access to users devices. --------------------------------------------- https://thehackernews.com/2025/10/microsoft-locks-down-ie-mode-after.html ∗∗∗ Invoicely Database Leak Exposes 180,000 Sensitive Records ∗∗∗ --------------------------------------------- Cybersecurity researcher Jeremiah Fowler discovered nearly 180,000 files, including PII and banking details, left exposed on an unprotected database linked to the Invoicely platform. Read about the identity theft and financial fraud risks for over 250,000 businesses worldwide. --------------------------------------------- https://hackread.com/invoicely-database-leak-expose-sensitive-records/ ∗∗∗ 100,000+ IP Botnet Launches Coordinated RDP Attack Wave Against US Infrastructure ∗∗∗ --------------------------------------------- Since October 8, 2025, GreyNoise has tracked a coordinated botnet operation involving over 100,000 unique IP addresses from more than 100 countries targeting Remote Desktop Protocol (RDP) services in the United States. --------------------------------------------- https://www.greynoise.io/blog/botnet-launches-coordinated-rdp-attack-wave ∗∗∗ Kundendaten von Qantas im Netz – auch die von Troy Hunt ∗∗∗ --------------------------------------------- Im Juli erbeuteten Angreifer wichtige Daten bei der australischen Airline. Noch ist nicht klar, was davon jetzt im Netz kursiert. --------------------------------------------- https://heise.de/-10750869 ∗∗∗ Critical GitHub Copilot Vulnerability Leaks Private Source Code ∗∗∗ --------------------------------------------- In June 2025, I found a critical vulnerability in GitHub Copilot Chat (CVSS 9.6) that allowed silent exfiltration of secrets and source code from private repos, and gave me full control over Copilot’s responses, including suggesting malicious code or links. --------------------------------------------- https://www.legitsecurity.com/blog/camoleak-critical-github-copilot-vulnera… ∗∗∗ North Korea’s Contagious Interview Campaign Escalates: 338 Malicious npm Packages, 50,000 Downloads ∗∗∗ --------------------------------------------- The Contagious Interview operation continues to weaponize the npm registry with a repeatable playbook. Since our July 14, 2025 update, we have identified and analyzed more than 338 malicious packages with over 50,000 cumulative downloads. --------------------------------------------- https://socket.dev/blog/north-korea-contagious-interview-campaign-338-malic… ===================== = Vulnerabilities = ===================== ∗∗∗ VU#538470: Clevo UEFI firmware embedded BootGuard keys compromising Clevos implementation of BootGuard ∗∗∗ --------------------------------------------- Clevo’s UEFI firmware update packages included sensitive private keys used in their Intel Boot Guard implementation. This accidental exposure of the keys could be abused by an attacker to sign malicious firmware using Clevo’s Boot Guard trust chain, potentially compromising the pre-boot UEFI environment on systems where Clevo’s implementation has been adopted. --------------------------------------------- https://kb.cert.org/vuls/id/538470 ∗∗∗ Oracle Security Alert for CVE-2025-61884 - 11 October 2025 ∗∗∗ --------------------------------------------- This Security Alert addresses vulnerability CVE-2025-61884 in Oracle E-Business Suite. This vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password. If successfully exploited, this vulnerability may allow access to sensitive resources. --------------------------------------------- https://www.oracle.com/security-alerts/alert-cve-2025-61884.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (compat-libtiff3, iputils, kernel, open-vm-tools, and vim), Debian (asterisk, ghostscript, kernel, linux-6.1, and tiff), Fedora (cef, chromium, cri-o1.31, cri-o1.32, cri-o1.33, cri-o1.34, docker-buildx, log4cxx, mingw-poppler, openssl, podman-tui, prometheus-podman-exporter, python-socketio, python3.10, python3.11, python3.12, python3.9, skopeo, and valkey), Mageia (open-vm-tools), Red Hat (compat-libtiff3, kernel, kernel-rt, vim, and webkit2gtk3), and SUSE (distrobuilder, docker-stable, expat, forgejo, forgejo-longterm, gitea-tea, go1.25, haproxy, headscale, open-vm-tools, openssl-3, podman, podofo, ruby3.4-rubygem-rack, and weblate). --------------------------------------------- https://lwn.net/Articles/1041779/ ∗∗∗ Two High Checkmk advisories released ∗∗∗ --------------------------------------------- SBAResearch published the following advisories for checkmk: SBA-ADV-20250724-01: Checkmk Agent Privilege Escalation via Insecure Temporary Files, SBA-ADV-20250730-01: Checkmk Path Traversal. --------------------------------------------- https://github.com/sbaresearch/advisories/commit/e84ca741ae34d372b4f7b294ad… ∗∗∗ Auth Bypass Flaw in Service Finder WordPress Plugin Under Active Exploit ∗∗∗ --------------------------------------------- An Authentication Bypass (CVE-2025-5947) in Service Finder Bookings plugin allows any unauthenticated attacker to log in as an administrator. Over 13,800 exploit attempts detected. Update to v6.1 immediately. --------------------------------------------- https://hackread.com/auth-bypass-service-finder-wordpress-plugin-exploit/ ∗∗∗ BigBlueButton: Update fürs Webkonferenz-System fixt Denial-of-Service-Lücken ∗∗∗ --------------------------------------------- Die Entwickler des quelloffenen Webkonferenz-Systems BigBlueButton (BBB) für Windows- und Linux-Server haben mit einem Update auf Version 3.0.13 mehrere Angriffsmöglichkeiten beseitigt. --------------------------------------------- https://heise.de/-10751398 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 10.10.2025
by Daily end-of-shift report 10 Oct '25

10 Oct '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 09-10-2025 18:01 − Freitag 10-10-2025 18:01 Handler: Guenes Holler Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Discord says hackers stole government IDs of 70,000 users ∗∗∗ --------------------------------------------- Discord says that hackers made off with images of 70,000 users’ government IDs that they were required to provide in order to use the site. --------------------------------------------- https://arstechnica.com/security/2025/10/discord-says-hackers-stole-governm… ∗∗∗ RondoDox botnet targets 56 n-day flaws in worldwide attacks ∗∗∗ --------------------------------------------- A new large-scale botnet called RondoDox is targeting 56 vulnerabilities in more than 30 distinct devices, including flaws first disclosed during Pwn2Own hacking competitions. The attacker focuses on a wide range of exposed devices, including DVRs, NVRs, CCTV systems, and web servers and have been active since June. --------------------------------------------- https://www.bleepingcomputer.com/news/security/rondodox-botnet-targets-56-n… ∗∗∗ GitHub Copilot CamoLeak AI Attack Exfiltrates Data ∗∗∗ --------------------------------------------- Every week or two nowadays, researchers come up with new ways of exploiting agentic AI tools built crudely into software platforms. Since companies are far more concerned with providing AI functionality than they are securing that functionality, there's been ample opportunity for mischief. --------------------------------------------- https://www.darkreading.com/application-security/github-copilot-camoleak-ai… ∗∗∗ From LFI to RCE: Active Exploitation Detected in Gladinet and TrioFox Vulnerability ∗∗∗ --------------------------------------------- Cybersecurity company Huntress said it has observed active in-the-wild exploitation of an unpatched security flaw impacting Gladinet CentreStack and TrioFox products. The zero-day vulnerability, tracked as CVE-2025-11371 (CVSS score: 6.1), is an unauthenticated local file inclusion bug that allows unintended disclosure of system files. It impacts all versions of the software prior to and including 16.7.10368.56560. --------------------------------------------- https://thehackernews.com/2025/10/from-lfi-to-rce-active-exploitation.html ∗∗∗ 175 Malicious npm Packages with 26,000 Downloads Used in Credential Phishing Campaign ∗∗∗ --------------------------------------------- Cybersecurity researchers have flagged a new set of 175 malicious packages on the npm registry that have been used to facilitate credential harvesting attacks as part of an unusual campaign. The packages have been collectively downloaded 26,000 times, acting as an infrastructure for a widespread phishing campaign codenamed Beamglea targeting more than 135 industrial, technology, and energy companies across the world, according to Socket. --------------------------------------------- https://thehackernews.com/2025/10/175-malicious-npm-packages-with-26000.html ∗∗∗ Cops nuke BreachForums (again) amid cybercrime supergroup extortion blitz ∗∗∗ --------------------------------------------- US authorities have seized the latest incarnation of BreachForums, the cybercriminal bazaar recently reborn under the stewardship of the so-called Scattered Lapsus$ Hunters, with help from French cyber cops and the Paris prosecutor's office. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/10/10/cops_seize_b… ∗∗∗ Pro-Russian hackers caught bragging about attack on fake water utility ∗∗∗ --------------------------------------------- A pro-Russian hacker group has been caught boasting about a cyberattack that unfolded entirely inside a decoy system set up by researchers. --------------------------------------------- https://therecord.media/fake-water-utility-honeypot-hacked-pro-russian-group ∗∗∗ More Than DoS (Progress Telerik UI for ASP.NET AJAX Unsafe Reflection CVE-2025-3600) ∗∗∗ --------------------------------------------- Welcome back. We’re excited to yet again publish memes under the guise of research and inevitably receive hate mail. But today, we’ll be doing something slightly different to normal. Today, instead of pulling apart “just one” enterprise-grade solution, we have inadvertently ripped apart a widely used ASP.NET library. --------------------------------------------- https://labs.watchtowr.com/more-than-dos-progress-telerik-ui-for-asp-net-aj… ∗∗∗ New Stealit Campaign Abuses Node.js Single Executable Application ∗∗∗ --------------------------------------------- FortiGuard Labs has encountered a new and active Stealit malware campaign that leverages Node.js’ Single Executable Application (SEA) feature to distribute its payloads. This campaign was uncovered following a spike in detections of a particular Visual Basic script, which was later determined to be a component for persistence. --------------------------------------------- https://feeds.fortinet.com/~/926060729/0/fortinet/blogs~New-Stealit-Campaig… ===================== = Vulnerabilities = ===================== ∗∗∗ Claroty Product Security Advisory: OIDC Configurations in Claroty Secure Access ∗∗∗ --------------------------------------------- This advisory provides important information regarding a security vulnerability affecting on-premise Claroty Secure Access (formerly known as Claroty Secure Remote Access or SRA) when configured with OpenID Connect (OIDC) authentication, either currently or previously. Fixes for affected products are available in the customer portal. There are no known public exploits or a public proof of concept (POC) of this vulnerability. --------------------------------------------- https://claroty.com/product-security/oidc-configurations-in-claroty-secure-… ∗∗∗ Monitoring-Software Checkmk: Rechteausweitungslücke in Windows-Version ∗∗∗ --------------------------------------------- Checkmk warnt vor Sicherheitslücken in der gleichnamigen Netzwerk-Überwachungssoftware. Eine betrifft den Windows-Agent und verpasst eine Einordnung als kritisches Sicherheitsrisiko nur knapp, eines der weiteren Lecks dürfte Admins hingegen keinen Schlaf rauben. --------------------------------------------- https://www.heise.de/news/Monitoring-Software-Checkmk-Rechteausweitungsluec… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (redis and valkey), Fedora (docker-buildkit, ibus-bamboo, pgadmin4, webkitgtk, and wordpress), Mageia (kernel-linus, kmod-virtualbox & kmod-xtables-addons, and microcode), Oracle (compat-libtiff3 and udisks2), Red Hat (rsync), Slackware (python3), SUSE (chromium, cJSON, digger-cli, glow, go1.24, go1.25, go1.25-openssl, grafana, libexslt0, libruby3_4-3_4, pgadmin4, python311-python-socketio, and squid), and Ubuntu (dpdk, libhtp, vim, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/1041564/ ∗∗∗ Ivanti Endpoint Manager: Zero Day Initiative veröffentlicht 13 Zero-Days ∗∗∗ --------------------------------------------- In Ivantis Endpoint Manager (EPM) steckten schwere Sicherheitslücken, die das Unternehmen seit Monaten kennt – und dennoch erst in einem halben Jahr beheben wollte. Das war Trend Micros Zero Day Initiative (ZDI) zu lang – sie veröffentlicht die Lücken nun als "Zero Days". Im Fehlerkatalog tummeln sich elf SQL Injections, eine Pfadlücke und einmal Deserialisierung nicht vertrauenswürdiger Daten. --------------------------------------------- https://heise.de/-10749054 ∗∗∗ Schadcode-Lücken in Nvidia-GPU-Treiber geschlossen ∗∗∗ --------------------------------------------- Nvidias Entwickler haben mehrere Sicherheitslücken in verschiedenen Grafikkartentreibern geschlossen. Im schlimmsten Fall kann Schadcode Systeme vollständig kompromittieren. Davon sind Linux- und Windows-Computer bedroht. --------------------------------------------- https://heise.de/-10749431 ∗∗∗ 7-Zip: Infos zu geschlossenen Sicherheitslücken verfügbar ∗∗∗ --------------------------------------------- Mit der Version 25.00 von 7-Zip hat der Entwickler im Juli einige Sicherheitslücken geschlossen. Bislang war jedoch unklar, welche. Die Zero-Day-Initiative (ZDI) von Trend Micro hat nun Informationen zu einigen der darin gestopften Sicherheitslecks veröffentlicht. --------------------------------------------- https://heise.de/-10749900 ∗∗∗ Juniper Security Director: Angreifer können Sicherheitsmechanismus umgehen ∗∗∗ --------------------------------------------- Mehrere Produkte des Netzwerkausrüsters Juniper sind verwundbar. Sind Attacken erfolgreich, können Angreifer etwa manipulierte Images installieren oder Hintertüren in Switches verankern. Sicherheitspatches stehen zum Download bereit. --------------------------------------------- https://heise.de/-10750030 ∗∗∗ DSA-6022-1 valkey - security update ∗∗∗ --------------------------------------------- https://lists.debian.org/debian-security-announce/2025/msg00188.html ∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog: CVE-2021-43798 Grafana Path Traversal Vulnerability ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/10/09/cisa-adds-one-known-expl… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 09.10.2025
by Daily end-of-shift report 09 Oct '25

09 Oct '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 08-10-2025 18:00 − Donnerstag 09-10-2025 18:01 Handler: Guenes Holler Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Crimson Collective hackers target AWS cloud instances for data theft ∗∗∗ --------------------------------------------- The Crimson Collective threat group has been targeting AWS (Amazon Web Services) cloud environments for the past weeks, to steal data and extort companies. --------------------------------------------- https://www.bleepingcomputer.com/news/security/crimson-collective-hackers-t… ∗∗∗ New FileFix attack uses cache smuggling to evade security software ∗∗∗ --------------------------------------------- A new variant of the FileFix social engineering attack uses cache smuggling to secretly download a malicious ZIP archive onto a victims system and bypassing security software. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-filefix-attack-uses-cach… ∗∗∗ Hacktivists target critical infrastructure, hit decoy plant ∗∗∗ --------------------------------------------- A pro-Russian hacktivist group called TwoNet pivoted in less than a year from launching distributed denial-of-service (DDoS) attacks to targeting critical infrastructure. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hacktivists-target-critical-… ∗∗∗ SonicWall: Firewall configs stolen for all cloud backup customers ∗∗∗ --------------------------------------------- SonicWall has confirmed that all customers that used the companys cloud backup service are affected by last months security breach. --------------------------------------------- https://www.bleepingcomputer.com/news/security/sonicwall-firewall-configs-s… ∗∗∗ Sicherheitsleck: Millionen Gästedaten in Hotelsoftware öffentlich einsehbar ∗∗∗ --------------------------------------------- In der Hotelsoftware Sihot ließen sich Millionen Gästedaten einsehen. Die Sicherheitslücken sind laut Hersteller aber bereits geschlossen. --------------------------------------------- https://www.golem.de/news/sicherheitsleck-millionen-gaestedaten-in-hotelsof… ∗∗∗ Hackers Exploit WordPress Sites to Power Next-Gen ClickFix Phishing Attacks ∗∗∗ --------------------------------------------- Cybersecurity researchers are calling attention to a nefarious campaign targeting WordPress sites to make malicious JavaScript injections that are designed to redirect users to sketchy sites. --------------------------------------------- https://thehackernews.com/2025/10/hackers-exploit-wordpress-themes-to.html ∗∗∗ localmind.ai: KI-Sicherheitsvorfall, es ist noch nicht vorbei – Teil 3 ∗∗∗ --------------------------------------------- Der Sicherheitsvorfall beim KI-Anbieter localmind.ai scheint noch nicht ausgestanden. Der Anbieter schreibt zwar, dass die Kernsysteme der Localmind-Plattform selbst nicht kompromittiert wurden, und man glaubt, die Infrastruktur gesichert zu haben. Es hat aber den Anschein, dass dies nicht ganz zutreffend ist. --------------------------------------------- https://www.borncity.com/blog/2025/10/09/localmind-ai-ki-sicherheitsvorfall… ∗∗∗ Velociraptor leveraged in ransomware attacks ∗∗∗ --------------------------------------------- Cisco Talos has confirmed that ransomware operators are leveraging Velociraptor, an open-source digital forensics and incident response (DFIR) tool that had not previously been definitively tied to ransomware incidents. --------------------------------------------- https://blog.talosintelligence.com/velociraptor-leveraged-in-ransomware-att… ∗∗∗ Fake Teams Installers Dropping Oyster Backdoor (aka Broomstick) ∗∗∗ --------------------------------------------- Hackers are using fake Microsoft Teams installers found in search results and ads to deploy the Oyster backdoor. Learn how to protect your PC from this remote-access threat. --------------------------------------------- https://hackread.com/fake-teams-installers-oyster-backdoor-broomstick/ ∗∗∗ New Chaos-C++ Ransomware Targets Windows by Wiping Data, Stealing Crypto ∗∗∗ --------------------------------------------- FortiGuard Labs reveals Chaos-C++, a new Chaos ransomware variant that deletes files over 1.3 GB instead of encrypting them and uses clipboard hijacking to steal cryptocurrency. --------------------------------------------- https://hackread.com/chaos-c-ransomware-windows-data-crypto/ ∗∗∗ Oracle E-Business Suite Zero-Day Exploited in Widespread Extortion Campaign ∗∗∗ --------------------------------------------- Google Threat Intelligence Group (GTIG) and Mandiant began tracking a new, large-scale extortion campaign by a threat actor claiming affiliation with the CL0P extortion brand. The actor began sending a high volume of emails to executives at numerous organizations, alleging the theft of sensitive data from the victims Oracle E-Business Suite (EBS) environments. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/oracle-ebusiness-s… ∗∗∗ SVG Phishing hits Ukraine with Amatera Stealer, PureMiner ∗∗∗ --------------------------------------------- FortiGuard Labs recently observed a phishing campaign designed to impersonate Ukrainian government agencies and deliver additional malware to targeted systems. The phishing emails contain malicious Scalable Vector Graphics (SVG) files designed to trick recipients into opening harmful attachments. --------------------------------------------- https://feeds.fortinet.com/~/925395818/0/fortinet/blogs~SVG-Phishing-hits-U… ===================== = Vulnerabilities = ===================== ∗∗∗ Severe Framelink Figma MCP Vulnerability Lets Hackers Execute Code Remotely ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed details of a now-patched vulnerability in the popular figma-developer-mcp Model Context Protocol (MCP) server that could allow attackers to achieve code execution. The vulnerability, tracked as CVE-2025-53967 (CVSS score: 7.5), is a command injection bug stemming from the unsanitized use of user input, opening the door to a scenario where an attacker can send arbitrary system commands. --------------------------------------------- https://thehackernews.com/2025/10/severe-figma-mcp-vulnerability-lets.html ∗∗∗ Update: Schadcode-Lücke bedroht IBM Data Replication VSAM ∗∗∗ --------------------------------------------- Angreifer können IBM Data Replication VSAM for z/OS Remote Source attackieren. Nun wurde die Lücke geschlossen. --------------------------------------------- https://www.heise.de/news/Update-Schadcode-Luecke-bedroht-IBM-Data-Replicat… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (gnutls, kernel, kernel-rt, and open-vm-tools), Debian (chromium, python-django, and redis), Fedora (chromium, insight, mirrorlist-server, oci-seccomp-bpf-hook, rust-maxminddb, rust-prometheus, rust-prometheus_exporter, rust-protobuf, rust-protobuf-codegen, rust-protobuf-parse, rust-protobuf-support, turbo-attack, and yarnpkg), Oracle (iputils, kernel, open-vm-tools, redis, and valkey), Red Hat (perl-File-Find-Rule and perl-File-Find-Rule-Perl), SUSE (expat, ImageMagick, matrix-synapse, python-xmltodict, redis, redis7, and valkey), and Ubuntu (fort-validator and imagemagick). --------------------------------------------- https://lwn.net/Articles/1041404/ ∗∗∗ A Cascade of Insecure Architectures: Axis Plugin Design Flaw Expose Select Autodesk Revit Users to Supply Chain Risk ∗∗∗ --------------------------------------------- We discovered Azure Storage Account credentials exposed in Axis Communications’ Autodesk Revit plugin, allowing unauthorized modification of cloud-hosted files. This exposure, combined with vulnerabilities in Autodesk Revit, could enable supply-chain attacks targeting end users. --------------------------------------------- https://www.trendmicro.com/en_us/research/25/j/axis-plugin-flaw-autodesk-re… ∗∗∗ CISA Releases Four Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- CISA released four Industrial Control Systems (ICS) Advisories on October 9, 2025. ICSA-25-282-01 Hitachi Energy Asset Suite, ICSA-25-282-02 Rockwell Automation Lifecycle Services with Cisco, ICSA-25-282-03 Rockwell Automation Stratix and ICSA-25-128-03 Mitsubishi Electric Multiple FA Products. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/10/09/cisa-releases-four-indus… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 08.10.2025
by Daily end-of-shift report 08 Oct '25

08 Oct '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 07-10-2025 18:00 − Mittwoch 08-10-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Guenes Holler ===================== = News = ===================== ∗∗∗ Severe Figma MCP Vulnerability Lets Hackers Execute Code Remotely — Patch Now ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed details of a now-patched vulnerability in the popular figma-developer-mcp Model Context Protocol (MCP) server that could allow attackers to achieve code execution. The vulnerability, tracked as CVE-2025-53967 (CVSS score: 7.5), is a command injection bug [..] The vulnerability has been addressed in version 0.6.3 of figma-developer-mcp, which was released on September 29, 2025. --------------------------------------------- https://thehackernews.com/2025/10/severe-figma-mcp-vulnerability-lets.html ∗∗∗ LockBit, Qilin, and DragonForce Join Forces to Dominate the Ransomware Ecosystem ∗∗∗ --------------------------------------------- Three prominent ransomware groups DragonForce, LockBit, and Qilin have announced a new strategic ransomware alliance, once underscoring continued shifts in the cyber threat landscape. --------------------------------------------- https://thehackernews.com/2025/10/lockbit-qilin-and-dragonforce-join.html ∗∗∗ Employees regularly paste company secrets into ChatGPT ∗∗∗ --------------------------------------------- Employees could be opening up to OpenAI in ways that put sensitive data at risk. According to a study by security biz LayerX, a large number of corporate users paste Personally Identifiable Information (PII) or Payment Card Industry (PCI) numbers right into ChatGPT, even if theyre using the bot without permission. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/10/07/gen_ai_shado… ∗∗∗ “Can you test my game?” Fake itch.io pages spread hidden malware to gamers ∗∗∗ --------------------------------------------- A convincing itch-style page can drop a stealthy stager instead of a game. Here’s how to spot it and what to do if you clicked. --------------------------------------------- https://www.malwarebytes.com/blog/threat-intel/2025/10/can-you-test-my-game… ∗∗∗ Is your computer mouse eavesdropping on you? ∗∗∗ --------------------------------------------- Researchers have found a method they called Mic-E-Mouse, which turns your computer mouse into a spy that can listen in on your conversations. [..] The method uses high-performance optical sensors in optical mice, combined with artificial intelligence, to filter out background noise and: “achieve intelligible reconstruction of user speech.” --------------------------------------------- https://www.malwarebytes.com/blog/news/2025/10/is-your-computer-mouse-eaves… ∗∗∗ Der Klimabonus ist wieder da?! Nein, nur ein neuer Phishing-Versuch! ∗∗∗ --------------------------------------------- Betrügerische SMS-Nachrichten versuchen den Eindruck einer Rückkehr des Klimabonus zu erwecken. Eine frühzeitige Registrierung bringe Informationsvorteile und bessere Chancen für eine Auszahlung. Nichts davon ist wahr. Wir haben es vielmehr mit klassischem Phishing zu tun. --------------------------------------------- https://www.watchlist-internet.at/news/klimabonus-neuer-phishing-versuch/ ∗∗∗ Salesforce data breach: what you need to know ∗∗∗ --------------------------------------------- The Scattered LAPSUS$ Hunters hacking group claims to have accessed data from around 40 customers of Salesforce, the cloud-based customer relationship management service, stealing almost one billion records. [..] The hacker are demanding payment by this Friday, 10 October 2025. [..] Allen Tsai, a Salesforce spokesperson, said the company won’t engage, negotiate with or pay any extortion demand. --------------------------------------------- https://www.fortra.com/blog/salesforce-data-breach-what-need-know ∗∗∗ The ClickFix Factory: First Exposure of IUAM ClickFix Generator ∗∗∗ --------------------------------------------- Unit 42 discovers ClickFix phishing kits, commoditizing social engineering. This kit presents a lowered barrier for inexperienced cybercriminals. --------------------------------------------- https://unit42.paloaltonetworks.com/clickfix-generator-first-of-its-kind/ ∗∗∗ Crafting a Full Exploit RCE from a Crash in Autodesk Revit RFA File Parsing ∗∗∗ --------------------------------------------- This article will be devoted to explaining how I reached arbitrary code execution from the crash point shown above. Of particular interest is the technique I used to achieve ROP execution. --------------------------------------------- https://www.thezdi.com/blog/2025/10/6/crafting-a-full-exploit-rce-from-a-cr… ∗∗∗ Windows 11-Setup: Microsoft blockiert künftig das Anlegen lokaler Konten ∗∗∗ --------------------------------------------- Es deutet sich an, dass lokale Benutzerkonten in Windows 11 zukünftig nicht, oder nur noch mit großen Tricks beim Setup eingerichtet werden können. In der neuesten Insider Preview Build 26220.6772 (KB5065797) vom 06. Oktober 2025 gab Microsoft bekannt, dass die Befehle, um beim Setup doch noch lokale Benutzerkonten einzurichten, gestrichen werden. --------------------------------------------- https://www.borncity.com/blog/2025/10/08/windows-11-setup-microsoft-blockie… ∗∗∗ Introducing HoneyBee: How We Automate Honeypot Deployment for Threat Research ∗∗∗ --------------------------------------------- HoneyBee takes popular cloud-deployed applications such as databases, storage services, and web apps, and automatically generates intentionally insecure Dockerfiles and Docker Compose manifests. [..] We know we aren't the only ones working on these challenges, which is why we’re open-sourcing HoneyBee with the hope that it can be just as useful to others in the security community. --------------------------------------------- https://www.wiz.io/blog/honeybee-threat-research ===================== = Vulnerabilities = ===================== ∗∗∗ Ivanti Endpoint Manager Multible 0Day Vulnerabilities ∗∗∗ --------------------------------------------- (ZDI-25-934 - ZDI-25-947) This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Endpoint Manager. Authentication is required to exploit this vulnerability. Mitigation: Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the product. --------------------------------------------- https://www.zerodayinitiative.com/advisories/published/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (apptainer, civetweb, mod_http2, openssl, pandoc, and pandoc-cli), Oracle (kernel), Red Hat (gstreamer1-plugins-bad-free, iputils, kernel, open-vm-tools, and podman), SUSE (cairo, firefox, ghostscript, gimp, gstreamer-plugins-rs, libxslt, logback, openssl-1_0_0, openssl-1_1, python-xmltodict, and rubygem-puma), and Ubuntu (gst-plugins-base1.0, linux-aws-6.8, linux-aws-fips, linux-azure, linux-azure-nvidia, linux-gke, linux-nvidia-tegra-igx, and --------------------------------------------- https://lwn.net/Articles/1041243/ ∗∗∗ Windows und Android: Google schließt schwerwiegende Lücken in Chrome ∗∗∗ --------------------------------------------- https://www.golem.de/news/windows-und-android-google-schliesst-schwerwiegen… ∗∗∗ ZDI-25-895: (0Day) Wondershare Repairit Incorrect Permission Assignment Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-895/ ∗∗∗ B&R Automation Runtime DoS Vulnerability in System Diagnostics Manager (SDM) CVE ID: CVE-2025-3450 ∗∗∗ --------------------------------------------- https://www.br-automation.com/fileadmin/SA25P002-f6a69e61.pdf ∗∗∗ B&R Automation Runtime Vulnerabilities in System Diagnostic Manager (SDM) CVE ID: CVE-2025-3449, CVE-2025-3448 ∗∗∗ --------------------------------------------- https://www.br-automation.com/fileadmin/SA25P003-178b6a20.pdf ∗∗∗ ABB: LVS MConfig Insecure memory handling CVE ID: CVE-2025-9970 ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=4TZ00000006008&Lang… ∗∗∗ Tenable: [R1] Security Center Version 6.7.0 Fixes One Vulnerability ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2025-21 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 07.10.2025
by Daily end-of-shift report 07 Oct '25

07 Oct '25

===================== = End-of-Day report = ===================== Timeframe: Montag 06-10-2025 18:00 − Dienstag 07-10-2025 18:30 Handler: Guenes Holler Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Kritische Redis Sicherheitslücke (CVE-2025-49844) erlaubt Authenticated Remote Code Execution ∗∗∗ --------------------------------------------- Die kritische Redis Sicherheitslücke erlaubt Remote Code Execution, wenn LUA-Scripting aktiviert ist und ein speziell präpariertes Script im Kontext eines authentifiziertem Benutzer ausgeführt wird. --------------------------------------------- https://www.cert.at/de/aktuelles/2025/10/kritische-redis-sicherheitslucke-c… ∗∗∗ Red Hat Consulting breach puts over 5000 high profile enterprise customers at risk — in detail ∗∗∗ --------------------------------------------- Last week, a little known extortion group called Crimson Collective caught my attention. At the time they only had 22 followers on Telegram. Red Hat confirmed the breach later that day, and started notifying impacted customers. Red Hat Consulting are consultants who come in to large enterprises to deal with complex technology problems. It is pretty clear their documentation and source code around customers has been stolen. --------------------------------------------- https://doublepulsar.com/red-hat-consulting-breach-puts-over-5000-high-prof… ∗∗∗ Microsoft Links Storm-1175 to GoAnywhere Exploit Deploying Medusa Ransomware ∗∗∗ --------------------------------------------- Microsoft on Monday attributed a threat actor it tracks as Storm-1175 to the exploitation of a critical security flaw in Fortra GoAnywhere software to facilitate the deployment of Medusa ransomware. --------------------------------------------- https://thehackernews.com/2025/10/microsoft-links-storm-1175-to.html ∗∗∗ Das passiert, wenn der KI-Betreiber die Sicherheit vernachlässigt ∗∗∗ --------------------------------------------- Verträge, Rechnungen und weitere sensible Daten erreichten uns via E-Mail. Die Quelle: eine österreichische KI-Firma, die demnach bei der Sicherheit schlampte. --------------------------------------------- https://www.heise.de/news/Sensible-Unternehmensdaten-ueber-Sicherheitsprobl… ∗∗∗ Phishers target 1Password users with convincing fake breach alert ∗∗∗ --------------------------------------------- Attackers are using realistic-looking 1Password emails to trick users into handing over their vault logins. --------------------------------------------- https://www.malwarebytes.com/blog/news/2025/10/phishers-target-1password-us… ∗∗∗ Well, Well, Well. It’s Another Day. (Oracle E-Business Suite Pre-Auth RCE Chain - CVE-2025-61882) ∗∗∗ --------------------------------------------- We bet you thought you’d be allowed to sit there, breathe, and savour the few moments of peace you’d earned after a painful week in cyber security. Obviously, you were horribly wrong, and you need to wake up now. --------------------------------------------- https://labs.watchtowr.com/well-well-well-its-another-day-oracle-e-business… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (chromium), Red Hat (kernel, open-vm-tools, and postgresql), SUSE (chromedriver and chromium), and Ubuntu (haproxy and pam-u2f). --------------------------------------------- https://lwn.net/Articles/1041069/ ∗∗∗ CISA Releases Two Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- CISA released two Industrial Control Systems (ICS) advisories on October 7, 2025. ICSA-25-280-01 Delta Electronics DIAScreen and ICSA-25-226-31 Rockwell Automation 1756-EN4TR, 1756-EN4TRXT. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/10/07/cisa-releases-two-indust… ∗∗∗ Critical CVE-2025-27237 Vulnerability in Zabbix Agent for Windows Enables Privilege Escalation via OpenSSL Misconfiguration ∗∗∗ --------------------------------------------- A security vulnerability has been identified in Zabbix Agent and Agent2 for Windows, potentially allowing local users to escalate their privileges to the SYSTEM level. Tracked as CVE-2025-27237, the flaw originates from the way these agents handle the OpenSSL configuration file on Windows systems. --------------------------------------------- https://thecyberexpress.com/zabbix-agent-cve-2025-27237/ ∗∗∗ Attackers Actively Exploiting Critical Vulnerability in Service Finder Bookings Plugin ∗∗∗ --------------------------------------------- On June 8th, 2025, we received a submission through our Bug Bounty Program for an Authentication Bypass vulnerability in Service Finder Bookings, a WordPress plugin bundled with the Service Finder theme. This theme has been sold to approximately 6,000 customers. This vulnerability makes it possible for an unauthenticated attacker to gain access to any account on a site including accounts with the ‘administrator’ role. --------------------------------------------- https://www.wordfence.com/blog/2025/10/attackers-actively-exploiting-critic… ∗∗∗ ABB Security Advisory: EIBPORT Reflected XSS (CVE-2021-22291) ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK108471A7808&Lan… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 06.10.2025
by Daily end-of-shift report 06 Oct '25

06 Oct '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 03-10-2025 18:00 − Montag 06-10-2025 18:00 Handler: Guenes Holler Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Schwerwiegende Sicherheitslücke in Oracle E-Business Suite - aktiv ausgenutzt - Updates verfügbar ∗∗∗ --------------------------------------------- Oracle hat einen Security Alert zu einer schwerwiegenden Schwachstelle, CVE-2025-61882, in Oracle E-Business Suite veröffentlicht. Die Sicherheitslücke erlaubt es Angreifer:innen auf betroffenen Systemen ohne jedwede Authentifizierung Code auszuführen. Laut Oracle wird die Lücke bereits aktiv durch Bedrohungsakteure missbraucht. --------------------------------------------- https://www.cert.at/de/warnungen/2025/10/schwerwiegende-sicherheitslucke-in… ∗∗∗ Hackers exploited Zimbra flaw as zero-day using iCalendar files ∗∗∗ --------------------------------------------- Researchers monitoring for larger .ICS calendar attachments found that a flaw in Zimbra Collaboration Suite (ZCS) was used in zero-day attacks at the beginning of the year. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-exploited-zimbra-fla… ∗∗∗ XWorm malware resurfaces with ransomware module, over 35 plugins ∗∗∗ --------------------------------------------- New versions of the XWorm backdoor are being distributed in phishing campaigns after the original developer, XCoder, abandoned the project last year. --------------------------------------------- https://www.bleepingcomputer.com/news/security/xworm-malware-resurfaces-wit… ∗∗∗ Scattered Lapsus$ Hunters Returns With Salesforce Leak Site ∗∗∗ --------------------------------------------- After claiming it would shut down, the cybercriminal collective reemerged and threatened to publish the stolen data of Salesforce customers by Oct. 10 if its demands are not met. --------------------------------------------- https://www.darkreading.com/cyberattacks-data-breaches/scattered-lapsus-hun… ∗∗∗ Rhadamanthys Stealer Evolves: Adds Device Fingerprinting, PNG Steganography Payloads ∗∗∗ --------------------------------------------- The threat actor behind Rhadamanthys has also advertised two other tools called Elysium Proxy Bot and Crypt Service on their website, even as the flagship information stealer has been updated to support the ability to collect device and web browser fingerprints, among others. --------------------------------------------- https://thehackernews.com/2025/10/rhadamanthys-stealer-evolves-adds.html ∗∗∗ Angreifer kopierten Kundendaten von Red-Hat-GitLab-Instanz ∗∗∗ --------------------------------------------- Beim Softwarehersteller Red Hat kam es zu einem IT-Sicherheitsvorfall. Die Angreifer geben an, 570 GB an Daten kopiert zu haben. --------------------------------------------- https://www.heise.de/news/Angreifer-kopierten-Kundendaten-von-Red-Hat-GitLa… ∗∗∗ Datenleck bei Discord: Support-Dienstleister erfolgreich attackiert ∗∗∗ --------------------------------------------- Kriminelle konnten persönliche Daten von bestimmten Discord-Nutzern erbeuten. Diese könnten für Phishing-Attacken missbraucht werden. --------------------------------------------- https://www.heise.de/news/Datenleck-bei-Discord-Support-Dienstleister-erfol… ∗∗∗ Palo Alto Scanning Surges ~500% in 48 Hours, Marking 90-Day High ∗∗∗ --------------------------------------------- On October 3, 2025, GreyNoise observed a ~500% increase in IPs scanning Palo Alto Networks login portals, the highest level recorded in the past 90 days. The activity was highly targeted and involved multiple, potentially coordinated scanning clusters. --------------------------------------------- https://www.greynoise.io/blog/palo-alto-scanning-surges ===================== = Vulnerabilities = ===================== ∗∗∗ Oracle Security Alert for CVE-2025-61882 - 4 October 2025 ∗∗∗ --------------------------------------------- This Security Alert addresses vulnerability CVE-2025-61882 in Oracle E-Business Suite. This vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password. If successfully exploited, this vulnerability may result in remote code execution. --------------------------------------------- https://www.oracle.com/security-alerts/alert-cve-2025-61882.html ∗∗∗ Redis warns of critical flaw impacting thousands of instances ∗∗∗ --------------------------------------------- The Redis security team has released patches for a maximum severity vulnerability that could allow attackers to gain remote code execution on thousands of vulnerable instances. --------------------------------------------- https://www.bleepingcomputer.com/news/security/redis-warns-of-max-severity-… ∗∗∗ ZDI-25-932: MLflow Weak Password Requirements Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.1. The following CVEs are assigned: CVE-2025-11200. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-932/ ∗∗∗ ZDI-25-930: win-cli-mcp-server resolveCommandPath Command Injection Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of win-cli-mcp-server. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 9.8. The following CVEs are assigned: CVE-2025-11202. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-930/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (kernel), Debian (dovecot, git, log4cxx, and openssl), Fedora (containernetworking-plugins, firebird, firefox, jupyterlab, mupdf, and thunderbird), Oracle (ipa), Red Hat (container-tools:rhel8, firefox, gnutls, kernel, kernel-rt, multiple packages, mysql, mysql:8.0, nginx, podman, and thunderbird), Slackware (fetchmail), SUSE (afterburn, chromium, firefox, haproxy, libvmtools-devel, logback, python311-Django, python311-Django4, and redis), and Ubuntu (linux-gcp, linux-gcp-6.14, linux-oem-6.14, linux-nvidia-tegra-igx, linux-oracle, mysql-8.0, poppler, and squid). --------------------------------------------- https://lwn.net/Articles/1040991/ ∗∗∗ Unzählige Sicherheitslücken in Dell PowerProtect Data Domain geschlossen ∗∗∗ --------------------------------------------- Stimmen die Voraussetzungen, können Angreifer Dell PowerProtect Data Domain attackieren und Systeme als Root kompromittieren. Sicherheitspatches stehen zum Download bereit. --------------------------------------------- https://heise.de/-10712169 ∗∗∗ Spiele-Engine Unity: Lücke bedroht Android, Linux, macOS und Windows ∗∗∗ --------------------------------------------- Die Laufzeitumgebung für die Spiele-Engine Unity steckt in diversen populären Spielen. Microsoft meldet nun eine schwerwiegende Sicherheitslücke darin, die Angreifern das Ausführen von Schadcode erlaubt. Bis zur Verfügbarkeit von Updates sollen Nutzerinnen und Nutzer betroffene Software deinstallieren, rät der Hersteller. --------------------------------------------- https://heise.de/-10713427 ∗∗∗ Multiple Vulnerabilities in Qsync Central ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-25-35 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 03.10.2025
by Daily end-of-shift report 03 Oct '25

03 Oct '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 02-10-2025 18:00 − Freitag 03-10-2025 18:00 Handler: Guenes Holler Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Oracle links Clop extortion attacks to July 2025 vulnerabilities ∗∗∗ --------------------------------------------- Oracle has linked an ongoing extortion campaign claimed by the Clop ransomware gang to E-Business Suite (EBS) vulnerabilities that were patched in July 2025. --------------------------------------------- https://www.bleepingcomputer.com/news/security/oracle-links-clop-extortion-… ∗∗∗ CommetJacking attack tricks Comet browser into stealing emails ∗∗∗ --------------------------------------------- A new attack called CometJacking exploits URL parameters to pass to Perplexitys Comet AI browser hidden instructions that allow access to sensitive data from connected services, like email and calendar. --------------------------------------------- https://www.bleepingcomputer.com/news/security/commetjacking-attack-tricks-… ∗∗∗ Sicherheitslücke in Zahnarztpraxen-System ∗∗∗ --------------------------------------------- Bei einem von einigen Zahnarztpraxen eingesetzten Praxisverwaltungssystem hat es gravierende Schwachstellen gegeben - dadurch hätten Patientendaten gelesen und verändert werden können. --------------------------------------------- https://www.golem.de/news/security-sicherheitsluecke-in-zahnarztpraxen-syst… ∗∗∗ Coordinated Grafana Exploitation Attempts on 28 September ∗∗∗ --------------------------------------------- GreyNoise observed a sharp one-day surge of exploitation attempts targeting CVE-2021-43798 — a Grafana path traversal vulnerability that enables arbitrary file reads. All observed IPs are classified as malicious. --------------------------------------------- https://www.greynoise.io/blog/coordinated-grafana-exploitation-attempts ∗∗∗ Its Never Simple Until It Is (Dell UnityVSA Pre-Auth Command Injection CVE-2025-36604) ∗∗∗ --------------------------------------------- Welcome back, and what a week! We’re glad that happened for you and/or sorry that happened to you. It will get better and/or worse, and you will likely survive. Today, we’re walking down the garden path and digging into the archives, publishing our analysis of a vulnerability we discovered and disclosed to Dell in March 2025 within their UnityVSA solution. --------------------------------------------- https://labs.watchtowr.com/its-never-simple-until-it-is-dell-unityvsa-pre-a… ===================== = Vulnerabilities = ===================== ∗∗∗ DrayTek warns of remote code execution bug in Vigor routers ∗∗∗ --------------------------------------------- Networking hardware maker DrayTek released an advisory to warn about a security vulnerability in several Vigor router models that could allow remote, unauthenticated actors to execute perform arbitrary code. --------------------------------------------- https://www.bleepingcomputer.com/news/security/draytek-warns-of-remote-code… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (idm:DL1), Debian (gegl and haproxy), Fedora (ffmpeg, firefox, freeipa, python-pip, rust-astral-tokio-tar, sqlite, uv, webkitgtk, and xen), Oracle (idm:DL1, ipa, kernel, perl-JSON-XS, and python3), Red Hat (git), SUSE (curl, frr, jupyter-jupyterlab, and libsuricata8_0_1), and Ubuntu (linux-aws, linux-lts-xenial, linux-aws-fips, linux-fips, linux-gcp-fips, linux-azure, linux-azure, linux-azure-6.8, linux-fips, linux-gcp-fips, and linux-intel-iot-realtime, linux-realtime). --------------------------------------------- https://lwn.net/Articles/1040729/ ∗∗∗ CISA Releases Two Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- CISA released two Industrial Control Systems (ICS) advisories on October 2, 2025: ICSA-25-275-01 Raise3D Pro2 Series 3D Printers and ICSA-25-275-02 Hitachi Energy MSM Product. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/10/02/cisa-releases-two-indust… ∗∗∗ Critical Splunk Vulnerabilities Expose Platforms to Remote JavaScript Injection and More ∗∗∗ --------------------------------------------- Splunk has disclosed six critical security vulnerabilities impacting multiple versions of both Splunk Enterprise and Splunk Cloud Platform. These Splunk vulnerabilities, collectively highlighting serious weaknesses in Splunk’s web components, could allow attackers to execute unauthorized JavaScript code remotely, access sensitive information, and perform server-side request forgery (SSRF) attacks. --------------------------------------------- https://thecyberexpress.com/critical-splunk-vulnerabilities/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 02.10.2025
by Daily end-of-shift report 02 Oct '25

02 Oct '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 01-10-2025 18:00 − Donnerstag 02-10-2025 18:00 Handler: Guenes Holler Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ That annoying SMS phish you just got may have come from a box like this ∗∗∗ --------------------------------------------- Smishers looking for new infrastructure are getting creative. --------------------------------------------- https://arstechnica.com/security/2025/10/that-annoying-sms-phish-you-just-g… ∗∗∗ Adobe Analytics bug leaked customer tracking data to other tenants ∗∗∗ --------------------------------------------- Adobe is warning its Analytics customers that an ingestion bug caused data from some organizations to appear in the analytics instances of others for approximately one day. --------------------------------------------- https://www.bleepingcomputer.com/news/security/adobe-analytics-bug-leaked-c… ∗∗∗ Clop extortion emails claim theft of Oracle E-Business Suite data ∗∗∗ --------------------------------------------- Mandiant and Google are tracking a new extortion campaign where executives at multiple companies received emails claiming that sensitive data was stolen from their Oracle E-Business Suite systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/clop-extortion-emails-claim-… ∗∗∗ Android spyware campaigns impersonate Signal and ToTok messengers ∗∗∗ --------------------------------------------- Two new spyware campaigns that researchers call ProSpy and ToSpy lured Android users with fake upgrades or plugins for the Signal and ToTok messaging apps to steal sensitive data. --------------------------------------------- https://www.bleepingcomputer.com/news/security/android-spyware-campaigns-im… ∗∗∗ Shutdown Threatens US Intel Sharing, Cyber Defense ∗∗∗ --------------------------------------------- Lapse of critical information sharing and mass furloughs at CISA are just some of the concerns. --------------------------------------------- https://www.darkreading.com/cyber-risk/shutdown-us-intel-sharing-cyber-defe… ∗∗∗ Datenleck: Schufa-Tochter Bonify bestätigt Sicherheitsvorfall ∗∗∗ --------------------------------------------- Unbekannte erbeuten Identifizierungsdaten von Bonify-Nutzern. Darunter sind auch Ausweisdaten und Fotos. --------------------------------------------- https://www.golem.de/news/datenleck-schufa-tochter-bonify-bestaetigt-sicher… ∗∗∗ 570 GByte Github-Daten: Red Hat meldet Sicherheitsvorfall ∗∗∗ --------------------------------------------- Die Erpressergruppe Crimson Collective ist angeblich im Besitz vertraulicher Kundendaten von Red Hat - und verlangt ein Lösegeld. --------------------------------------------- https://www.golem.de/news/570-gbyte-github-daten-red-hat-meldet-sicherheits… ∗∗∗ New WireTap Attack Extracts Intel SGX ECDSA Key via DDR4 Memory-Bus Interposer ∗∗∗ --------------------------------------------- In yet another piece of research, academics from Georgia Institute of Technology and Purdue University have demonstrated that the security guarantees offered by Intels Software Guard eXtensions (SGX) can be bypassed on DDR4 systems to passively decrypt sensitive data. --------------------------------------------- https://thehackernews.com/2025/10/new-wiretap-attack-extracts-intel-sgx.html ∗∗∗ Malicious PyPI Package soopsocks Infects 2,653 Systems Before Takedown ∗∗∗ --------------------------------------------- Cybersecurity researchers have flagged a malicious package on the Python Package Index (PyPI) repository that claims to offer the ability to create a SOCKS5 proxy service, while also providing a stealthy backdoor-like functionality to drop additional payloads on Windows systems. The deceptive package, named soopsocks, attracted a total of 2,653 downloads before it was taken down. --------------------------------------------- https://thehackernews.com/2025/10/alert-malicious-pypi-package-soopsocks.ht… ∗∗∗ EU funds are flowing into spyware companies, and politicians are demanding answers ∗∗∗ --------------------------------------------- Experts say Commission is ‘fanning the flames’ of the continent’s own Watergate. An arsenal of angry European Parliament members (MEPs) is demanding answers from senior commissioners about why EU subsidies are ending up in the pockets of spyware companies. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/10/02/eu_spyware_f… ∗∗∗ ENISA Threat Landscape 2025 ∗∗∗ --------------------------------------------- Through a more threat-centric approach and further contextual analysis, this latest edition of the ENISA Threat Landscape analyses 4875 incidents over a period spanning from 1 July 2024 to 30 June 2025. --------------------------------------------- https://www.enisa.europa.eu/publications/enisa-threat-landscape-2025 ∗∗∗ Meet SpamGPT and MatrixPDF, AI Toolkits Driving Malware Attacks ∗∗∗ --------------------------------------------- Cybersecurity researchers at Varonis have discovered two new plug-and-play cybercrime toolkits, MatrixPDF and SpamGPT. Learn how these AI-powered tools make mass phishing and PDF malware accessible to anyone, redefining online security risks. --------------------------------------------- https://hackread.com/spamgpt-matrixpdf-ai-toolkits-malware-attacks/ ∗∗∗ Malicious ZIP Files Use Windows Shortcuts to Drop Malware ∗∗∗ --------------------------------------------- Cybersecurity firm Blackpoint Cyber reveals a new spear phishing campaign targeting executives. Learn how attackers use fraudulent document ZIPs containing malicious shortcut files, leveraging living off the land tactics, and a unique Anti-Virus check to deliver a custom payload. --------------------------------------------- https://hackread.com/malicious-zip-files-windows-shortcuts-malware/ ∗∗∗ $20 YoLink IoT Gateway Vulnerabilities Put Home Security at Risk ∗∗∗ --------------------------------------------- Four critical zero-day flaws found in the $20 YoLink Smart Hub allow remote physical access, threatening your home security. See the urgent steps you must take now. --------------------------------------------- https://hackread.com/20-yolink-iot-gateway-vulnerabilities-home-security/ ∗∗∗ Confucius Espionage: From Stealer to Backdoor ∗∗∗ --------------------------------------------- The Confucius group is a long-running cyber-espionage actor operating primarily across South Asia. First identified in 2013, the group is believed to have links to state-sponsored operations in the region. --------------------------------------------- https://feeds.fortinet.com/~/925674278/0/fortinet/blogs~Confucius-Espionage… ===================== = Vulnerabilities = ===================== ∗∗∗ Chrome 141: Google schließt schwerwiegende Sicherheitslücken ∗∗∗ --------------------------------------------- Google hat seinen Browser Chrome auf die Version 141 aktualisiert. Das Update beinhaltet den Versionshinweisen zufolge Patches für 21 Sicherheitslücken. Von mindestens zwei Anfälligkeiten geht demnach ein hohes Risiko aus. Sie erlauben unter Umständen das Einschleusen und Ausführen von Schadcode aus der Ferne und innerhalb der Sandbox des Browsers. --------------------------------------------- https://www.golem.de/news/chrome-141-google-schliesst-schwerwiegende-sicher… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (perl-JSON-XS), Debian (chromium and openssl), Fedora (bird, dnsdist, firefox, mapserver, ntpd-rs, python-nh3, rust-ammonia, skopeo, sqlite, thunderbird, and xen), Oracle (perl-JSON-XS), Red Hat (kernel, kernel-rt, and libvpx), SUSE (afterburn, cairo, docker-stable, firefox, nginx, python-Django, snpguest, and warewulf4), and Ubuntu (libmspack, libxslt, linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-oracle, linux-raspi, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-raspi, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.14, linux-hwe-6.14, linux-realtime, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-oracle, linux, linux-aws, linux-gcp, linux-gcp-6.8, linux-gke, linux-gkeop, linux-ibm, linux-ibm-6.8, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux, linux-kvm, linux-aws-fips, linux-fips, linux-gcp-fips, linux-azure, linux-hwe-6.8, linux-kvm, linux-oracle-5.15, linux-oracle-6.14, linux-raspi, linux-raspi-realtime, linux-realtime, linux-realtime-6.8, linux-realtime-6.14, and python-django). --------------------------------------------- https://lwn.net/Articles/1040591/ ∗∗∗ Stand-alone Security Patch Available for Tenable Security Center versions 6.5.1 and 6.6.0 ∗∗∗ --------------------------------------------- Tenable has released Security Center Patch SC-202509.2.1 to address these issues. --------------------------------------------- https://www.tenable.com/security/tns-2025-20 ∗∗∗ Sicherheitspatches: OpenSSL für Schadcode-Attacken anfällig ∗∗∗ --------------------------------------------- In aktuellen OpenSSL-Versionen haben die Entwickler drei Sicherheitslücken geschlossen. Bislang gibt es keine Berichte zu Attacken. --------------------------------------------- https://www.heise.de/news/OpenSSL-Angreifer-koennen-auf-ARM-Systemen-privat… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 01.10.2025
by Daily end-of-shift report 01 Oct '25

01 Oct '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 30-09-2025 18:00 − Mittwoch 01-10-2025 18:00 Handler: Guenes Holler Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ China Imposes One-Hour Reporting Rule for Major Cyber Incidents ∗∗∗ --------------------------------------------- The sweeping new regulations show that Chinas serious about hardening its own networks after launching widespread attacks on global networks. --------------------------------------------- https://www.darkreading.com/cybersecurity-operations/china-one-hour-reporti… ∗∗∗ MatrixPDF: Neues Hacker-Tool macht PDF-Dateien zu Phishing-Ködern ∗∗∗ --------------------------------------------- Schädliche PDF-Dateien lassen sich damit so gestalten, dass sie den Phishing-Filter von Gmail umgehen. --------------------------------------------- https://www.golem.de/news/matrixpdf-neues-hacker-tool-macht-pdf-dateien-zu-… ∗∗∗ New Android Banking Trojan “Klopatra” Uses Hidden VNC to Control Infected Smartphones ∗∗∗ --------------------------------------------- A previously undocumented Android banking trojan called Klopatra has compromised over 3,000 devices, with a majority of the infections reported in Spain and Italy.Italian fraud prevention firm Cleafy, which discovered the sophisticated malware .. --------------------------------------------- https://thehackernews.com/2025/10/new-android-banking-trojan-klopatra.html ∗∗∗ Hackers Exploit Milesight Routers to Send Phishing SMS to European Users ∗∗∗ --------------------------------------------- Unknown threat actors are abusing Milesight industrial cellular routers to send SMS messages as part of a smishing campaign targeting users in European countries since at least February 2022.French cybersecurity company SEKOIA said the attackers are exploiting .. --------------------------------------------- https://thehackernews.com/2025/10/hackers-exploit-milesight-routers-to.html ∗∗∗ Red Hat OpenShift AI Flaw Exposes Hybrid Cloud Infrastructure to Full Takeover ∗∗∗ --------------------------------------------- A severe security flaw has been disclosed in the Red Hat OpenShift AI service that could allow attackers to escalate privileges and take control of the complete infrastructure under certain conditions.OpenShift AI is a platform for managing the lifecycle .. --------------------------------------------- https://thehackernews.com/2025/10/critical-red-hat-openshift-ai-flaw.html ∗∗∗ OneLogin Bug Let Attackers Use API Keys to Steal OIDC Secrets and Impersonate Apps ∗∗∗ --------------------------------------------- A high-severity security flaw has been disclosed in the One Identity OneLogin Identity and Access Management (IAM) solution that, if successfully exploited, could expose sensitive OpenID Connect (OIDC) application client secrets under certain .. --------------------------------------------- https://thehackernews.com/2025/10/onelogin-bug-let-attackers-use-api-keys.h… ∗∗∗ Neue Phishing-Wellen im Namen der WKO ∗∗∗ --------------------------------------------- Kriminelle versuchen aktuell über zwei Maschen im Namen der Wirtschaftskammer Österreich für Schaden zu sorgen. Dabei geht es um die Aktualisierung von Unternehmensdaten und Zahlungsinformationen zum Mitgliedsbeitrag. Besonders gefährlich: Für .. --------------------------------------------- https://www.watchlist-internet.at/news/phishing-wellen-wko/ ∗∗∗ TOTOLINK X6000R: Three New Vulnerabilities Uncovered ∗∗∗ --------------------------------------------- Researchers identified vulnerabilities in TOTOLINK X6000R routers: CVE-2025-52905, CVE-2025-52906 and CVE-2025-52907. We discuss root cause and impact. --------------------------------------------- https://unit42.paloaltonetworks.com/totolink-x6000r-vulnerabilities/ ∗∗∗ North Korea IT worker scheme expanding to more industries, countries outside of US tech sector ∗∗∗ --------------------------------------------- Okta said their new research into the scheme revealed that North Korea has honed its skills on U.S.-based companies and has expanded into dozens of different countries and industries. --------------------------------------------- https://therecord.media/north-korea-it-worker-scheme-expands-outisde-us-tech ∗∗∗ Detour Dog’s DNS Hijacking Infects 30,000 Websites with Strela Stealer ∗∗∗ --------------------------------------------- Infoblox reveals how the Detour Dog group used server-side DNS to compromise 30,000+ sites across 89 countries, installing the stealthy Strela Stealer malware. --------------------------------------------- https://hackread.com/detour-dog-dns-hijacking-websites-strela-stealer/ ∗∗∗ Sicherheitsupdate: Schadcode-Lücke bedroht NAS-Modelle von Western Digital ∗∗∗ --------------------------------------------- Angreifer können bestimmte Netzwerkspeicher von Western Digital mit My Cloud OS attackieren. --------------------------------------------- https://heise.de/-10696726 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (kernel, kernel-rt, mysql:8.0, and openssh), Debian (libcommons-lang-java, libcommons-lang3-java, libcpanel-json-xs-perl, libjson-xs-perl, libxml2, open-vm-tools, and u-boot), Fedora (bird, dnsdist, mapserver, ntpd-rs, python-nh3, and rust-ammonia), Oracle (kernel and mysql:8.0), Red Hat (cups, postgresql:12, and postgresql:13), SUSE (cJSON-devel, gimp, kernel-devel, kubecolor, open-vm-tools, openssl-1_1, openssl-3, and ruby3.4-rubygem-rack), .. --------------------------------------------- https://lwn.net/Articles/1040375/ ∗∗∗ CISA Releases Ten Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- CISA released ten Industrial Control Systems (ICS) advisories on September 30, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.ICSA-25-273-01 MegaSys Enterprises Telenium Online Web ApplicationICSA-25-273-02 Festo SBRD-Q/SBOC-Q/SBOI-QICSA-25-273-03 Festo CPX-CEC-C1 and .. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/09/30/cisa-releases-ten-indust… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 30.09.2025
by Daily end-of-shift report 30 Sep '25

30 Sep '25

===================== = End-of-Day report = ===================== Timeframe: Montag 29-09-2025 18:00 − Dienstag 30-09-2025 18:00 Handler: n/a Co-Handler: Guenes Holler ===================== = News = ===================== ∗∗∗ Ransomware gang sought BBC reporter’s help in hacking media giant ∗∗∗ --------------------------------------------- Threat actors claiming to represent the Medusa ransomware gang tempted a BBC correspondent to become an insider threat by offering a significant amount of money. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomware-gang-sought-bbc-r… ∗∗∗ AI-Powered Voice Cloning Raises Vishing Risks ∗∗∗ --------------------------------------------- A researcher-developed framework could enable attackers to conduct real-time conversations using simulated audio to compromise organizations and extract sensitive information. --------------------------------------------- https://www.darkreading.com/cyberattacks-data-breaches/ai-voice-cloning-vis… ∗∗∗ Researchers Disclose Google Gemini AI Flaws Allowing Prompt Injection and Cloud Exploits ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed three now-patched security vulnerabilities impacting Googles Gemini artificial intelligence (AI) assistant that, if successfully exploited, could have exposed users to major privacy risks and data theft. --------------------------------------------- https://thehackernews.com/2025/09/researchers-disclose-google-gemini-ai.html ∗∗∗ Google’s Latest AI Ransomware Defense Only Goes So Far ∗∗∗ --------------------------------------------- Google has launched a new AI-based protection in Drive for desktop that can shut down an attack before it spreads—but its benefits have their limits. --------------------------------------------- https://www.wired.com/story/googles-latest-ai-ransomware-defense-only-goes-… ∗∗∗ Auf GitHub: Zahlreiche Fakes bekannter Mac-Apps kursieren ∗∗∗ --------------------------------------------- In einer offenbar konzertierten Aktion versuchen Scammer, gefälschte Apps für Mac-Nutzer zu verbreiten. Unklar ist, was das bezwecken soll. --------------------------------------------- https://www.heise.de/news/Auf-GitHub-Zahlreiche-Fakes-bekannter-Mac-Apps-ku… ∗∗∗ Vorsicht vor Festnetz-Spoofing: Kriminelle nutzen (teilweise) reale Telefonnummern! ∗∗∗ --------------------------------------------- Wer aktuell Anrufe von vermeintlichen Bank-Berater:innen bekommt, sollte besonders misstrauisch und vorsichtig sein! Kriminellen gelingt es immer öfter, real existierende Service-Festnetznummern als Deckmantel für ihre Betrugsmaschen zu nutzen. Ziel des „Spoofings“ ist der Zugriff auf das Konto des Opfers. --------------------------------------------- https://www.watchlist-internet.at/news/vorsich-festnetz-spoofing/ ∗∗∗ Phantom Taurus: A New Chinese Nexus APT and the Discovery of the NET-STAR Malware Suite ∗∗∗ --------------------------------------------- Phantom Taurus is a previously undocumented Chinese threat group. Explore how this groups distinctive toolset lead to uncovering their existence.The post Phantom Taurus: A New Chinese Nexus APT and the Discovery of the NET-STAR Malware Suite appeared first on Unit 42. --------------------------------------------- https://unit42.paloaltonetworks.com/phantom-taurus/ ∗∗∗ XiebroC2 Identified in MS-SQL Server Attack Cases ∗∗∗ --------------------------------------------- AhnLab SEcurity intelligence Center (ASEC) monitors attacks targeting poorly managed MS-SQL servers and recently confirmed a case involving the use of XiebroC2. XiebroC2 is a C2 framework with open-source code that supports various features such as information collection, remote control, and defense evasion, similar to CobaltStrike. --------------------------------------------- https://asec.ahnlab.com/en/90369/ ∗∗∗ Cybercrime Observations from the Frontlines: UNC6040 Proactive Hardening Recommendations ∗∗∗ --------------------------------------------- Protecting software-as-a-service (SaaS) platforms and applications requires a comprehensive security strategy. Drawing from analysis of UNC6040’s specific attack methodologies, this guide presents a structured defensive framework encompassing proactive hardening measures, comprehensive logging protocols, and advanced detection capabilities. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/unc6040-proactive-… ∗∗∗ When Audits Fail: Four Critical Pre-Auth Vulnerabilities in TRUfusion Enterprise ∗∗∗ --------------------------------------------- In early 2025, we encountered a mission-critical software component called TRUfusion Enterprise on the perimeter of one of our customers that is used to transfer highly sensitive data. Since Rocket Software claims that they are undergoing regular audits and also follow secure coding guidelines, we didn’t expect to find much but to our surprise, it took us just two minutes to discover the first totally unsophisticated, but critical pre-auth path traversal vulnerability that already gave us admin rights. --------------------------------------------- https://www.rcesecurity.com/2025/09/when-audits-fail-four-critical-pre-auth… ===================== = Vulnerabilities = ===================== ∗∗∗ Broadcom fixes high-severity VMware NSX bugs reported by NSA ∗∗∗ --------------------------------------------- Broadcom has released security updates to patch two high-severity VMware NSX vulnerabilities reported by the U.S. National Security Agency (NSA). --------------------------------------------- https://www.bleepingcomputer.com/news/security/broadcom-fixes-high-severity… ∗∗∗ IBM App Connect Enterprise Toolkit kann Daten leaken ∗∗∗ --------------------------------------------- Es sind wichtige Sicherheitsupdates für IBM App Connect Enterprise Toolkit, InfoSphere und WebSphere erschienen. --------------------------------------------- https://www.heise.de/news/IBM-App-Connect-Enterprise-Toolkit-kann-Daten-lea… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (python-internetarchive and tiff), Fedora (nextcloud), Oracle (kernel, openssh, and squid), Red Hat (kernel, kernel-rt, and ncurses), SUSE (afterburn and chromium), and Ubuntu (open-vm-tools, ruby-rack, and tiff). --------------------------------------------- https://lwn.net/Articles/1040152/ ∗∗∗ Security Vulnerabilities fixed in Firefox 143.0.3 ∗∗∗ --------------------------------------------- Mozilla has fixed three vulnerabilities labeled as high. --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-80/ ∗∗∗ Critical Vulnerability Alert: CVE-2025-10035 in GoAnywhere MFT ∗∗∗ --------------------------------------------- A critical security vulnerability (CVE-2025-10035) has been identified in GoAnywhere MFT, a widely used file transfer solution developed by Fortra. --------------------------------------------- https://www.bitsight.com/blog/critical-vulnerability-alert-cve-2025-10035-g… ∗∗∗ Apple Security Update Addresses Critical Font Parser Vulnerability Across Multiple Platforms ∗∗∗ --------------------------------------------- Apple has rolled out a series of important security updates across multiple platforms, addressing a vulnerability affecting the system font parser. These Apple security updates cover iOS, iPadOS, macOS, visionOS, watchOS, and tvOS. --------------------------------------------- https://thecyberexpress.com/apple-security-updates/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 29.09.2025
by Daily end-of-shift report 29 Sep '25

29 Sep '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 26-09-2025 18:00 − Montag 29-09-2025 18:00 Handler: Guenes Holler Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ First Malicious MCP in the Wild: The Postmark Backdoor Thats Stealing Your Emails ∗∗∗ --------------------------------------------- This is the world’s first sighting of a real world malicious MCP server. The attack surface for endpoint supply chain attacks is slowly becoming the enterprise’s biggest attack surface. --------------------------------------------- https://www.koi.security/blog/postmark-mcp-npm-malicious-backdoor-email-the… ∗∗∗ Akira ransomware breaching MFA-protected SonicWall VPN accounts ∗∗∗ --------------------------------------------- Ongoing Akira ransomware attacks targeting SonicWall SSL VPN devices continue to evolve, with the threat actors found to be successfully logging in despite OTP MFA being enabled on accounts. Researchers suspect that this may be achieved through the use of previously stolen OTP seeds, although the exact method remains unconfirmed. --------------------------------------------- https://www.bleepingcomputer.com/news/security/akira-ransomware-breaching-m… ∗∗∗ Pointer leaks through pointer-keyed data structures ∗∗∗ --------------------------------------------- Some time in 2024, during a Project Zero team discussion, we were talking about how remote ASLR leaks would be helpful or necessary for exploiting some types of memory corruption bugs, specifically in the context of Apple devices. --------------------------------------------- https://googleprojectzero.blogspot.com/2025/09/pointer-leaks-through-pointe… ∗∗∗ Microsoft Flags AI-Driven Phishing: LLM-Crafted SVG Files Outsmart Email Security ∗∗∗ --------------------------------------------- Microsoft is calling attention to a new phishing campaign primarily aimed at U.S.-based organizations that has likely utilized code generated using large language models (LLMs) to obfuscate payloads and evade security defenses. "Appearing to be aided by a large language model (LLM), the activity obfuscated its behavior within an SVG file, leveraging business terminology and a synthetic structure to disguise its malicious intent," the Microsoft Threat Intelligence team said in an analysis published last week. --------------------------------------------- https://thehackernews.com/2025/09/microsoft-flags-ai-driven-phishing-llm.ht… ∗∗∗ Cyber threat-sharing law set to shut down, along with US government ∗∗∗ --------------------------------------------- Barring a last-minute deal, the US federal government would shut down on Wednesday, October 1, and the 2015 Cybersecurity Information Sharing Act would lapse at the same time, threatening what many consider a critical plank of US cybersecurity policy. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/09/26/government_s… ∗∗∗ Sex offenders, terrorists, drug dealers, exposed in spyware breach ∗∗∗ --------------------------------------------- RemoteCOMs monitoring software leaked the personal details of suspects, offenders, and the law enforcement officers tracking them. --------------------------------------------- https://www.malwarebytes.com/blog/news/2025/09/sex-offenders-terrorists-dru… ∗∗∗ From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion ∗∗∗ --------------------------------------------- The intrusion took place in May 2024, when a user executed a malicious JavaScript file. This Javascipt file has been previously reported as associated with the Lunar Spider initial access group by EclecticIQ. The heavily obfuscated file, masquerading as a legitimate tax form, contained only a small amount of executable code dispersed among extensive filler content used for evasion. The JavaScript payload triggered the download of a MSI package, which deployed a Brute Ratel DLL file using rundll32. --------------------------------------------- https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-e… ∗∗∗ Medusa Ransomware Claims Comcast Data Breach, Demands $1.2M ∗∗∗ --------------------------------------------- Medusa ransomware group claims 834 GB data theft from Comcast, demanding $1.2M ransom while sharing screenshots and file listings. --------------------------------------------- https://hackread.com/medusa-ransomware-comcast-data-breach/ ∗∗∗ CISA and UK NCSC Release Joint Guidance for Securing OT Systems ∗∗∗ --------------------------------------------- CISA, in collaboration with the Federal Bureau of Investigation, the United Kingdom’s National Cyber Security Centre, and other international partners has released new joint cybersecurity guidance: [Creating and Maintaining a Definitive View of Your Operational Technology (OT) Architecture]. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/09/29/cisa-and-uk-ncsc-release… ∗∗∗ Supply chain security for the 0.001% (and why it won’t catch on) ∗∗∗ --------------------------------------------- After yet another supply chain issue (npm this time, but it doesn’t really matter that much), Shai-hulud, 500 packages affected and millions of downloads later, I finally wrapped up the protection system for my dev environment. I really don’t want to be the next one exploited. --------------------------------------------- https://blog.viraptor.info/post/supply-chain-security-for-the-0001-and-why-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (avahi, cups, firefox, gnutls, golang, httpd, kernel, libtpms, mysql, opentelemetry-collector, php:8.2, podman, postgresql:13, postgresql:15, python3, python3.11, python3.12, python3.9, thunderbird, and udisks2), Debian (firefox-esr, gimp, nncp, node-tar-fs, and squid), Fedora (chromium, firebird, python-azure-keyvault-securitydomain, python-azure-mgmt-security, and python-microsoft-security-utilities-secret-masker), Red Hat (httpd:2.4, kernel, kernel-rt, and mod_http2), SUSE (aide, apache2-mod_security2, chromedriver, cloud-init, docker, gdk-pixbuf, git, google-osconfig-agent, govulncheck-vulndb, gstreamer-plugins-base, iperf, kernel, krb5, krita, luajit, net-tools, nvidia-open-driver-G06-signed, pam, postgresql17, python311, rust-keylime, sevctl, tor, tree-sitter-ruby, and udisks2), and Ubuntu (curl, ghostscript, inetutils, python2.7, and qtbase-opensource-src). --------------------------------------------- https://lwn.net/Articles/1040058/ ∗∗∗ REDCap: Multiple Cross-Site Scripting (XSS) Vulnerabilities ∗∗∗ --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/redcap-mult… ∗∗∗ DataSpider Servista improper restriction of XML external entity references ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN23423519/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 26.09.2025
by Daily end-of-shift report 26 Sep '25

26 Sep '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 25-09-2025 18:00 − Freitag 26-09-2025 18:00 Handler: Guenes Holler Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Schwerwiegende Sicherheitslücken in Cisco Adaptive Security Appliance - aktiv ausgenutzt - Updates verfügbar ∗∗∗ --------------------------------------------- Cisco hat Informationen zu einer vermutlich bereits seit einigen Monaten laufenden Angriffskampagne veröffentlicht. Im Rahmen dieser Kampagne haben Angreifer:innen, denen bereits im vergangenen Jahr eine breitgefächerte Kampagne gegen Edge-Devices zugerechnet wurde, Cisco Adaptive Security Appliance (ASA) Systeme der 5500-X Reihe welche "VPN web services" kompromittiert um in weiterer Folge auf den übernommenen Geräten Schadsoftware zu platzieren und Daten zu stehlen. --------------------------------------------- https://www.cert.at/de/warnungen/2025/9/schwerwiegende-sicherheitslucken-in… ∗∗∗ Unofficial Postmark MCP npm silently stole users emails ∗∗∗ --------------------------------------------- A npm package copying the official postmark-mcp project on GitHub turned bad with the latest update that added a single line of code to exfiltrate all its users email communication. --------------------------------------------- https://www.bleepingcomputer.com/news/security/unofficial-postmark-mcp-npm-… ∗∗∗ Salesforce AI Agents Forced to Leak Sensitive Data ∗∗∗ --------------------------------------------- Yet again researchers have uncovered an opportunity (dubbed "ForcedLeak") for indirect prompt injection against autonomous agents lacking sufficient security controls — but this time the risk involves PII, corporate secrets, physical location data, and so much more. --------------------------------------------- https://www.darkreading.com/vulnerabilities-threats/salesforce-ai-agents-le… ∗∗∗ HeartCrypt’s wholesale impersonation effort ∗∗∗ --------------------------------------------- How the notorious Packer-as-a-Service operation built itself into a hydra. --------------------------------------------- https://news.sophos.com/en-us/2025/09/26/heartcrypts-wholesale-impersonatio… ∗∗∗ New COLDRIVER Malware Campaign Joins BO Team and Bearlyfy in Russia-Focused Cyberattacks ∗∗∗ --------------------------------------------- The Russian advanced persistent threat (APT) group known as COLDRIVER has been attributed to a fresh round of ClickFix-style attacks designed to deliver two new "lightweight" malware families tracked as BAITSWITCH and SIMPLEFIX. --------------------------------------------- https://thehackernews.com/2025/09/new-coldriver-malware-campaign-joins-bo.h… ∗∗∗ North Koreas Lazarus Group shares its malware with IT work scammers ∗∗∗ --------------------------------------------- North Korean-linked crews connected to the pervasive IT worker scams have upped their malware game, using more advanced tools, including a backdoor that has much of the same code as Pyongyang's infamous Lazarus Group deploys. --------------------------------------------- https://theregister.com/2025/09/25/lazarus_group_shares_malware_with_it_sca… ∗∗∗ LockBits new variant is most dangerous yet, hitting Windows, Linux and VMware ESXi ∗∗∗ --------------------------------------------- Trend Micro has sounded the alarm over the new LockBit 5.0 ransomware strain, which it warns is "significantly more dangerous" than past versions due to its newfound ability to simultaneously target Windows, Linux, and VMware ESXi environments. --------------------------------------------- https://theregister.com/2025/09/26/lockbits_new_variant_is_most/ ∗∗∗ Vietnamese Hackers Use Fake Copyright Notices to Spread Lone None Stealer ∗∗∗ --------------------------------------------- New Lone None Stealer uses Telegram C2 and DLL side-loading to grab passwords, credit cards, and crypto. Find out how to spot this highly evasive phishing scam. --------------------------------------------- https://hackread.com/vietnamese-hackers-fake-copyright-notice-lone-none-ste… ∗∗∗ It Is Bad (Exploitation of Fortra GoAnywhere MFT CVE-2025-10035) - Part 2 ∗∗∗ --------------------------------------------- We’re back, just over 24 hours later, to share our evolving understanding of CVE-2025-10035. --------------------------------------------- https://labs.watchtowr.com/it-is-bad-exploitation-of-fortra-goanywhere-mft-… ∗∗∗ SVG Phishing hits Ukraine with Amatera Stealer, PureMiner ∗∗∗ --------------------------------------------- Phishing emails disguised as official notices from Ukraine’s police deliver Amatera Stealer and PureMiner in a fileless attack chain. --------------------------------------------- https://www.fortinet.com/blog/threat-research/svg-phishing-hits-ukraine-wit… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (firefox, kernel, and thunderbird), Debian (ceph and thunderbird), Fedora (chromium, mingw-expat, python-deepdiff, python-orderly-set, python-pip, rust-az-cvm-vtpm, rust-az-snp-vtpm, rust-az-tdx-vtpm, and trustee-guest-components), Oracle (aide, kernel, and thunderbird), Red Hat (firefox, kernel, openssh, perl-YAML-LibYAML, and thunderbird), Slackware (expat), SUSE (jasper, libssh, openjpeg2, and python-pycares), and Ubuntu (linux-aws-6.14, linux-hwe-6.14, linux-azure, linux-hwe-6.8, linux-realtime-6.8, node-sha.js, and pcre2). --------------------------------------------- https://lwn.net/Articles/1039749/ ∗∗∗ [R1] Stand-alone Security Patch Available for Tenable Security Center versions 6.5.1 and 6.6.0: SC-202509.1 ∗∗∗ --------------------------------------------- Security Center leverages third-party software to help provide underlying functionality. One of the third-party components (PostgreSQL) was found to contain vulnerabilities, and an updated version has been made available by the provider. --------------------------------------------- https://www.tenable.com/security/tns-2025-18 ∗∗∗ Security Update Dingtian DT-R002 ∗∗∗ --------------------------------------------- All versions of Dingtian DT-R002 are vulnerable to an Insufficiently Protected Credentials vulnerability that could allow an attacker to retrieve the current user's username without authentication. --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-268-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 25.09.2025
by Daily end-of-shift report 25 Sep '25

25 Sep '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 24-09-2025 18:00 − Donnerstag 25-09-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft will offer free Windows 10 security updates in Europe ∗∗∗ --------------------------------------------- Microsoft will offer free extended security updates for Windows 10 users in the European Economic Area (EEA), which includes Iceland, Liechtenstein, Norway, and all 27 European Union member states. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-will-offer-free-w… ∗∗∗ Malicious Rust packages on Crates.io steal crypto wallet keys ∗∗∗ --------------------------------------------- Two malicious packages with nearly 8,500 downloads in Rusts official crate repository scanned developers systems to steal cryptocurrency private keys and other secrets. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-rust-packages-on-c… ∗∗∗ Supermicro: Unzählige Server-Mainboards anfällig für Firmware-Backdoors ∗∗∗ --------------------------------------------- Angreifer können in die BMC-Firmware zahlreicher Mainboards von Supermicro Malware einschleusen und damit dauerhaft die Kontrolle übernehmen. --------------------------------------------- https://www.golem.de/news/supermicro-unzaehlige-server-mainboards-anfaellig… ∗∗∗ XCSSET evolves again: Analyzing the latest updates to XCSSET’s inventory ∗∗∗ --------------------------------------------- Microsoft Threat Intelligence has uncovered a new variant of the XCSSET malware, which is designed to infect Xcode projects, typically used by software developers building Apple or macOS-related applications. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2025/09/25/xcsset-evolves-aga… ∗∗∗ OnePlus leaves researchers on read over Android bug that exposes texts ∗∗∗ --------------------------------------------- Rapid7 warns flaw could let any app peek at your SMS, but smartphone vendor wont pick up Updated Security researchers report that OnePlus smartphone users remain vulnerable to a critical bug that allows any application to read SMS and .. --------------------------------------------- https://www.theregister.com/2025/09/23/rapid7_oneplus_android_bug/ ∗∗∗ Jetzt patchen! Root-Attacken auf Cisco-Netzwerkgeräte möglich ∗∗∗ --------------------------------------------- Der Netzwerkausrüster Cisco warnt vor Angriffen unter anderem auf Router und Switches. Admins sollten die aktuellen Sicherheitsupdates installieren. --------------------------------------------- https://www.heise.de/news/Jetzt-patchen-Angreifer-attackieren-Netzwerkgerae… ∗∗∗ Zu unsicher: IT-Dienstleister NTT Data trennt sich wohl von Ivanti-Produkten ∗∗∗ --------------------------------------------- Nicht nur das interne Netz, sondern auch der Weiterverkauf an Kunden ist betroffen. Die Sicherheit der Produkte sei ein unvertretbares Risiko. --------------------------------------------- https://www.heise.de/news/Zu-unsicher-IT-Dienstleister-NTT-Data-trennt-sich… ∗∗∗ Kriminelle kündigen Bankanruf per SMS oder WhatsApp an ∗∗∗ --------------------------------------------- Dass Kriminelle sich am Telefon als Bankmitarbeiter:innen ausgeben, ist seit Langem bekannt. Neu ist jedoch eine besonders raffinierte Variante, die derzeit im Umlauf ist. Dabei bauen die Kriminellen gezielt Vertrauen auf, indem sie den Anruf vorab per SMS oder WhatsApp-Nachricht ankündigen. --------------------------------------------- https://www.watchlist-internet.at/news/kriminelle-kuendigen-bankanruf-per-s… ∗∗∗ International anti-fraud crackdown recovers more than $400 million, Interpol says ∗∗∗ --------------------------------------------- Authorities from more than 40 countries and territories blocked 68,000 bank accounts and froze about 400 cryptocurrency wallets as part of the operation from April through August, Interpol said. --------------------------------------------- https://therecord.media/anti-fraud-interpol-crackdown-recovers-over-400-mil… ∗∗∗ Securing Microsoft Entra ID: Lessons from the Field – Part 1 ∗∗∗ --------------------------------------------- This multipart blog series is focused on the real-world lessons learned while securing Microsoft Entra ID. Based on hands-on experience across various environments and organizations, we’ll explore the practical, high-impact strategies that work and more importantly, the common misconfigurations, overlooked settings, and pitfalls that can .. --------------------------------------------- https://blog.nviso.eu/2025/09/25/securing-microsoft-entra-id-lessons-from-t… ∗∗∗ This Is How Your LLM Gets Compromised ∗∗∗ --------------------------------------------- Poisoned data. Malicious LoRAs. Trojan model files. AI attacks are stealthier than ever—often invisible until it’s too late. Here’s how to catch them before they catch you. --------------------------------------------- https://www.trendmicro.com/en_us/research/25/i/prevent-llm-compromise.html ∗∗∗ Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors ∗∗∗ --------------------------------------------- Google Threat Intelligence Group (GTIG) is tracking BRICKSTORM malware activity, which is being used to maintain persistent access to victim organizations in the United States. Since March 2025, Mandiant Consulting has responded to intrusions across a range of industry verticals, most notably legal services, Software as a Service .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espiona… ∗∗∗ 180,000 ICS/OT Devices and Counting: The Unforgivable Exposure ∗∗∗ --------------------------------------------- A new Bitsight TRACE threat research report shows that Industrial Control System and Operational Technology (ICS/OT) exposure is climbing again. --------------------------------------------- https://www.bitsight.com/blog/the-growing-exposure-of-ics-ot-devices ∗∗∗ Yet Another Random Story: VBScripts Randomize Internals ∗∗∗ --------------------------------------------- In one of our recent posts, Dennis shared an interesting case study of C# exploitation that rode on Random-based password-reset tokens. He demonstrated how to use the single-packet attack, or a bit of old-school math, to beat the game. Recently, I performed a security test on a target which had a dependency written in VBScript. This blog post focuses .. --------------------------------------------- https://blog.doyensec.com/2025/09/25/yet-another-random-story.html ===================== = Vulnerabilities = ===================== ∗∗∗ Zahlreiche Schwachstellen in iMonitorSoft EAM ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/zahlreiche-schwachste… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 24.09.2025
by Daily end-of-shift report 24 Sep '25

24 Sep '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 23-09-2025 18:00 − Mittwoch 24-09-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Supermicro server motherboards can be infected with unremovable malware ∗∗∗ --------------------------------------------- One of the two vulnerabilities is the result of an incomplete patch Supermicro released in January, said Alex Matrosov, founder and CEO of Binarly, the security firm that discovered it. [..] The two new vulnerabilities—tracked as CVE-2025-7937 and CVE-2025-6198—reside inside silicon soldered onto Supermicro motherboards that run servers inside data centers. [..] Supermicro said it has updated the BMC firmware to mitigate the vulnerabilities. The company is currently testing and validating affected products. --------------------------------------------- https://arstechnica.com/security/2025/09/supermicro-server-motherboards-can… ∗∗∗ PyPI urges users to reset credentials after new phishing attacks ∗∗∗ --------------------------------------------- The Python Software Foundation has warned victims of a new wave of phishing attacks using a fake Python Package Index (PyPI) website to reset credentials. --------------------------------------------- https://www.bleepingcomputer.com/news/security/pypi-urges-users-to-reset-cr… ∗∗∗ YiBackdoor: A New Malware Family With Links to IcedID and Latrodectus ∗∗∗ --------------------------------------------- Zscaler ThreatLabz has identified a new malware family that we named YiBackdoor, which was first observed in June 2025. The malware is particularly interesting because it contains significant code overlaps with IcedID and Latrodectus. Similar to Zloader and Qakbot, IcedID was originally designed for facilitating banking and wire fraud. --------------------------------------------- https://www.zscaler.com/blogs/security-research/yibackdoor-new-malware-fami… ∗∗∗ Fake Malwarebytes, LastPass, and others on GitHub serve malware ∗∗∗ --------------------------------------------- Fake software—including Malwarebytes and LastPass—is currently circulating on GitHub pages, in a large-scale campaign targeting Mac users. --------------------------------------------- https://www.malwarebytes.com/blog/news/2025/09/fake-malwarebytes-lastpass-a… ∗∗∗ Betrugs-Website mit Fake-Investitionsprojekt im Stil von orf.at ∗∗∗ --------------------------------------------- Plus gefälschtes Video von Bundespräsident Van der Bellen. Die Täter wollen persönliche Daten abgreifen und 250 Euro abkassieren --------------------------------------------- https://www.derstandard.at/story/3000000289130/betrugs-website-mit-fake-inv… ∗∗∗ Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors ∗∗∗ --------------------------------------------- Google Threat Intelligence Group (GTIG) is tracking BRICKSTORM malware activity, which is being used to maintain persistent access to victim organizations in the United States. [..] The value of these targets extends beyond typical espionage missions, potentially providing data to feed development of zero-days and establishing pivot points for broader access to downstream victims. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espiona… ∗∗∗ Is This Bad? This Feels Bad. (Fortra GoAnywhere CVE-2025-10035) ∗∗∗ --------------------------------------------- On Thursday, September 18, Fortra published a security advisory fi-2025-012 titled: Deserialization Vulnerability in GoAnywhere MFT's License Servlet. The title in itself is reason for alarm, with the description going further to explain how we likely got to a CVSS 10.0 [..] No mystery is complete without a few unanswered questions. Despite our usual routine of reverse engineering and creative detours, we’ve ended this one with more questions than usual. --------------------------------------------- https://labs.watchtowr.com/is-this-bad-this-feels-bad-goanywhere-cve-2025-1… ∗∗∗ Mobilfunk-Server mit 100.000 SIM-Karten in New York beschlagnahmt ∗∗∗ --------------------------------------------- Rund um das New Yorker Hauptquartier der UNO wurden 300 SIM-Karten-Server und 100.000 SIM-Karten entdeckt. Deren Zweck ist undeutlich. --------------------------------------------- https://heise.de/-10668021 ∗∗∗ Cyberattacke auf Flughäfen: Weiterhin Probleme am BER und eine Festnahme ∗∗∗ --------------------------------------------- Auch Tage nach der Cyberattacke halten die Beeinträchtigungen am Flughafen BER an. In Großbritannien wurde indessen ein Tatverdächtiger festgenommen. --------------------------------------------- https://heise.de/-10669658 ∗∗∗ How MCP Authentication Flaws Enable RCE in Claude Code, Gemini CLI, and More ∗∗∗ --------------------------------------------- During our security testing, we discovered that connecting to a malicious MCP server via common coding tools like Claude Code and Gemini CLI could give attackers instant control over user computers. --------------------------------------------- https://verialabs.com/blog/from-mcp-to-shell/ ===================== = Vulnerabilities = ===================== ∗∗∗ Unpatched flaw in OnePlus phones lets rogue apps text messages ∗∗∗ --------------------------------------------- A vulnerability in multiple OnePlus OxygenOS versions allows any installed app to access SMS data and metadata without requiring permission or user interaction. [..] The flaw, tracked as CVE-2025-10184, and discovered by Rapid7 researchers, is currently unpatched and exploitable. --------------------------------------------- https://www.bleepingcomputer.com/news/security/unpatched-flaw-in-oneplus-ph… ∗∗∗ Two Critical Flaws Uncovered in Wondershare RepairIt Exposing User Data and AI Models ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed two security flaws in Wondershare RepairIt that exposed private user data and potentially exposed the system to artificial intelligence (AI) model tampering and supply chain risks. [..] Successful exploitation of the two flaws can allow an attacker to circumvent authentication protection on the system and launch a supply chain attack, ultimately resulting in the execution of arbitrary code on customers' endpoints. [..] The cybersecurity company said it responsibly disclosed the two issues through its Zero Day Initiative (ZDI) in April 2025, but not that it has yet to receive a response from the vendor despite repeated attempts. In the absence of a fix, users are recommended to "restrict interaction with the product." CVE-2025-10643, CVE-2025-10644 --------------------------------------------- https://thehackernews.com/2025/09/two-critical-flaws-uncovered-in.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (kernel and kernel-rt), Fedora (expat), Red Hat (kernel and multiple packages), SUSE (avahi, busybox, busybox-links, kernel, sevctl, tcpreplay, thunderbird, and tor), and Ubuntu (isc-kea, linux, linux-aws, linux-gcp, linux-gke, linux-gkeop, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-aws-6.8, linux-gcp-6.8, linux-aws-fips, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-realtime, python-pip, and rabbitmq-server). --------------------------------------------- https://lwn.net/Articles/1039311/ ∗∗∗ Libraesva ESG Security advisory: command injection vulnerability (CVE-2025-59689) ∗∗∗ --------------------------------------------- https://docs.libraesva.com/knowledgebase/security-advisory-command-injectio… ∗∗∗ ZDI-25-907: Autodesk Revit RFA File Parsing Type Confusion Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-907/ ∗∗∗ Google Chrome: Chrome for Android Update ∗∗∗ --------------------------------------------- http://chromereleases.googleblog.com/2025/09/chrome-for-android-update_23.h… ∗∗∗ Google Chrome: Stable Channel Update for Desktop ∗∗∗ --------------------------------------------- http://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desk… ∗∗∗ AutomationDirect CLICK PLUS ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-266-01 ∗∗∗ Mitsubishi Electric MELSEC-Q Series CPU Module ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-266-02 ∗∗∗ Viessmann Vitogate 300 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-266-04 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 23.09.2025
by Daily end-of-shift report 23 Sep '25

23 Sep '25

===================== = End-of-Day report = ===================== Timeframe: Montag 22-09-2025 18:00 − Dienstag 23-09-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ SonicWall releases SMA100 firmware update to wipe rootkit malware ∗∗∗ --------------------------------------------- SonicWall has released a firmware update that can help customers remove rootkit malware deployed in attacks targeting SMA 100 series devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/sonicwall-releases-sma100-fi… ∗∗∗ GitHub Mandates 2FA and Short-Lived Tokens to Strengthen npm Supply Chain Security ∗∗∗ --------------------------------------------- GitHub on Monday announced that it will be changing its authentication and publishing options "in the near future" in response to a recent wave of supply chain attacks targeting the npm ecosystem, including the Shai-Hulud attack. This includes steps to address threats posed by token abuse and self-replicating malware by allowing local publishing with required two-factor authentication (2FA), granular tokens that will have a limited lifetime of seven days, and trusted publishing, which enables the ability to securely publish npm packages directly from CI/CD workflows using OpenID Connect (OIDC). --------------------------------------------- https://thehackernews.com/2025/09/github-mandates-2fa-and-short-lived.html ∗∗∗ Vier Jahre langes Hin und Her zwischen Sicherheitsforscher und Vasion Print ∗∗∗ --------------------------------------------- Vasion Print war oder ist sogar noch verwundbar. Ob bereits alle Schwachstellen geschlossen sind, ist auf den ersten Blick nicht erkennbar. --------------------------------------------- https://www.heise.de/news/Vier-Jahre-langes-Hin-und-Her-zwischen-Sicherheit… ∗∗∗ [Guest Diary] Distracting the Analyst for Fun and Profit, (Tue, Sep 23rd) ∗∗∗ --------------------------------------------- Distributed denial of service (DDoS) attacks are a type of cyber-attack where the threat actor attempts to disrupt a service by flooding the target with a ton of requests to overload system resources and prevent legitimate traffic from reaching it. [..] We can draw a few conclusions from analyzing each wave of this attack. --------------------------------------------- https://isc.sans.edu/diary/rss/32308 ∗∗∗ Technical Analysis of Zloader Updates ∗∗∗ --------------------------------------------- Zloader (a.k.a. Terdot, DELoader, or Silent Night) is a Zeus-based modular trojan that emerged in 2015. Zloader was originally designed to facilitate banking, but has since been repurposed for initial access, providing an entry point into corporate environments for the deployment of ransomware. --------------------------------------------- https://www.zscaler.com/blogs/security-research/technical-analysis-zloader-… ∗∗∗ CISA Shares Lessons Learned from an Incident Response Engagement ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this Cybersecurity Advisory to highlight lessons learned from an incident response engagement CISA conducted at a U.S. federal civilian executive branch (FCEB) agency. CISA is publicizing this advisory to reinforce the importance of prompt patching, as well as preparing for incidents by practicing incident response plans and by implementing logging and aggregating logs in a centralized out-of-band location. --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-266a ===================== = Vulnerabilities = ===================== ∗∗∗ SolarWinds releases third patch to fix Web Help Desk RCE bug ∗∗∗ --------------------------------------------- SolarWinds has released a hotfix for a critical a critical vulnerability in Web Help Desk that allows remote code execution (RCE) without authentication. Tracked as CVE-2025-26399, the security issue is the company's third attempt to address an older flaw identified as CVE-2024-28986 that impacted Web Help Desk (WHD) 12.8.3 and all previous versions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/solarwinds-releases-third-pa… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (corosync and kernel), Fedora (checkpointctl, chromium, curl, and perl-Catalyst-Authentication-Credential-HTTP), SUSE (firefox, frr, kernel, rustup, vim, and wireshark), and Ubuntu (glibc and pam). --------------------------------------------- https://lwn.net/Articles/1039124/ ∗∗∗ Fehlende Validierung von Zertifikaten führt zu RCE in CleverControl Überwachungssoftware für Mitarbeitende ∗∗∗ --------------------------------------------- Eine fehlende Validierung des TLS Serverzertifikats in dem Installer der "CleverControl" Überwachungssoftware für Mitarbeitende erlaubt es Angreifern, die sich in die Netzwerkverbindung zwischen Client und Server platzieren können, beliebigen Code mit Administratorrechten auszuführen. CVE-2025-10548 --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/fehlende-validierung-… ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2025-0006 ∗∗∗ --------------------------------------------- https://webkitgtk.org/security/WSA-2025-0006.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 22.09.2025
by Daily end-of-shift report 22 Sep '25

22 Sep '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 19-09-2025 18:00 − Montag 22-09-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Guenes Holler ===================== = News = ===================== ∗∗∗ Cyberattacke auf Dienstleister behindert Flughäfen in Europa ∗∗∗ --------------------------------------------- Ein Dienstleister für die Systeme zur Passagierabfertigung ist am Freitagabend angegriffen worden, wie der Berliner Flughafen mitteilte. [..] Der Systemanbieter wird europaweit an Flughäfen eingesetzt. [..] Passagiere müssen nun mit längeren Wartezeiten beim Check-in und Boarding und mit Verspätungen rechnen. --------------------------------------------- https://www.heise.de/news/Cyberangriff-behindert-europaeische-Flughaefen-au… ∗∗∗ LastPass: Fake password managers infect Mac users with malware ∗∗∗ --------------------------------------------- LastPass is warning users of a campaign that targets macOS users with malicious software impersonating popular products delivered through fraudulent GitHub repositories. [..] The attackers created a large number of deceptive GitHub repositories from multiple accounts to evade takedown and optimize them to rank high in search results. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lastpass-fake-password-manag… ∗∗∗ BlockBlasters: Infected Steam game downloads malware disguised as patch ∗∗∗ --------------------------------------------- A 2D platformer game called BlockBlasters has recently started showing signs of malicious activity after a patch release on August 30. While the user is playing the game, various bits of information are lifted from the PC the game is running on - including crypto wallet data. Hundreds of users are potentially affected. --------------------------------------------- https://feeds.feedblitz.com/~/925181471/0/gdatasecurityblog-en~BlockBlaster… ∗∗∗ Understanding Spamhaus and Its Role in Email Security ∗∗∗ --------------------------------------------- One of the often “behind‐the‐scenes” organizations helping to defend email systems is Spamhaus. In this post, we’ll explain what Spamhaus is, how it works, why it matters, and what best practices companies should follow to stay out of blacklists and protect deliverability. --------------------------------------------- https://blog.sucuri.net/2025/09/understanding-spamhaus-and-its-role-in-emai… ∗∗∗ Researchers Uncover GPT-4-Powered MalTerminal Malware Creating Ransomware, Reverse Shell ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered what they say is the earliest example known to date of a malware with that bakes in Large Language Model (LLM) capabilities.The malware has been codenamed MalTerminal by SentinelOne SentinelLABS research team. --------------------------------------------- https://thehackernews.com/2025/09/researchers-uncover-gpt-4-powered.html ∗∗∗ Achtung vor WKO Phishing-Mails zu angeblichen Abgabenrückständen! ∗∗∗ --------------------------------------------- Derzeit erhalten viele Unternehmen eine gefälschte E-Mail, die angeblich von der Wirtschaftskammer Österreich (WKO) stammt. Darin wird behauptet, es gebe offene Abgaben von 482,00 Euro, die über einen Link bezahlt werden sollen. Achtung: Zahlen Sie nicht, es handelt sich um einen Betrugsversuch! --------------------------------------------- https://www.watchlist-internet.at/news/achtung-vor-wko-phishing-mails-zu-an… ∗∗∗ Fake-Shops: Kriminelle nutzen die finnische Kultmarke „Marimekko“ als Deckmantel ∗∗∗ --------------------------------------------- Derzeit tauchen auf Social-Media-Plattformen vermehrt Werbeanzeigen auf, die ungewöhnlich hohe Rabatte in Marimekko-Onlineshops versprechen. Natürlich stimmt daran nichts. Die Spezialpreise sollen die Fans der finnischen Design-Marke zu Impulskäufen verleiten. Geliefert werden die bestellten Produkte nie, das Geld ist weg. --------------------------------------------- https://www.watchlist-internet.at/news/fake-shops-marimekko/ ∗∗∗ Iranian Threat Actor Nimbus Manticore Expands Campaigns into Europe with Advanced Malware and Fake Job Lures ∗∗∗ --------------------------------------------- In this blog, we highlight the evolution of Minibike into a new variant dubbed MiniJunk, the use of fake recruiting portals for malware delivery, victimology across the Middle East and Western Europe, and the broader implications for defense, telecom, and aviation sectors. --------------------------------------------- https://blog.checkpoint.com/research/iranian-threat-actor-nimbus-manticore-… ∗∗∗ Hacking with AI SASTs: An overview of ‘AI Security Engineers’ / ‘LLM Security Scanners’ for Penetration Testers and Security Teams ∗∗∗ --------------------------------------------- For the past few months, I have been trialing various AI-native security scanners, with a main focus on finding a product on the market today that is able to analyze the source code of a project in order to find vulnerabilities. This post will detail that journey, the successes and failures I’ve come across, my thoughts, and offer a general review of new on-the-market products that fit the category. --------------------------------------------- https://joshua.hu/llm-engineer-review-sast-security-ai-tools-pentesters ∗∗∗ Kernel Security in the Wild: Side-Channel-Assisted Exploit Techniques, Kernel-Level Defenses, and Real-World Analysis ∗∗∗ --------------------------------------------- In this thesis, we address all three challenges to advance the state of kernel security. [..] We introduce three novel side channels: SLUBStick, a timing side channel on the kernel’s memory allocator to infer heap memory reuse; KernelSnitch, a software- induced side channel that leaks the location of kernel heap objects via data structure access timing; and a hardware-induced TLB side channel that leaks fine-grained memory layout information. --------------------------------------------- https://tugraz.elsevierpure.com/ws/portalfiles/portal/98775241/main.pdf ===================== = Vulnerabilities = ===================== ∗∗∗ VU#780141: Cross-site scripting vulnerability in Lectora course navigation ∗∗∗ --------------------------------------------- Lectora Desktop versions 21.0–21.3 and Lectora Online versions 7.1.6 and older contained a cross-site scripting (XSS) vulnerability in courses published with Seamless Play Publish (SPP) enabled and Web Accessibility disabled. The vulnerability was initially patched in Lectora Desktop version 21.4 (October 25, 2022), but users must republish existing courses to apply the patch. CVE-2025-9125 --------------------------------------------- https://kb.cert.org/vuls/id/780141 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ffmpeg, jetty12, jetty9, jq, and pam), Fedora (curl, libssh, podman-tui, and prometheus-podman-exporter), Oracle (firefox, gnutls, kernel, and thunderbird), and SUSE (bluez, cairo, chromium, cmake, cups, firefox, frr, govulncheck-vulndb, kernel, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, mariadb, mybatis, ognl, python-h2, and rke2). --------------------------------------------- https://lwn.net/Articles/1039053/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 19.09.2025
by Daily end-of-shift report 19 Sep '25

19 Sep '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 18-09-2025 18:00 − Freitag 19-09-2025 18:00 Handler: Felician Fuchs Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Backup-Diebstahl: Angreifer stahlen bei Sonicwall Firewallkonfigurationen ∗∗∗ --------------------------------------------- Der Firewallhersteller Sonicwall meldet einen Einbruch in Cloud-Konten seiner Kunden. Dabei haben Unbekannte Sicherungskopien von Firewallkonfigurationsdateien unerlaubt vervielfältigt und exfiltriert. Es handelt sich jedoch nicht um einen Cyberangriff auf Sonicwall, sondern offenbar um massenhaftes Durchprobieren von Zugangsdaten. [..] Die entwendeten Konfigurationsdateien können sensible Informationen enthalten und Angriffe erleichtern. Offenbar sind nur wenige Kunden betroffen. --------------------------------------------- https://heise.de/-10662565 ∗∗∗ CISA exposes malware kits deployed in Ivanti EPMM attacks ∗∗∗ --------------------------------------------- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published an analysis of the malware deployed in attacks exploiting vulnerabilities affecting Ivanti Endpoint Manager Mobile (EPMM). The flaws are an authentication bypass in EPMM’s API component (CVE-2025-4427) and a code injection vulnerability (CVE-2025-4428) that allows execution of arbitrary code. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisa-exposes-malware-kits-de… ∗∗∗ New attack on ChatGPT research agent pilfers secrets from Gmail inboxes ∗∗∗ --------------------------------------------- Today’s installment hits OpenAI’s Deep Research agent. Researchers recently devised an attack that plucked confidential information out of a user’s Gmail inbox and sent it to an attacker-controlled web server, with no interaction required on the part of the victim and no sign of exfiltration. --------------------------------------------- https://arstechnica.com/information-technology/2025/09/new-attack-on-chatgp… ∗∗∗ Threat landscape for industrial automation systems in Q2 2025 ∗∗∗ --------------------------------------------- Kaspersky industrial threat report contains statistics on various malicious objects detected and blocked on ICS computers by Kaspersky solutions in Q2 2025. --------------------------------------------- https://securelist.com/industrial-threat-report-q2-2025/117532/ ∗∗∗ How AI-Native Development Platforms Enable Fake Captcha Pages ∗∗∗ --------------------------------------------- Cybercriminals are abusing AI-native platforms like Vercel, Netlify, and Lovable to host fake captcha pages that deceive users, bypass detection, and drive phishing campaigns. --------------------------------------------- https://www.trendmicro.com/en_us/research/25/i/ai-development-platforms-ena… ===================== = Vulnerabilities = ===================== ∗∗∗ Fortra Releases Critical Patch for CVSS 10.0 GoAnywhere MFT Vulnerability ∗∗∗ --------------------------------------------- Fortra has disclosed details of a critical security flaw in GoAnywhere Managed File Transfer (MFT) software that could result in the execution of arbitrary commands. The vulnerability, tracked as CVE-2025-10035, carries a CVSS score of 10.0, indicating maximum severity. "A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection," Fortra said in an advisory released Thursday. --------------------------------------------- https://thehackernews.com/2025/09/fortra-releases-critical-patch-for-cvss.h… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, cjson, and firefox-esr), Fedora (expat, gh, scap-security-guide, and xen), Oracle (container-tools:rhel8, firefox, grub2, and mysql:8.4), SUSE (busybox, busybox-links, element-web, kernel, shadowsocks-v2ray-plugin, and yt-dlp), and Ubuntu (imagemagick, linux, linux-aws, linux-gcp, linux-gke, linux-gkeop, linux-hwe-6.8, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-oracle, linux-azure, linux-azure-5.15, linux-azure-fips, linux-ibm, linux-ibm-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-raspi, linux-oracle-6.8, linux-realtime, and openjpeg2). --------------------------------------------- https://lwn.net/Articles/1038802/ ∗∗∗ CISA Releases Nine Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- ICSA-25-261-01 Westermo Network Technologies WeOS 5, ICSA-25-261-02 Westermo Network Technologies WeOS 5, ICSA-25-261-03 Schneider Electric Saitel DR & Saitel DP Remote Terminal Unit, ICSA-25-261-04 Hitachi Energy Asset Suite, ICSA-25-261-05 Hitachi Energy Service Suite, ICSA-25-261-06 Cognex In-Sight Explorer and In-Sight Camera Firmware, ICSA-25-261-07 Dover Fueling Solutions ProGauge MagLink LX4 Devices --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/09/18/cisa-releases-nine-indus… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 18.09.2025
by Daily end-of-shift report 18 Sep '25

18 Sep '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 17-09-2025 18:00 − Donnerstag 18-09-2025 18:00 Handler: Guenes Holler Co-Handler: n/a ===================== = News = ===================== ∗∗∗ ShinyHunters claims 1.5 billion Salesforce records stolen in Drift hacks ∗∗∗ --------------------------------------------- The ShinyHunters extortion group claims to have stolen over 1.5 billion Salesforce records from 760 companies using compromised Salesloft Drift OAuth tokens. For the past year, the threat actors have been targeting Salesforce customers in data theft attacks using social engineering and malicious OAuth applications to breach Salesforce instances and download data. The stolen data is then used to extort companies into paying a ransom to prevent the data from being publicly leaked. --------------------------------------------- https://www.bleepingcomputer.com/news/security/shinyhunters-claims-15-billi… ∗∗∗ SystemBC malware turns infected VPS systems into proxy highway ∗∗∗ --------------------------------------------- The operators of the SystemBC proxy botnet are hunting for vulnerable commercial virtual private servers (VPS) and maintain an average of 1,500 bots every day that provide a highway for malicious traffic. Compromised servers are located all over the world and have at least one unpatched critical vulnerability, some of them being plagued by tens of security issues. --------------------------------------------- https://www.bleepingcomputer.com/news/security/systembc-malware-turns-infec… ∗∗∗ Microsoft: Hacker konnten wohl beliebige Entra-ID-Tenants kapern ∗∗∗ --------------------------------------------- Der Sicherheitsforscher Dirk-Jan Mollema hat eine gefährliche Sicherheitslücke in der von vielen Unternehmen genutzten cloudbasierten Identitäts- und Zugriffsverwaltungsplattform Microsoft Entra ID entdeckt. Wie der Forscher in einem Blogbeitrag(öffnet im neuen Fenster) schildert, konnte er damit weltweit so ziemlich jeden Entra-ID-Tenant kompromittieren – mit Ausnahme nationaler Cloud-Deployments, die er lediglich mangels Zugriff nicht testen konnte. --------------------------------------------- https://www.golem.de/news/microsoft-hacker-konnten-wohl-beliebige-entra-id-… ∗∗∗ SilentSync RAT Delivered via Two Malicious PyPI Packages Targeting Python Developers ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered two new malicious packages in the Python Package Index (PyPI) repository that are designed to deliver a remote access trojan called SilentSync on Windows systems. --------------------------------------------- https://thehackernews.com/2025/09/silentsync-rat-delivered-via-two.html ∗∗∗ CountLoader Broadens Russian Ransomware Operations With Multi-Version Malware Loader ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a new malware loader codenamed CountLoader that has been put to use by Russian ransomware gangs to deliver post-exploitation tools like Cobalt Strike and AdaptixC2, and a remote access trojan known as PureHVNC RAT. --------------------------------------------- https://thehackernews.com/2025/09/countloader-broadens-russian-ransomware.h… ∗∗∗ Phishing-Mails im Namen der Statistik Austria im Umlauf ∗∗∗ --------------------------------------------- Aktuell kursiert eine Phishing-E-Mail, die vorgibt, von der Statistik Austria zu stammen. In der Nachricht werden Unternehmen aufgefordert, sensible Finanz- und Geschäftsdaten (z. B. Listen ausländischer Geschäftspartner, Beträge, Zahlungsfristen) zu übermitteln. Es ist davon auszugehen, dass die Daten für gefälschte Geldforderungen an Geschäftspartner missbraucht werden könnten. --------------------------------------------- https://www.watchlist-internet.at/news/phishing-mails-im-namen-der-statisti… ∗∗∗ What We Know About the NPM Supply Chain Attack ∗∗∗ --------------------------------------------- On September 15, the Node Package Manager (NPM) repository experienced an ongoing supply chain attack, in which the attackers executed a highly targeted phishing campaign to compromise the account of an NPM package maintainer. With privileged access, the attackers injected malicious code into widely used JavaScript packages, threatening the entire software ecosystem. Notably, the attack has disrupted several key NPM packages, including those integral to application development and cryptography. --------------------------------------------- https://www.trendmicro.com/en_us/research/25/i/npm-supply-chain-attack.html ∗∗∗ New Raven Stealer Malware Hits Browsers for Passwords and Payment Data ∗∗∗ --------------------------------------------- New research reveals Raven Stealer malware that targets browsers like Chrome and Edge to steal personal data. Learn how this threat uses simple tricks like process hollowing to evade antiviruses and why it’s a growing risk for everyday users. --------------------------------------------- https://hackread.com/raven-stealer-malware-browsers-passwords-payment-data/ ∗∗∗ Vane Viper Malvertising Network Posed as Legit Adtech in Global Scams ∗∗∗ --------------------------------------------- Cybersecurity firm Infoblox says it has discovered “Vane Viper,” a massive online ad network that posed as a legitimate business while running global scams and spreading malware. Linked to previously reported PropellerAds and its parent company AdTech Holding, the operation has been active for nearly a decade and is now being called one of the largest malvertising scams seen to date. --------------------------------------------- https://hackread.com/vane-viper-malvertising-adtech-global-scams/ ===================== = Vulnerabilities = ===================== ∗∗∗ Notfallpatch: Aktiv ausgenutzte Chrome-Lücke gefährdet unzählige Nutzer ∗∗∗ --------------------------------------------- Google hat einen Notfallpatch für seinen weit verbreiteten Webbrowser Chrome bereitgestellt. Damit schließt der Konzern gleich mehrere gefährliche Sicherheitslücken. Eine davon wird bereits aktiv ausgenutzt, wie aus den Release Notes(öffnet im neuen Fenster) hervorgeht. Anwender sollten den Browser daher zügig aktualisieren, um sich vor möglichen Angriffen zu schützen. Betroffen sind Chrome-Versionen für Windows, Mac und Linux. --------------------------------------------- https://www.golem.de/news/notfallpatch-aktiv-ausgenutzte-chrome-luecke-gefa… ∗∗∗ Schwachstellen bedrohen HPE Aruba Networking EdgeConnect SD-WAN ∗∗∗ --------------------------------------------- Angreifer können Wide Area Networks (WAN) attackieren, die auf HPE Aruba Networking EdgeConnect SD-WAN fußen. Die Entwickler haben jüngst mehrere Sicherheitslücken geschlossen. Nach erfolgreichen Attacken können Angreifer unter anderem Sicherheitsbeschränkungen umgehen oder sogar Schadcode ausführen, um Systeme vollständig zu kompromittieren. --------------------------------------------- https://www.heise.de/news/Schwachstellen-bedrohen-HPE-Aruba-Networking-Edge… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (gnutls, mysql:8.4, opentelemetry-collector, and python-cryptography), Debian (nextcloud-desktop), Fedora (chromium, firefox, forgejo, gitleaks, kernel, kernel-headers, lemonldap-ng, perl-Cpanel-JSON-XS, and python-pip), Red Hat (firefox and libxml2), Slackware (expat and mozilla), SUSE (avahi, bluez, cups, curl, firefox-esr, gdk-pixbuf, gstreamer, java-1_8_0-ibm, krb5, net-tools, podman, raptor, sevctl, tkimg, ucode-intel, and vim), and Ubuntu (linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-fips, linux-azure-fips, linux-gcp-fips, and linux-gcp-6.14, linux-oracle, linux-oracle-6.14). --------------------------------------------- https://lwn.net/Articles/1038638/ ∗∗∗ Open-Source Tool Greenshot Hit by Severe Code Execution Vulnerability ∗∗∗ --------------------------------------------- A security vulnerability has been discovered in Greenshot, the widely used open-source screenshot tool for Windows. The Greenshot vulnerability exposes to the risk of arbitrary code execution, potentially allowing attackers to bypass established security protocols and launch further malicious activities. A proof-of-concept (PoC) exploit has already been released, drawing attention to the critical nature of the vulnerability. --------------------------------------------- https://thecyberexpress.com/greenshot-vulnerability/ ∗∗∗ ENCS testers help resolve critical vulnerabilities in solar inverters ∗∗∗ --------------------------------------------- ENCS cybersecurity testers uncovered several vulnerabilities in consumer solar inverters widely used in Europe, as part of the work on consumer IoT equipment. We reported these to the Dutch Institute for Vulnerability Disclosure (DIVD) CSIRT to start a responsible vulnerability disclosure process. Six vulnerabilities have now been resolved by the manufacturers. --------------------------------------------- https://encs.eu/news/encs-testers-help-resolve-critical-vulnerabilities-in-… ∗∗∗ ZDI-25-895: Wondershare Repairit Incorrect Permission Assignment Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-895/ ∗∗∗ CVE-2025-9242: WatchGuard Firebox iked Out of Bounds Write Vulnerability ∗∗∗ --------------------------------------------- https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00015 ∗∗∗ Third-Party Libraries and Supply Chains - PSA-2025-09-17 ∗∗∗ --------------------------------------------- https://www.drupal.org/psa-2025-09-17 ∗∗∗ Daikin Security Gateway ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-254-10 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 17.09.2025
by Daily end-of-shift report 17 Sep '25

17 Sep '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 16-09-2025 18:00 − Mittwoch 17-09-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ From ClickFix to MetaStealer: Dissecting Evolving Threat Actor Techniques ∗∗∗ --------------------------------------------- ClickFix isnt just back—its mutating. New variants use fake CAPTCHAs, File Explorer tricks & MSI lures to drop MetaStealer. Stay ahead with Huntress Tradecraft Tuesday threat briefings. --------------------------------------------- https://www.bleepingcomputer.com/news/security/from-clickfix-to-metastealer… ∗∗∗ Critical Bugs in Chaos Mesh Enable Cluster Takeover ∗∗∗ --------------------------------------------- "Chaotic Deputy" is a set of four vulnerabilities in the chaos engineering platform that many organizations use to test the resilience of their Kubernetes environments. Such is the case with a set of four serious vulnerabilities that researchers at JFrog recently discovered in Chaos Mesh that give attackers a way to take over entire Kubernetes clusters. --------------------------------------------- https://www.darkreading.com/cyber-risk/critical-bugs-chaos-mesh-cluster-tak… ∗∗∗ GOLD SALEM’s Warlock operation joins busy ransomware landscape ∗∗∗ --------------------------------------------- Counter Threat Unit (CTU) researchers are monitoring a threat group that refers to itself as Warlock Group. The group, which CTU researchers track as GOLD SALEM, has compromised networks and deployed its Warlock ransomware since March 2025. --------------------------------------------- https://news.sophos.com/en-us/2025/09/17/gold-salems-warlock-operation-join… ∗∗∗ Scattered Spider Resurfaces With Financial Sector Attacks Despite Retirement Claims ∗∗∗ --------------------------------------------- Cybersecurity researchers have tied a fresh round of cyber attacks targeting financial services to the notorious cybercrime group known as Scattered Spider, casting doubt on their claims of going "dark". Threat intelligence firm ReliaQuest said it has observed indications that the threat actor has shifted their focus to the financial sector. --------------------------------------------- https://thehackernews.com/2025/09/scattered-spider-resurfaces-with.html ∗∗∗ Microsoft seizes 338 websites to disrupt rapidly growing ‘RaccoonO365’ phishing service ∗∗∗ --------------------------------------------- Microsoft’s Digital Crimes Unit (DCU) has disrupted RaccoonO365, the fastest-growing tool used by cybercriminals to steal Microsoft 365 usernames and passwords (“credentials”). --------------------------------------------- https://blogs.microsoft.com/on-the-issues/2025/09/16/microsoft-seizes-338-w… ∗∗∗ Ransomware HybridPetya hebelt UEFI Secure Boot aus ∗∗∗ --------------------------------------------- ESET Research hat HybridPetya auf der Sample-Sharing-Plattform VirusTotal entdeckt. Es handelt sich um einen Nachahmer der berüchtigten Petya/NotPetya-Malware, der zusätzlich die Fähigkeit besitzt, UEFI-basierte Systeme zu kompromittieren und CVE-2024-7344 als Waffe einzusetzen, um UEFI Secure Boot auf veralteten Systemen zu umgehen. --------------------------------------------- https://www.welivesecurity.com/de/eset-research/ransomware-hybridpetya-hebe… ∗∗∗ Myth Busting: Why "Innocent Clicks" Dont Exist in Cybersecurity ∗∗∗ --------------------------------------------- Unit 42 explores how innocent clicks can have serious repercussions. Learn how simply visiting a malicious site can expose users to significant digital dangers. --------------------------------------------- https://unit42.paloaltonetworks.com/why-innocent-clicks-dont-exist-in-cyber… ∗∗∗ Der npm-Angriff geht weiter – "Wurm" infiziert Pakete ∗∗∗ --------------------------------------------- Der Lieferkettenangriff auf ein npm-Entwicklerkonto und 18 kompromittierten Paketen schien glimpflich ausgegangen zu sein. Jetzt wird bekannt, dass die Angriffe (über ein anderes Konto) weitergehen und eine selbstreplizierende Malware (Shai-Hulud) bereits mehr als 500 npm-Pakete infiziert hat. --------------------------------------------- https://www.borncity.com/blog/2025/09/17/der-npm-angriff-geht-weiter-wurm-i… ∗∗∗ PyPI Token Exfiltration Campaign via GitHub Actions Workflows ∗∗∗ --------------------------------------------- I recently responded to an attack campaign where malicious actors injected code into GitHub Actions workflows attempting to steal PyPI publishing tokens. PyPI was not compromised, and no PyPI packages were published by the attackers. --------------------------------------------- https://blog.pypi.org/posts/2025-09-16-github-actions-token-exfiltration/ ∗∗∗ Ongoing Supply Chain Attack Targets CrowdStrike npm Packages ∗∗∗ --------------------------------------------- Socket detected multiple compromised CrowdStrike npm packages, continuing the "Shai-Halud" supply chain attack that has now impacted nearly 500 packages. --------------------------------------------- https://socket.dev/blog/ongoing-supply-chain-attack-targets-crowdstrike-npm… ∗∗∗ Microsoft: Office 2016 and Office 2019 reach end of support next month ∗∗∗ --------------------------------------------- Microsoft reminded customers again this week that Office 2016 and Office 2019 will reach the end of extended support in less than 30 days, on October 14, 2025. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-office-2016-and-o… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (container-tools:rhel8, kernel, and podman), Debian (node-sha.js), Fedora (firefox, kea, and perl-JSON-XS), Mageia (java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk), Oracle (kernel, libarchive, podman, and python-cryptography), Red Hat (multiple packages, mysql:8.4, and python3.11), SUSE (expat, java-1_8_0-ibm, krb5, libavif, net-tools, nginx, nvidia-open-driver-G06-signed, onefetch, pcp, rabbitmq-server313, raptor, and vim), and Ubuntu (libyang2, linux, linux-aws, linux-aws-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux-aws-fips, linux-fips, linux-gcp-fips, and python-xmltodict). --------------------------------------------- https://lwn.net/Articles/1038453/ ∗∗∗ CISA Releases Eight Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- CISA released eight Industrial Control Systems (ICS) advisories on September 16, 2025. The following products are affected, Schneider Electric Altivar Products, Schneider Electric ATVdPAC Module, Schneider Electric ILC992 InterLink Converter, Schneider Electric Galaxy VS, Schneider Electric Galaxy VL, Schneider Electric Galaxy VXL, Hitachi Energy RTU500 Series, Siemens SIMATIC NET CP, Siemens SINEMA, Siemens SCALANCE, Siemens RUGGEDCOM, Siemens SINEC NMS, Siemens Industrial Products (OpenSSL Vulnerability), Siemens Multiple Industrial Products and Delta Electronics DIALink. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/09/16/cisa-releases-eight-indu… ∗∗∗ CVE-2025-9708: Kubernetes C# Client, improper certificate validation in custom CA mode may lead to man-in-the-middle attacks ∗∗∗ --------------------------------------------- https://github.com/kubernetes/kubernetes/issues/134063 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 16.09.2025
by Daily end-of-shift report 16 Sep '25

16 Sep '25

===================== = End-of-Day report = ===================== Timeframe: Montag 15-09-2025 18:00 − Dienstag 16-09-2025 18:00 Handler: Felician Fuchs Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Neuer NPM-Großangriff: Selbst-vermehrende Malware infiziert Dutzende Pakete ∗∗∗ --------------------------------------------- Verschiedene IT-Sicherheitsunternehmen warnen vor neuen Angriffen auf das npm-Ökosystem rund um node.js. Mehrere Dutzend Pakete (mindestens 40, in einem Bericht gar an die 150) sind mit einer Malware infiziert, die geheime Daten stiehlt und über einen Webhook ausleitet. Zudem repliziert sich die Schadsoftware selbsttätig – und ist somit ein Wurm. [..] Unklar ist noch, wo der Angriff begann – einen klaren "Patient Null" nennen die drei analysierenden Unternehmen nicht. [..] JavaScript-Entwickler und insbesondere die Verwalter von auf npm gehosteten Paketen sollten größte Vorsicht walten lassen und die umfangreiche Liste infizierter Pakete konsultieren. --------------------------------------------- https://heise.de/-10651111 ∗∗∗ Apple backports zero-day patches to older iPhones and iPads ∗∗∗ --------------------------------------------- Apple has released security updates to backport patches released last month to older iPhones and iPads, addressing a zero-day bug that was exploited in "extremely sophisticated" attacks. This security flaw is the same one Apple has patched for devices running iOS 18.6.2 and iPadOS 18.6.2, iPadOS 17.7.10, and macOS (Sequoia 15.6.1, Sonoma 14.7.8, and Ventura 13.7.8) on August 20. --------------------------------------------- https://www.bleepingcomputer.com/news/security/apple-backports-zero-day-pat… ∗∗∗ Patchstatus unklar: Angreifer attackieren Fertigungsmanagementtool DELMIA Apriso ∗∗∗ --------------------------------------------- DELMIA Apriso ist eine Manufacturing-Operations-Management-Software (MOM) und ein Manufacturing Execution System (MES) [..] Der Anbieter der Software, Dassault Systèmes, erwähnte die Sicherheitslücke (CVE-2025-5086 "kritisch") bereits im Juni dieses Jahres in einer äußerst knapp formulierten Warnmeldung. [..] Anfang September warnte nun ein Sicherheitsforscher des SANS-Institut Internet Strom Center in einem Beitrag vor Exploitversuchen. [..] Unklar bleibt auch, ob es einen Sicherheitspatch gibt. --------------------------------------------- https://www.heise.de/news/Patchstatus-unklar-Attacken-auf-Fertigungsmanagem… ∗∗∗ IServ: Schullösung mit Schwäche inbegriffen? ∗∗∗ --------------------------------------------- Am 8. September 2025 ist jemandem aufgefallen, dass das Web-Frontend des IServ-Schul-Servers der IServ GmbH eine "Benutzeraufzählung" im weitesten Sinne ermöglicht. Gibt jemand den Namen einer Person an der IServ-Anmeldeseite einer Schule ein, und versucht er eine Anmeldung, ohne das Passwort zu kennen, schlägt diese Anmeldung natürlich fehl. Noch ist also alles im grünen Bereich, da dieser Anmeldeversuch abgewiesen wird. Das Problem liegt darin, dass sich die Antworten dieser fehlgeschlagenen Anmeldeversuche unterscheiden, nachdem, ob das Benutzerkonto existiert oder nicht und hängt angeblich noch von anderen Bedingungen ab. --------------------------------------------- https://www.borncity.com/blog/2025/09/16/iserve-schulloesung-mit-schwaeche-… ∗∗∗ Microsoft: Exchange 2016 and 2019 reach end of support in 30 days ∗∗∗ --------------------------------------------- Microsoft has reminded administrators again that Exchange 2016 and Exchange 2019 will reach the end of extended support next month and has provided guidance for decommissioning outdated servers. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-2016-and… ∗∗∗ Phoenix: Neue Rowhammer-Variante verleiht Angreifern Root-Rechte ∗∗∗ --------------------------------------------- Forscher von Google und der ETH Zürich haben eine neue Variante des Rowhammer-Angriffs vorgestellt. Sie betrifft auch moderne DDR5-RAM-Module, die eigentlich vor entsprechenden Attacken geschützt sein sollten. [..] Die Phoenix genannte Angriffstechnik greift laut Informationsseite der Entdecker(öffnet im neuen Fenster) auf eine Schwachstelle bei den Rowhammer-Abwehrmaßnahmen zurück, die bestimmte Refresh-Intervalle des Speichers nicht abdecken. --------------------------------------------- https://www.golem.de/news/phoenix-neue-rowhammer-variante-verleiht-angreife… ∗∗∗ RevengeHotels: a new wave of attacks leveraging LLMs and VenomRAT ∗∗∗ --------------------------------------------- Kaspersky GReAT expert takes a closer look at the RevengeHotels threat actors new campaign, including AI-generated scripts, targeted phishing, and VenomRAT. --------------------------------------------- https://securelist.com/revengehotels-attacks-with-ai-and-venomrat-across-la… ∗∗∗ New FileFix Variant Delivers StealC Malware Through Multilingual Phishing Site ∗∗∗ --------------------------------------------- Cybersecurity researchers have warned of a new campaign that's leveraging a variant of the FileFix social engineering tactic to deliver the StealC information stealer malware. "The observed campaign uses a highly convincing, multilingual phishing site (e.g., fake Facebook Security page), with anti-analysis techniques and advanced obfuscation to evade detection," Acronis security researcher Eliad Kimhy said in a report shared with The Hacker News. --------------------------------------------- https://thehackernews.com/2025/09/new-filefix-variant-delivers-stealc.html ∗∗∗ SmokeLoader Rises From the Ashes ∗∗∗ --------------------------------------------- Active since 2011, SmokeLoader (aka Smoke or Dofoil) is a popular malware loader that is designed to deliver second-stage payloads such as trojans, ransomware, and information stealers. [..] In May 2024, Operation Endgame, an international collaboration between law enforcement and private industry (which included Zscaler ThreatLabz) dismantled numerous instances of SmokeLoader and remotely removed the malware from infected systems. [..] ThreatLabz has identified two new SmokeLoader versions that are being used by multiple threat groups. --------------------------------------------- https://www.zscaler.com/blogs/security-research/smokeloader-rises-ashes ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (kernel and kernel-rt), Debian (node-sha.js and python-django), Fedora (chromium, cups, exiv2, perl-Catalyst-Authentication-Credential-HTTP, perl-Catalyst-Plugin-Session, perl-Plack-Middleware-Session, and qemu), Red Hat (container-tools:rhel8, podman, and udisks2), SUSE (cargo-audit, cargo-c, cargo-packaging, and kernel-devel), and Ubuntu (libcpanel-json-xs-perl, libjson-xs-perl, rubygems, sqlite3, and vim). --------------------------------------------- https://lwn.net/Articles/1038325/ ∗∗∗ Spring Security and Spring Framework Release Fixes for CVE-2025-41248 and CVE-2025-41249 ∗∗∗ --------------------------------------------- https://spring.io/blog/2025/09/15/spring-framework-and-spring-security-fixe… ∗∗∗ LG WebOS TV Path Traversal, Authentication Bypass and Full Device Takeover ∗∗∗ --------------------------------------------- https://ssd-disclosure.com/lg-webos-tv-path-traversal-authentication-bypass… ∗∗∗ Mozilla Security Advisories September 16, 2025 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/ ∗∗∗ TYPO3-EXT-SA-2025-013: Vulnerability in bundled package in extension "Base Excel" (base_excel) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2025-013 ∗∗∗ TYPO3-EXT-SA-2025-012: Cross-Site Scripting in extension "Form to Database" (form_to_database) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2025-012 ∗∗∗ Synology-SA-25:11 Safe Access ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_25_11 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 15.09.2025
by Daily end-of-shift report 15 Sep '25

15 Sep '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 12-09-2025 18:00 − Montag 15-09-2025 18:00 Handler: Felician Fuchs Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft reminds of Windows 10 support ending in 30 days ∗∗∗ --------------------------------------------- On Friday, Microsoft reminded customers once again that Windows 10 will reach its end of support in 30 days, on October 14. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-reminds-of-window… ∗∗∗ Shiny tools, shallow checks: how the AI hype opens the door to malicious MCP servers ∗∗∗ --------------------------------------------- Kaspersky experts discuss the Model Context Protocol used for AI integration. We describe the MCPs architecture, attack vectors and follow a proof of concept to see how it can be abused. --------------------------------------------- https://securelist.com/model-context-protocol-for-ai-integration-abused-in-… ∗∗∗ A Cyberattack Victim Notification Framework ∗∗∗ --------------------------------------------- When cyber incidents occur, victims should be notified in a timely manner so they have the opportunity to assess and remediate any harm. However, providing notifications has proven a challenge across industry. --------------------------------------------- https://www.schneier.com/blog/archives/2025/09/a-cyberattack-victim-notific… ∗∗∗ Lawsuit About WhatsApp Security ∗∗∗ --------------------------------------------- Attaullah Baig, WhatsApp’s former head of security, has filed a whistleblower lawsuit alleging that Facebook deliberately failed to fix a bunch of security flaws, in violation of its 2019 settlement agreement with the Federal Trade Commission. --------------------------------------------- https://www.schneier.com/blog/archives/2025/09/lawsuit-about-whatsapp-secur… ∗∗∗ FBI Warns of UNC6040 and UNC6395 Targeting Salesforce Platforms in Data Theft Attacks ∗∗∗ --------------------------------------------- The U.S. Federal Bureau of Investigation (FBI) has issued a flash alert to release indicators of compromise (IoCs) associated with two cybercriminal groups tracked as UNC6040 and UNC6395 for a string of data theft and extortion attacks. "Both groups have recently been observed targeting organizations Salesforce platforms via different initial access mechanisms," the FBI said. --------------------------------------------- https://thehackernews.com/2025/09/fbi-warns-of-unc6040-and-unc6395.html ∗∗∗ All your vulns are belong to us! CISA wants to maintain gov control of CVE program ∗∗∗ --------------------------------------------- Get ready for a fight over who steers the global standard for vulnerability identification The Cybersecurity and Infrastructure Security Agency (CISA) nearly let the Common Vulnerabilities and Exposures (CVE) program lapse earlier this year, but a new "vision" document it released this week signals that it now wants more control over the global standard for vulnerability identification. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/09/12/cisas_vision… ∗∗∗ Docker Image Security – Teil 2: Minimale und sichere Docker Images ∗∗∗ --------------------------------------------- Distroless Images reduzieren Paketgrößen drastisch, indem sie unnötige Komponenten wie Bash und Paketmanager weglassen. Das erhöht Performance und Sicherheit. --------------------------------------------- https://www.heise.de/hintergrund/Docker-Image-Security-Teil-2-Minimale-und-… ∗∗∗ Cyberkriminelle: "Scattered Lapsus$ Hunters" haben keine Lust mehr ∗∗∗ --------------------------------------------- Die Bande machte zuletzt durch Cyberangriffe auf Jaguar und Marks & Spencer von sich reden, die immense Schäden verursachten. Nicht alle halten die Füße still. --------------------------------------------- https://www.heise.de/news/Cybergang-Scattered-Lapsus-Hunters-kuendigt-Absch… ∗∗∗ Angreifer können IT-Sicherheitslösung IBM QRadar SIEM lahmlegen ∗∗∗ --------------------------------------------- Verschiedene Komponenten in IBMs IT-Sicherheitslösung QRadar SIEM sind verwundbar. Nutzen Angreifer die Schwachstellen erfolgreich aus, können sie unter anderem DoS-Zustände erzeugen, sodass Dienste abstürzen. Fällt dadurch der eigentlich durch die Anwendung versprochene Schutz weg, kann das fatale Folgen haben. --------------------------------------------- https://www.heise.de/news/Angreifer-koennen-IT-Sicherheitsloesung-IBM-QRada… ∗∗∗ Trusted Connections, Hidden Risks: Token Management in the Third-Party Supply Chain ∗∗∗ --------------------------------------------- Effective OAuth token management is crucial for supply chain security, preventing breaches caused by dormant integrations, insecure storage or lack of rotation. --------------------------------------------- https://unit42.paloaltonetworks.com/third-party-supply-chain-token-manageme… ∗∗∗ npm-Hack: Angreifer schauen weitgehend in die Röhre ∗∗∗ --------------------------------------------- Es war zwar ein Desaster im Hinblick auf die Kompromittierung einer Lieferkette – der Hack eines npm-Entwicklerkontos samt Injektion von Schadcode. Der Angreifer scheint aber mit ziemlich leeren Händen aus der Sache rausgegangen zu sein – er soll, je nach Quelle zwischen 65 und 600 US-Dollar an Kryptogeld gestohlen haben. --------------------------------------------- https://www.borncity.com/blog/2025/09/14/npm-hack-angreifer-schauen-weitgeh… ∗∗∗ New VoidProxy Phishing Service Bypasses MFA on Microsoft and Google Accounts ∗∗∗ --------------------------------------------- Okta Threat Intelligence exposes VoidProxy, a new PhaaS platform. Learn how this advanced service uses the Adversary-in-the-Middle technique to bypass MFA and how to protect yourself from attacks targeting Microsoft and Google accounts. --------------------------------------------- https://hackread.com/voidproxy-phishing-service-bypasses-mfa-microsoft-goog… ∗∗∗ Qrator Labs Mitigated Record L7 DDoS Attack from 5.76M-Device Botnet ∗∗∗ --------------------------------------------- Qrator Labs blocked a record L7 DDoS attack from a 5.76M-device botnet targeting government systems, showing rapid global growth since March. --------------------------------------------- https://hackread.com/qrator-labs-mitigate-l7-ddos-attack-5-76m-botnet/ ∗∗∗ 600 GB of Alleged Great Firewall of China Data Published in Largest Leak Yet ∗∗∗ --------------------------------------------- Hackers leaked 600 GB of data linked to the Great Firewall of China, exposing documents, code, and operations. Full details available on the GFW Report. --------------------------------------------- https://hackread.com/great-firewall-of-china-data-published-largest-leak/ ∗∗∗ ShadowSilk Data Exfiltration Attack ∗∗∗ --------------------------------------------- FortiGuard Labs’ network telemetry has observed active exploitation of known vulnerabilities in Drupal Core and the WP-Automatic WordPress plugin for initial access. Following compromise, attackers deploy multiple web shells and utilities to enable lateral movement, privilege escalation, and the installation of remote access trojans (RATs). --------------------------------------------- https://fortiguard.fortinet.com/outbreak-alert/shadowsilk-data-exfiltration ∗∗∗ Phishing campaign targeting crates.io users ∗∗∗ --------------------------------------------- We received multiple reports of a phishing campaign targeting crates.io users (from the rustfoundation.dev domain name), mentioning a compromise of our infrastructure and asking users to authenticate to limit damage to their crates. --------------------------------------------- https://blog.rust-lang.org/2025/09/12/crates-io-phishing-campaign/ ∗∗∗ The Internet Coup ∗∗∗ --------------------------------------------- A Technical Analysis on How a Chinese Company is Exporting The Great Firewall to Autocratic Regimes. --------------------------------------------- https://interseclab.org/research/the-internet-coup/ ===================== = Vulnerabilities = ===================== ∗∗∗ Lücke in Microsoft Agentic AI und Visual Studio kann Schadcode passieren lassen ∗∗∗ --------------------------------------------- Angreifer können an einer Schwachstelle in Microsoft Agentic AI und Visual Studio ansetzen. Klappt eine Attacke, können sie Schadcode ausführen und Systeme mit hoher Wahrscheinlichkeit vollständig kompromittieren. Ein Sicherheitsupdate steht zum Download bereit. --------------------------------------------- https://www.heise.de/news/Schadcode-Schlupfloch-in-Microsoft-Agentic-AI-und… ∗∗∗ Jetzt patchen! Attacken auf Android-Smartphones von Samsung beobachtet ∗∗∗ --------------------------------------------- Derzeit nutzen Angreifer eine Sicherheitslücke in Samsung-Smarthpones mit Android 13, 14, 15 und 16 aus. Darüber kann Schadcode auf Geräte gelangen. Ein Sicherheitspatch ist für ausgewählte Geräte verfügbar. --------------------------------------------- https://www.heise.de/news/Jetzt-patchen-Attacken-auf-Android-Smartphones-vo… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (cups, kernel, and mysql-selinux and mysql8.4), Debian (cjson, jetty9, and shibboleth-sp), Fedora (bustle, cef, checkpointctl, chromium, civetweb, cups, forgejo, jupyterlab, kernel, libsixel, linenoise, maturin, niri, perl-Cpanel-JSON-XS, python-uv-build, ruff, rust-busd, rust-crypto-auditing-agent, rust-crypto-auditing-client, rust-crypto-auditing-event-broker, rust-matchers, rust-monitord, rust-monitord-exporter, rust-secret-service, rust-tracing-subscriber, rustup, tcpreplay, tuigreet, udisks2, uv, and xwayland-satellite), Oracle (cups, gdk-pixbuf2, kernel, mysql-selinux and mysql8.4, and php:8.2), Red Hat (kernel, kernel-rt, and multiple packages), Slackware (cups, kernel, and patch), and SUSE (busybox, busybox-links, chromedriver, chromium, cups-filters, curl, go1.25, jasper, java-11-openj9, java-17-openj9, java-1_8_0-openjdk, kernel, kernel-devel, kubo, libssh-config, orthanc-gdcm, python-aiohttp, python-eventlet, python-h2, and xen). --------------------------------------------- https://lwn.net/Articles/1038231/ ∗∗∗ CVE-2025-58434: Critical FlowiseAI Flaw Enables Full Account Takeover ∗∗∗ --------------------------------------------- A severe security vulnerability has been discovered in FlowiseAI, an open-source AI workflow automation tool, exposing users to the risk of complete account compromise. Tracked as CVE-2025-58434, this vulnerability affects both the cloud-hosted version of FlowiseAI and self-hosted deployments that expose the relevant API endpoints. --------------------------------------------- https://thecyberexpress.com/cve-2025-58434/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 12.09.2025
by Daily end-of-shift report 12 Sep '25

12 Sep '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 11-09-2025 18:00 − Freitag 12-09-2025 18:00 Handler: Guenes Holler Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Panama Ministry of Economy discloses breach claimed by INC ransomware ∗∗∗ --------------------------------------------- Panama's Ministry of Economy and Finance (MEF) has disclosed that one of its computers may have been compromised in a cyberattack. The government noted that it activated the security procedures for these situations, stating that the incident has been contained and didn't impact core systems that are vital to its operations. --------------------------------------------- https://www.bleepingcomputer.com/news/security/panama-ministry-of-economy-d… ∗∗∗ Vidar Infostealer Back with a Vengeance ∗∗∗ --------------------------------------------- The long-running Vidar infostealer has evolved with new obfuscation techniques. That is according to researchers at cybersecurity vendor Aryaka, which published research last week dedicated to a fresh campaign involving the malware-as-a-service Vidar that has emerged in recent weeks. First tracked in late 2018, Vidar is an infostealer that enables affiliates to grab credentials, operating system details, cookies, sensitive financial data, various authentication tokens, and more from compromised environments. --------------------------------------------- https://www.darkreading.com/endpoint-security/vidar-infostealer-back-with-v… ∗∗∗ Senator Wyden Urges FTC to Probe Microsoft for Ransomware-Linked Cybersecurity Negligence ∗∗∗ --------------------------------------------- U.S. Senator Ron Wyden has called on the Federal Trade Commission (FTC) to probe Microsoft and hold it responsible for what he called "gross cybersecurity negligence" that enabled ransomware attacks on U.S. critical infrastructure, including against healthcare networks. --------------------------------------------- https://thehackernews.com/2025/09/senator-wyden-urges-ftc-to-probe.html ∗∗∗ New HybridPetya Ransomware Bypasses UEFI Secure Boot With CVE-2024-7344 Exploit ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a new ransomware strain dubbed HybridPetya that resembles the notorious Petya/NotPetya malware, while also incorporating the ability to bypass the Secure Boot mechanism in Unified Extensible Firmware Interface (UEFI) systems using a now-patched vulnerability disclosed earlier this year. --------------------------------------------- https://thehackernews.com/2025/09/new-hybridpetya-ransomware-bypasses.html ∗∗∗ Apple Warns French Users of Fourth Spyware Campaign in 2025, CERT-FR Confirms ∗∗∗ --------------------------------------------- Apple has notified users in France of a spyware campaign targeting their devices, according to the Computer Emergency Response Team of France (CERT-FR). The agency said the alerts were sent out on September 3, 2025, making it the fourth time this year that Apple has notified citizens in the county that at least one of the devices linked to their iCloud accounts may have been compromised as part of highly-targeted attacks. --------------------------------------------- https://thehackernews.com/2025/09/apple-warns-french-users-of-fourth.html ∗∗∗ Huntresss hilarious attacker surveillance splits infosec community ∗∗∗ --------------------------------------------- Security outfit Huntress has been forced onto the defensive after its latest research – described by senior staff as "hilarious" – split opinion across the cybersecurity community. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/09/12/huntress_att… ∗∗∗ Bulletproof Host Stark Industries Evades EU Sanctions ∗∗∗ --------------------------------------------- In May 2025, the European Union levied financial sanctions on the owners of Stark Industries Solutions Ltd., a bulletproof hosting provider that materialized two weeks before Russia invaded Ukraine and quickly became a top source of Kremlin-linked cyberattacks and disinformation campaigns. But new findings show those sanctions have done little to stop Stark from simply rebranding and transferring their assets to other corporate entities controlled by its original hosting providers. --------------------------------------------- https://krebsonsecurity.com/2025/09/bulletproof-host-stark-industries-evade… ∗∗∗ Swiss government looks to undercut privacy tech, stoking fears of mass surveillance ∗∗∗ --------------------------------------------- The Swiss government could soon require service providers with more than 5,000 users to collect government-issued identification, retain subscriber data for six months and, in many cases, disable encryption. --------------------------------------------- https://therecord.media/switzerland-digital-privacy-law-proton-privacy-surv… ∗∗∗ Wurden Router-URLs sphairon.box und zyxel.box gekapert? ∗∗∗ --------------------------------------------- Ich stelle mal ein Thema hier in den Blog, das mir jetzt von zwei Lesern gemeldet wurde und mich an einen alten Vorfall bei AVM zur fritz.box-URL erinnert. Es sieht so aus, dass die von Routern (Zyxel, Sphairon) zum Zugriff auf die Router-Funktionen verwendeten URLs sphairon.box und zyxel.box durch registrierte Domains gekapert wurden. Die Zielseiten sind als "malicious" einzustufen. --------------------------------------------- https://www.borncity.com/blog/2025/09/12/wurden-router-urls-sphairon-box-un… ∗∗∗ EvilAI Operators Use AI-Generated Code and Fake Apps for Far-Reaching Attacks ∗∗∗ --------------------------------------------- Combining AI-generated code and social engineering, EvilAI operators are executing a rapidly expanding campaign, disguising their malware as legitimate applications to bypass security, steal credentials, and persistently compromise organizations worldwide. --------------------------------------------- https://www.trendmicro.com/en_us/research/25/i/evilai.html ∗∗∗ Muck Stealer Malware Used Alongside Phishing in New Attack Waves ∗∗∗ --------------------------------------------- A new report from Cofense reveals that cybercriminals are blending phishing and malware, including Muck Stealer, Info Stealer, ConnectWise RAT, and SimpleHelp RAT in dual-threat attacks, making them harder to defend against. --------------------------------------------- https://hackread.com/muck-stealer-malware-phishing-new-attack-waves/ ∗∗∗ Social Engineering & KI: Cyberkriminelle rekrutieren im Darknet ∗∗∗ --------------------------------------------- Cyberkriminelle suchen im Darknet verstärkt nach Experten für Social Engineering und KI. Ein Hinweis darauf, auf welche Bedrohungen Firmen achten sollten. --------------------------------------------- https://heise.de/-10642617 ∗∗∗ ChillyHell macOS Backdoor Resurfaces ∗∗∗ --------------------------------------------- In 2025, cybersecurity researchers uncovered a deeply concerning threat targeting macOS systems called ChillyHell—a modular backdoor malware that had managed to fly under the radar for years by cleverly abusing macOS security mechanisms and Apple’s own notarization process. --------------------------------------------- https://thecyberthrone.in/2025/09/11/chillyhell-macos-backdoor-resurfaces/ ===================== = Vulnerabilities = ===================== ∗∗∗ Samsung patches actively exploited zero-day reported by WhatsApp ∗∗∗ --------------------------------------------- Samsung has patched a remote code execution vulnerability that was exploited in zero-day attacks targeting its Android devices. Tracked as CVE-2025-21043, this critical security flaw affects Samsung devices running Android 13 or later and was reported by the security teams of Meta and WhatsApp on August 13. --------------------------------------------- https://www.bleepingcomputer.com/news/security/samsung-patches-actively-exp… ∗∗∗ Jetzt patchen! Erneut Attacken auf SonicWall-Firewalls beobachtet ∗∗∗ --------------------------------------------- Die "kritische" Sicherheitslücke (CVE-2024-40766) ist seit August vergangenen Jahres bekannt. Wiederholt ist die Schwachstelle in bestimmten Firewalls von SonicWall im Visier von Angreifern. Sicherheitsupdates sind bereits seit rund einem Jahr verfügbar, aber offensichtlich weiterhin nicht flächendeckend installiert. --------------------------------------------- https://www.heise.de/news/Jetzt-patchen-Erneut-Attacken-auf-SonicWall-Firew… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cups, imagemagick, libcpanel-json-xs-perl, and libjson-xs-perl), Fedora (checkpointctl, chromium, civetweb, glycin, kernel, libssh, ruff, rust-secret-service, snapshot, and uv), Mageia (curl), Red Hat (kernel), SUSE (cups, curl, perl-Cpanel-JSON-XS, regionServiceClientConfigAzure, regionServiceClientConfigEC2, regionServiceClientConfigGCE, trivy, and xen), and Ubuntu (cups, node-cipher-base, and qemu). --------------------------------------------- https://lwn.net/Articles/1037919/ ∗∗∗ CISA Releases Eleven Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/09/11/cisa-releases-eleven-ind… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 11.09.2025
by Daily end-of-shift report 11 Sep '25

11 Sep '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 10-09-2025 18:00 − Donnerstag 11-09-2025 18:00 Handler: Guenes Holler Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ New VMScape attack breaks guest-host isolation on AMD, Intel CPUs ∗∗∗ --------------------------------------------- A new Spectre-like attack dubbed VMScape allows a malicious virtual machine (VM) to leak cryptographic keys from an unmodified QEMU hypervisor process running on modern AMD or Intel CPUs. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-vmscape-attack-breaks-gu… ∗∗∗ K2 Think AI Model Jailbroken Mere Hours After Release ∗∗∗ --------------------------------------------- Researchers discovered that measures designed to make AI more transparent to users and regulators can also make it easier for bad actors to abuse. --------------------------------------------- https://www.darkreading.com/application-security/k2-think-llm-jailbroken ∗∗∗ Ordner öffnen reicht: Beliebter KI-Code-Editor führt automatisch Schadcode aus ∗∗∗ --------------------------------------------- Wer den KI-Code-Editor Cursor verwendet, sollte beim Öffnen fremder Repos vorsichtig sein. Es kann unbemerkt Malware ausgeführt werden. --------------------------------------------- https://www.golem.de/news/ordner-oeffnen-reicht-beliebter-ki-code-editor-fu… ∗∗∗ Fake Madgicx Plus and SocialMetrics Extensions Are Hijacking Meta Business Accounts ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed two new campaigns that are serving fake browser extensions using malicious ads and fake websites to steal sensitive data. The malvertising campaign, per Bitdefender, is designed to push fake "Meta Verified" browser extensions named SocialMetrics Pro that claim to unlock the blue check badge for Facebook and Instagram profiles. --------------------------------------------- https://thehackernews.com/2025/09/fake-madgicx-plus-and-socialmetrics.html ∗∗∗ Akira ransomware crims abusing trifecta of SonicWall security holes for extortion attacks ∗∗∗ --------------------------------------------- Affiliates of the Akira ransomware gang are again exploiting a critical SonicWall vulnerability abused last summer, after a suspected zero-day flaw actually turned out to be related to a year-old bug. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/09/10/akira_ransom… ∗∗∗ Beijing went to EggStreme lengths to attack Philippines military, researchers say ∗∗∗ --------------------------------------------- ‘EggStreme’ framework looks like the sort of thing Beijing would find handy in its ongoing territorial beefs Infosec outfit Bitdefender says it’s spotted a strain of in-memory malware that looks like the work of Chinese advanced persistent threat groups that wanted to achieve persistent access at a “military company” in the Philippines. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/09/11/eggstreme_ma… ∗∗∗ Technical Analysis of kkRAT ∗∗∗ --------------------------------------------- Zscaler ThreatLabz has identified a malware campaign targeting Chinese-speaking users, which has been active since early May 2025. The campaign delivers three types of malware: ValleyRAT, FatalRAT, and a new Remote Access Trojan (RAT) that ThreatLabz named kkRAT. --------------------------------------------- https://www.zscaler.com/blogs/security-research/technical-analysis-kkrat ∗∗∗ The Great NPM Heist – September 2025 ∗∗∗ --------------------------------------------- On September 8, 2025, the JavaScript ecosystem experienced what is now considered the largest supply chain attack in npm history. A sophisticated phishing campaign led to the compromise of a trusted maintainer’s account, resulting in the injection of cryptocurrency-stealing malware into 18+ foundational npm packages. --------------------------------------------- https://blog.checkpoint.com/crypto/the-great-npm-heist-september-2025/ ∗∗∗ Global Cyber Threats August 2025: Agriculture in the Crosshairs ∗∗∗ --------------------------------------------- In August 2025, the global cyber threat landscape presented a complex interplay of stability and alarming new challenges. Organizations around the world confronted an average of nearly 2,000 cyber attacks each week—a slight 1% decrease from July but a stark 10% rise compared to the same month last year. --------------------------------------------- https://blog.checkpoint.com/research/global-cyber-threats-august-2025-agric… ∗∗∗ How the Infamous APT 1 Report Exposing China’s PLA Hackers Came to Be ∗∗∗ --------------------------------------------- This is the first in a series of pieces I’ll publish that take an in-depth look at significant events, people and cases in security and surveillance from the past. --------------------------------------------- https://www.zetter-zeroday.com/how-the-infamous-apt-1-report-exposing-china… ∗∗∗ CyberVolk Ransomware: Analysis of Double Encryption Structure and Disguised Decryption Logic ∗∗∗ --------------------------------------------- The CyberVolk ransomware, which first emerged in May 2024, has been launching attacks on public institutions and key infrastructures of various countries, posing a continuous threat. The ransomware is particularly notable for its pro-Russia nature, as it primarily targets anti-Russian countries, making it a geopolitically significant cyber threat. --------------------------------------------- https://asec.ahnlab.com/en/90077/ ∗∗∗ Trigona Rebranding Suspicions and Global Threats, and BlackNevas Ransomware Analysis ∗∗∗ --------------------------------------------- BlackNevas has been continuously launching ransomware attacks against companies in various industries and countries, including South Korea. This post provides a technical analysis on the characteristics, encryption methods, and reasons why BlackNevas encrypts files in a way that makes them impossible to decrypt. --------------------------------------------- https://asec.ahnlab.com/en/90080/ ∗∗∗ New Fileless Malware Attack Uses AsyncRAT for Credential Theft ∗∗∗ --------------------------------------------- LevelBlue Labs reports AsyncRAT delivered through a fileless attack chain using ScreenConnect, enabling credential theft and persistence. --------------------------------------------- https://hackread.com/fileless-malware-attack-asyncrat-credential-theft/ ∗∗∗ CISA Presents Vision for the Common Vulnerabilities and Exposures (CVE) Program ∗∗∗ --------------------------------------------- Agency Unveils Upcoming Program Enhancements: Strengthening Partnerships, Modernization, Transparency and Elevating Data Quality and Responsiveness. --------------------------------------------- https://www.cisa.gov/news-events/news/cisa-presents-vision-common-vulnerabi… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco IOS XR ARP Broadcast Storm Denial of Service Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the Address Resolution Protocol (ARP) implementation of Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to trigger a broadcast storm, leading to a denial of service (DoS) condition on an affected device. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ DuckDB NPM packages 1.3.3 and 1.29.2 compromised with malware ∗∗∗ --------------------------------------------- The DuckDB distribution for Node.js on npm was compromised with malware (along with several other packages). An attacker published new versions of four of duckdb’s packages that included malicious code to interfere with cryptocoin transactions. --------------------------------------------- https://github.com/duckdb/duckdb-node/security/advisories/GHSA-w62p-hx95-gf… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (python3.12-cryptography), Debian (chromium, hsqldb1.8.0, and imagemagick), Fedora (bustle, cef, maturin, rust-busd, rust-crypto-auditing-agent, rust-crypto-auditing-client, rust-crypto-auditing-event-broker, rust-monitord, rust-monitord-exporter, rustup, tuigreet, and wireshark), Oracle (kernel, microcode_ctl, and python3.12-cryptography), Red Hat (httpd:2.4 and multiple packages), SUSE (coreutils, curl, dpkg, ffmpeg-4, glib2, gnutls, go1.23-openssl, go1.24-openssl, go1.25-openssl, grub2, ImageMagick, jbigkit, kernel, libxslt, Mesa, opensc, opera, perl-JSON-XS, polkit, postgresql16, protobuf, python311, python311-deepdiff, sqlite3, ucode-intel, and warewulf4), and Ubuntu (bind9 and libxml2). --------------------------------------------- https://lwn.net/Articles/1037777/ ∗∗∗ Unauthentifizierte SQL Injection Schwachstelle im Shibboleth Service Provider (SP) (ODBC Interface) ∗∗∗ --------------------------------------------- SEC Consult hat eine unauthentifizierte SQL-Injection-Schwachstelle im Shibboleth Service Provider (SP) in der ODBC Schnittstelle identifiziert, die ein Angreifer ausnutzen könnte, um beliebige Datensätze aus der Datenbank mit den Rechten des Datenbankbenutzers auszulesen. --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/unauthentifizierte-sq… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 10.09.2025
by Daily end-of-shift report 10 Sep '25

10 Sep '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 09-09-2025 18:00 − Mittwoch 10-09-2025 18:00 Handler: Felician Fuchs Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Phishing im Namen der WKO: Sensible Daten im Visier ∗∗∗ --------------------------------------------- Kriminelle kopieren aktuell eine echte E-Mail-Nachricht der Wirtschaftskammer Österreich. Über ein angehängtes HTML-Dokument wollen sie Ihre Opfer auf ein Fake-Portal locken und dort sensible Daten erbeuten. Wir zeigen Ihnen, woran Sie den Betrugsversuch erkennen können. --------------------------------------------- https://www.watchlist-internet.at/news/phishing-wko/ ∗∗∗ You Already Have Our Personal Data, Take Our Phone Calls Too (FreePBX CVE-2025-57819) ∗∗∗ --------------------------------------------- Today, inside this hellscape we call the Internet, a mean person has discovered a zero-day(s) in FreePBX (now lovingly called CVE-2025-57819). But they didn’t stop there - the dastardly individual(s) then proceeded to exploit FreePBX hosts en-masse. [..] Today, we are publishing our Detection Artefact Generator which you can find here. --------------------------------------------- https://labs.watchtowr.com/you-already-have-our-personal-data-take-our-phon… ∗∗∗ US Investment in Spyware Is Skyrocketing ∗∗∗ --------------------------------------------- A new report warns that the number of US investors in powerful commercial spyware rose sharply in 2024 and names new countries linked to the dangerous technology. --------------------------------------------- https://www.wired.com/story/us-spyware-investment/ ∗∗∗ CHILLYHELL macOS Backdoor and ZynorRAT RAT Threaten macOS, Windows, and Linux Systems ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered two new malware families, including a modular Apple macOS backdoor called CHILLYHELL and a Go-based remote access trojan (RAT) named ZynorRAT that can target both Windows and Linux systems. --------------------------------------------- https://thehackernews.com/2025/09/chillyhell-macos-backdoor-and-zynorrat.ht… ∗∗∗ Pwn My Ride: Exploring the CarPlay Attack Surface ∗∗∗ --------------------------------------------- At the recent DefCon conference, we had the opportunity to present Pwn My Ride, a comprehensive exploration of the Apple CarPlay attack surface. With vehicles becoming increasingly connected, the security of in-car systems like CarPlay is critical. --------------------------------------------- https://www.oligo.security/blog/pwn-my-ride-exploring-the-carplay-attack-su… ∗∗∗ Kerberoasting ∗∗∗ --------------------------------------------- These “Kerberoasting” attacks have been around for ages: the technique and name is credited to Tim Medin who presented it in 2014 (and many popular blogs followed up on it) but the vulnerabilities themselves are much older. [..] I’ll bet most Windows people already know this stuff, but I only happened to learn about it today, after seeing a letter from Senator Wyden to Microsoft, describing how this vulnerability was used in the May 2024 ransomware attack on the Ascension Health hospital system. --------------------------------------------- https://blog.cryptographyengineering.com/2025/09/10/kerberoasting/ ∗∗∗ New Linux Botnet Combines Cryptomining and DDoS Attacks ∗∗∗ --------------------------------------------- Cyble threat intelligence researchers have identified a sophisticated Linux botnet built for cryptocurrency mining, remote command execution, and dozens of DDoS attack types. Cyble Research and Intelligence Labs (CRIL) researchers have dubbed the campaign “Luno.” --------------------------------------------- https://thecyberexpress.com/linux-botnet-combines-cryptomining-and-ddos/ ∗∗∗ Apple Introduces Memory Integrity Enforcement in iPhone 17 to Fight Spyware Exploits ∗∗∗ --------------------------------------------- Apple has introduced Memory Integrity Enforcement (MIE), a system-wide security feature designed to crush one of the most persistent threats to iPhone users—that of Spyware. The company describes MIE as “the most significant upgrade to memory safety in the history of consumer operating systems.” --------------------------------------------- https://thecyberexpress.com/memory-integrity-enforcement-in-iphone-17/ ===================== = Vulnerabilities = ===================== ∗∗∗ Microsoft September 2025 Patch Tuesday fixes 81 flaws, two zero-days ∗∗∗ --------------------------------------------- Today is Microsofts September 2025 Patch Tuesday, which includes security updates for 81 flaws, including two publicly disclosed zero-day vulnerabilities. [..] The two publicly disclosed zero-days are: CVE-2025-55234 - Windows SMB Elevation of Privilege Vulnerability [..] CVE-2024-21907 - VulnCheck: CVE-2024-21907 Improper Handling of Exceptional Conditions in Newtonsoft.Json --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-september-2025-pa… ∗∗∗ Patchday Adobe: Lücken in Acrobat & Co. können Schadcode auf PCs lassen ∗∗∗ --------------------------------------------- Auflistung der Sicherheitspatches: Acrobat and Reader, After Effects, ColdFusion, Commerce, Dreamweaver, Experience Manager, Premiere Pro, Substance 3D Modeler, Substance 3D Viewer --------------------------------------------- https://www.heise.de/news/Patchday-Adobe-Luecken-in-Acrobat-Co-koennen-Scha… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (buildah, containers-common, glycin, loupe, podman, rust-matchers, and rust-tracing-subscriber), Red Hat (fence-agents, jackson-annotations, jackson-core, jackson-databind, jackson-jaxrs-providers, and jackson-modules-base, pki-deps:10.6, python-requests, python3.12-cryptography, redis:6, redis:7, and resource-agents), Slackware (libssh), SUSE (aide, cloud-init, iperf, java-1_8_0-openjdk, jq, kernel-devel, python-deepdiff, regionServiceClientConfigAzure, regionServiceClientConfigEC2, and regionServiceClientConfigGCE), and Ubuntu (gnutls28). --------------------------------------------- https://lwn.net/Articles/1037471/ ∗∗∗ CISA Releases Fourteen Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- ICSA-25-252-01 Rockwell Automation ThinManager, ICSA-25-252-02 ABB Cylon Aspect BMS/BAS, ICSA-25-252-03 Rockwell Automation Stratix IOS, ICSA-25-252-04 Rockwell Automation FactoryTalk Optix, ICSA-25-252-05 Rockwell Automation FactoryTalk Activation Manager, ICSA-25-252-06 Rockwell Automation CompactLogix® 5480, ICSA-25-252-07 Rockwell Automation ControlLogix 5580, ICSA-25-252-08 Rockwell Automation Analytics LogixAI, ICSA-25-252-09 Rockwell Automation 1783-NATR --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/09/09/cisa-releases-fourteen-i… ∗∗∗ Google Chrome: Stable Channel Update for Desktop ∗∗∗ --------------------------------------------- http://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desk… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 09.09.2025
by Daily end-of-shift report 09 Sep '25

09 Sep '25

===================== = End-of-Day report = ===================== Timeframe: Montag 08-09-2025 18:00 − Dienstag 09-09-2025 18:00 Handler: Felician Fuchs Co-Handler: Guenes Holler ===================== = News = ===================== ∗∗∗ TOR-Based Cryptojacking Attack Expands Through Misconfigured Docker APIs ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a variant of a recently disclosed campaign that abuses the TOR network for cryptojacking attacks targeting exposed Docker APIs. Akamai, which discovered the latest activity last month, said its designed to block other actors from accessing the Docker API from the internet. --------------------------------------------- https://thehackernews.com/2025/09/tor-based-cryptojacking-attack-expands.ht… ∗∗∗ GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies ∗∗∗ --------------------------------------------- Salesloft has revealed that the data breach linked to its Drift application started with the compromise of its GitHub account. Google-owned Mandiant, which began an investigation into the incident, said the threat actor, tracked as UNC6395, accessed the Salesloft GitHub account from March through June 2025. Its currently not known how the digital intruders gained access to the GitHub account. --------------------------------------------- https://thehackernews.com/2025/09/github-account-compromise-led-to.html ∗∗∗ RatOn Android Malware Detected With NFC Relay and ATS Banking Fraud Capabilities ∗∗∗ --------------------------------------------- A new Android malware called RatOn evolved from a basic tool capable of conducting Near Field Communication (NFC) attacks to a sophisticated remote access trojan with Automated Transfer System (ATS) capabilities to conduct device fraud. --------------------------------------------- https://thehackernews.com/2025/09/raton-android-malware-detected-with-nfc.h… ∗∗∗ Axios Abuse and Salty 2FA Kits Fuel Advanced Microsoft 365 Phishing Attacks ∗∗∗ --------------------------------------------- Threat actors are abusing HTTP client tools like Axios in conjunction with Microsofts Direct Send feature to form a "highly efficient attack pipeline" in recent phishing campaigns, according to new findings from ReliaQuest. --------------------------------------------- https://thehackernews.com/2025/09/axios-abuse-and-salty-2fa-kits-fuel.html ∗∗∗ Salt Typhoon and UNC4841: Silent Push Discovers New Domains; Urges Defenders to Check Telemetry and Log Data ∗∗∗ --------------------------------------------- Silent Push has identified dozens of previously unreported domains, all aiming to obtain long-term, stealthy access to targeted organizations, used by the Chinese APT group, Salt Typhoon, along with some related People’s Republic of China (PRC) state-backed threat actors. --------------------------------------------- https://www.silentpush.com/blog/salt-typhoon-2025/ ∗∗∗ BSI warnt: "Digitale Angriffsflächen im Automobilsektor wachsen rasant" ∗∗∗ --------------------------------------------- Digitale Dienste, Over-the-Air-Updates, KI und vernetzte Steuergeräte prägen Fahrzeugarchitekturen, weiß das BSI. Hersteller und Ausrüster müssten vorsorgen. --------------------------------------------- https://www.heise.de/news/BSI-warnt-Digitale-Angriffsflaechen-im-Automobils… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (kernel and kernel-rt), Debian (openafs and qemu), Fedora (buildah, containers-common, podman, python-flask, and snapshot), Mageia (postgresql, python-django, and udisks2), Oracle (kernel and libxml2), Red Hat (apache-commons-beanutils, firefox, httpd, httpd:2.4, kernel, kernel-rt, mod_http2, qt5-qt3d, and thunderbird), Slackware (libxml2), SUSE (firebird, go1.25-openssl, ImageMagick, microcode_ctl, netty, netty-tcnative, and ovmf), and Ubuntu (libetpan and postgresql-14, postgresql-16, postgresql-17). --------------------------------------------- https://lwn.net/Articles/1037308/ ∗∗∗ Unmasking The Gentlemen Ransomware: Tactics, Techniques, and Procedures Revealed ∗∗∗ --------------------------------------------- An analysis of the Gentlemen ransomware group, which employs advanced, adaptive tactics, techniques, and procedure to target critical industries worldwide. --------------------------------------------- https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-rans… ∗∗∗ Zero-Day in Sitecore Exploited to Deploy WEEPSTEEL Malware ∗∗∗ --------------------------------------------- Hackers exploit a Sitecore zero-day (CVE-2025-53690) to deploy WEEPSTEEL Malware via ViewState attacks, enabling Remote Code Execution (RCE). --------------------------------------------- https://hackread.com/zero-day-sitecore-exploited-deploy-weepsteel-malware/ ∗∗∗ OpenAI Paper: Halluzinationen offenbar unumgänglich ∗∗∗ --------------------------------------------- In einem neuen, wissenschaftlichen Paper, das OpenAI veröffentlicht hat, geht es um Halluzinationen. Das sind falsche Informationen und Zusammenhänge, die Large Language Models (LLMs) und damit auch KI-Chatbots ausgeben. Alle KI-Unternehmen arbeiten daran, Halluzinationen möglichst gering zu halten. Sie ganz auszuschalten, scheint hingegen unmöglich. Das schreibt nun auch OpenAI selbst. --------------------------------------------- https://heise.de/-10637744 ∗∗∗ LockBit Attempts Comeback with LockBit 5.0 Ransomware Release ∗∗∗ --------------------------------------------- LockBit was once the most feared ransomware group until global law enforcement action sent the group into decline last year. Now the threat group hopes to mount a comeback with LockBit 5.0. --------------------------------------------- https://thecyberexpress.com/lockbit-5-0-ransomware/ ===================== = Vulnerabilities = ===================== ∗∗∗ Adobe patches critical SessionReaper flaw in Magento eCommerce platform ∗∗∗ --------------------------------------------- Adobe is warning of a critical vulnerability (CVE-2025-54236) in its Commerce and Magento Open Source platforms that researchers call SessionReaper and describe as one of " the most severe" flaws in the history of the product. --------------------------------------------- https://www.bleepingcomputer.com/news/security/adobe-patches-critical-sessi… ∗∗∗ Populäre JavaScript Pakete manipuliert ∗∗∗ --------------------------------------------- Eine Reihe populärer JavaScript Pakete wurde kürzlich manipuliert um Krypotwährungstransaktionen zu manipulieren. Ursache dieses Supply-Chain-Angriffs scheint eine erfolgreiche Phishing Attacke gegen den Maintainer dieser Pakete und dessen NPM Konto gewesen zu sein. Manipulierte Versionen der betroffenen Pakete wurden bereits zurückgezogen. --------------------------------------------- https://www.cert.at/de/aktuelles/2025/9/populare-javascript-pakete-manipuli… ∗∗∗ September 2025 Security Update ∗∗∗ --------------------------------------------- Ivanti is disclosing vulnerabilities in Ivanti Endpoint Manager (EPM) and Ivanti Connect Secure, Policy Secure, ZTA Gateways and Neurons for Secure Access. --------------------------------------------- https://www.ivanti.com/blog/september-2025-security-update ∗∗∗ SAP Security Patch Day – September 2025 ∗∗∗ --------------------------------------------- SAP has released its September 2025 security patch package containing 26 security notes addressing critical vulnerabilities across enterprise SAP environments. This release includes four HotNews vulnerabilities with CVSS ratings up to 10.0, four High priority issues, sixteen Medium priority fixes, and two Low priority updates. The patches affect NetWeaver AS Java, S/4HANA, SAP HCM, Business Planning and Consolidation, Commerce Cloud, and SAP Business One. --------------------------------------------- https://redrays.io/blog/sap-security-patch-day-september-2025/ ∗∗∗ VU#461364: Hiawatha open-source web server has multiple vulnerabilities ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/461364 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 08.09.2025
by Daily end-of-shift report 08 Sep '25

08 Sep '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 05-09-2025 18:00 − Montag 08-09-2025 18:00 Handler: Guenes Holler Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ iCloud Calendar abused to send phishing emails from Apple’s servers ∗∗∗ --------------------------------------------- iCloud Calendar invites are being abused to send callback phishing emails disguised as purchase notifications directly from Apple's email servers, making them more likely to bypass spam filters to land in targets' inboxes. --------------------------------------------- https://www.bleepingcomputer.com/news/security/icloud-calendar-abused-to-se… ∗∗∗ Fraunhofer SIT gibt auf: Die Volksverschlüsselung wird eingestellt ∗∗∗ --------------------------------------------- Die Volksverschlüsselung, eine gemeinsame Initiative des Fraunhofer-Instituts für Sichere Informationstechnologie (SIT) und der Deutschen Telekom, wird nach rund zehnjährigem Bestehen zum 31. Januar 2026 eingestellt. Das geht aus einer Mitteilung auf der zugehörigen Webseite(öffnet im neuen Fenster) hervor. Ziel der Volksverschlüsselung war es, Ende-zu-Ende-verschlüsselte Kommunikation benutzerfreundlicher zu machen. Doch das Projekt stieß schon zum Start auf Kritik. --------------------------------------------- https://www.golem.de/news/fraunhofer-sit-gibt-auf-die-volksverschluesselung… ∗∗∗ Noisy Bear Campaign Targeting Kazakhstan Energy Sector Outed as a Planned Phishing Test ∗∗∗ --------------------------------------------- A threat actor possibly of Russian origin has been attributed to a new set of attacks targeting the energy sector in Kazakhstan. The activity, codenamed Operation BarrelFire, is tied to a new threat group tracked by Seqrite Labs as Noisy Bear. The threat actor has been active since at least April 2025. --------------------------------------------- https://thehackernews.com/2025/09/noisy-bear-targets-kazakhstan-energy.html ∗∗∗ GPUGate Malware Uses Google Ads and Fake GitHub Commits to Target IT Firms ∗∗∗ --------------------------------------------- Cybersecurity researchers have detailed a new sophisticated malware campaign that leverages paid ads on search engines like Google to deliver malware to unsuspecting users looking for popular tools like GitHub Desktop. While malvertising campaigns have become commonplace in recent years, the latest activity gives it a little twist of its own: Embedding a GitHub commit into a page URL containing altered links that point to attacker-controlled infrastructure. --------------------------------------------- https://thehackernews.com/2025/09/gpugate-malware-uses-google-ads-and.html ∗∗∗ Netflix-Phishing-Mail im Umlauf ∗∗∗ --------------------------------------------- Derzeit kursiert eine E-Mail, die angeblich von Netflix stammt. Darin wird behauptet, eine Aktualisierung der Kontodaten sei erforderlich. Andernfalls würden 8,99 € fällig und der Zugang würde eingeschränkt werden. Vorsicht: Es handelt sich um eine Fälschung! Die Nachricht führt auf eine Phishing-Website, über die Kriminelle versuchen, Kontodaten zu stehlen. --------------------------------------------- https://www.watchlist-internet.at/news/netflix-phishing-mail-im-umlauf-1/ ∗∗∗ Blurring the Lines: Intrusion Shows Connection With Three Major Ransomware Gangs ∗∗∗ --------------------------------------------- The intrusion began in September 2024 with a download of a malicious file mimicking the EarthTime application by DeskSoft. Upon execution, SectopRAT was deployed which opened a connection to its command and control (C2) infrastructure. The threat actor established persistence by relocating the malicious file and placing a shortcut in the Startup folder, configured to trigger on user logon. They further elevated access by creating a new local account and assigning it local administrative privileges. --------------------------------------------- https://thedfirreport.com/2025/09/08/blurring-the-lines-intrusion-shows-con… ∗∗∗ GhostAction Attack Steals 3,325 Secrets from GitHub Projects ∗∗∗ --------------------------------------------- On September 2, 2025, a GitHub user known as Grommash9 committed a new workflow file to the FastUUID project. The file, labelled “Github Actions Security,” appeared similar to routine automation scripts but was later found to contain malicious code designed to collect CI/CD secrets and send them to an external server. --------------------------------------------- https://hackread.com/ghostaction-attack-steals-github-projects-secrets/ ∗∗∗ Lazarus Group Deploys Malware With ClickFix Scam in Fake Job Interviews ∗∗∗ --------------------------------------------- A recent investigation by SentinelLABS and internet intelligence platform Validin reveals that North Korean threat actors behind the Contagious Interview campaign are actively abusing public cybersecurity platforms like Validin, Maltrail, and VirusTotal to improve their malicious activities. --------------------------------------------- https://hackread.com/lazarus-group-malware-clickfix-scam-fake-job-interview/ ∗∗∗ MostereRAT Deployed AnyDesk/TightVNC for Covert Full Access ∗∗∗ --------------------------------------------- FortiGuard Labs recently discovered a phishing campaign that employs multiple advanced evasion techniques. These include the use of an Easy Programming Language (EPL) to develop a staged payload, concealing malicious operations and disabling security tools to prevent alert triggers, securing Command and Control (C2) communications using mutual TLS (mTLS), supporting various methods for deploying additional payloads, and even installing popular remote access tools to grant attackers complete control over the compromised system. --------------------------------------------- https://feeds.fortinet.com/~/924516446/0/fortinet/blogs~MostereRAT-Deployed… ∗∗∗ Ecovacs Deebot: Angreifer können beliebigen Code einschleusen ∗∗∗ --------------------------------------------- Schwachstellenbeschreibungen vom Wochenende erörtern teils hochriskante Sicherheitslücken in Staubsaugerrobotern aus dem Hause Ecovacs. Für die betroffenen Deebot-Modelle stehen bereits seit einiger Zeit Updates bereit, die die Sicherheitslecks abdichten. Besitzer sollten sicherstellen, die Basisstationen und Saugroboter auf den aktuellen Stand zu bringen. --------------------------------------------- https://heise.de/-10636233 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, libhtp, modsecurity-apache, shibboleth-sp, and wireless-regdb), Fedora (chromium, kea, tcpreplay, and yq), Mageia (rootcerts, nspr, nss & firefox and thunderbird), Red Hat (python3), and SUSE (7zip, chromedriver, go1.25, libQt5Pdf5, libsixel-bash-completion, libsoup2, libwireshark18, netty, rav1e, and trivy). --------------------------------------------- https://lwn.net/Articles/1037157/ ∗∗∗ RICOH Streamline NX vulnerable to tampering with operation history ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN75307484/ ∗∗∗ CVE-2025-8699: NFC Card Vulnerability Exploitation Leading to Free Top-Up in KioSoft "Stored Value" Unattended Payment Solution ∗∗∗ --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/nfc-card-vulnerability-e… ∗∗∗ Beckhoff Security Advisory 2025-001: CVE-2025-41701 ∗∗∗ --------------------------------------------- https://download.beckhoff.com/download/document/product-security/Advisories… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 05.09.2025
by Daily end-of-shift report 05 Sep '25

05 Sep '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 04-09-2025 18:00 − Freitag 05-09-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ The number of mis-issued 1.1.1.1 certificates grows. Here’s the latest. ∗∗∗ --------------------------------------------- Everything to know about the mishap that threatened to expose millions of users queries. --------------------------------------------- https://arstechnica.com/information-technology/2025/09/the-number-of-mis-is… ∗∗∗ Max severity Argo CD API flaw leaks repository credentials ∗∗∗ --------------------------------------------- An Argo CD vulnerability allows API tokens with even low project-level get permissions to access API endpoints and retrieve all repository credentials associated with the project. --------------------------------------------- https://www.bleepingcomputer.com/news/security/max-severity-argo-cd-api-fla… ∗∗∗ Seit Mai 2024 bekannt: TP-Link bestätigt Zero-Day-Lücke in Archer-Routern ∗∗∗ --------------------------------------------- Es sind auch hierzulande angebotene TP-Link-Modelle betroffen. Angreifer können unter Umständen aus der Ferne Schadcode einschleusen. --------------------------------------------- https://www.golem.de/news/seit-mai-2024-bekannt-tp-link-bestaetigt-zero-day… ∗∗∗ IT threat evolution in Q2 2025. Mobile statistics ∗∗∗ --------------------------------------------- The report contains statistics on mobile threats (malware, adware, and unwanted software for Android) for Q2 2025, as well as a description of the most notable malware types identified during the reporting period. --------------------------------------------- https://securelist.com/malware-report-q2-2025-mobile-statistics/117349/ ∗∗∗ IT threat evolution in Q2 2025. Non-mobile statistics ∗∗∗ --------------------------------------------- The report presents statistics for Windows, macOS, IoT, and other threats, including ransomware, miners, local and web-based threats, for Q2 2025. --------------------------------------------- https://securelist.com/malware-report-q2-2025-pc-iot-statistics/117421/ ∗∗∗ SAP S/4HANA Critical Vulnerability CVE-2025-42957 Exploited in the Wild ∗∗∗ --------------------------------------------- A critical security vulnerability impacting SAP S/4HANA, an Enterprise Resource Planning (ERP) software, has come under active exploitation in the wild.The command injection vulnerability, tracked as CVE-2025-42957 (CVSS score: 9.9), was fixed by SAP as part of .. --------------------------------------------- https://thehackernews.com/2025/09/sap-s4hana-critical-vulnerability-cve.html ∗∗∗ Schwachstellen: KI- und Netzwerktechnik von Nvidia ist angreifbar ∗∗∗ --------------------------------------------- Sicherheitsupdates schließen Lücken in unter anderem Nvidias KI-Plattformen DGX und HGX. --------------------------------------------- https://www.heise.de/news/Sicherheitsluecken-Nvidia-KI-und-Netzwerktechnik-… ∗∗∗ Stealerium-Malware macht heimlich Webcam-Fotos für Erpressung ∗∗∗ --------------------------------------------- Die frei verfügbare Malware Stealerium erkennt Pornokonsum und fertigt heimlich Webcam-Aufnahmen an. Cyberkriminelle nutzen die Fotos für Erpressung. --------------------------------------------- https://www.heise.de/news/Malware-fotografiert-Nutzer-heimlich-bei-Porno-Ko… ∗∗∗ Cyberattack forces Jaguar Land Rover to tell staff to stay at home ∗∗∗ --------------------------------------------- Luxury automaker Jaguar Land Rover says employees should stay home through the weekend as it works to mitigate the impact of a cyberattack. --------------------------------------------- https://therecord.media/jaguar-land-rover-cyberattack-workers-stay-home ∗∗∗ SEO fraud-as-a-service scheme hijacks Windows servers to promote gambling websites ∗∗∗ --------------------------------------------- A malware campaign dubbed GhostRedirector by researchers at ESET attempts to compromise websites to drive traffic to gambling sites. --------------------------------------------- https://therecord.media/seo-scheme-windows-malware-gambling-sites-ghostredi… ∗∗∗ Scammers Exploit Grok AI With Video Ad Scam to Push Malware on X ∗∗∗ --------------------------------------------- Researchers at Guardio Labs have uncovered a new “Grokking” scam where attackers trick Grok AI into spreading malicious… --------------------------------------------- https://hackread.com/scammers-exploit-grok-ai-video-ad-scam-x-malware/ ∗∗∗ Microsoft erzwingt mehr Multifaktorauthentifizierung ∗∗∗ --------------------------------------------- Microsoft aktualisiert die Pläne für "Phase 2" der erzwungenen Multifaktorauthentifizierung für Azure. Am 1.10. sind mehr Dienste fällig. --------------------------------------------- https://heise.de/-10633932 ∗∗∗ Czechia Warns of Chinese Data Transfers and Remote Administration for Espionage ∗∗∗ --------------------------------------------- Czechia’s national cybersecurity watchdog has issued a warning about foreign cyber operations, focussed on Chinese data transfers and remote administration, urging both government bodies and private businesses to bolster defenses amid rising espionage campaigns tied to China and Russia. The alert, published this week by the National Cyber and I.. --------------------------------------------- https://thecyberexpress.com/czechia-warns-of-chinese-data-transfer/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (udisks2), Oracle (httpd:2.4 and kernel), Red Hat (python-requests), and SUSE (chromium, gn, dcmtk, firefox, himmelblau, nginx, perl-Authen-SASL, perl-Crypt-URandom, postgresql15, python-Django, and python-maturin). --------------------------------------------- https://lwn.net/Articles/1036907/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 04.09.2025
by Daily end-of-shift report 04 Sep '25

04 Sep '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 03-09-2025 18:00 − Donnerstag 04-09-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Mis-issued certificates for 1.1.1.1 DNS service pose a threat to the Internet ∗∗∗ --------------------------------------------- The three certificates were issued in May but only came to light Wednesday. --------------------------------------------- https://arstechnica.com/security/2025/09/mis-issued-certificates-for-1-1-1-… ∗∗∗ Automated Sextortion Spyware Takes Webcam Pics of Victims Watching Porn ∗∗∗ --------------------------------------------- A new specimen of “infostealer” malware offers a disturbing feature: It monitors a targets browser for NSFW content, then takes simultaneous screenshots and webcam photos of the victim. --------------------------------------------- https://www.wired.com/story/stealerium-infostealer-porn-sextortion/ ∗∗∗ Serientäter bekennen sich zu IT-Angriff auf Jaguar Land Rover ∗∗∗ --------------------------------------------- Drei britische Verbrecherbanden haben sich offenbar zusammengetan. Sie prahlen mit der IT-Attacke auf Jaguar Land Rover. --------------------------------------------- https://www.heise.de/news/Serientaeter-bekennen-sich-zu-IT-Angriff-auf-Jagu… ∗∗∗ Kritische Infrastrukturen: Attacken auf industrielle Kontrollsysteme möglich ∗∗∗ --------------------------------------------- Es sind wichtige Sicherheitsupdates für industrielle Kontrollsysteme von unter anderem Hitachi erschienen. Ein Patch steht aber noch aus. --------------------------------------------- https://www.heise.de/news/Kritische-Infrastrukturen-Attacken-auf-industriel… ∗∗∗ TP-Link warns of botnet infecting routers and targeting Microsoft 365 accounts ∗∗∗ --------------------------------------------- The Quad7 botnet is adding End-of-Life TP-Link routers to its arsenal and using them to steal Microsoft 365 accounts. --------------------------------------------- https://www.malwarebytes.com/blog/news/2025/09/tp-link-warns-of-botnet-infe… ∗∗∗ Microsoft-Support-Betrug: Phishing-Falle statt Online-Hilfe ∗∗∗ --------------------------------------------- Drängt ein Pop-up-Fenster zu einem Anruf bei der Microsoft-Helpline, ist allerhöchste Vorsicht angesagt! Hinter der Aufforderung warten nämlich keine IT-Expert:innen darauf, bei Computerproblemen weiterzuhelfen. Vielmehr wollen Kriminelle auf diesem Weg Zugriff auf das Konto ihrer Opfer bekommen. --------------------------------------------- https://www.watchlist-internet.at/news/microsoft-support-betrug/ ∗∗∗ Scattered Lapsus$ Hunters Demand Google Fire Security Experts or Face Data Leak ∗∗∗ --------------------------------------------- Scattered Lapsus$ Hunters threaten Google, demanding that two security experts, Austin Larsen of Google’s Threat Intelligence Group and Charles Carmakal of Mandiant, be fired or they will leak alleged stolen Google data. --------------------------------------------- https://hackread.com/scattered-lapsus-hunters-google-fire-experts-data-leak/ ∗∗∗ 25,000 IPs Scanned Cisco ASA Devices — New Vulnerability Potentially Incoming ∗∗∗ --------------------------------------------- GreyNoise observed two scanning surges against Cisco Adaptive Security Appliance (ASA) devices in late August including more than 25,000 unique IPs in a single burst. This activity represents a significant elevation above baseline, typically registering at less than 500 IPs per day. --------------------------------------------- https://www.greynoise.io/blog/scanning-surge-cisco-asa-devices ∗∗∗ ViewState Deserialization Zero-Day Vulnerability in Sitecore Products (CVE-2025-53690) ∗∗∗ --------------------------------------------- In a recent investigation, Mandiant Threat Defense discovered an active ViewState deserialization attack affecting Sitecore deployments leveraging a sample machine key that had been exposed in Sitecore deployment guides from 2017 and earlier. An attacker leveraged the exposed ASP.NET machine keys to perform remote code .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/viewstate-deserial… ∗∗∗ Cookie Chaos: How to bypass __Host and __Secure cookie prefixes ∗∗∗ --------------------------------------------- Browsers added cookie prefixes to protect your sessions and stop attackers from setting harmful cookies. In this post, you’ll see how to bypass cookie defenses using discrepancies in browser and .. --------------------------------------------- https://portswigger.net/research/cookie-chaos-how-to-bypass-host-and-secure… ∗∗∗ Linux Kernel SMB 0-Day Vulnerability CVE-2025-37899 Uncovered Using ChatGPT o3 ∗∗∗ --------------------------------------------- For the first time, a zero-day vulnerability in the Linux kernel has been discovered using a large language model, OpenAI’s o3. Discovered by security researcher Sean Heelan and assigned .. --------------------------------------------- https://www.upwind.io/feed/linux-kernel-smb-0-day-vulnerability-cve-2025-37… ∗∗∗ s1ngularitys Aftermath: AI, TTPs, and Impact in the Nx Supply Chain Attack ∗∗∗ --------------------------------------------- A deeper look at the Nx supply chain attack: analyzing the performance of AI-powered malware, calculating incident impact, and sharing novel TTPs for further investigation. --------------------------------------------- https://www.wiz.io/blog/s1ngularitys-aftermath ∗∗∗ Nx Investigation Reveals GitHub Actions Workflow Exploit Led to npm Token Theft, Prompting Switch to Trusted Publishing ∗∗∗ --------------------------------------------- On August 26, 2025, the JavaScript ecosystem witnessed a watershed moment in supply chain security. The popular Nx build system, with over 4.6 million weekly downloads, fell victim to an attack that stole thousands of credentials and pioneered a disturbing new technique: weaponizing AI developer tools for scaling reconnaissance and data theft.The Nx team .. --------------------------------------------- https://socket.dev/blog/nx-supply-chain-attack-investigation-github-actions… ∗∗∗ Exploit development for IBM i ∗∗∗ --------------------------------------------- At TROOPERS24, we demonstrated how IBM i systems – still widely used in enterprise environments – can be compromised in both authenticated and unauthenticated scenarios, using only built-in services and a basic understanding of the underlying mechanisms. Despite being labeled “legacy,” these systems remain active in finance, logistics, and manufacturing, often handling critical workloads with little attention paid to their security posture. --------------------------------------------- https://blog.silentsignal.eu/2025/09/04/Exploit-development-for-IBM-i/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 03.09.2025
by Daily end-of-shift report 03 Sep '25

03 Sep '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 02-09-2025 18:00 − Mittwoch 03-09-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hackers breach fintech firm in attempted $130M bank heist ∗∗∗ --------------------------------------------- Hackers tried to steal $130 million from Evertecs Brazilian subsidiary Sinqia S.A.after gaining unauthorized access to its environment on the central banks real-time payment system (Pix). --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-breach-fintech-firm-… ∗∗∗ What Is a Passkey? Here’s How to Set Up and Use Them (2025) ∗∗∗ --------------------------------------------- Passkeys were built to enable a password-free future. Heres what they are and how you can start using them. --------------------------------------------- https://www.wired.com/story/what-is-a-passkey-and-how-to-use-them/ ∗∗∗ Patchday: Kritische Schadcode-Lücke bedroht Android 15 und 16 ∗∗∗ --------------------------------------------- Wichtige Sicherheitsupdates schließen mehrere Sicherheitslücken in verschiedenen Android-Versionen. --------------------------------------------- https://www.heise.de/news/Patchday-Kritische-Schadcode-Luecke-bedroht-Andro… ∗∗∗ Phishing-Alarm: FinanzOnline droht nicht mit der Pfändung des Hausrats! ∗∗∗ --------------------------------------------- Eine höchst aktuelle Phishing-Welle im Namen von FinanzOnline sorgt für große Verunsicherung. Die zentrale Drohung: Pfändung des Hausrats durch den Gerichtsvollzieher! Klingt besorgniserregend, ist in Wahrheit aber nichts anderes als ein Betrugsversuch. Wir erklären, .. --------------------------------------------- https://www.watchlist-internet.at/news/phishing-alarm-finanzonline-pfaendun… ∗∗∗ Model Namespace Reuse: An AI Supply-Chain Attack Exploiting Model Name Trust ∗∗∗ --------------------------------------------- Model namespace reuse is a potential security risk in the AI supply chain. Attackers can misuse platforms like Hugging Face for remote code execution. --------------------------------------------- https://unit42.paloaltonetworks.com/model-namespace-reuse/ ∗∗∗ Digitale Souveränität: Cloud Edition. ∗∗∗ --------------------------------------------- Das erratische Verhalten der aktuellen US-Regierung hat die Sorgen um die Abhängigkeit Europas von den großen US-Cloudbetreibern verstärkt. In der EU haben sowohl die Kommission als auch das Parlament Dokumente zu diesem Thema vorgelegt, heuer hat die Kommission bereits um Ideen zu einem Cloud and AI Development Act gebeten. Auch in Deutschland .. --------------------------------------------- https://www.cert.at/de/blog/2025/9/digitale-souveranitat-cloud-edition ∗∗∗ Cloudflare, Zscaler among companies impacted by Salesloft Drift incident ∗∗∗ --------------------------------------------- Multiple tech firms have publicly detailed how incidents involving the third-party Salesloft Drift tool have exposed customer data. --------------------------------------------- https://therecord.media/salesloft-drift-breach-cloudflare-zscaler-palo-alto… ∗∗∗ Corruption case against ousted cyber chief is ‘revenge,’ Ukraine’s security service says ∗∗∗ --------------------------------------------- Ukraine’s security service is accusing the country’s anti-corruption agencies of seeking “revenge” by bringing charges against Illia Vitiuk, the former head of the agency’s cybersecurity unit. --------------------------------------------- https://therecord.media/corruption-case-against-ousted-cyber ∗∗∗ Cloudflare Mitigates Largest Ever Recorded DDoS Attack at 11.5 Tbps ∗∗∗ --------------------------------------------- Cloudflare mitigated the largest DDoS attack ever recorded, an 11.5 Tbps flood that lasted 35 seconds without disrupting… --------------------------------------------- https://hackread.com/cloudflare-mitigates-largest-ddos-attack-11-5-tbps/ ∗∗∗ CISA, NSA and 19 International Partners Release Shared Vision of Software Bill of Materials for Cybersecurity Guide ∗∗∗ --------------------------------------------- CISA, NSA, and 19 international partners release a shared vision of Software Bill of Materials (SBOM) highlighting the importance of SBOM in securing global supply chains & enhancing software resilience worldwide. --------------------------------------------- https://www.cisa.gov/news-events/news/cisa-nsa-and-19-international-partner… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (httpd, kernel, and kernel-rt), Debian (python-eventlet and python-h2), Mageia (aide, gnutls, tomcat, and vim), Oracle (httpd, mod_http2, postgresql:15, python3.11, python3.12, python3.9, and udisks2), Red Hat (kernel, postgresql, postgresql:12, and postgresql:15), SUSE (dcmtk, jupyter-bqplot-jupyterlab, kured, libudisks2-0, munge, python-eventlet, python-future, python311-eventlet, rekor, traefik2, and ucode-intel), and Ubuntu (linux-aws, .. --------------------------------------------- https://lwn.net/Articles/1036567/ ∗∗∗ Vulnerability & Patch Roundup — August 2025 ∗∗∗ --------------------------------------------- https://blog.sucuri.net/2025/08/vulnerability-patch-roundup-august-2025.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 02.09.2025
by Daily end-of-shift report 02 Sep '25

02 Sep '25

===================== = End-of-Day report = ===================== Timeframe: Montag 01-09-2025 18:00 − Dienstag 02-09-2025 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Zscaler data breach exposes customer info after Salesloft Drift compromise ∗∗∗ --------------------------------------------- In an advisory, Zscaler says that its Salesforce instance was impacted by this supply-chain attack, exposing customers' information. [..] This warning follows the compromise of Salesloft Drift, an AI chat agent that integrates with Salesforce, in which attackers stole OAuth and refresh tokens, enabling them to gain access to customer Salesforce environments and exfiltrate sensitive data. [..] The company stresses that the data breach only impacts its Salesforce instance and no Zscaler products, services, or infrastructure. --------------------------------------------- https://www.bleepingcomputer.com/news/security/zscaler-data-breach-exposes-… ∗∗∗ Stolen OAuth tokens expose Palo Alto customer data ∗∗∗ --------------------------------------------- Palo Alto Networks is writing to customers that may have had commercially sensitive data exposed after criminals used stolen OAuth credentials lifted from the Salesloft Drift break-in to gain entry to its Salesforce instance. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/09/02/stolen_oauth… ∗∗∗ No, Google did not warn 2.5 billion Gmail users to reset passwords ∗∗∗ --------------------------------------------- This is just the latest such story, which numerous news websites and cybersecurity companies have reported without verification in recent years. [..] However, as the company explained on a Monday blog post addressing these inaccurate stories, "Gmail's protections are strong and effective, and claims of a major Gmail security warning are false." --------------------------------------------- https://www.bleepingcomputer.com/news/technology/no-google-did-not-warn-25-… ∗∗∗ Badges, behavior, and BMS: Why the human perimeter matters in energy cybersecurity ∗∗∗ --------------------------------------------- Over the summer, a hacker brought a 158-year-old European technology company to its knees with a guessed password. By identifying a weak admin credential, the attacker gained access to internal systems and extracted sensitive information, laying the groundwork for a broader ransomware campaign. [..] Energy cybersecurity is not just about software protection —it’s also about managing human interaction and physical access to critical infrastructure. [..] Even the most secure system in the world won’t help if someone holds the door open for the wrong person. --------------------------------------------- https://blog.se.com/digital-transformation/cybersecurity/2025/09/01/badges-… ∗∗∗ Cookies and how to bake them: what they are for, associated risks, and what session hijacking has to do with it ∗∗∗ --------------------------------------------- Kaspersky experts explain the different types of cookies, how to configure them correctly, and how to protect yourself from session hijacking attacks. --------------------------------------------- https://securelist.com/cookies-and-session-hijacking/117390/ ∗∗∗ A quick look at sextortion at scale: 1,900 messages and 205 Bitcoin addresses spanning four years, (Tue, Sep 2nd) ∗∗∗ --------------------------------------------- What can almost 2,000 sextortion messages tell us about how threat actors operate and whether they are successful? [..] The use of specific cryptocurrency addresses in sextortion messages seems to be fairly short-lived. Approximately 46% of the addresses in the dataset were only used for a single day [..] the average requested amount was 1,716 USD, with a median of 1,370 USD [..] Of the 205 cryptocurrency addresses in our dataset, only 57 (~28%) didn’t receive any payment at all, while the remaining addresses did. --------------------------------------------- https://isc.sans.edu/diary/rss/32252 ∗∗∗ Ukrainian Network FDN3 Launches Massive Brute-Force Attacks on SSL VPN and RDP Devices ∗∗∗ --------------------------------------------- Cybersecurity researchers have flagged a Ukrainian IP network for engaging in massive brute-force and password spraying campaigns targeting SSL VPN and RDP devices between June and July 2025. The activity originated from a Ukraine-based autonomous system FDN3 (AS211736), per French cybersecurity company Intrinsec. --------------------------------------------- https://thehackernews.com/2025/09/ukrainian-network-fdn3-launches-massive.h… ∗∗∗ Achtung, Bitpanda-Phishing: Krypto-Guthaben in Gefahr! ∗∗∗ --------------------------------------------- Kriminelle versenden SMS-Nachrichten und warnen vor einem angeblichen Login auf das Bitpanda-Konto des Opfers. Sie liefern außerdem eine Telefonnummer mit, bei der man sich zur Klärung melden solle. Am anderen warten allerdings die Betrüger:innen – und die haben es auf Krypto-Assets abgesehen. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-bitpanda-phishing-krypto/ ===================== = Vulnerabilities = ===================== ∗∗∗ Heimautomatisierung: ESPHome-Lücke erlaubt volle Kompromittierung ∗∗∗ --------------------------------------------- In der ESP-IDF-Plattform der ESPHome-Firmwarebasis führt eine nun entdeckte Sicherheitslücke dazu, dass Angreifer eine Authentifizierung umgehen können. Das ermöglicht ihnen sogar, eigene Firmware auf verwundbare Controller zu verfrachten. [..] Ein neuer Schwachstelleneintrag vom Montag dieser Woche erörtert die Sicherheitslücke in der Firmware. [..] (CVE-2025-57808 / noch kein EUVD, CVSS 8.1, Risiko "hoch") --------------------------------------------- https://www.heise.de/news/Heimautomatisierung-ESPHome-Luecke-erlaubt-volle-… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (kernel, mod_http2, postgresql, postgresql:15, and python39:3.9), Debian (libsndfile), Mageia (ceph, glibc, and golang), Oracle (postgresql and python39:3.9), Red Hat (aide, postgresql:12, postgresql:13, postgresql:15, and postgresql:16), SUSE (git, govulncheck-vulndb, jetty-minimal, nginx, python-future, and ruby2.5), and Ubuntu (imagemagick). --------------------------------------------- https://lwn.net/Articles/1036369/ ∗∗∗ TYPO3-EXT-SA-2025-011: Command Injection in extension "TYPO3 Backup Plus" (ns_backup) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2025-011 ∗∗∗ Delta Electronics EIP Builder ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-245-01 ∗∗∗ SunPower PVS6 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-245-03 ∗∗∗ Fuji Electric FRENIC-Loader 4 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-245-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 01.09.2025
by Daily end-of-shift report 01 Sep '25

01 Sep '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 29-08-2025 18:00 − Montag 01-09-2025 18:00 Handler: Felician Fuchs Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Transparenz und Kommunikation: BSI rät indirekt von weiterer Paypal-Nutzung ab ∗∗∗ --------------------------------------------- Was passiert mit den Daten, werden bei Ausfällen Gründe genannt? Ohne Paypal zu nennen, ruft das BSI auf, nicht nur nach der Usability auszuwählen. --------------------------------------------- https://www.golem.de/news/transparenz-und-kommunikation-bsi-raet-indirekt-v… ∗∗∗ AWS warnt: Russische Hacker bei Attacken auf Microsoft-Nutzer erwischt ∗∗∗ --------------------------------------------- Die berüchtigte Hackergruppe APT29 soll bestehende Webseiten mit Schadcode verseucht haben, um an die Microsoft-Konten der Besucher zu gelangen. --------------------------------------------- https://www.golem.de/news/aws-warnt-russische-hacker-bei-attacken-auf-micro… ∗∗∗ Attackers Abuse Velociraptor Forensic Tool to Deploy Visual Studio Code for C2 Tunneling ∗∗∗ --------------------------------------------- Cybersecurity researchers have called attention to a cyber attack in which unknown threat actors deployed an open-source endpoint monitoring and digital forensic tool called Velociraptor, illustrating ongoing abuse of legitimate software for malicious purposes. --------------------------------------------- https://thehackernews.com/2025/08/attackers-abuse-velociraptor-forensic.html ∗∗∗ Traffic to government domains often crosses national borders, or flows through risky bottlenecks ∗∗∗ --------------------------------------------- Sites at yourcountry.gov may also not bother with HTTPs Internet traffic to government domains often flows across borders, relies on a worryingly small number of network connections, or does not require encryption, according to new research. --------------------------------------------- https://www.theregister.com/2025/09/01/isoc_government_domain_traffic_measu… ∗∗∗ SSA Whistleblower’s Resignation Email Mysteriously Disappeared From Inboxes ∗∗∗ --------------------------------------------- Less than 30 minutes after the Social Security Administration’s chief data officer resigned following a whistleblower complaint, recipients could no longer access the resignation email. --------------------------------------------- https://www.wired.com/story/charles-borges-resignation-email-disappearance/ ∗∗∗ Hintertür-Bericht: Britische Regierung will Vollzugriff auf iCloud ∗∗∗ --------------------------------------------- Noch immer ist nicht final entschieden, ob Apple britischen Strafverfolgern Zugriff auf iCloud geben muss. Nun wurde die ganze Datenbreite bekannt. --------------------------------------------- https://www.heise.de/news/Hintertuer-Bericht-Britische-Regierung-will-Vollz… ∗∗∗ Nach Kritik: Ameos Kliniken wollen proaktiv über Datenleak informieren ∗∗∗ --------------------------------------------- Nach einem erfolgreichen Cyberangriff hatte der Klinikkonzern Ameos ein Auskunftsformular bereitgestellt. Nach Kritik wurde selbiges jetzt geändert. --------------------------------------------- https://www.heise.de/news/Ameos-Kliniken-Nach-IT-Angriff-steht-Auskunftsfor… ∗∗∗ IT-Infrastruktur des Innenministeriums "gezielt und professionell" gehackt ∗∗∗ --------------------------------------------- Polizeiliche Daten oder Anwendungen sollen nach eigenen Angaben nicht betroffen sein. Der Angriff fand vor einigen Wochen statt, wurde aber erst jetzt kommuniziert. --------------------------------------------- https://www.derstandard.at/story/3000000285630/cyberangriff-auf-it-infrastr… ∗∗∗ Sweden scrambles after ransomware attack puts sensitive worker data at risk ∗∗∗ --------------------------------------------- Municipal government organisations across Sweden have found themselves impacted after a ransomware attack at a third-party software service supplier. --------------------------------------------- https://www.bitdefender.com/en-us/blog/hotforsecurity/sweden-scrambles-afte… ∗∗∗ Merkwürdige Spam-Mail; Accenture gehackt? ∗∗∗ --------------------------------------------- Ein Blog-Leser hat mich vor einigen Tage darauf hingewiesen, dass er eine merkwürdige Spam-Mail bekam, die von einer Accenture-Domain verschickt wurde. Inzwischen ist die Domain nicht mehr erreichbar – was die Frage nach dem Hintergrund aufwirft. --------------------------------------------- https://www.borncity.com/blog/2025/08/31/accenture-gehackt-merkwuerdige-phi… ∗∗∗ Starker Anstieg der Cyberangriffe auf den Bildungssektor ∗∗∗ --------------------------------------------- Sicherheitsanbieter Check Point warnt vor einem starken Anstieg von Cyber-Angriffen im Bildungssektor: Weltweit um 41 Prozent, in Deutschland sogar plus 56 Prozent. Bildungseinrichtungen verzeichnen im Schnitt mehr als 4300 Angriffe pro Woche, getrieben von saisonalen Phishing-Kampagnen zum Schul- und Semesterstart. --------------------------------------------- https://www.borncity.com/blog/2025/08/31/starker-anstieg-der-cyberangriffe-… ∗∗∗ PromptLock: Erste KI-gestützte Malware von ESET entdeckt ∗∗∗ --------------------------------------------- ESET-Sicherheitsforscher haben die ihrer Meinung nach "erste bekannte KI-gestützte Ransomware" mit dem Namen PromptLock entdeckt. --------------------------------------------- https://www.borncity.com/blog/2025/08/31/promptlock-erste-ki-gestuetzte-mal… ∗∗∗ Citrix Netscaler backdoors — Part One — May 2025 activity against governments ∗∗∗ --------------------------------------------- This is a follow up post to the prior one, part of a series looking at different Netscaler vulnerabilities that have been exploited in the wild as zero days. --------------------------------------------- https://doublepulsar.com/citrix-netscaler-backdoors-part-one-may-2025-activ… ∗∗∗ 8 Malicious NPM Packages Stole Chrome User Data on Windows ∗∗∗ --------------------------------------------- JFrog researchers found eight malicious NPM packages using 70 layers of obfuscation to steal data from Chrome browser users on Windows. The attack highlights a growing threat to developers. --------------------------------------------- https://hackread.com/malicious-npm-packages-stole-chrome-user-data-windows/ ∗∗∗ Widespread Data Theft Targets Salesforce Instances via Salesloft Drift ∗∗∗ --------------------------------------------- Update (August 28) Based on new information identified by GTIG, the scope of this compromise is not exclusive to the Salesforce integration with Salesloft Drift and impacts other integrations. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesfo… ∗∗∗ ShadowSilk Data Exfiltration Attack ∗∗∗ --------------------------------------------- Nearly three dozen organizations across Central Asia and the Asia-Pacific region, predominantly government agencies, have been compromised in data exfiltration campaigns attributed to the Russian and Chinese-speaking threat group known as ShadowSilk, according to Group-IB. --------------------------------------------- https://fortiguard.fortinet.com/threat-signal-report/6190 ∗∗∗ Vishing: So gelingt der Angriff per Telefon selbst auf Großunternehmen ∗∗∗ --------------------------------------------- Auf der Def Con konnte man sich live ansehen, wie Vishing funktioniert. Erstaunlich oft ergattern Angreifer per Telefon selbst wichtigste Firmeninformationen. --------------------------------------------- https://heise.de/-10625451 ∗∗∗ A16-FuseBypass: Debug Logic Enabled on Production Apple Silicon ∗∗∗ --------------------------------------------- This repository documents a critical hardware-level vulnerability in the Apple A16 Bionic chip used in iPhone 14 Pro Max and related devices. --------------------------------------------- https://github.com/JGoyd/A16-FuseBypass ∗∗∗ KernelSnitch: Side-Channel Attacks on Kernel Data Structures ∗∗∗ --------------------------------------------- In this paper, we present a novel generic software side-channel attack, KernelSnitch, targeting kernel data structures such as hash tables and trees. --------------------------------------------- https://lukasmaar.github.io/papers/ndss25-kernelsnitch.pdf ∗∗∗ Client-side RCE via CSS Injection in Google Web Designer for Windows ∗∗∗ --------------------------------------------- After my recent discovery of two client-side remote code execution vulnerabilities in Google Web Designer (previously disclosed in my articles earlier this year: CVE-2025-1079, CVE-2025-4613), in April 2025 I've found yet another serious issue in the app. --------------------------------------------- https://balintmagyar.com/articles/google-web-designer-css-injection-client-… ∗∗∗ Passkeys are incompatible with open-source software ∗∗∗ --------------------------------------------- After reading more of the spec authors’ comments on open-source Passkey implementations, I cannot support this tech. In addition to what I covered at the bottom of this blog post, I found more instances where the spec authors have expressed positions that are incompatible with open-source software and user freedom. --------------------------------------------- https://www.smokingonabike.com/2025/01/04/passkey-marketing-is-lying-to-you/ ∗∗∗ Wallet-Draining npm Package Impersonates Nodemailer to Hijack Crypto Transactions ∗∗∗ --------------------------------------------- Socket’s Threat Research Team identified a malicious npm package, nodejs-smtp, that impersonates the popular email library nodemailer, which averages roughly 3.9 million weekly downloads, while implanting code into desktop cryptocurrency wallets on Windows. --------------------------------------------- https://socket.dev/blog/wallet-draining-npm-package-impersonates-nodemailer ∗∗∗ The CISO’s Codex – Leo and the Laws of Security ∗∗∗ --------------------------------------------- A a storytelling approach to cybersecurity, where a new CISO named Leo guides his company through foundational security models like Bell-LaPadula, Biba, Clark-Wilson, Brewer-Nash, and Graham-Denning/HRU. --------------------------------------------- https://thecyberthrone.in/2025/08/30/the-cisos-codex-leo-and-the-laws-of-se… ∗∗∗ Nevada Faces Unprecedented Ransomware Attack ∗∗∗ --------------------------------------------- On August 24, 2025, Nevada made headlines as the victim of a historic cyberattack that forced a near-total shutdown of state government operations. --------------------------------------------- https://thecyberthrone.in/2025/08/31/nevada-faces-unprecedented-ransomware-… ===================== = Vulnerabilities = ===================== ∗∗∗ IT-Sicherheitslösung Acronis Cyber Protect Cloud Agent ist verwundbar ∗∗∗ --------------------------------------------- Ein Sicherheitsupdate schließt eine Schwachstelle in Acronis Cyber Protect Cloud Agent. --------------------------------------------- https://www.heise.de/news/IT-Sicherheitsloesung-Acronis-Cyber-Protect-Cloud… ∗∗∗ Qnap: Teils hochriskante Lücken in QTS und QuTS hero geschlossen ∗∗∗ --------------------------------------------- Aktualisierungen für die QTS- und QuTS-hero-Firmwares von Qnap-Geräten schließen als hochriskant eingestuft Sicherheitslücken. --------------------------------------------- https://www.heise.de/news/Qnap-Update-schliesst-teils-hochriskante-Luecken-… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (postgresql16, postgresql:16, python3.11, and thunderbird), Debian (firebird4.0, libcommons-lang3-java, mbedtls, nodejs, openvpn, and ruby-saml), Fedora (cef, chromium, docker-buildx, exiv2, firefox, rocm-rpp, and udisks2), Oracle (postgresql:16), Red Hat (fence-agents, firefox, gdk-pixbuf2, httpd, kernel, kernel-rt, libarchive, libxml2, multiple packages, postgresql, postgresql16, postgresql:15, postgresql:16, python3.11, python3.12, python39:3.9, and thunderbird), Slackware (udisks2), SUSE (go-sendxmpp, helm, ImageMagick, javamail, jq, kea, kernel, libarchive, libsoup, libssh, libxml2, openssl-3, postgresql14, postgresql15, python, python-future, systemd, and xz), and Ubuntu (open-vm-tools and python2.7). --------------------------------------------- https://lwn.net/Articles/1036084/ ∗∗∗ Authenticated Attackers Could Exploit IBM Watsonx Vulnerability to Access Sensitive Data ∗∗∗ --------------------------------------------- A newly disclosed security vulnerability, tracked as CVE-2025-0165, has been reported, specifically concerning the users of the IBM Watsonx Orchestrate Cartridge within the IBM Cloud Pak for Data platform. --------------------------------------------- https://thecyberexpress.com/decoding-cve-2025-0165-flaw/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 29.08.2025
by Daily end-of-shift report 29 Aug '25

29 Aug '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 28-08-2025 18:00 − Freitag 29-08-2025 18:00 Handler: Felician Fuchs Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Polizei warnt vor Anrufen von Fake-Innenminister, der Geld will ∗∗∗ --------------------------------------------- Innenminister Karner soll um Spenden für Lösegeldzahlungen gebeten haben. Die Kontaktaufnahme geschah dabei mit einer echten Nummer des Innenministeriums. --------------------------------------------- https://futurezone.at/digital-life/fake-innenminister-karner-anruf-scam-pol… ∗∗∗ Vorsicht! Ankündigung einer Betriebsprüfung durch das Finanzamt ist eine Falle! ∗∗∗ --------------------------------------------- Eine neue Betrugsmasche im Namen des österreichischen Finanzamts macht aktuell die Runde. Diesmal ist es kein Zugangscode, der abläuft. Keine Rückerstattung, die auf ihre Auszahlung wartet. Im aktuellen Fall versuchen Kriminelle, über die Ankündigung einer Betriebsprüfung für Schaden zu sorgen. --------------------------------------------- https://www.watchlist-internet.at/news/falle-finanzamt-betriebspruefung/ ∗∗∗ Citrix forgot to tell you CVE-2025–6543 has been used as a zero day since May 2025 ∗∗∗ --------------------------------------------- Netscaler customers have a problem: the product is on fire. And not in a good way. Serious threat actors are running rings around the product on a regular basis, zero days being exploited regularly, and Citrix/Cloud Software Group simply aren’t being transparent about what is happening with customers so they cannot make real assessments of compromise. Applying patches after already being exploited is not working. --------------------------------------------- https://doublepulsar.com/citrix-forgot-to-tell-you-cve-2025-6543-has-been-u… ∗∗∗ Vorzeitige Beendigung des Supports für SonicWall SMA100 ∗∗∗ --------------------------------------------- Am 31. Oktober 2025 soll Schluss mit dem Support sein, wie es in einer Mitteilung eines SonicWall-Partners heißt. --------------------------------------------- https://www.borncity.com/blog/2025/08/29/vorzeitige-beendigung-des-supports… ∗∗∗ How attackers adapt to built-in macOS protection ∗∗∗ --------------------------------------------- We analyze the built-in protection mechanisms in macOS: how they work, how threat actors can attack them or deceive users, and how to detect such attacks. --------------------------------------------- https://securelist.com/macos-security-and-typical-attacks/117367/ ∗∗∗ Passkeys Pwned: Turning WebAuthn Against Itself ∗∗∗ --------------------------------------------- On the DEFCON 33 main stage, SquareX researchers disclosed a major passkey vulnerability that uses malicious extensions/scripts to fake passkey registration and logins, allowing attackers to access enterprise SaaS apps without the user’s device or biometrics. --------------------------------------------- https://labs.sqrx.com/passkeys-pwned-0dbddb7ade1a ∗∗∗ Ransomware gang takedowns causing explosion of new, smaller groups ∗∗∗ --------------------------------------------- The ransomware ecosystem continues to splinter, with new gangs proliferating in the wake of law enforcement takedowns that have scattered affiliates and prompted criminal rebrands. --------------------------------------------- https://therecord.media/ransomware-gang-takedown-proliferation ===================== = Vulnerabilities = ===================== ∗∗∗ Windows: Zero-Day-Lücke bei der LNK-Anzeige ∗∗∗ --------------------------------------------- Laut ZDI stellte Microsoft sich auf den Standpunkt, dass die Sicherheitslücke nicht den Schweregrad für eine Behandlung erreicht. Auch nach etwa einem halben Jahr hin und her änderte Microsoft seine Meinung dazu nicht. Schließlich hat ZDI die Meldung veröffentlicht und jetzt auch einen CVE-Schwachstelleneintrag dazu herausgegeben. [..] "Die Schwachstelle ermöglicht Angreifern aus dem Netz, beliebigen Code auf betroffenen Installationen von Microsoft Windows auszuführen. Benutzerinteraktion ist für den Missbrauch erforderlich, diese müssen eine bösartige Seite besuchen oder eine bösartige Datei öffnen", schlussfolgert die ZDI. [..] (CVE-2025-9491 / noch kein EUVD, CVSS 7.0, Risiko "hoch") --------------------------------------------- https://heise.de/-10625780 ∗∗∗ FreePBX Servers Targeted by Zero-Day Flaw, Emergency Patch Now Available ∗∗∗ --------------------------------------------- The vulnerability, assigned the CVE identifier CVE-2025-57819, carries a CVSS score of 10.0, indicating maximum severity. "Insufficiently sanitized user-supplied data allows unauthenticated access to FreePBX Administrator, leading to arbitrary database manipulation and remote code execution," the project maintainers said in an advisory. [..] "We are seeing active exploitation of FreePBX in the wild with activity traced back as far as August 21 and backdoors being dropped post-compromise," watchTowr CEO Benjamin Harris said in a statement shared with The Hacker News. --------------------------------------------- https://thehackernews.com/2025/08/freepbx-servers-targeted-by-zero-day.html ∗∗∗ clickstudios Passwordstate 2025-08-28 ∗∗∗ --------------------------------------------- Fixed a potential authentication bypass issue associated with accessing the core Passwordstate Products' Emergency Access page, by using a carefully crafted URL, which could allow access to the Passwordstate Administration section. --------------------------------------------- https://www.clickstudios.com.au/security/advisories/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (aide, fence-agents, firefox, kernel-rt, python-cryptography, and thunderbird), Debian (golang-github-gin-contrib-cors, libxml2, and udisks2), Fedora (chromium), Oracle (postgresql16, postgresql:16, python3.11, and thunderbird), Red Hat (lz4 and mpfr), SUSE (chromium, docker, dpkg, firefox, gdk-pixbuf, git, git, git-lfs, obs-scm-bridge, python-PyYAML, gnutls, kernel, libarchive, libxml2, net-tools, netty, perl-Crypt-CBC, polkit, postgresql14, postgresql15, sqlite3, thunderbird, tomcat10, and udisks2), and Ubuntu (linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-intel-iotg, linux-intel-iotg-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx, linux-oracle, linux-raspi, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.14, linux-gcp, linux-hwe-6.14, linux-raspi, linux-realtime, linux-realtime-6.14, linux, linux-aws, linux-aws-6.8, linux-gcp, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-oracle, linux-oracle-6.8, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-azure, linux-fips, linux-fips, linux-aws-fips, linux-gcp-fips, linux-gke, linux-hwe-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-raspi, linux-gke, linux-kvm, linux-oem-6.14, linux-realtime, linux-intel-iot-realtime, linux-realtime, linux-raspi-realtime, openldap, and udisks2). --------------------------------------------- https://lwn.net/Articles/1035724/ ∗∗∗ QNAP: Multiple Vulnerabilities in File Station 5 ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-25-19 ∗∗∗ QNAP: Multiple Vulnerabilities in QTS and QuTS hero ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-25-21 ∗∗∗ Tenable: [R1] Stand-alone Security Patches Available for Tenable Security Center versions 6.4.x, 6.5.1 and 6.6.0: SC-202508.1 ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2025-17 ∗∗∗ Mitsubishi Electric MELSEC iQ-F Series CPU Module ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-240-01 ∗∗∗ Mitsubishi Electric MELSEC iQ-F Series CPU Module ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-240-02 ∗∗∗ GE Vernova CIMPLICITY ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-240-06 ∗∗∗ Delta Electronics CNCSoft-G2 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-240-04 ∗∗∗ Delta Electronics COMMGR ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-240-05 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 28.08.2025
by Daily end-of-shift report 28 Aug '25

28 Aug '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 27-08-2025 18:00 − Donnerstag 28-08-2025 18:00 Handler: Guenes Holler Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Experimental PromptLock ransomware uses AI to encrypt, steal data ∗∗∗ --------------------------------------------- Threat researchers discovered the first AI-powered ransomware, called PromptLock, that uses Lua scripts to steal and encrypt data on Windows, macOS, and Linux systems. The malware uses OpenAI’s gpt-oss:20b model through the Ollama API to dynamically generate the malicious Lua scripts from hard-coded prompts. --------------------------------------------- https://www.bleepingcomputer.com/news/security/experimental-promptlock-rans… ∗∗∗ ZipLine Phishers Flip Script as Victims Email First ∗∗∗ --------------------------------------------- "ZipLine" appears to be a sophisticated and carefully planned campaign that has already affected dozens of small, medium, and large A financially motivated threat actor is flipping the phishing playbook by getting victims to make the first email contact with the attacker rather than the other way around. The scam involves the adversary hitting up Contact Us forms on company websites under the guise of partnership inquiries or other business pretexts and waiting for the target to respond. Over a couple of weeks, they build credibility with carefully crafted, professional-sounding emails before hitting their mark with a weaponized zip file. --------------------------------------------- https://www.darkreading.com/cyberattacks-data-breaches/zipline-phishers-vic… ∗∗∗ AppSuite PDF Editor Backdoor: A Detailed Technical Analysis ∗∗∗ --------------------------------------------- Some threat actors are bold enough to submit their own malware as false positive to antivirus companies and demand removal of the detection. This is exactly what happened with AppSuite PDF Editor. Initially, automation flagged it as a potentially unwanted program—a verdict that is typically reserved for legitimate software with shady features like unwanted advertisement or installation of third-party programs without proper consent. In the case of AppSuite, however, we found a backdoor. --------------------------------------------- https://feeds.feedblitz.com/~/923960972/0/gdatasecurityblog-en~AppSuite-PDF… ∗∗∗ Schweden: Cyberangriff legt Systeme Hunderter Kommunen lahm ∗∗∗ --------------------------------------------- Ein schwedischer IT-Dienstleister namens Miljödata ist offenbar Ziel einer folgenschweren Cyberattacke geworden. Einem Bericht von Bleeping Computer(öffnet im neuen Fenster) zufolge soll der Angriff in mehr als 200 schwedischen Verwaltungen zu Ausfällen führen. Bei dem Nachrichtenportal Sweden Herald(öffnet im neuen Fenster) ist sogar von 250 betroffenen Kunden die Rede, von denen mindestens 164 Kommunalverwaltungen sein sollen. --------------------------------------------- https://www.golem.de/news/schweden-cyberangriff-legt-systeme-hunderter-komm… ∗∗∗ Malicious Screen Connect Campaign Abuses AI-Themed Lures for Xworm Delivery ∗∗∗ --------------------------------------------- During a recent Advanced Continual Threat Hunt (ACTH) investigation, the Trustwave SpiderLabs Threat Hunt team identified a deceptive campaign that abused fake AI-themed content to lure users into executing a malicious, pre-configured ScreenConnect installer. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/malicious-s… ∗∗∗ Mehr als 28.000 Netscaler-Instanzen anfällig für Citrix Bleed 3 ∗∗∗ --------------------------------------------- Am Mittwoch wurde bekannt, dass Schwachstellen in den Netscalern (ADC und Gateways) von Citrix angegriffen werden, die bereits als "Citrix Bleed 3" tituliert werden. Die Shadowserver Foundation hat am Mittwoch Zahlen veröffentlicht, denen zufolge weltweit am Dienstag noch mehr als 28.000 Systeme für die Lücke "Citrix Bleed 3" verwundbar sind. Angreifer können darauf vermutlich die Schwachstellen missbrauchen. --------------------------------------------- https://www.heise.de/news/Mehr-als-28-000-Netscaler-Instanzen-anfaellig-fue… ∗∗∗ Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System ∗∗∗ --------------------------------------------- People’s Republic of China (PRC) state-sponsored cyber threat actors are targeting networks globally, including, but not limited to, telecommunications, government, transportation, lodging, and military infrastructure networks. While these actors focus on large backbone routers of major telecommunications providers, as well as provider edge (PE) and customer edge (CE) routers, they also leverage compromised devices and trusted connections to pivot into other networks. These actors often modify routers to maintain persistent, long-term access to networks. --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a ∗∗∗ Microsoft warnt: Ransomware-Gruppe Storm-0501 greift (Azure) Cloud an, verlangt Zahlungen ∗∗∗ --------------------------------------------- Microsoft warnt vor der finanziell motivierten Gruppe Storm-0501, die kontinuierlich mit Angriffen auf Cloud-Instanzen (Azure) zielt. Bei Erfolg werden Daten abgezogen, dann die Originale verschlüsselt und Backups zerstört. Anschließend wird Lösegeld verlangt. --------------------------------------------- https://www.borncity.com/blog/2025/08/28/microsoft-warnt-ransomware-gruppe-… ∗∗∗ Zip Slip, Path Traversal Vulnerability during File Decompression ∗∗∗ --------------------------------------------- Path traversal or directory traversal vulnerabilities are security vulnerabilities that occur mainly due to improper validation of user inputs. Attackers can read, modify, or even create new files that are originally inaccessible or located in unintended paths using relative or absolute paths. Although these vulnerabilities have been known for a long time, they are still being discovered in various environments and applications, not just web environments. This article examines Zip Slip, a path traversal vulnerability that occurs during the file decompression process of compression programs, and aims to introduce its main vulnerabilities. --------------------------------------------- https://asec.ahnlab.com/en/89890/ ∗∗∗ Thousands of Developer Credentials Stolen in macOS “s1ngularity” Attack ∗∗∗ --------------------------------------------- A supply chain attack called “s1ngularity” on Nx versions 20.9.0-21.8.0 stole thousands of developer credentials. The attack targeted macOS and AI tools, according to GitGuardian’s analysis. --------------------------------------------- https://hackread.com/developer-credentials-stolen-macos-s1ngularity-attack/ ∗∗∗ Cisco: Mehrere Produkte mit teils hochriskanten Lücken ∗∗∗ --------------------------------------------- Der Netzwerkausrüster Cisco hat am Mittwoch zehn neue Sicherheitsmeldungen herausgegeben. Sie behandeln teils hochriskante Schwachstellen in mehreren Produkten. --------------------------------------------- https://heise.de/-10623826 ∗∗∗ Referral Beware, Your Rewards are Mine (Part 1) ∗∗∗ --------------------------------------------- Referral rewards programs are nearly ubiquitous today, from consumer tech to SaaS companies, but are rarely given much security oversight. In this blog post we’ll dig into the common technical implementations of rewards programs on web apps, common security issues with each approach, and recommendations for secure development of similar programs. In a subsequent post, we’ll explore real-world examples of these vulnerability classes in detail. --------------------------------------------- https://rhinosecuritylabs.com/research/referral-beware-your-rewards-are-min… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (aide, firefox, kernel, and mod_http2), Debian (chromium and unbound), Fedora (mod_auth_openidc), Oracle (fence-agents and kernel), SUSE (ignition, jetty-minimal, kernel, libmozjs-128-0, matrix-synapse, postgresql13, postgresql15, postgresql16, and postgresql17), and Ubuntu (kernel). --------------------------------------------- https://lwn.net/Articles/1035464/ ∗∗∗ Libbiosig, Tenda, SAIL, PDF XChange, Foxit vulnerabilities ∗∗∗ --------------------------------------------- https://blog.talosintelligence.com/libbiosig-tenda-sail-pdf-xchange-foxit-v… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 27.08.2025
by Daily end-of-shift report 27 Aug '25

27 Aug '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 26-08-2025 18:00 − Mittwoch 27-08-2025 18:00 Handler: Felician Fuchs Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Cyberangriff auf Ameos: Großer Klinikverbund erleidet Datenklau ∗∗∗ --------------------------------------------- Daten von Patienten und Mitarbeitern der Ameos Gruppe sind in die Hände Cyberkrimineller gelangt. Betroffene können jetzt Details anfragen. --------------------------------------------- https://www.golem.de/news/cyberangriff-auf-ameos-grosser-klinikverbund-erle… ∗∗∗ Schadcode im Anmarsch: Aktiv ausgenutzte Git-Lücke gefährdet Entwickler ∗∗∗ --------------------------------------------- Wer Git im Einsatz hat, sollte die Software dringend aktualisieren. Angreifer bedienen sich einer Sicherheitslücke, um Schadcode einzuschleusen. --------------------------------------------- https://www.golem.de/news/schadcode-im-anmarsch-aktiv-ausgenutzte-git-lueck… ∗∗∗ Cyber-Dome: Bundesregierung plant stärkere Cyberabwehr ∗∗∗ --------------------------------------------- Die Pläne zu einer besseren Cyberabwehr sind noch sehr vage. Ein Gesetzentwurf von Alexander Dobrindt soll bis Ende 2025 kommen. --------------------------------------------- https://www.golem.de/news/cyber-dome-bundesregierung-plant-staerkere-cybera… ∗∗∗ US-Regierung steigt bei Intel ein: Krypto-Funktionen weiter vertrauenswürdig? ∗∗∗ --------------------------------------------- Der Einstieg der US-Regierung bei Intel unterminiert Funktionen wie Confidential Computing und "souveräne Cloud". --------------------------------------------- https://www.heise.de/news/Intel-Chips-USA-inside-10622136.html ∗∗∗ Google Chrome: Update schließt kritische Sicherheitslücke ∗∗∗ --------------------------------------------- Im Webbrowser Google Chrome haben die Entwickler eine Sicherheitslücke geschlossen, die als kritisches Risiko eingestuft wurde. Wer den Browser einsetzt, sollte sicherstellen, die jüngste Version zu nutzen. --------------------------------------------- https://www.heise.de/news/Google-Chrome-Update-schliesst-kritische-Sicherhe… ∗∗∗ Paypal: Deutsche Banken blockierten offenbar Zahlungen von Milliarden Euro ∗∗∗ --------------------------------------------- Die Süddeutsche Zeitung berichtet, dass Deutsche Banken Zahlungen an Paypal gestoppt hatten. Auslöser war ein Sicherheitsproblem. --------------------------------------------- https://www.heise.de/news/Paypal-Deutsche-Banken-blockierten-offenbar-Zahlu… ∗∗∗ Governments, tech companies meet in Tokyo to share tips on fighting North Korea IT worker scheme ∗∗∗ --------------------------------------------- The U.S. State Department said it worked with the Ministries of Foreign Affairs in Japan and South Korea to organize the forum, which had more than 130 attendees from freelance work platforms, payment service providers, cryptocurrency companies, AI firms and more. --------------------------------------------- https://therecord.media/japan-us-south-korea-forum-north-korea-it-worker-sc… ∗∗∗ Widespread Data Theft Targets Salesforce Instances via Salesloft Drift ∗∗∗ --------------------------------------------- Google Threat Intelligence Group (GTIG) is issuing an advisory to alert organizations about a widespread data theft campaign, carried out by the actor tracked as UNC6395. Beginning as early as Aug. 8, 2025 through at least Aug. 18, 2025, the actor targeted Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift third-party application. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesfo… ∗∗∗ The One Where We Just Steal The Vulnerabilities (CrushFTP CVE-2025-54309) ∗∗∗ --------------------------------------------- As we’ve all experienced in 2025, 2025 has been the year of vendors burying their heads in the sand with regard to in-the-wild exploitation, even in the face of impressively indisputable evidence, and using their status as a CNA to somehow get CVEs with suspiciously similar identifiers to the point that confusion appears almost intentional. --------------------------------------------- https://labs.watchtowr.com/the-one-where-we-just-steal-the-vulnerabilities-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (node-cipher-base), Fedora (keylime-agent-rust and libtiff), Oracle (aide, kernel, mod_http2, pam, pki-deps:10.6, python-cryptography, python3, python3.12, and thunderbird), SUSE (cheat, ffmpeg, firebird, govulncheck-vulndb, postgresql17, tomcat, tomcat10, tomcat11, ucode-intel-20250812, and v2ray-core), and Ubuntu (binutils, gst-plugins-base1.0, gst-plugins-good1.0, and linux-raspi-realtime). --------------------------------------------- https://lwn.net/Articles/1035307/ ∗∗∗ Malicious versions of Nx and some supporting plugins were published ∗∗∗ --------------------------------------------- https://github.com/nrwl/nx/security/advisories/GHSA-cxm3-wv7p-598c -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 26.08.2025
by Daily end-of-shift report 26 Aug '25

26 Aug '25

===================== = End-of-Day report = ===================== Timeframe: Montag 25-08-2025 18:00 − Dienstag 26-08-2025 18:00 Handler: Felician Fuchs Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ New AI attack hides data-theft prompts in downscaled images ∗∗∗ --------------------------------------------- Researchers have developed a novel attack that steals user data by injecting malicious prompts in images processed by AI systems before delivering them to a large language model. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-ai-attack-hides-data-the… ∗∗∗ ShadowCaptcha Exploits WordPress Sites to Spread Ransomware, Info Stealers, and Crypto Miners ∗∗∗ --------------------------------------------- A new large-scale campaign has been observed exploiting over 100 compromised WordPress sites to direct site visitors to fake CAPTCHA verification pages that employ the ClickFix social engineering tactic to deliver information stealers, ransomware, and cryptocurrency miners.The large-scale cybercrime campaign, first detected in August 2025, .. --------------------------------------------- https://thehackernews.com/2025/08/shadowcaptcha-exploits-wordpress-sites.ht… ∗∗∗ Malware-ridden apps made it into Googles Play Store, scored 19 million downloads ∗∗∗ --------------------------------------------- Everythings fine, the ad slinger assures us Cloud security vendor Zscaler says customers of Google’s Play Store have downloaded more than 19 million instances of malware-laden apps that evaded the web giant’s security scans. --------------------------------------------- https://www.theregister.com/2025/08/26/apps_android_malware/ ∗∗∗ Sicherheitsupdates: Unbefugte Zugriffe auf GitHub Enterprise Server möglich ∗∗∗ --------------------------------------------- Eine Sicherheitslücke bedroht GitHub Enterprise Server. Admins sollten die gepatchte Ausgabe zeitnah installieren. --------------------------------------------- https://www.heise.de/news/Sicherheitsupdates-Unbefugte-Zugriffe-auf-GitHub-… ∗∗∗ ScreenConnect-Admins im Visier von Spear-Phishing-Angriffen ∗∗∗ --------------------------------------------- Derzeit läuft eine Phishing-Kampagne, die Zugangsdaten zu ScreenConnect abgreift. Die Angreifer wollen Ransomware platzieren. --------------------------------------------- https://www.heise.de/news/ScreenConnect-Admins-im-Visier-von-Spear-Phishing… ∗∗∗ HP Security Manager: Schadcode-Lücke in Druckerverwaltungstool ∗∗∗ --------------------------------------------- Eine Sicherheitslücke in HPs Security Manager erlaubt Angreifern, Schadcode einzuschleusen. Ein Update steht bereit. --------------------------------------------- https://www.heise.de/news/HP-Security-Manager-Schadcode-Luecke-in-Druckerve… ∗∗∗ DSLRoot, Proxies, and the Threat of ‘Legal Botnets’ ∗∗∗ --------------------------------------------- The cybersecurity community on Reddit responded in disbelief this month when a self-described Air National Guard member with top secret security clearance began questioning the arrangement theyd made with company called DSLRoot, which was paying $250 a month to plug a pair of laptops into the Redditors high-speed Internet connection in the United States. This post .. --------------------------------------------- https://krebsonsecurity.com/2025/08/dslroot-proxies-and-the-threat-of-legal… ∗∗∗ Cyberangriff auf die Stadt Nürnberg: Prorussische Hacker im Verdacht ∗∗∗ --------------------------------------------- Haftbefehle wurden gegen russische Staatsangehörige erlassen --------------------------------------------- https://www.derstandard.at/story/3000000285014/cyberangriff-auf-die-stadt-n… ∗∗∗ Ewig ruft das Passwort ∗∗∗ --------------------------------------------- Die Verwendung von Passwörtern hat eine lange Tradition in der IT. Und regelmäßig sind sich alle einig, dass wir sie eigentlich loswerden sollten. Das haben wir das noch immer nicht geschafft, auch wenn Passkeys ein interessanter Ansatz sind. Daher sitzen wir alle auf großen Sammlungen von Passwörtern – die ca. 250 Einträge in .. --------------------------------------------- https://www.cert.at/de/blog/2025/8/ewig-ruft-das-passwort ∗∗∗ Nearly 2,000 Malicious IPs Probe Microsoft Remote Desktop in Single-Day Surge ∗∗∗ --------------------------------------------- On August 21, GreyNoise observed a sharp surge in scanning against Microsoft Remote Desktop (RDP) services. The wave’s aim was clear: test for timing flaws that reveal valid usernames, laying the groundwork for credential-based intrusions. --------------------------------------------- https://www.greynoise.io/blog/surge-malicious-ips-probe-microsoft-remote-de… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ffmpeg, firebird3.0, and luajit), Fedora (chromium, python3-docs, and python3.13), Oracle (aide, firefox, glibc, libxml2, and tomcat), Red Hat (aide, git, kernel, kernel-rt, libarchive, pam, python-cryptography, python3, python3.12, and webkit2gtk3), SUSE (cmake3, ffmpeg-4, kernel, kubernetes1.18, libqt4, minikube, net-tools, pam, postgresql16, proftpd, python-urllib3, python311, python312, python36, tomcat10, tomcat11, and webkit2gtk3), and .. --------------------------------------------- https://lwn.net/Articles/1035110/ ∗∗∗ Mehrere (teils kritische) Schwachstellen in NetScaler ADC and NetScaler Gateway ∗∗∗ --------------------------------------------- 26. August 2025 Beschreibung Citrix hat ein Advisory zu mehreren, zum Teil kritischen, Schwachstellen in den Produkten NetScaler ADC (ehemals Citrix ADC) und NetScaler Gateway (ehemals Citrix Gateway) veröffentlicht. Laut Citrix wurden bereits Angriffsversuche gegen verwundbare Systeme beobachtet, welche zumindest die kritische Schwachstelle CVE-2025-7775 auszunutzen versuchten. CVE-Nummern(n): CVE-2025-7775, CVE-2025-7776, CVE-2025-8424 CVSS v4.0 Base Score(s): 9.2, 8.8, 8.7 .. --------------------------------------------- https://www.cert.at/de/warnungen/2025/8/citrix-netscaler-adc-schwachstellen… ∗∗∗ Multiple Vulnerabilities in File Station 5 ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-25-31 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 25.08.2025
by Daily end-of-shift report 25 Aug '25

25 Aug '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 22-08-2025 18:00 − Montag 25-08-2025 18:00 Handler: Felician Fuchs Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ New Android malware poses as antivirus from Russian intelligence agency ∗∗∗ --------------------------------------------- A new Android malware posing as an antivirus tool software created by Russias Federal Security Services agency (FSB) is being used to target executives of Russian businesses. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-android-malware-poses-as… ∗∗∗ Social Engineering: Krypto-Anleger verliert Bitcoin im Wert von 90 Millionen USD ∗∗∗ --------------------------------------------- Betrüger haben einen Krypto-Anleger um ein Vermögen gebracht. Der Geschädigte ist nun um 783 Bitcoin ärmer. Das Geld sieht er wohl nie wieder. --------------------------------------------- https://www.golem.de/news/social-engineering-krypto-anleger-verliert-bitcoi… ∗∗∗ Criminal background checker APCS faces data breach ∗∗∗ --------------------------------------------- The attack first affected an upstream provider of bespoke software Exclusive A leading UK provider of criminal record checks for employers is handling a data breach stemming from a third-party development company. --------------------------------------------- https://www.theregister.com/2025/08/22/apcs_breach/ ∗∗∗ Botnet-Kampagne "Gayfemboy" auch in Deutschland aktiv ∗∗∗ --------------------------------------------- IT-Forscher von Fortinet beobachten ein IoT-Botnet, das auf "Mirai" basiert und "Gayfemboy" genannt wird. Es versteckt sich gut. --------------------------------------------- https://www.heise.de/news/Mirai-basierte-Botnet-Kampagne-Gayfemboy-auch-in-… ∗∗∗ Kriminelle locken mit angeblichen Kryptoguthaben ∗∗∗ --------------------------------------------- Lukas kann seinen Augen kaum trauen. In seinem Postfach liegt eine E-Mail, die behauptet, dass sich ein hoher Betrag in seinem Kryptowallet befindet. Um wieder Zugriff zu erhalten, soll er lediglich ein paar einfache Schritte befolgen. Doch Vorsicht: Die E-Mail stammt von Kriminellen, die ihn zu hohen Überweisungen bewegen wollen! --------------------------------------------- https://www.watchlist-internet.at/news/kriminelle-locken-mit-angeblichen-kr… ∗∗∗ Beliebte eSIMs für Reisen leiten heimlich Daten über China um ∗∗∗ --------------------------------------------- Eine aktuelle Untersuchung zeigt grobe Sicherheits- und Privatsphärendefizite bei vielen Anbietern auf. --------------------------------------------- https://www.derstandard.at/story/3000000284843/beliebte-esims-fuer-reisen-l… ∗∗∗ Phishing in the Classroom: 115,000 Emails Exploit Google Classroom to Target 13,500 Organizations ∗∗∗ --------------------------------------------- Check Point researchers have uncovered a large-scale active phishing campaign abusing Google Classroom, a platform trusted by millions of students and educators worldwide. Over the course of just one week, attackers launched .. --------------------------------------------- https://blog.checkpoint.com/email-security/phishing-in-the-classroom-115000… ∗∗∗ Chrome-Erweiterung FreeVPN.One zeichnete Screenshots von Seitenbesuchen auf ∗∗∗ --------------------------------------------- Wer bisher glaubte, dass Microsofts Recall in Punkto Überwachung an der Spitze liegt, muss umdenken. Sicherheitsforscher sind auf die Erweiterung FreeVPN.One des Google Chrome-Browsers gestoßen. Diese fertigte Screenshots von allen .. --------------------------------------------- https://www.borncity.com/blog/2025/08/24/chrome-erweiterung-freevpn-one-zei… ∗∗∗ Cybercriminals Exploit Cheap VPS to Launch SaaS Hijacking Attacks ∗∗∗ --------------------------------------------- Darktrace researchers have discovered a new wave of attacks where cybercriminals use cheap Virtual Private Servers (VPS) .. --------------------------------------------- https://hackread.com/cybercriminals-exploit-cheap-vps-saas-hijack-attacks/ ∗∗∗ Phishing Campaign Targeting Companies via UpCrypter ∗∗∗ --------------------------------------------- FortiGuard Labs recently identified a phishing campaign leveraging carefully crafted emails to deliver malicious URLs linked to convincing phishing pages. These pages are designed to entice recipients into downloading JavaScript files that act as droppers for UpCrypter, malware that ultimately deploys various remote access tools (RATs). --------------------------------------------- https://www.fortinet.com/blog/threat-research/phishing-campaign-targeting-c… ∗∗∗ Webhosting-Software cPanel: Updates schließen Sicherheitslücke ∗∗∗ --------------------------------------------- Die Verwaltungssoftware cPanel und WHM für Webhosting schließt mit neuen Versionen mindestens eine Sicherheitslücke, die als hochriskant gilt. --------------------------------------------- https://heise.de/-10599503 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 22.08.2025
by Daily end-of-shift report 22 Aug '25

22 Aug '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 21-08-2025 18:00 − Freitag 22-08-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Dev gets 4 years for creating kill switch on ex-employers systems ∗∗∗ --------------------------------------------- A software developer has been sentenced to four years in prison for sabotaging his ex-employers Windows network with custom malware and a kill switch that locked out employees when his account was disabled. --------------------------------------------- https://www.bleepingcomputer.com/news/security/dev-gets-4-years-for-creatin… ∗∗∗ Fake Mac fixes trick users into installing new Shamos infostealer ∗∗∗ --------------------------------------------- A new infostealer malware targeting Mac devices, called Shamos, is targeting Mac devices in ClickFix attacks that impersonate troubleshooting guides and fixes. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-mac-fixes-trick-users-i… ∗∗∗ Trotz Rolling Code: Inoffizielle Flipper-Zero-Firmware soll Autos knacken ∗∗∗ --------------------------------------------- Ein russischer Akteur verkauft eine eigene Firmware für den Flipper Zero. Selbst neueste Autos gängiger Marken sollen sich damit entriegeln lassen. --------------------------------------------- https://www.golem.de/news/trotz-rolling-code-inoffizielle-flipper-zero-firm… ∗∗∗ Think before you Click(Fix): Analyzing the ClickFix social engineering technique ∗∗∗ --------------------------------------------- The ClickFix social engineering technique has been growing in popularity, with campaigns targeting thousands of enterprise and end-user devices daily. This technique exploits users’ tendency to resolve technical issues by tricking them into running malicious commands. These commands, in turn, deliver payloads that ultimately lead to information theft and .. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2025/08/21/think-before-you-c… ∗∗∗ Coinbase Reverses Remote-First Policy After North Korean Infiltration Attempts ∗∗∗ --------------------------------------------- Remote work policies designed to attract top talent are becoming security vulnerabilities as state-sponsored hackers seek employment at cryptocurrency firms. Coinbase has implemented mandatory in-person orientation and US citizenship requirements for sensitive roles after detecting North Korean IT workers attempting to infiltrate the company .. --------------------------------------------- https://slashdot.org/story/25/08/22/1515238/coinbase-reverses-remote-first-… ∗∗∗ Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection ∗∗∗ --------------------------------------------- Cybersecurity researchers have shed light on a novel attack chain that employs phishing emails to deliver an open-source backdoor called VShell.The "Linux-specific malware infection chain that starts with a spam email with a malicious .. --------------------------------------------- https://thehackernews.com/2025/08/linux-malware-delivered-via-malicious.html ∗∗∗ Interpol bags 1,209 suspects, $97M in cybercrime operation focused on Africa ∗∗∗ --------------------------------------------- Crypto mines, BEC scams, fake passports, and a $300M fraud empire allegedly brought down during Serengeti 2.0 Interpols latest clampdown on cybercrime resulted in 1,209 arrests across the African continent, from ransomware crooks to business .. --------------------------------------------- https://www.theregister.com/2025/08/22/interpol_serengeti_20/ ∗∗∗ KI-Assistent: Microsofts Copilot verfälschte monatelang Zugriffsprotokolle ∗∗∗ --------------------------------------------- Fragte man den virtuellen Copilot etwa nach Dokumenten-Zusammenfassungen, unterschlug er mitunter seine Zugriffe. Microsoft verschwieg das Problem. --------------------------------------------- https://www.heise.de/news/KI-Assistent-Microsofts-Copilot-verfaelschte-mona… ∗∗∗ Electronics manufacturer Data I/O reports ransomware attack to SEC ∗∗∗ --------------------------------------------- The tech manufacturer Data I/O reported a ransomware attack to federal regulators, writing that the incident has taken down critical operational systems. --------------------------------------------- https://therecord.media/electronics-manufacturer-dataio-ransomware ∗∗∗ AI Browsers Can Be Tricked Into Paying Fake Stores in PromptFix Attack ∗∗∗ --------------------------------------------- The PromptFix attack tricks AI browsers with fake CAPTCHAs, leading them to phishing sites and fake stores .. --------------------------------------------- https://hackread.com/ai-browsers-trick-paying-fake-stores-promptfix-attack/ ∗∗∗ AUR Chaos malware: an analysis ∗∗∗ --------------------------------------------- Recently, an incident involving malware in the AUR made the headlines. I read a lot of things around this topic, both right and wrong, and sometimes misleading. I was involved in the incident handling I chose to write this blog post, not only for transparency but also for laying down what I learned both during and .. --------------------------------------------- https://www.mh4ckt3mh4ckt1c4s.xyz/blog/aur-chaos-malware-analysis/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (tomcat), Debian (squid), Fedora (matrix-synapse, rust-slab, socat, and webkitgtk), SUSE (firefox-esr, gdk-pixbuf, gdk-pixbuf-devel, govulncheck-vulndb, rust-keylime, and wicked2nm), and Ubuntu (linux-nvidia, linux-oracle, linux-oracle-6.8, php7.0, php7.2, php7.4, python3.13, python3.12, python3.11, python3.10, python3.9, python3.8, python3.7, python3.6, python3.5, python3.4, and ruby-webrick). --------------------------------------------- https://lwn.net/Articles/1034755/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 21.08.2025
by Daily end-of-shift report 21 Aug '25

21 Aug '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 20-08-2025 18:00 − Donnerstag 21-08-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ iPhone, iPad und Mac: Aktiv ausgenutzte Sicherheitslücke gefährdet Apple-Nutzer ∗∗∗ --------------------------------------------- Notfallupdates schließen eine aktiv ausgenutzte Sicherheitslücke in iOS, iPadOS und MacOS. Anwender sollten dringend patchen. --------------------------------------------- https://www.golem.de/news/iphone-ipad-und-mac-aktiv-ausgenutzte-sicherheits… ∗∗∗ Airtell Router Scans, and Mislabeled usernames ∗∗∗ --------------------------------------------- Looking at new usernames collected by our Cowrie honeypots, you will first of all notice a number of HTTP headers. It is very common for attackers to scan for web servers on ports that are covered by our Telnet honeypots. The result .. --------------------------------------------- https://isc.sans.edu/forums/diary/Airtell+Router+Scans+and+Mislabeled+usern… ∗∗∗ Neue Tricks mit QR-Codes ∗∗∗ --------------------------------------------- QR-Codes sind beliebte Vehikel für Verbrecher, Hyperlinks an Sicherheitssystemen vorbei zum Opfer zu schleusen. Der Einfallsreichtum ist groß. --------------------------------------------- https://www.heise.de/news/Neue-Tricks-mit-QR-Codes-10559942.html ∗∗∗ Docker Desktop: Kritische Sicherheitslücke erlaubt Host-Zugriff ∗∗∗ --------------------------------------------- In Docker Desktop können bösartige Container auf das Host-System durchgreifen, Schutzmaßnahmen greifen nicht. Ein Update hilft. --------------------------------------------- https://www.heise.de/news/Docker-Desktop-Kritische-Sicherheitsluecke-erlaub… ∗∗∗ Modern Solution: Verurteilter IT-Experte reicht Verfassungsbeschwerde ein ∗∗∗ --------------------------------------------- Das Urteil gegen einen nach dem Hackerparagrafen verurteilten Sicherheitsforscher ist rechtskräftig. Der Verurteilte geht nun nach Karlsruhe. --------------------------------------------- https://www.heise.de/news/Modern-Solution-Verurteilter-IT-Experte-reicht-Ve… ∗∗∗ SIM-Swapper, Scattered Spider Hacker Gets 10 Years ∗∗∗ --------------------------------------------- A 21-year-old Florida man at the center of a prolific cybercrime group known as "Scattered Spider" was sentenced to 10 years in federal prison today, and ordered to pay roughly $13 million in restitution to victims. Noah Michael Urban of Palm Coast, Fla. pleaded guilty in April 2025 to charges of wire fraud and conspiracy. Florida prosecutors alleged Urban .. --------------------------------------------- https://krebsonsecurity.com/2025/08/sim-swapper-scattered-spider-hacker-get… ∗∗∗ Achtung, Phishing-Falle: FinanzOnline will keine Infos zu Krypto-Beständen einholen! ∗∗∗ --------------------------------------------- Aufgrund einer neuen „Steuervorschrift für Kryptowährungen“ verlangt „FinanzOnline“ aktuell via E-Mail vermeintlich die Übermittlung umfassender Informationen rund um Krypto-Vermögen. Natürlich meldet sich hier nicht das echte Finanzportal. Vielmehr versuchen Kriminelle über diese Masche an die Zugangsdaten der Krypto-Wallets ihrer Opfer zu gelangen. --------------------------------------------- https://www.watchlist-internet.at/news/phishing-falle-finanzonline-krypto/ ∗∗∗ Your Connection, Their Cash: Threat Actors Misuse SDKs to Sell Your Bandwidth ∗∗∗ --------------------------------------------- A campaign leverages CVE-2024-36401 to stealthily monetize victims bandwidth where legitimate software development kits (SDKs) are deployed for passive income. --------------------------------------------- https://unit42.paloaltonetworks.com/attackers-sell-your-bandwidth-using-sdk… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 20.08.2025
by Daily end-of-shift report 20 Aug '25

20 Aug '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 19-08-2025 18:00 − Mittwoch 20-08-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ PyPI now blocks domain resurrection attacks used for hijacking accounts ∗∗∗ --------------------------------------------- The Python Package Index (PyPI) has introduced new protections against domain resurrection attacks that enable hijacking accounts through password resets. --------------------------------------------- https://www.bleepingcomputer.com/news/security/pypi-now-blocks-domain-resur… ∗∗∗ Hackers steal Microsoft logins using legitimate ADFS redirects ∗∗∗ --------------------------------------------- Hackers are using a novel technique that combines legitimate office.com links with Active Directory Federation Services (ADFS) to redirect users to a phishing page that steals Microsoft 365 logins. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-steal-microsoft-logi… ∗∗∗ Experts Find AI Browsers Can Be Tricked by PromptFix Exploit to Run Malicious Hidden Prompts ∗∗∗ --------------------------------------------- Cybersecurity researchers have demonstrated a new prompt injection technique called PromptFix that tricks a generative artificial intelligence (GenAI) model into carrying out intended actions by embedding the malicious instruction inside a .. --------------------------------------------- https://thehackernews.com/2025/08/experts-find-ai-browsers-can-be-tricked.h… ∗∗∗ Like burglars closing a door, Apache ActiveMQ attackers patch critical vuln after breaking in ∗∗∗ --------------------------------------------- Intruders hoped no one would notice their presence Criminals exploiting a critical vulnerability in open source Apache ActiveMQ middleware are fixing the flaw that allowed them access, after establishing persistence on Linux servers. --------------------------------------------- https://www.theregister.com/2025/08/19/apache_activemq_patch_malware/ ∗∗∗ Commvault: Hochriskante Lücke ermöglicht Einschleusen von Schadcode ∗∗∗ --------------------------------------------- In der Backup-Software Commvault können Angreifer Sicherheitslücken missbrauchen, um etwa Schadcode einzuschleusen. Updates stehen bereit. --------------------------------------------- https://www.heise.de/news/Commvault-Hochriskante-Luecke-ermoeglicht-Einschl… ∗∗∗ Infoniqa-IT-Vorfall: Cyberbande will umfangreich Daten kopiert haben ∗∗∗ --------------------------------------------- Vergangene Woche wurde ein IT-Vorfall bei HR-Softwareanbieter Infoniqa bekannt. Nun behauptet eine Cybergang Daten kopiert zu haben. --------------------------------------------- https://www.heise.de/news/Infoniqa-IT-Vorfall-Cyberbande-will-umfangreich-D… ∗∗∗ Impressumsdiebstahl und funktionierende Links: Vorsicht vor besonders ausgeklügelten Fake-Shops! ∗∗∗ --------------------------------------------- Je mehr Aufwand Kriminelle bei der Nachahmung eines Online-Shops betreiben, desto schwieriger ist es, den Betrug zu erkennen. In einem aktuellen Fall nutzen sie nicht nur reale Impressumsdaten, sondern verlinken von ihren Fake-Shops aus zusätzlich zur echten Website und auf die echten Social-Media-Profile des Unternehmens. Woran sich die Falle dennoch relativ einfach erkennen lässt. --------------------------------------------- https://www.watchlist-internet.at/news/besonders-ausgekluegelte-fake-shops/ ∗∗∗ Major Belgian telecom firm says cyberattack compromised data on 850,000 accounts ∗∗∗ --------------------------------------------- The company said no critical data was accessed, but the hacker "gained access to one of our IT systems that contains the following data: name, first name, telephone number, SIM card number, PUK code, tariff plan.” --------------------------------------------- https://therecord.media/belgian-telecom-says-cyberattack-compromised-data-o… ∗∗∗ Feds charge alleged administrator of ‘sophisticated’ Rapper Bot botnet ∗∗∗ --------------------------------------------- A 22-year-old Oregon man has been charged with running a powerful botnet-for-hire service used to launch hundreds of thousands of cyberattacks worldwide, the U.S. Justice Department said. --------------------------------------------- https://therecord.media/feds-charge-botnet-admin ∗∗∗ Russian state-sponsored espionage group Static Tundra compromises unpatched end-of-life network devices ∗∗∗ --------------------------------------------- A Russian state-sponsored group, Static Tundra, is exploiting an old Cisco IOS vulnerability to compromise unpatched network devices worldwide, targeting key sectors for intelligence gathering. --------------------------------------------- https://blog.talosintelligence.com/static-tundra/ ∗∗∗ Warlock: From SharePoint Vulnerability Exploit to Enterprise Ransomware ∗∗∗ --------------------------------------------- Warlock ransomware exploits unpatched Microsoft SharePoint vulnerabilities to gain access, escalate privileges, steal credentials, move laterally, and deploy ransomware with data exfiltration across enterprise environments. --------------------------------------------- https://www.trendmicro.com/en_us/research/25/h/warlock-ransomware.html ∗∗∗ A Cereal Offender: Analyzing the CORNFLAKE.V3 Backdoor ∗∗∗ --------------------------------------------- Straight from Mandiant Threat Defense, the "Frontline Bulletin" series brings you the latest on the most intriguing compromises we are seeing in the wild right now, equipping our community to understand and respond to the most compelling threats we observe. This edition dissects an infection involving two threat groups, UNC5518 and UNC5774, leading to the deployment of .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/analyzing-cornflak… ∗∗∗ Guess Who Would Be Stupid Enough To Rob The Same Vault Twice? Pre-Auth RCE Chains in Commvault ∗∗∗ --------------------------------------------- We’re back, and we’ve finished telling everyone that our name was on the back of Phrack!!!!1111 Whatever, nerds.Today, were back to scheduled content. Like our friendly neighbourhood ransomware gangs and APT groups, weve continued to spend .. --------------------------------------------- https://labs.watchtowr.com/guess-who-would-be-stupid-enough-to-rob-the-same… ∗∗∗ Researcher Exposes Zero-Day Clickjacking Vulnerabilities in Major Password Managers ∗∗∗ --------------------------------------------- At DEF CON 33, Czech Republic based security researcher Marek Tóth, unveiled a series of unpatched zero-day clickjacking security vulnerabilities impacting the browser-based plugins for a wide range of password managers including: 1Password, Bitwarden, Dashlane, Enpass, iCloud Passwords, Keeper, LastPass, LogMeOnce, NordPass, ProtonPass, and .. --------------------------------------------- https://socket.dev/blog/password-manager-clickjacking ∗∗∗ Marshal madness: A brief history of Ruby deserialization exploits ∗∗∗ --------------------------------------------- This post traces the decade-long evolution of Ruby Marshal deserialization exploits, demonstrating how security researchers have repeatedly bypassed patches and why fundamental changes to the Ruby ecosystem are needed rather than continued patch-and-hope approaches. --------------------------------------------- https://blog.trailofbits.com/2025/08/20/marshal-madness-a-brief-history-of-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (webkit2gtk), Fedora (firefox and libarchive), Red Hat (python3.11-setuptools and python3.12-setuptools), Slackware (mozilla), SUSE (apache2-mod_security2, cairo-devel, cflow, docker, glibc, go1.25, govulncheck-vulndb, gstreamer-0_10-plugins-base, jq, kernel, libarchive, libssh, libxslt, openbao, python-urllib3, systemd, and xz), and Ubuntu (apache2, libssh, libxml2, linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gkeop, .. --------------------------------------------- https://lwn.net/Articles/1034546/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 19.08.2025
by Daily end-of-shift report 19 Aug '25

19 Aug '25

===================== = End-of-Day report = ===================== Timeframe: Montag 18-08-2025 18:00 − Dienstag 19-08-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ In mehreren Webportalen: Reihenweise fest kodierte Zugangsdaten bei Intel entdeckt ∗∗∗ --------------------------------------------- Ein Forscher hat in Webportalen von Intel gravierende Sicherheitslücken gefunden. Teilweise standen Passwörter clientseitig im Code. --------------------------------------------- https://www.golem.de/news/in-mehreren-webportalen-reihenweise-fest-kodierte… ∗∗∗ GodRAT – New RAT targeting financial institutions ∗∗∗ --------------------------------------------- Kaspersky experts analyze GodRAT, a new Gh0st RAT-based tool attacking financial firms. It is likely a successor of the AwesomePuppet RAT connected to the Winnti group. --------------------------------------------- https://securelist.com/godrat/117119/ ∗∗∗ The State of Ransomware in Retail 2025 ∗∗∗ --------------------------------------------- 361 IT and cybersecurity leaders reveal the ransomware realities for retail businesses today. --------------------------------------------- https://news.sophos.com/en-us/2025/08/19/the-state-of-ransomware-in-retail-… ∗∗∗ 493 Cases of Sextortion Against Children Linked to Notorious Scam Compounds ∗∗∗ --------------------------------------------- Scam compounds in Cambodia, Myanmar, and Laos have conned people out of billions. New research shows they may be linked to child sextortion crimes too. --------------------------------------------- https://www.wired.com/story/child-sextorition-scam-compounds-southeast-asia/ ∗∗∗ Marokko zerrt deutsche Zeitungen wegen Spyware-Berichten vor den BGH ∗∗∗ --------------------------------------------- Marokko steht unter Verdacht, die Spyware Pegasus gegen Anwälte, Journalisten und Politiker eingesetzt zu haben. Deutsche Medien berichteten, Marokko ist sauer. --------------------------------------------- https://www.heise.de/news/Marokko-zieht-gegen-deutsche-Spyware-Berichtersta… ∗∗∗ Angriffe auf N-able N-central laufen, mehr als 1000 Systeme ungepatcht ∗∗∗ --------------------------------------------- Noch mehr als tausend Instanzen von des RMM N-able N-central sind für kritische Lücken anfällig. Die werden bereits attackiert. --------------------------------------------- https://www.heise.de/news/Angriffe-auf-N-able-N-central-laufen-mehr-als-100… ∗∗∗ Kostenlos 10.000.000 Robux bekommen? Achtung, Fake-Angebot! ∗∗∗ --------------------------------------------- Die Online-Spieleplattform „Roblox“ ist besonders bei Kindern und Jugendlichen beliebt – und grundsätzlich kostenlos. Um bestimmte Funktionen und Inhalte freizuschalten, braucht es aber eine In-Game-Währung namens „Robux“. Und die ist wiederum nur gegen echtes Geld erhältlich. Kriminelle versuchen deshalb, User mit dem Versprechen von kostenlosen „Robux“ in die Falle zu locken. --------------------------------------------- https://www.watchlist-internet.at/news/robux-fake-angebot/ ∗∗∗ Fashionable Phishing Bait: GenAI on the Hook ∗∗∗ --------------------------------------------- GenAI-created phishing campaigns misuse tools ranging from website builders to text generators in order to create more convincing and scalable attacks. --------------------------------------------- https://unit42.paloaltonetworks.com/genai-phishing-bait/ ∗∗∗ Ransomware gang masking PipeMagic backdoor as ChatGPT desktop app: Microsoft ∗∗∗ --------------------------------------------- Hackers are disguising a powerful strain of malware as a ChatGPT desktop application in preparation for ransomware attacks, Microsoft said. --------------------------------------------- https://therecord.media/ransomware-gang-masking-pipemagic-backdoor ∗∗∗ UK ‘agrees to drop’ demand over Apple iCloud encryption, US intelligence head claims ∗∗∗ --------------------------------------------- The United Kingdom is backing down from a controversial legal demand targeting Apple, U.S. Director of National Intelligence Tulsi Gabbard claimed on social media. --------------------------------------------- https://therecord.media/uk-agrees-drop-apple-encryption ∗∗∗ Trend Micro Unmasks Global "Task Scam" Industry ∗∗∗ --------------------------------------------- Trend Micro today released new research revealing the mechanics and scale of a rapidly growing fraud model known as "task scams": sophisticated online job scams that lure victims into repetitive digital tasks and systematically strip them of funds through escalating deposit demands. --------------------------------------------- https://newsroom.trendmicro.com/2025-08-19-Trend-Micro-Unmasks-Global-Task-… ∗∗∗ Fake Copyright Notices Drop New Noodlophile Stealer Variant ∗∗∗ --------------------------------------------- Morphisec warns of a new Noodlophile Stealer variant spread via fake copyright phishing emails, using Dropbox links .. --------------------------------------------- https://hackread.com/phishing-scam-fake-copyright-notice-noodlophile-steale… ∗∗∗ How Indirect Prompt Injections Exploit Context, Format, and Salience ∗∗∗ --------------------------------------------- A breakdown of indirect prompt injection attacks using real-world cases (emails, code comments, diagrams). Introduces the CFS model (Context, Format, Salience) to explain what makes some payloads more likely to succeed. --------------------------------------------- https://www.fogel.dev/prompt_injection_cfs_framework ∗∗∗ Trivial C# Random Exploitation ∗∗∗ --------------------------------------------- Exploiting random number generators requires math, right? Thanks to C#’sRandom, that is not necessarily the case! I ran into an HTTP 2.0 web serviceissuing password reset tokens from a custom encoding of (new Random()).Next(min, max) output. This led to a critical account takeover.Exploitation did not require scripting, math or libraries. Just several clicksin Burp. While I .. --------------------------------------------- https://blog.doyensec.com/2025/08/19/trivial-exploit-on-C-random.html ===================== = Vulnerabilities = ===================== ∗∗∗ Security Vulnerabilities fixed in Firefox 142 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-64/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 18.08.2025
by Daily end-of-shift report 18 Aug '25

18 Aug '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 14-08-2025 18:00 − Montag 18-08-2025 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Jetzt patchen! Attacken auf Fortinet-IT-Sicherheitslösungen können bevorstehen ∗∗∗ --------------------------------------------- Beide Schwachstellen (FortiSIEM CVE-2025-25256 "kritisch", FortiWeb CVE-2025-52970 "hoch") haben die Fortinet-Entwickler am vergangenen Patchday geschlossen. Kurz darauf warnten sie davor, dass Exploitcode zum Ausnutzen der Lücke in FortiSIEM in Umlauf ist. --------------------------------------------- https://www.heise.de/news/Jetzt-patchen-Attacken-auf-Fortinet-IT-Sicherheit… ∗∗∗ Should Security Solutions Be Secure? Maybe Were All Wrong - Fortinet FortiSIEM Pre-Auth Command Injection (CVE-2025-25256) ∗∗∗ --------------------------------------------- Today we’re looking at CVE-2025-25256 - a pre-authentication command injection in FortiSIEM that lets an attacker compromise an organization’s SIEM (!!!). [..] It’s the kind of “one platform to rule your SOC” solution that we believe (suspect, hope, imagine, guess, pray) might feel impressively safety-first. Except, obviously, this time it didn't because the bar remains so incredibly low. --------------------------------------------- https://labs.watchtowr.com/should-security-solutions-be-secure-maybe-were-a… ∗∗∗ Gefälschtes Gewinnspiel für Wiener Linien Jahreskarte im Umlauf ∗∗∗ --------------------------------------------- Derzeit kursieren auf Facebook gefälschte Postings, die im Namen der Wiener Linien ein Gewinnspiel für eine Halbjahreskarte bewerben. Bei Teilnahme wird suggeriert, dass man automatisch gewonnen habe. Achtung: Es handelt sich um einen Betrugsversuch, der darauf abzielt, an Bankdaten zu gelangen! --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschtes-gewinnspiel-fuer-wiener… ∗∗∗ Verbesserung von nur 1,7 Prozent: Phishing-Training fast immer wirkungslos ∗∗∗ --------------------------------------------- Eine große Studie in einem US-Gesundheitsunternehmen zeigt, dass gängige Phishing-Trainings das Risiko kaum senken – egal wie intensiv oder interaktiv sie sind. --------------------------------------------- https://www.heise.de/news/Verbesserung-von-nur-1-7-Prozent-Phishing-Trainin… ∗∗∗ MadeYouReset: Neue DDoS-Angriffstechnik legt Webserver lahm ∗∗∗ --------------------------------------------- Forscher haben eine neue Sicherheitslücke entdeckt, die viele gängige HTTP/2-Implementierungen betrifft. Server lassen sich mit wenig Aufwand überlasten. [..] Als anfällig gelten mehrere weitverbreitete HTTP/2-Serverimplementierungen wie Netty, Apache Tomcat, H2O, SwiftNIO und F5 BIG-IP. Weitere betroffene Implementierungen sowie etwaige Reaktionen der Anbieter sind in einer Meldung des CERT Coordination Center der Carnegie Mellon University zu finden. --------------------------------------------- https://www.golem.de/news/madeyoureset-neue-ddos-angriffstechnik-legt-webse… ∗∗∗ Evolution of the PipeMagic backdoor: from the RansomExx incident to CVE-2025-29824 ∗∗∗ --------------------------------------------- We examine the evolution of the PipeMagic backdoor and the TTPs of its operators – from the RansomExx incident in 2022 to attacks in Brazil and Saudi Arabia, and the exploitation of CVE-2025-29824 in 2025. --------------------------------------------- https://securelist.com/pipemagic/117270/ ∗∗∗ How Researchers Collect Indicators of Compromise ∗∗∗ --------------------------------------------- Today, we'll demonstrate a simple workflow showing how researchers use various tools to collect indicators of compromise (IOCs) and develop appropriate signatures from detonated malware. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/how-researc… ∗∗∗ ERMAC V3.0 Banking Trojan Source Code Leak Exposes Full Malware Infrastructure ∗∗∗ --------------------------------------------- "The newly uncovered version 3.0 reveals a significant evolution of the malware, expanding its form injection and data theft capabilities to target more than 700 banking, shopping, and cryptocurrency applications," Hunt.io said in a report. --------------------------------------------- https://thehackernews.com/2025/08/ermac-v30-banking-trojan-source-code.html ∗∗∗ Mobile Phishers Target Brokerage Accounts in ‘Ramp and Dump’ Cashout Scheme ∗∗∗ --------------------------------------------- Cybercriminal groups peddling sophisticated phishing kits that convert stolen card data into mobile wallets have recently shifted their focus to targeting customers of brokerage services, new research shows. Undeterred by security controls at these trading platforms that block users from wiring funds directly out of accounts, the phishers have pivoted to using multiple compromised brokerage accounts in unison to manipulate the prices of foreign stocks. --------------------------------------------- https://krebsonsecurity.com/2025/08/mobile-phishers-target-brokerage-accoun… ∗∗∗ Scammers turn to ‘ghost-tapping’ retail fraud to launder funds ∗∗∗ --------------------------------------------- In a report released Thursday, researchers at Recorded Future’s Insikt Group detailed what they call “ghost-tapping” — when stolen payment card details are uploaded onto a burner phone and used in-person to purchase goods. --------------------------------------------- https://therecord.media/scammers-ghost-tapping-retail-fraud-launder-cash ∗∗∗ Cyberattack on Dutch prosecution service is keeping speed cameras offline ∗∗∗ --------------------------------------------- Who knew zero-days could be so useful to highway speedsters? The lingering effects of a cyberattack on the Public Prosecution Service of the Netherlands are preventing it from reactivating speed cameras across the country. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/08/15/cyberattack_… ∗∗∗ KI-gestützte Cyberangriffe: Experten beobachten zunehmenden LLM-Einsatz ∗∗∗ --------------------------------------------- Sicherheitsforscher sehen aktuell eine Zunahme KI-unterstützter Angriffe und damit einen Wendepunkt im Cyberwettrüsten. [..] Ukrainische Behörden und mehrere Cybersicherheitsunternehmen konnten die Schadsoftware im Juli erstmals nachweisen. [..] Mit dem zunehmenden Einsatz von KI-Agenten sehen Experten ein neues Risiko für die Zukunft. --------------------------------------------- https://www.heise.de/news/KI-gestuetzte-Cyberangriffe-Experten-beobachten-z… ∗∗∗ Terraform Cloud token abuse turns speculative plan into remote code execution ∗∗∗ --------------------------------------------- Platforms like Terraform are great for making cloud management easier, but that same convenience can work in an attacker’s favour. Increasingly, we’re seeing Terraform used as a pivot point, letting attackers sidestep the usual security roadblocks of MFA and conditional access via token abuse, which remain one of the weaker links in the chain. --------------------------------------------- https://www.pentestpartners.com/security-blog/terraform-token-abuse-specula… ∗∗∗ libxml2 Maintainer Ends Embargoed Vulnerability Reports, Citing Unsustainable Burden ∗∗∗ --------------------------------------------- The lone volunteer maintainer of libxml2, one of the open source ecosystem’s most widely used XML parsing libraries, has announced a policy shift that drops support for embargoed security vulnerability reports. This change highlights growing frustration among unpaid maintainers bearing the brunt of big tech’s security demands without compensation or support. --------------------------------------------- https://socket.dev/blog/libxml2-maintainer-ends-embargoed-vulnerability-rep… ∗∗∗ Technical Analysis of SAP Exploit Script (Visual Composer “Metadata Uploader” Exploit)… ∗∗∗ --------------------------------------------- This script targets a critical zero-day vulnerability (now identified as CVE-2025–31324) in SAP NetWeaver’s Visual Composer Metadata Uploader component. The vulnerability is a missing authorization check on the HTTP endpoint /developmentserver/metadatauploader, allowing unauthenticated file uploads to the server’s filesystem. [..] The blog contains further pseudo code for detection and examples for another way to exploit the vulnerability. --------------------------------------------- https://detect.fyi/technical-analysis-of-sap-exploit-script-visual-composer… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (kernel and webkit2gtk3), Debian (aide and postgresql-13), Fedora (libtiff, mupdf, and pandoc), SUSE (cairo, chromium, gstreamer-plugins-base, ImageMagick, iputils, kubernetes1.23, kubernetes1.26, matrix-synapse, Mesa, pgadmin4, python3, qemu, and rz-pm), and Ubuntu (aide). --------------------------------------------- https://lwn.net/Articles/1033901/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (go-toolset:rhel8, kernel, and kernel-rt), Fedora (chromium), Oracle (libxml2), Red Hat (go-toolset:rhel8, golang, kernel, kernel-rt, openjpeg2, rsync, and tigervnc), and SUSE (apache-commons-lang3, chromedriver, fractal, framework_tool, go1.23-openssl, go1.24-openssl, grub2, gstreamer-devtools, gstreamer-plugins-rs, jasper, libavif, lighttpd, nginx, podman, postgresql13, postgresql14, postgresql15, postgresql16, python311-pypdf, ruby2.5, rust-keylime, tiff, tomcat, tomcat10, and tomcat11). --------------------------------------------- https://lwn.net/Articles/1034267/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 14.08.2025
by Daily end-of-shift report 14 Aug '25

14 Aug '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 13-08-2025 18:00 − Donnerstag 14-08-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Spike in Fortinet VPN brute-force attacks raises zero-day concerns ∗∗∗ --------------------------------------------- A massive spike in brute-force attacks targeted Fortinet SSL VPNs earlier this month, followed by a switch to FortiManager, marked a deliberate shift in targeting that has historically preceded new vulnerability disclosures. --------------------------------------------- https://www.bleepingcomputer.com/news/security/spike-in-fortinet-vpn-brute-… ∗∗∗ New downgrade attack can bypass FIDO auth in Microsoft Entra ID ∗∗∗ --------------------------------------------- Security researchers have created a new FIDO downgrade attack against Microsoft Entra ID that tricks users into authenticating with weaker login methods, making them susceptible to phishing and session hijacking. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-downgrade-attack-can-byp… ∗∗∗ When Hackers Call: Social Engineering, Abusing Brave Support, and EncryptHub’s Expanding Arsenal ∗∗∗ --------------------------------------------- Trustwave SpiderLabs researchers have recently identified an EncryptHub campaign that combines social engineering with abuse of the Brave Support platform to deliver malicious payloads via the CVE-2025-26633 vulnerability. In this blog post, we will break down the techniques used in the campaign and highlight the new tools employed by the threat group. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/when-hacker… ∗∗∗ A Mega Malware Analysis Tutorial Featuring Donut-Generated Shellcode ∗∗∗ --------------------------------------------- The motivation behind writing this post is that we want to provide the kind of resource that we wouldve liked to have seen more of when starting our own careers in malware research. --------------------------------------------- https://github.com/PaloAltoNetworks/Unit42-Threat-Intelligence-Article-Info… ∗∗∗ Crypto24 Ransomware Group Blends Legitimate Tools with Custom Malware for Stealth Attacks ∗∗∗ --------------------------------------------- Crypto24 is a ransomware group that stealthily blends legitimate tools with custom malware, using advanced evasion techniques to bypass security and EDR technologies. --------------------------------------------- https://www.trendmicro.com/en_us/research/25/h/crypto24-ransomware-stealth-… ===================== = Vulnerabilities = ===================== ∗∗∗ N-central 2025.3.1 ∗∗∗ --------------------------------------------- This release includes a critical security fix for CVE-2025-8875 and CVE-2025-8876. These vulnerabilities require authentication to exploit. --------------------------------------------- https://status.n-able.com/2025/08/13/announcing-the-ga-of-n-central-2025-3-… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (kernel, python3.11-setuptools, thunderbird, and toolbox), Debian (chromium), Fedora (open62541 and perl-Authen-SASL), Oracle (git, kernel, konsole, and webkit2gtk3), SUSE (framework-inputmodule-control and poppler), and Ubuntu (apache2, mysql-8.0, mysql-8.4, node-qs, request-tracker5, and ruby-sidekiq). --------------------------------------------- https://lwn.net/Articles/1033737/ ∗∗∗ Rockwell Automation Security Advisories 14.08.2025 ∗∗∗ --------------------------------------------- Rockwell Automation has released 6 new security advisories (3x Critical, 3x High) --------------------------------------------- https://www.rockwellautomation.com/en-us/trust-center/security-advisories.h… ∗∗∗ Sicherheitspatches: Angreifer können Schadcode auf GitLab-Servern verankern ∗∗∗ --------------------------------------------- Die GitLab-Entwickler haben insgesamt zwölf Sicherheitslücken geschlossen. Angreifer können Systeme kompromittieren. [..] In einer Warnmeldung versichern die Verantwortlichen, dass GitLab.com bereits abgesichert sei. Sie empfehlen, dass Admins von On-premise-Instanzen die reparierten Ausgaben 18.0.6, 18.1.4 oder 18.2.2 zeitnah installieren sollten. Noch gibt es keine Informationen, ob bereits Attacken laufen. --------------------------------------------- https://heise.de/-10523017 ∗∗∗ Nvidia stopft Sicherheitslücken in KI-Software ∗∗∗ --------------------------------------------- In diverser KI-Software von Nvidia haben die Entwickler Sicherheitslücken gefunden. Diese stellen teils ein hohes Risiko dar. [..] Betroffen sind die Nvidia-Projekte Apex, Isaac-GR00T, Megatron LM, Merlin Transformers4Rec, NeMo Framework sowie WebDataset. --------------------------------------------- https://heise.de/-10524310 ∗∗∗ Foxit PDF Reader: Präparierte PDFs können Schadcode auf PCs schleusen ∗∗∗ --------------------------------------------- Sicherheitsupdates für Foxit PDF Reader und Editor schließen mehrere Sicherheitslücken. [..] Im schlimmsten Fall kann Schadcode auf Systeme gelangen und diese vollständig kompromittieren. Das kann etwa über mit JavaScript präparierte PDFs erfolgen (etwa CVE-2025-55313 "hoch"). Dabei ist aber davon auszugehen, dass Opfer mitspielen und so eine Datei öffnen müssen, damit eine Attacke eingeleitet werden kann. --------------------------------------------- https://heise.de/-10524778 ∗∗∗ Drupal: Layout Builder Advanced Permissions - Moderately critical - Access bypass - SA-CONTRIB-2025-097 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2025-097 ∗∗∗ Drupal: Authenticator Login - Highly critical - Access bypass - SA-CONTRIB-2025-096 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2025-096 ∗∗∗ Drupal: Authenticator Login - Highly critical - Access bypass - SA-CONTRIB-2025-096 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2025-096 ∗∗∗ ABB: 2025-08-12: Cyber Security Advisory -ABB AbilityTM zenon Remote Transport Vulnerability ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2NGA002743&Language… ∗∗∗ ABB: 2025-08-11: Cyber Security Advisory -ELSB/BLBA ASPECT advisory several CVEs ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK108471A4462&Lan… ∗∗∗ TYPO3-PSA-2025-001: Sanitization bypass in SVG Sanitizer ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-psa-2025-001 ∗∗∗ Siemens: SSA-395458 V1.0: Account Hijacking Vulnerability in Mendix SAML Module ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-395458.html ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (August 4, 2025 to August 10, 2025) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2025/08/wordfence-intelligence-weekly-wordpr… ∗∗∗ Bosch: Vulnerabilities in ctrlX OS - Setup ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-129652.html ∗∗∗ Bosch: Denial of Service on Rexroth Fieldbus Couplers ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-757244.html ∗∗∗ Kubernetes: CVE-2025-5187 ∗∗∗ --------------------------------------------- https://github.com/kubernetes/kubernetes/issues/133471 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 13.08.2025
by Daily end-of-shift report 13 Aug '25

13 Aug '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 12-08-2025 18:00 − Mittwoch 13-08-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Docker Hub still hosts dozens of Linux images with the XZ backdoor ∗∗∗ --------------------------------------------- The XZ-Utils backdoor, first discovered in March 2024, is still present in at least 35 Linux images on Docker Hub, potentially putting users, organizations, and their data at risk. --------------------------------------------- https://www.bleepingcomputer.com/news/security/docker-hub-still-hosts-dozen… ∗∗∗ New trends in phishing and scams: how AI and social media are changing the game ∗∗∗ --------------------------------------------- Common tactics in phishing and scams in 2025: learn about the use of AI and deepfakes, phishing via Telegram, Google Translate and Blob URLs, biometric data theft, and more. --------------------------------------------- https://securelist.com/new-phishing-and-scam-trends-in-2025/117217/ ∗∗∗ Geld zurück nach Krypto-Betrug? Vorsicht vor Recovery Scam! ∗∗∗ --------------------------------------------- Was einmal geklappt hat, kann wieder funktionieren. Darauf hoffen Kriminelle und kontaktieren jene Menschen, denen sie in der Vergangenheit durch Krypto- bzw. Investmentbetrug geschadet haben. Sie geben sich als Agentur, Behörde etc. aus, die dabei helfen kann, das verlorene Geld zurückzuholen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-recovery-scam/ ∗∗∗ The MedusaLocker ransomware gang is hiring penetration testers ∗∗∗ --------------------------------------------- MedusaLocker, the ransomware-as-a-service group that has been active since 2019 is openly recruiting for penetration testers to help it compromise more businesses. --------------------------------------------- https://www.fortra.com/blog/medusalocker-ransomware-gang-hiring-penetration… ∗∗∗ Malvertising campaign leads to PS1Bot, a multi-stage malware framework ∗∗∗ --------------------------------------------- Cisco Talos has observed an ongoing malware campaign that seeks to infect victims with a multi-stage malware framework, implemented in PowerShell and C#, which we are referring to as “PS1Bot.” --------------------------------------------- https://blog.talosintelligence.com/ps1bot-malvertising-campaign/ ∗∗∗ Microsoft Patchday August 2025: Sicherheitseinschätzungen von Tenable ∗∗∗ --------------------------------------------- Zum 12. August 2025 hat Microsoft zum Patchday Sicherheitsupdates für die noch im Support befindlichen Produkte veröffentlich und Schwachstellen geschlossen. [..] Inzwischen liegt mir eine Einschätzung seitens Tenable im Hinblick auf die Auswirkungen der Schwachstellen vor, die ich hier einfach zur Information in den Blog einstelle. --------------------------------------------- https://www.borncity.com/blog/2025/08/13/microsoft-patchday-august-2025-sic… ===================== = Vulnerabilities = ===================== ∗∗∗ Exchange Server Sicherheitsupdates August 2025 ∗∗∗ --------------------------------------------- Microsoft hat zum 12. August 2025 das "August 2025" Sicherheitsupdate für Exchange Server freigegeben. Das Sicherheitsupdate gilt Exchange Server 2016, Exchange Server 2019, und erstmals für Exchange Server Subscription Edition (SE). --------------------------------------------- https://www.borncity.com/blog/2025/08/12/exchange-server-sicherheitsupdates… ∗∗∗ Microsoft Security Update Summary (12. August 2025) ∗∗∗ --------------------------------------------- Microsoft hat am 12. August 2025 Sicherheitsupdates für Windows-Clients und -Server, für Office – sowie für weitere Produkte – veröffentlicht. Die Sicherheitsupdates beseitigen 107 Schwachstellen (CVEs), eine davon wurde als 0-day klassifiziert und war öffentlich bekannt. --------------------------------------------- https://www.borncity.com/blog/2025/08/12/microsoft-security-update-summary-… ∗∗∗ Angriff über Websites: Kritische Grafik-Schwachstellen gefährden Windows-Nutzer ∗∗∗ --------------------------------------------- Während sich CVE-2025-50165 nur auf Windows 11 24H2 und Windows Server 2025 bezieht, ist die Zahl der anfälligen Systeme im Falle von CVE-2025-53766 deutlich höher. [..] Beide lassen sich demnach über das Netzwerk ausnutzen und erfordern vorab keinerlei Authentifizierung oder Nutzerinteraktion. Die Angriffskomplexität ist laut Microsoft jeweils gering. --------------------------------------------- https://www.golem.de/news/angriff-ueber-websites-kritische-grafik-schwachst… ∗∗∗ AMD und Intel stopfen zahlreiche Sicherheitslücken ∗∗∗ --------------------------------------------- AMD und Intel haben im August Updates herausgegeben, die zahlreiche Sicherheitslücken in VGA- sowie Netzwerktreibern und Prozessoren schließen. --------------------------------------------- https://heise.de/-10520732 ∗∗∗ Patchday: Mehrere Fortinet-Produkte sind angreifbar ∗∗∗ --------------------------------------------- Am gefährlichsten gilt einer Warnmeldung zufolge eine "kritische" Sicherheitslücke (CVE-2025-25256) in der IT-Sicherheitslösung FortiSIEM. An dieser Stelle können Angreifer ohne Authentifizierung mit präparierten CLI-Anfragen ansetzen, um Schadcode auszuführen. [..] Wie ein Sicherheitsforscher in einem Beitrag schreibt, können Angreifer die Authentifizierung von FortiWeb-Firewalls umgehen. --------------------------------------------- https://heise.de/-10519770 ∗∗∗ Zoom: Windows-Clients ermöglichen Angriffe aus dem Netz ∗∗∗ --------------------------------------------- Zwei Sicherheitslücken meldet Zoom in den Windows-Clients. Sie ermöglicht Angreifern aus dem Netz ohne vorherige Anmeldung, ihre Rechte auszuweiten. [..] Details dazu, wie Angriffe aussehen könnten, nennen sie hingegen nicht. --------------------------------------------- https://heise.de/-10520206 ∗∗∗ Adobe Patch Tuesday Fixes Over 60 Vulnerabilities Across 13 Products ∗∗∗ --------------------------------------------- Adobe has issued a new set of security patches addressing more than 60 vulnerabilities across 13 of its widely used software products. This update, part of the company’s routine Adobe Patch Tuesday cycle, includes critical fixes for applications ranging from Adobe Commerce and Illustrator to its Substance 3D suite. --------------------------------------------- https://thecyberexpress.com/adobe-security-update-2/ ∗∗∗ VU#767506: HTTP/2 implementations are vulnerable to "MadeYouReset" DoS attack through HTTP/2 control frames ∗∗∗ --------------------------------------------- OverviewA vulnerability has been discovered within many HTTP/2 implementations allowing for denial of service (DoS) attacks through HTTP/2 control frames. This vulnerability is colloquially known as "MadeYouReset" and is tracked as CVE-2025-8671. [..] Various vendors have provided patches and statements to address the vulnerability. Please review their statements below. --------------------------------------------- https://kb.cert.org/vuls/id/767506 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache2, kernel, linux-6.1, openjdk-17, and pgpool2), Fedora (glib2, matrix-synapse, openjpeg, python3-docs, and python3.13), Oracle (gdk-pixbuf2, glibc, java-1.8.0-openjdk, kernel, libxml2, python-requests, python3.11-setuptools, and thunderbird), SUSE (amber-cli, apache-commons-lang3, eclipse-jgit, go1.23, go1.24, govulncheck-vulndb, grub2, icinga2, kubernetes1.23, libgcrypt, python3, python313, sccache, slurm, tiff, and webkit2gtk3), and Ubuntu (linux-oracle). --------------------------------------------- https://lwn.net/Articles/1033588/ ∗∗∗ Palo Alto Networks Security Advisories 2025-08-13 ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/ ∗∗∗ f5: K000152635: Quarterly Security Notification (August 2025) ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000152635 ∗∗∗ Johnson Controls iSTAR Ultra, iSTAR Ultra SE, iSTAR Ultra G2, iSTAR Ultra G2 SE, iSTAR Edge G2 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-224-02 ∗∗∗ Santesoft Sante PACS Server ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-224-01 ∗∗∗ AVEVA PI Integrator ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-224-04 ∗∗∗ Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, Cobalt Share ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-224-01 ∗∗∗ Schneider Electric EcoStruxure Power Monitoring Expert ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-224-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 12.08.2025
by Daily end-of-shift report 12 Aug '25

12 Aug '25

===================== = End-of-Day report = ===================== Timeframe: Montag 11-08-2025 18:00 − Dienstag 12-08-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Netherlands: Citrix Netscaler flaw CVE-2025-6543 exploited to breach orgs ∗∗∗ --------------------------------------------- The Netherlands National Cyber Security Centre (NCSC) is warning that a critical Citrix NetScaler vulnerability tracked as CVE-2025-6543 was exploited to breach "critical organizations" in the country. --------------------------------------------- https://www.bleepingcomputer.com/news/security/netherlands-citrix-netscaler… ∗∗∗ Over 3,000 NetScaler devices left unpatched against CitrixBleed 2 bug ∗∗∗ --------------------------------------------- Over 3,300 Citrix NetScaler devices remain unpatched against a critical vulnerability that allows attackers to bypass authentication by hijacking user sessions, nearly two months after patches were released. --------------------------------------------- https://www.bleepingcomputer.com/news/security/over-3-000-netscaler-devices… ∗∗∗ Scam hunter scammed by tax office impersonators ∗∗∗ --------------------------------------------- Scam hunter Julie-Anne Kearns, who helps scam victims online, opened up about a tax scam she fell for herself. --------------------------------------------- https://www.malwarebytes.com/blog/news/2025/08/scam-hunter-scammed-by-tax-o… ∗∗∗ Russian-Linked Curly COMrades Deploy MucorAgent Malware in Europe ∗∗∗ --------------------------------------------- A new report from Bitdefender reveals the Russian-linked hacking group Curly COMrades is targeting Eastern Europe with a new backdoor called MucorAgent. Learn how they’re using advanced tactics to steal data. --------------------------------------------- https://hackread.com/russian-curly-comrades-mucoragent-malware-europe/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security Advisory Ivanti Connect Secure, Policy Secure & ZTA Gateways (Multiple CVEs) ∗∗∗ --------------------------------------------- Ivanti has released updates for Ivanti Connect Secure which addresses medium, high, and critical vulnerabilities. At the time of disclosure, there have been no reports of customers being exploited by this vulnerability. --------------------------------------------- https://forums.ivanti.com/s/article/August-Security-Advisory-Ivanti-Connect… ∗∗∗ August Security Advisory Ivanti Virtual Application Delivery Controller (vADC previously vTM) (CVE-2025-8310) ∗∗∗ --------------------------------------------- Ivanti has released updates for Ivanti Virtual Application Delivery Controller (vADC), previously Virtual Traffic Manager (vTM), which addresses one medium severity vulnerability. Successful exploitation could lead to account takeover. At the time of disclosure, there have been no reports of customers being exploited by this vulnerability. --------------------------------------------- https://forums.ivanti.com/s/article/August-Security-Advisory-Ivanti-Virtual… ∗∗∗ 40,000 WordPress Sites Affected by Arbitrary File Read Vulnerability in UiCore Elements WordPress Plugin ∗∗∗ --------------------------------------------- On June 13th, 2025, we received a submission for an Arbitrary File Read vulnerability in UiCore Elements, a WordPress plugin with more than 40,000 active installations. This vulnerability makes it possible for an unauthenticated attacker to read arbitrary files on the server, which can contain sensitive information. During the disclosure process, our investigation revealed that the vulnerability leveraged an underlying issue in Elementor’s import functionality. --------------------------------------------- https://www.wordfence.com/blog/2025/08/40000-wordpress-sites-affected-by-ar… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (kernel, kernel-rt, and python-requests), Debian (ca-certificates-java), Fedora (chromium, clash-meta, mingw-python3, openjpeg, php-adodb, and toolbox), Mageia (kernel and kernel-linus), SUSE (chromium, ImageMagick, libgcrypt, libssh, libxml2, opensc, postgresql14, and postgresql16), and Ubuntu (dnsmasq, linux-gcp-6.8, linux-raspi, linux-oracle-6.14, and openjdk-17). --------------------------------------------- https://lwn.net/Articles/1033445/ ∗∗∗ Vtenext 25.02: A three-way path to RCE ∗∗∗ --------------------------------------------- Multiple vulnerabilities in vtenext 25.02 and prior versions allow unauthenticated attackers to bypass authentication through three separate vectors, ultimately leading to remote code execution on the underlying server. --------------------------------------------- https://blog.sicuranext.com/vtenext-25-02-a-three-way-path-to-rce/ ∗∗∗ OMSA-2025-0004: Omnissa Workspace ONE UEM addresses multiple vulnerabilities (CVE-2025-25229, CVE-2025-25231) ∗∗∗ --------------------------------------------- https://www.omnissa.com/omsa-2025-0004/ ∗∗∗ OMSA-2025-0003: Omnissa Secure Email Gateway (SEG) updates address Server-Side Request Forgery (SSRF) vulnerability (CVE-2025-25235) ∗∗∗ --------------------------------------------- https://www.omnissa.com/omsa-2025-0003/ ∗∗∗ Matrix protocol vulnerabilities fixed in room version 12 ∗∗∗ --------------------------------------------- https://matrix.org/blog/2025/08/security-release/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 11.08.2025
by Daily end-of-shift report 11 Aug '25

11 Aug '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 08-08-2025 18:00 − Montag 11-08-2025 18:00 Handler: Felician Fuchs Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ WinRAR zero-day flaw exploited by RomCom hackers in phishing attacks ∗∗∗ --------------------------------------------- A recently fixed WinRAR vulnerability tracked as CVE-2025-8088 was exploited as a zero-day in phishing attacks to install the RomCom malware. [..] The flaw is a directory traversal vulnerability that was fixed in WinRAR 7.13, which allows specially crafted archives to extract files into a file path selected by the attacker. --------------------------------------------- https://www.bleepingcomputer.com/news/security/winrar-zero-day-flaw-exploit… ∗∗∗ Command Injection in Jenkins via Git Parameter (CVE-2025-53652) ∗∗∗ --------------------------------------------- On July 9, Jenkins disclosed CVE-2025-53652 (aka SECURITY-34191), one of 31 plugin vulnerabilities announced that day. [..] was disclosed as medium severity, but it enables command injection via the Jenkins Git Parameter plugin. [..] Around 15,000 Jenkins servers appear to allow unauthenticated access, making RCE viable in the wild. [..] The patch can be disabled, so detection remains important even after upgrading. --------------------------------------------- https://www.vulncheck.com/blog/git-parameter-rce ∗∗∗ EU law to protect journalists from spyware takes effect ∗∗∗ --------------------------------------------- Critics from press freedom groups say member states have not taken steps to give the law any teeth. --------------------------------------------- https://therecord.media/eu-law-to-protect-journalists-from-spyware-takes-ef… ∗∗∗ Sicherheitslücken: Hacker knackt Auto über Webportal des Herstellers ∗∗∗ --------------------------------------------- Er konnte nicht nur aus der Ferne unzählige fremde Autos orten, entriegeln und starten, sondern auch nach Belieben die Halterdaten abfragen. [..] Zveare stellte seine Entdeckungen am vergangenen Sonntag auf der Def Con in Las Vegas vor. Den Angaben zufolge konnte er sich in dem besagten Händlerportal ein "nationales Administratorkonto" erstellen und erhielt damit einen weitreichenden Zugriff, der "nur wenigen ausgewählten Unternehmensnutzern vorbehalten ist" und "eine Vielzahl von lustigen Exploits" ermöglichte. --------------------------------------------- https://www.golem.de/news/sicherheitsluecken-hacker-knackt-auto-ueber-webpo… ∗∗∗ Spionage: Rauchwarnmelder in Abhörwanzen verwandelt ∗∗∗ --------------------------------------------- Zwei junge Sicherheitsforscher haben im Rahmen der Def Con in Las Vegas Sicherheitslücken in smarten Rauchwarnmeldern des Typs Halo 3C aufgedeckt. [..] Der Hersteller der Halo-3C-Warnmelder hört auf den Namen IPVideo und ist laut der Webseite seit 2023 Teil von Motorola Solutions. Das Unternehmen hat dem Wired-Bericht zufolge bereits ein Firmwareupdate bereitgestellt, um die von Garcia und seinem Kollegen entdeckten Sicherheitslücken zu schließen. Mit der Cloud verbundene Geräte sollen das Update automatisch erhalten. --------------------------------------------- https://www.golem.de/news/spionage-smarte-rauchwarnmelder-in-abhoerwanzen-v… ∗∗∗ Researchers Reveal ReVault Attack Targeting Dell ControlVault3 Firmware in 100+ Laptop Models ∗∗∗ --------------------------------------------- Cybersecurity researchers have uncovered multiple security flaws in Dells ControlVault3 firmware and its associated Windows APIs that could have been abused by attackers to bypass Windows login, extract cryptographic keys, as well as maintain access even after a fresh operating system install by deploying undetectable malicious implants into the firmware. [..] Attackers can chain the vulnerabilities, which were presented at the Black Hat USA security conference, to escalate their privileges after initial access, bypass authentication controls, and maintain persistence on compromised systems that survive operating system updates or reinstallations. --------------------------------------------- https://thehackernews.com/2025/08/researchers-reveal-revault-attack.html ∗∗∗ DEF CON hackers plug security holes in US water systems amid tsunami of threats ∗∗∗ --------------------------------------------- A DEF CON hacker walks into a small-town water facility … no, this is not the setup for a joke or a (super-geeky) odd-couple rom-com. It's a true story that happened at five utilities across four states. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/08/10/def_con_hack… ∗∗∗ libarchive: Sicherheitslücke entpuppt sich als kritisch ∗∗∗ --------------------------------------------- In der Open-Source-Kompressionsbibliothek libarchive klafft eine Sicherheitslücke, die zunächst als lediglich niedriges Risiko eingestuft wurde. [..] Die ursprüngliche Meldung der Lücke an das libarchive-Projekt durch Tobias Stöckmann mitsamt eines Proof-of-Concept-Exploits fand bereits am 10. Mai dieses Jahres statt. Am 20. Mai haben die Entwickler die Version 3.8.0 von libarchive herausgegeben. Die öffentliche Schwachstellenmeldung erfolgte am 9. Juni ebenfalls auf Github. Dort wurde auch die CVE-Nummer CVE-2025-5914 zugewiesen, jedoch zunächst mit dem Schweregrad CVSS 3.9, Risiko "niedrig", wie Red Hat die Lücke einordnete. --------------------------------------------- https://www.heise.de/news/libarchive-Sicherheitsluecke-entpuppt-sich-als-kr… ∗∗∗ Keys to the Kingdom: Erlang/OTP SSH Vulnerability Analysis and Exploits Observed in the Wild ∗∗∗ --------------------------------------------- CVE-2025-32433 allows for remote code execution in sshd for certain versions of Erlang programming language’s OTP. We reproduced this CVE and share our findings. --------------------------------------------- https://unit42.paloaltonetworks.com/erlang-otp-cve-2025-32433/ ∗∗∗ BadCam Attack Turns Trusted Linux Webcams into Stealthy USB Weapons ∗∗∗ --------------------------------------------- A new class of USB-based attacks has come to light. [..] Attackers can now exploit vulnerabilities in commonly used USB webcams running embedded Linux, transforming them into BadUSB devices capable of injecting keystrokes and executing covert operations independently of the host operating system. --------------------------------------------- https://thecyberexpress.com/badcam-linux-webcam/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (jackson-annotations, jackson-core, jackson-databind, jackson-jaxrs-providers, and jackson-modules-base and libxml2), Debian (distro-info-data, gnutls28, modsecurity-crs, and node-tmp), Fedora (chromium, incus, perl, perl-Devel-Cover, perl-PAR-Packer, polymake, varnish, and xen), Red Hat (kernel, kernel-rt, and rhc), and SUSE (chromedriver, ffmpeg-4, go1.23, go1.24, go1.25, govulncheck-vulndb, himmelblau, iperf, keylime-ima-policy, net-tools, sqlite3, texmaker, tomcat, and zabbix). --------------------------------------------- https://lwn.net/Articles/1033328/ ∗∗∗ SQUID-2025:1 Buffer Overflow in URN Handling ∗∗∗ --------------------------------------------- https://github.com/squid-cache/squid/security/advisories/GHSA-w4gv-vw3f-29g3 ∗∗∗ Xerox® FreeFlow® Core v8.0.5 ∗∗∗ --------------------------------------------- https://securitydocs.business.xerox.com/wp-content/uploads/2025/08/Xerox-Se… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/

1 0

Tageszusammenfassung - 08.08.2025
by Daily end-of-shift report 08 Aug '25

08 Aug '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 07-08-2025 18:00 − Freitag 08-08-2025 18:00 Handler: Guenes Holler Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ New EDR killer tool used by eight different ransomware groups ∗∗∗ --------------------------------------------- A new Endpoint Detection and Response (EDR) killer that is considered to be the evolution of 'EDRKillShifter,' developed by RansomHub, has been observed in attacks by eight different ransomware gangs. Such tools help ransomware operators turn off security products on breached systems so they can deploy payloads, escalate privileges, attempt lateral movement, and ultimately encrypt devices on the network without being detected. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-edr-killer-tool-used-by-… ∗∗∗ Why blow up satellites when you can just hack them? ∗∗∗ --------------------------------------------- Four countries have now tested anti-satellite missiles (the US, China, Russia, and India), but it's much easier and cheaper just to hack them. In a briefing at the Black Hat conference in Las Vegas, Milenko Starcik and Andrzej Olchawa from German biz VisionSpace Technologies demonstrated how easy it is by exploiting software vulnerabilities in the software used in the satellites themselves, as well as the ground stations that control them. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/08/07/balck_hat_sa… ∗∗∗ US confirms takedown of BlackSuit ransomware gang that racked up $370 million in ransoms ∗∗∗ --------------------------------------------- U.S. law enforcement agencies provided new details on an operation that dismantled critical infrastructure used by the BlackSuit ransomware gang after the organization’s leak site was replaced with a takedown banner nearly two weeks ago. The group — which rebranded from its Royal name after a devastating 2023 attack that shut down the city of Dallas — successfully attacked more than 450 entities in the U.S. Since emerging in 2022, the gang secured more than $370 million in ransom payments, according to U.S. investigators. --------------------------------------------- https://therecord.media/us-confirms-blacksuit-takedown ∗∗∗ Abusing Ubuntu 24.04 features for root privilege escalation ∗∗∗ --------------------------------------------- With the recent release of Ubuntu 24.04, we at Snyk Security Labs thought it would be interesting to examine the latest version of this Linux distribution to see if we could find any interesting privilege escalation vulnerabilities. In this post, we have seen that it only takes the leveraging of one small vulnerability, combined with a number of features, to achieve a chain of exploitation resulting in a full privilege escalation. Even where security controls are in place preventing the direct exploitation of a small vulnerability it may still be possible to finesse limited exploitation potential into a much greater impact. --------------------------------------------- https://labs.snyk.io/resources/abusing-ubuntu-root-privilege-escalation/ ∗∗∗ Oops Safari, I think You Spilled Something ∗∗∗ --------------------------------------------- In February 2023, researchers at Exodus Intelligence discovered a bug in the Data Flow Graph (DFG) compiler of WebKit, the browser engine used by Safari. This bug, CVE-2024-44308, was patched by Apple in November 2024. While it was alive, its exploit was chained with PAC and APRR bypasses on Apple Silicon to yield renderer remote code execution capabilities on macOS and iOS. Such capabilities, and many others including LPEs and RCEs on Windows and Linux, are available to Exodus’ customers. --------------------------------------------- https://blog.exodusintel.com/2025/08/04/oops-safari-i-think-you-spilled-som… ∗∗∗ 60 Malicious Ruby Gems Used in Targeted Credential Theft Campaign ∗∗∗ --------------------------------------------- Socket’s Threat Research Team has uncovered a long-running supply chain attack in the RubyGems ecosystem. Since at least March 2023, a threat actor using the aliases zon, nowon, kwonsoonje, and soonje has published 60 malicious gems posing as automation tools for Instagram, Twitter/X, TikTok, WordPress, Telegram, Kakao, and Naver. These gems deliver their advertised functionality, such as bulk posting or engagement, but covertly exfiltrate credentials (usernames and passwords) to threat actor-controlled infrastructure, which classifies them as infostealer malware. --------------------------------------------- https://socket.dev/blog/60-malicious-ruby-gems-used-in-targeted-credential-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (gdk-pixbuf2, glibc, kernel, kernel-rt, libxml2, and opentelemetry-collector), Fedora (firefox, mingw-opencv, moby-engine, varnish, webkitgtk, xen, and yarnpkg), Oracle (firefox, gdk-pixbuf2, glibc, kernel, libblockdev, libxml2, python-requests, python3.12-setuptools, and qt5-qt3d), Red Hat (libxml2, pcs, and sudo), and SUSE (agama, chromium, dpkg, ghostscript, iperf, kubo, libIex-3_3-32, libpoppler-cpp2, libsoup, libtiff-devel-32bit, nginx, python-urllib3, ruby2.5, tgt, traefik, and traefik2). --------------------------------------------- https://lwn.net/Articles/1033009/ ∗∗∗ CISA Issues ED 25-02: Mitigate Microsoft Exchange Vulnerability ∗∗∗ --------------------------------------------- Today, CISA issued Emergency Directive (ED) 25-02: Mitigate Microsoft Exchange Vulnerability in response to CVE-2025-53786, a vulnerability in Microsoft Exchange server hybrid deployments. ED 25-02 directs all Federal Civilian Executive Branch (FCEB) agencies with Microsoft Exchange hybrid environments to implement required mitigations by 9:00 AM EDT on Monday, August 11, 2025. This vulnerability presents significant risk to all organizations operating Microsoft Exchange hybrid-joined configurations that have not yet implemented the April 2025 patch guidance. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/08/07/cisa-issues-ed-25-02-mit… ∗∗∗ CISA Releases Ten Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/08/07/cisa-releases-ten-indust… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.08.2025
by Daily end-of-shift report 07 Aug '25

07 Aug '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 06-08-2025 18:00 − Donnerstag 07-08-2025 18:00 Handler: Felician Fuchs Co-Handler: Guenes Holler ===================== = News = ===================== ∗∗∗ New Ghost Calls tactic abuses Zoom and Microsoft Teams for C2 operations ∗∗∗ --------------------------------------------- A new post-exploitation command-and-control (C2) evasion method called Ghost Calls abuses TURN servers used by conferencing apps like Zoom and Microsoft Teams to tunnel traffic through trusted infrastructure. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-ghost-calls-tactic-abuse… ∗∗∗ Wave of 150 crypto-draining extensions hits Firefox add-on store ∗∗∗ --------------------------------------------- A malicious campaign dubbed GreedyBear has snuck onto the Mozilla add-ons store, targeting Firefox users with 150 malicious extensions and stealing an estimated $1,000,000 from unsuspecting victims. --------------------------------------------- https://www.bleepingcomputer.com/news/security/wave-of-150-crypto-draining-… ∗∗∗ Critical Zero-Day Bugs Crack Open CyberArk, HashiCorp Password Vaults ∗∗∗ --------------------------------------------- Secrets managers hold all the keys to an enterprises kingdom. Two popular ones had longstanding, critical, unauthenticated RCE vulnerabilities. --------------------------------------------- https://www.darkreading.com/cybersecurity-operations/critical-zero-day-bugs… ∗∗∗ Researchers Uncover ECScape Flaw in Amazon ECS Enabling Cross-Task Credential Theft ∗∗∗ --------------------------------------------- Cybersecurity researchers have demonstrated an "end-to-end privilege escalation chain" in Amazon Elastic Container Service (ECS) that could be exploited by an attacker to conduct lateral movement, access sensitive data, and seize control of the cloud environment. --------------------------------------------- https://thehackernews.com/2025/08/researchers-uncover-ecscape-flaw-in.html ∗∗∗ How To Find SQL Injection Vulnerabilities in WordPress Plugins and Themes ∗∗∗ --------------------------------------------- SQL Injection (SQLi), a vulnerability almost as old as database-driven web applications themselves (CWE-89), persists as a classic example of failing to neutralize user-supplied input before its used in a SQL query. So why does this well-understood vulnerability type continue to exist? --------------------------------------------- https://www.wordfence.com/blog/2025/08/how-to-find-sql-injection-vulnerabil… ∗∗∗ New Promptware Attack Hijacks User’s Gemini AI Via Google Calendar Invite ∗∗∗ --------------------------------------------- Cybersecurity researchers demonstrate a new attack on Google Gemini AI for Workspace. Discover how a simple calendar invite can be used to perform phishing, steal emails, and even control home appliances. --------------------------------------------- https://hackread.com/promptware-attack-hijack-gemini-ai-google-calendar-inv… ∗∗∗ Unveiling a New Variant of the DarkCloud Campaign ∗∗∗ --------------------------------------------- In early July 2025, a new DarkCloud campaign was observed in the wild by Fortinet’s FortiGuard Labs team. It began with a phishing email containing an attached RAR archive. I subsequently investigated this campaign and conducted a step-by-step analysis. --------------------------------------------- https://feeds.fortinet.com/~/922857380/0/fortinet/blogs~Unveiling-a-New-Var… ∗∗∗ HTTP/1.1 must die: the desync endgame ∗∗∗ --------------------------------------------- Upstream HTTP/1.1 is inherently insecure and regularly exposes millions of websites to hostile takeover. Six years of attempted mitigations have hidden the issue, but failed to fix it. This paper introduces several novel classes of HTTP desync attack capable of mass compromise of user credentials. --------------------------------------------- https://portswigger.net/research/http1-must-die ∗∗∗ Malicious npm Packages Target WhatsApp Developers with Remote Kill Switch ∗∗∗ --------------------------------------------- Two npm packages masquerading as WhatsApp developer libraries include a kill switch that deletes all files if the phone number isn’t whitelisted. --------------------------------------------- https://socket.dev/blog/malicious-npm-packages-target-whatsapp-developers-w… ===================== = Vulnerabilities = ===================== ∗∗∗ 6,500 Axis Servers Expose Remoting Protocol, 4,000 in U.S. Vulnerable to Exploits ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed multiple security flaws in video surveillance products from Axis Communications that, if successfully exploited, could expose them to takeover attacks. --------------------------------------------- https://thehackernews.com/2025/08/6500-axis-servers-expose-remoting.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (glibc, kernel, libxml2, python-requests, and python-setuptools), Debian (chromium), Fedora (chromium, firefox, gdk-pixbuf2, iputils, libsoup3, libssh, perl, perl-Devel-Cover, perl-PAR-Packer, polymake, and poppler), Gentoo (Composer and Spreadsheet-ParseExcel), Oracle (glibc, kernel, libxml2, python-setuptools, sqlite, and virt:rhel and virt-devel:rhel), Red Hat (libxml2), SUSE (grub2, libarchive, libgcrypt, and python311), and Ubuntu (cifs-utils and poppler). --------------------------------------------- https://lwn.net/Articles/1032861/ ∗∗∗ Erhöhte Bedrohungsaktivität gegen SonicWall Gen 7 Firewalls mit SSLVPN - Sofortmaßnahmen empfohlen ∗∗∗ --------------------------------------------- Update: 07. August 2025 Ergänzung von technischen Indikatoren für eine forensische Untersuchung möglicherweise betroffener Geräte sowie Informationen zu der angeblich relevanten Schwachstelle. --------------------------------------------- https://www.cert.at/de/warnungen/2025/8/erhohte-bedrohungsaktivitat-gegen-s… ∗∗∗ Sicherheitslücken: Angreifer können IBM Tivoli Monitoring crashen lassen ∗∗∗ --------------------------------------------- IBMs IT-Verwaltungssoftware Tivoli Monitoring ist verwundbar und Angreifer können an zwei Sicherheitslücken ansetzen. Ein Update zum Schließen der Lücken steht zum Download bereit. --------------------------------------------- https://heise.de/-10513072 ∗∗∗ EG4 Electronics EG4 Inverters ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-07 ∗∗∗ Dreame Technology iOS and Android Mobile Applications ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-06 ∗∗∗ Packet Power EMX and EG ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-05 ∗∗∗ Rockwell Automation Arena ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-04 ∗∗∗ Burk Technology ARC Solo ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-03 ∗∗∗ Johnson Controls FX80 and FX90 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-02 ∗∗∗ Delta Electronics DIAView ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.08.2025
by Daily end-of-shift report 06 Aug '25

06 Aug '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 05-08-2025 18:00 − Mittwoch 06-08-2025 18:00 Handler: Felician Fuchs Co-Handler: Guenes Holler ===================== = News = ===================== ∗∗∗ Driver of destruction: How a legitimate driver is being used to take down AV processes ∗∗∗ --------------------------------------------- In an incident response case, Kaspersky experts discovered new malware that terminates AV processes by abusing the legitimate ThrottleStop driver. --------------------------------------------- https://securelist.com/av-killer-exploiting-throttlestop-sys/117026/ ∗∗∗ CISA Adds 3 D-Link Router Flaws to KEV Catalog After Active Exploitation Reports ∗∗∗ --------------------------------------------- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added three old security flaws impacting D-Link routers to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation in the wild. --------------------------------------------- https://thehackernews.com/2025/08/cisa-adds-3-d-link-router-flaws-to-kev.ht… ∗∗∗ CERT-UA Warns of HTA-Delivered C# Malware Attacks Using Court Summons Lures ∗∗∗ --------------------------------------------- The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of cyber attacks carried out by a threat actor called UAC-0099 targeting government agencies, the defense forces, and enterprises of the defense-industrial complex in the country. --------------------------------------------- https://thehackernews.com/2025/08/cert-ua-warns-of-hta-delivered-c.html ∗∗∗ GenAI Used For Phishing Websites Impersonating Brazil’s Government ∗∗∗ --------------------------------------------- In this blog post, ThreatLabz explores a campaign that uses generative AI tools like DeepSite AI and BlackBox AI to create malicious replicas of Brazil's State Department of Traffic and Ministry of Education. --------------------------------------------- https://www.zscaler.com/blogs/security-research/genai-used-phishing-website… ∗∗∗ Kriminelle versenden gefälschte Zahlungsaufforderungen im Namen der WKO ∗∗∗ --------------------------------------------- Die Wirtschatfskammer Österreich (WKO) ist erneut Ziel einer Phishing-Attacke geworden. Aktuell kursiert eine betrügerische E-Mail, die vorgibt, von der WKO zu stammen. In der E-Mail wird der Eindruck erweckt, dass eine ausstehende Mitgliedsrechnung bezahlt werden müsse. Das Ziel der Attacke ist es, an persönliche Informationen und Log-in-Daten zu kommen. --------------------------------------------- https://www.watchlist-internet.at/news/kriminelle-versenden-gefaelschte-zah… ∗∗∗ Makop Ransomware Identified in Attacks in South Korea ∗∗∗ --------------------------------------------- AhnLab SEcurity intelligence Center (ASEC) recently identified cases of Makop ransomware attacks targeting South Korean users. The Makop ransomware has been distributed to South Korean users by disguising as resumes or emails related to copyrights for several years. Recently, it has been reported that the ransomware is exploiting RDP for attacks. --------------------------------------------- https://asec.ahnlab.com/en/89397/ ∗∗∗ The Cost of a Call: From Voice Phishing to Data Extortion ∗∗∗ --------------------------------------------- In June, one of Google’s corporate Salesforce instances was impacted by similar UNC6040 activity described in this post. Google responded to the activity, performed an impact analysis and began mitigations. The instance was used to store contact information and related notes for small and medium businesses. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/voice-phishing-dat… ===================== = Vulnerabilities = ===================== ∗∗∗ Experience Manager: Adobe patcht 90 Tage nicht und bringt nun Notfallupdate ∗∗∗ --------------------------------------------- Da Proof-of-Concept-Code im Umlauf ist, könnten Angriffe auf Adobe Experience Manager bevorstehen. Angreifer können an zwei Sicherheitslücken [..] ansetzen, um Systeme zu attackieren. Die Schwachstellen sind seit April dieses Jahres bekannt, Sicherheitspatches gibt es aber erst jetzt. --------------------------------------------- https://www.heise.de/news/Experience-Manager-Adobe-patcht-90-Tage-nicht-und… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (kernel and python3.12-setuptools), Fedora (perl-Crypt-CBC and unbound), Gentoo (FontForge, GPL Ghostscript, Mozilla Network Security Service (NSS), and PAM), Oracle (gdk-pixbuf2, jq, kernel, mod_security, ncurses, python-requests, and python3-setuptools), Red Hat (python-requests and socat), SUSE (docker, kernel-livepatch-MICRO-6-0-RT_Update_2, kernel-livepatch-MICRO-6-0-RT_Update_4, kernel-livepatch-MICRO-6-0-RT_Update_5, kernel-livepatch-MICRO-6-0-RT_Update_6, kernel-livepatch-MICRO-6-0-RT_Update_7, kernel-livepatch-MICRO-6-0_Update_2, kernel-livepatch-MICRO-6-0_Update_4, kernel-livepatch-MICRO-6-0_Update_5, kernel-livepatch-MICRO-6-0_Update_6, kubeshark-cli, libgcrypt, pam-config, perl, python-requests, python311, and python313), and Ubuntu (linux-raspi). --------------------------------------------- https://lwn.net/Articles/1032700/ ∗∗∗ Docker: Sicherheitsalptraum MCP – sechs Lücken identifiziert ∗∗∗ --------------------------------------------- Die Containerplattform Docker warnt vor Sicherheitsrisiken, die sich durch die Nutzung von MCP-Quellen ergeben und Angreifern leichten Zugriff auf Dateien, Datenbanken, Netzwerk und Secrets eröffnen. Außerdem können die Täter weitreichend Befehle absetzen und schädlichen Code einschleusen. --------------------------------------------- https://heise.de/-10510262 ∗∗∗ Sicherheitsupdates: Root-Attacken auf Dell PowerProtect und Unity möglich ∗∗∗ --------------------------------------------- Um möglichen Attacken vorzubeugen, sollten Admins Dell PowerProtect Data Domain und Unity, UnityVSA sowie Unity XT auf den aktuellen Stand bringen. Geschieht das nicht, können Angreifer unter anderem mit Root-Rechten auf Instanzen zugreifen und diese kompromittieren. --------------------------------------------- https://heise.de/-10511706 ∗∗∗ JVN: Multiple vulnerabilities in Sato label printers CL4/6NX Plus and CL4/6NX-J Plus series ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN16547726/ ∗∗∗ ZDI-25-771: Trend Micro Apex One Console Command Injection Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-771/ ∗∗∗ ZDI-25-807: (0Day) AOMEI Cyber Backup Missing Authentication for Critical Function Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-807/ ∗∗∗ Stable Channel Update for Desktop ∗∗∗ --------------------------------------------- http://chromereleases.googleblog.com/2025/08/stable-channel-update-for-desk… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.08.2025
by Daily end-of-shift report 05 Aug '25

05 Aug '25

===================== = End-of-Day report = ===================== Timeframe: Montag 04-08-2025 18:00 − Dienstag 05-08-2025 18:00 Handler: Felician Fuchs Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Android gets patches for Qualcomm flaws exploited in attacks ∗∗∗ --------------------------------------------- Google has released security patches for six vulnerabilities in Androids August 2025 security update, including two Qualcomm flaws exploited in targeted attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/android-gets-patches-for-qua… ∗∗∗ Stealing Machine Keys for fun and profit (or riding the SharePoint wave) ∗∗∗ --------------------------------------------- About 10 days ago exploits for Microsoft SharePoint (CVE-2025-53770, CVE-2025-53771) started being publicly abused .. --------------------------------------------- https://isc.sans.edu/diary/Stealing+Machine+Keys+for+fun+and+profit+or+ridi… ∗∗∗ Antivirus vendors fail to spot persistent, nasty, stealthy Linux backdoor ∗∗∗ --------------------------------------------- Plague malware has been around for months without tripping alarms Updated Researchers at German infosec services company Nextron Threat have spotted malware that creates a highly-persistent Linux backdoor and say antivirus engines do not flag the code as malicious. --------------------------------------------- https://www.theregister.com/2025/08/05/plague_linux_backdoor/ ∗∗∗ CrowdStrike investigated 320 North Korean IT worker cases in the past year ∗∗∗ --------------------------------------------- Threat hunters saw North Korean operatives almost daily, reflecting a 220% year-over-year increase in activity, CrowdStrike said in a new report. --------------------------------------------- https://cyberscoop.com/crowdstrike-north-korean-operatives/ ∗∗∗ Mozilla: Phishing-Attacken auf Add-on-Entwickler beobachtet ∗∗∗ --------------------------------------------- Zurzeit haben es Kriminelle auf Add-on-Entwickler abgesehen, die Erweiterungen für Firefox erstellen. --------------------------------------------- https://www.heise.de/news/Mozilla-warnt-vor-Phishing-Attacken-auf-Add-on-En… ∗∗∗ From code to stolen wallets: How hackers are trapping AI development tools ∗∗∗ --------------------------------------------- When AI becomes a target At a time when AI technology is developing rapidly, AI has been increasingly integrated into our daily lives. However, due .. --------------------------------------------- https://blog.360totalsecurity.com/en/from-code-to-stolen-wallets-how-hacker… ∗∗∗ Achtung Fake-Shop: vorwerk-deutschland.de ∗∗∗ --------------------------------------------- Auf vorwerk-deutschland.de freuen sich viele Kund:innen über ein Schnäppchen. Der neue Thermomix TM7 wird dort zu einem günstigeren Preis angeboten. Doch Vorsicht: Es handelt sich um einen Fake-Shop, der nur Zahlung per Vorkasse akzeptiert. Wer hier bestellt, verliert sein Geld und erhält keine Ware. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-fake-shop-vorwerk-deutschlan… ∗∗∗ Ukrainische Hacker erbeuteten Geheimdokumente über das neueste russische Atom-U-Boot ∗∗∗ --------------------------------------------- Die erbeuteten Daten umfassen Besatzungslisten, Einsatzdaten und Baupläne. Laut dem ukrainischen Geheimdienst wurden auch die Schwächen des U-Boots offengelegt --------------------------------------------- https://www.derstandard.at/story/3000000282244/ukrainische-hacker-erbeutete… ∗∗∗ Erhöhte Bedrohungsaktivität gegen SonicWall Gen 7 Firewalls mit SSLVPN - Sofortmaßnahmen empfohlen ∗∗∗ --------------------------------------------- SonicWall berichtet über eine deutliche Zunahme von Sicherheitsvorfällen in den letzten 96 Stunden, die Gen 7 SonicWall Firewalls mit aktiviertem SSLVPN betreffen. Die Bedrohungsaktivität wurde sowohl intern als auch von externen Organisationen und Unternehmen wie Arctic Wolf, Google Mandiant und Huntress gemeldet. Es ist noch nicht .. --------------------------------------------- https://www.cert.at/de/warnungen/2025/8/erhohte-bedrohungsaktivitat-gegen-s… ∗∗∗ From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira ∗∗∗ --------------------------------------------- Bumblebee malware has been an initial access tool used by threat actors since late 2021. In 2023 the malware was first reported as using SEO poisoning as a delivery .. --------------------------------------------- https://thedfirreport.com/2025/08/05/from-bing-search-to-ransomware-bumbleb… ∗∗∗ Cursor IDE: Persistent Code Execution via MCP Trust Bypass ∗∗∗ --------------------------------------------- Check Point Research uncovered a persistent remote code execution vulnerability in Cursor, a fast-growing AI-powered coding platform trusted by developers worldwide. MCP Vulnerability Cursor allows attackers to gain long-term, silent access to .. --------------------------------------------- https://blog.checkpoint.com/research/cursor-ide-persistent-code-execution-v… ∗∗∗ Vietnamese-speaking hackers appear to be running global data theft operation through Telegram ∗∗∗ --------------------------------------------- A combination of phishing lures, a previously spotted infostealer and Telegram bots are fueling a campaign by apparent Vietnamese-speaking hackers to capture and sell sensitive data globally. --------------------------------------------- https://therecord.media/pxa-infostealer-telegram-bots-vietnamese-speaking-h… ∗∗∗ Neue Insights zum SharePoint-Gate: Mitarbeiter aus China für die Wartung ∗∗∗ --------------------------------------------- Seit dem SharePoint-Desaster im Juli 2025, bei dem Schwachstellen angegriffen wurden, gibt es fast jeden Tag neue Enthüllungen. Es wurde spekuliert, dass mutmaßlich chinesische Hacker vorab auf interne .. --------------------------------------------- https://www.borncity.com/blog/2025/08/05/neue-insights-zum-sharepoint-gate-… ∗∗∗ Microsoft Recall erfasst weiterhin (Juli 2025) Kreditkartendaten und Passwörter ∗∗∗ --------------------------------------------- Ist es eine Überraschung? Nein, keine Überraschung, sondern zu erwarten. Die Spionagefunktion Recall, die Microsoft auf die Windows-Systeme drückt, erfasst weiterhin Sensitives wie Kreditkartendaten und Passwörter. Und dies, .. --------------------------------------------- https://www.borncity.com/blog/2025/08/05/microsoft-recall-erfasst-weiterhin… ∗∗∗ Detection Engineering: Practicing Detection-as-Code – Validation – Part 3 ∗∗∗ --------------------------------------------- In this part, we focus on implementing validation checks to improve consistency and ensure a minimum level of quality within the detection repository. Setting up validation pipelines is a key step, as it helps enforce the defined standards, reduce errors, and ensure that detections are reliable and consistent. --------------------------------------------- https://blog.nviso.eu/2025/08/05/detection-engineering-practicing-detection… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.08.2025
by Daily end-of-shift report 04 Aug '25

04 Aug '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 01-08-2025 18:00 − Montag 04-08-2025 18:00 Handler: Felician Fuchs Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Pi-hole discloses data breach triggered by WordPress plugin flaw ∗∗∗ --------------------------------------------- Pi-hole, a popular network-level ad-blocker, has disclosed that donor names and email addresses were exposed through a security vulnerability in the GiveWP WordPress donation plugin. --------------------------------------------- https://www.bleepingcomputer.com/news/security/pi-hole-discloses-data-breac… ∗∗∗ Mozilla warns of phishing attacks targeting add-on developers ∗∗∗ --------------------------------------------- Mozilla has warned browser extension developers of an active phishing campaign targeting accounts on its official AMO (addons.mozilla.org) repository. --------------------------------------------- https://www.bleepingcomputer.com/news/security/mozilla-warns-of-phishing-at… ∗∗∗ New Plague Linux malware stealthily maintains SSH access ∗∗∗ --------------------------------------------- A newly discovered Linux malware, which has evaded detection for over a year, allows attackers to gain persistent SSH access and bypass authentication on compromised systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-plague-malware-backdoors… ∗∗∗ Exchange: China wirft den USA Militär-Hacking vor ∗∗∗ --------------------------------------------- China beschuldigt US-Geheimdienste, über ein Jahr lang Microsoft Exchange-Schwachstellen ausgenutzt zu haben, um Militärdaten zu stehlen. --------------------------------------------- https://www.golem.de/news/exchange-china-wirft-den-usa-militaer-hacking-vor… ∗∗∗ CISA roasts unnamed critical national infrastructure body for shoddy security hygiene ∗∗∗ --------------------------------------------- Plaintext passwords, shared admin accounts, and insufficient logging rampant at mystery org CISA is using the findings from a recent probe of an unidentified critical infrastructure organization to warn about the dangers of getting cybersecurity seriously wrong. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/08/02/cisa_coast_g… ∗∗∗ Lazarus Group rises again, this time with malware-laden fake FOSS ∗∗∗ --------------------------------------------- Software supply chain management vendor Sonatype last week published research in which it claimed that Lazarus Group has created hundreds of “shadow downloads” that appear to be popular open source software development tools but are full of malware. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/08/04/infosec_in_b… ∗∗∗ Gefälschte Rückerstattungs-Mails im Namen der WKO ∗∗∗ --------------------------------------------- Derzeit werden E-Mails mit dem Betreff „Ihr möglicher Erstattungsbetrag von bis zu 476 Euro“ an zahlreiche Mitglieder der Wirtschaftskammer Österreich (WKO) versendet. Darin wird behauptet, dass möglicherweise ein Rückerstattungsanspruch der Mitgliederbeiträge besteht, den man über einen Link prüfen kann. Achtung: Der Link führt zu einer betrügerischen Website, auf der persönliche Daten gestohlen werden. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-e-mails-zu-rueckersta… ∗∗∗ Akira Ransomware Exploiting Potential Zero-Day in SonicWall SSL VPN ∗∗∗ --------------------------------------------- Artic Wolf also suggest that the attacks could be exploiting an undetermined security flaw in the appliances, meaning a Zero-Day vulnerability, given that some of the incidents affected SonicWall devices which were fully patched. --------------------------------------------- https://www.truesec.com/hub/blog/akira-ransomware-exploiting-potential-zero… ∗∗∗ Doch Sicherheitsvorfall bei Logitech-Partnerliste ∗∗∗ --------------------------------------------- Es hat einen Sicherheitsvorfall bei einem Dienstleister gegeben, der für die Firma Logitech die Logitech-Partner betreut. Logitech-Partner erhielten die Tage eine Betrugs-Mail, die vor dem Risiko eines Angriffs auf eine MetaMask-Wallet warnte, aber einen Phishing-Link enthielt. --------------------------------------------- https://www.borncity.com/blog/2025/08/03/doch-sicherheitsvorfall-bei-logite… ∗∗∗ New Attack Uses Windows Shortcut Files to Install REMCOS Backdoor ∗∗∗ --------------------------------------------- Security firm Point Wild has exposed a new malware campaign using malicious LNK files to install the REMCOS backdoor. This report details how attackers disguise files to gain full system control. --------------------------------------------- https://hackread.com/attack-windows-shortcut-files-install-remcos-backdoor/ ∗∗∗ When Flatpak’s Sandbox Cracks: Real‑Life Security Issues Beyond the Ideal ∗∗∗ --------------------------------------------- Flatpak’s sandbox model is robust in design, but imperfect in deployment. Sandboxes dissolved through misconfiguration, vulnerabilities like CVE‑2024‑32462, and symlink exploits illustrate the friction between ideal and actual protection. --------------------------------------------- https://www.linuxjournal.com/content/when-flatpaks-sandbox-cracks-real-life… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdate: Phishingangriffe auf IBM Operational Decision Manager möglich ∗∗∗ --------------------------------------------- IBMs Businesstool Operational Decision Manager ist verwundbar. In aktuellen Versionen haben die Entwickler zwei Sicherheitslücken geschlossen. --------------------------------------------- https://www.heise.de/news/Sicherheitsupdate-Phishingangriffe-auf-IBM-Operat… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (java-21-openjdk, kernel, libxml2, and lz4), Debian (exempi, ruby-graphql, and sope), Fedora (binutils, chromium, gdk-pixbuf2, libsoup3, poppler, and reposurgeon), Mageia (glib2.0 and wxgtk), Oracle (jackson-annotations, jackson-core, jackson-databind, jackson-jaxrs-providers, and jackson-modules-base and libxml2), Red Hat (kernel, pandoc, pcs, qemu-kvm, redis, and rsync), SUSE (chromedriver, coreutils, cosign, docker, gdk-pixbuf-devel, glib2, gnutls, grub2, gstreamer-plugins-base, helm, ignition, java-21-openjdk, jbigkit, jq, kernel, kubernetes1.28, kwctl, libxml2, nvidia-open-driver-G06-signed, opensc, pam-config, protobuf, python310, tgt, and valkey), and Ubuntu (linux-iot). --------------------------------------------- https://lwn.net/Articles/1032371/ ∗∗∗ Breaking NVIDIA Triton: CVE-2025-23319 - A Vulnerability Chain Leading to AI Server Takeover ∗∗∗ --------------------------------------------- Wiz Research discovers a critical vulnerability chain allowing unauthenticated attackers to take over NVIDIAs Triton Inference Server. --------------------------------------------- https://www.wiz.io/blog/nvidia-triton-cve-2025-23319-vuln-chain-to-ai-server ∗∗∗ Critical Vulnerability in NestJS Devtools: Localhost RCE via Sandbox Escape ∗∗∗ --------------------------------------------- A flawed sandbox in @nestjs/devtools-integration lets attackers run code on your machine via CSRF, leading to full Remote Code Execution (RCE). --------------------------------------------- https://socket.dev/blog/nestjs-rce-vuln ∗∗∗ VU#317469: Partner Software/Partner Web does not sanitize Report files and Note content, allowing for XSS and RCE ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/317469 ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2025-0005 ∗∗∗ --------------------------------------------- https://webkitgtk.org/security/WSA-2025-0005.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.08.2025
by Daily end-of-shift report 01 Aug '25

01 Aug '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 31-07-2025 18:00 − Freitag 01-08-2025 18:00 Handler: Guenes Holler Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Microsoft to disable Excel workbook links to blocked file types ∗∗∗ --------------------------------------------- Microsoft has announced that it will start disabling external workbook links to blocked file types by default between October 2025 and July 2026. [..] After the rollout, Excel workbooks referencing blocked file types will display a #BLOCKED error or fail to refresh, eliminating security risks associated with accessing unsupported or high-risk file types, including, but not limited to, phishing attacks that utilize workbooks to redirect targets to malicious payloads. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-to-disable-extern… ∗∗∗ Kali Linux can now run in Apple containers on macOS systems ∗∗∗ --------------------------------------------- Cybersecurity professionals and researchers can now launch Kali Linux in a virtualized container on macOS Sequoia using Apples new containerization framework. --------------------------------------------- https://www.bleepingcomputer.com/news/security/kali-linux-can-now-run-in-ap… ∗∗∗ Experts Detect Multi-Layer Redirect Tactic Used to Steal Microsoft 365 Login Credentials ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed details of a new phishing campaign that conceals malicious payloads by abusing link wrapping services from Proofpoint and Intermedia to bypass defenses. --------------------------------------------- https://thehackernews.com/2025/07/experts-detect-multi-layer-redirect.html ∗∗∗ Attackers Use Fake OAuth Apps with Tycoon Kit to Breach Microsoft 365 Accounts ∗∗∗ --------------------------------------------- Cybersecurity researchers have detailed a new cluster of activity where threat actors are impersonating enterprises with fake Microsoft OAuth applications to facilitate credential harvesting as part of account takeover attacks. "The fake Microsoft 365 applications impersonate various companies, including RingCentral, SharePoint, Adobe, and Docusign," Proofpoint said in a Thursday report. --------------------------------------------- https://thehackernews.com/2025/08/attackers-use-fake-oauth-apps-with.html ∗∗∗ Huawei, at the heart of the Post outage ∗∗∗ --------------------------------------------- The cyberattack that hit Post (and Luxembourg) last week is believed to have targeted Huawei routers and their operating software. The presence of the Chinese giant at the heart of the infrastructure raises questions. The public company says it is reserving its answers for the MPs and ministers who will meet this Thursday at 10am in parliament. --------------------------------------------- https://en.paperjam.lu/article/huawei-at-the-heart-of-the-post-outage ∗∗∗ CISA Releases Open-Source Eviction Strategies Tool for Cyber Incident Response ∗∗∗ --------------------------------------------- “How an organization approaches remediation and eviction of an incident is critically important to a successful response effort. Over the years, we have seen organizations struggle with identifying the right steps to take and the correct sequencing of actions to properly evict advanced adversaries from their enterprises,” said Jermaine Roebuck, Associate Director for Threat Hunting, CISA. “This tool will level the playing field by making it easier for IT staff and cyber defenders to coordinate efforts and achieve a successful eviction. I encourage public and private sector organizations to incorporate this capability into their incident response plans.” --------------------------------------------- https://www.cisa.gov/news-events/news/cisa-releases-open-source-eviction-st… ∗∗∗ CISA and USCG Issue Joint Advisory to Strengthen Cyber Hygiene in Critical Infrastructure ∗∗∗ --------------------------------------------- CISA, in partnership with the U.S. Coast Guard (USCG), released a joint Cybersecurity Advisory aimed at helping critical infrastructure organizations improve their cyber hygiene. [..] CISA and USCG are sharing their findings and associated mitigations to assist other critical infrastructure organizations identify potential similar issues and take proactive measures to improve their cybersecurity posture. The mitigations include best practices such as not storing passwords or credentials in plaintext, avoiding sharing local administrator account credentials, and implementing comprehensive logging. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/07/31/cisa-and-uscg-issue-join… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (firefox and thunderbird), Debian (libcommons-lang-java, node-form-data, redis, and sope), Fedora (chromium), Mageia (slurm), Oracle (apache-commons-beanutils, firefox, kernel, redis:6, and thunderbird), Red Hat (kernel, kernel-rt, libxml2, and redis), SUSE (chromium, docker, ffmpeg-7, gnutls, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, libgcrypt, rav1e, and sccache), and Ubuntu (linux-lowlatency, linux-lowlatency-hwe-6.8). --------------------------------------------- https://lwn.net/Articles/1032174/ ∗∗∗ WordPress Vulnerability & Patch Roundup — July 2025 ∗∗∗ --------------------------------------------- https://blog.sucuri.net/2025/07/wordpress-vulnerability-patch-roundup-july-… ∗∗∗ Rockwell Automation Lifecycle Services with VMware ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-212-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.07.2025
by Daily end-of-shift report 31 Jul '25

31 Jul '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 30-07-2025 18:00 − Donnerstag 31-07-2025 18:00 Handler: Guenes Holler Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Hackers Exploit Critical WordPress Theme Flaw to Hijack Sites via Remote Plugin Install ∗∗∗ --------------------------------------------- The vulnerability, tracked as CVE-2025-5394, carries a CVSS score of 9.8. Security researcher Thái An has been credited with discovering and reporting the bug. According to Wordfence, the shortcoming relates to an arbitrary file upload affecting all versions of the plugin prior to and including 7.8.3. It has been addressed in version 7.8.5 released on June 16, 2025. --------------------------------------------- https://thehackernews.com/2025/07/hackers-exploit-critical-wordpress.html ∗∗∗ N. Korean Hackers Used Job Lures, Cloud Account Access, and Malware to Steal Millions in Crypto ∗∗∗ --------------------------------------------- The North Korea-linked threat actor known as UNC4899 has been attributed to attacks targeting two different organizations by approaching their employees via LinkedIn and Telegram. --------------------------------------------- https://thehackernews.com/2025/07/n-korean-hackers-used-job-lures-cloud.html ∗∗∗ Scammers Unleash Flood of Slick Online Gaming Sites ∗∗∗ --------------------------------------------- Fraudsters are flooding Discord and other social media platforms with ads for hundreds of polished online gaming and wagering websites that lure people with free credits and eventually abscond with any cryptocurrency funds deposited by players. Here’s a closer look at the social engineering tactics and remarkable traits of this sprawling network of more than 1,200 scam sites. --------------------------------------------- https://krebsonsecurity.com/2025/07/scammers-unleash-flood-of-slick-online-… ∗∗∗ Vorsicht vor dieser iCloud Phishing-Mail ∗∗∗ --------------------------------------------- „Letzte Mitteilung: Ihre Fotos und Videos werden gelöscht – ergreifen Sie Maßnahmen!“ Mit diesem Betreff versenden Kriminelle aktuell Phishing-Mails, die scheinbar von iCloud stammen. Unter dem Vorwand, das Speicherabonnement müsse verlängert werden, versuchen sie, an Zahlungsdaten zu gelangen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-dieser-icloud-phishing-… ∗∗∗ Patents by Silk Typhoon-linked company shed light on Beijing’s offensive hacking capabilities ∗∗∗ --------------------------------------------- SentinelOne's threat researchers pored through recent Justice Department indictments of prominent Chinese hackers and mapped out the country’s evolving web of private companies that are hired to launch cyberattacks on behalf of the government. --------------------------------------------- https://therecord.media/patents-silk-typhoon-company-beijing ∗∗∗ GreyNoise Uncovers Early Warning Signals for Emerging Vulnerabilities ∗∗∗ --------------------------------------------- It’s well known that the window between CVE disclosure and active exploitation has narrowed. But what happens before a CVE is even disclosed? In our latest research “Early Warning Signals: When Attacker Behavior Precedes New Vulnerabilities,” GreyNoise analyzed hundreds of spikes in malicious activity — scanning, brute forcing, exploit attempts, and more — targeting edge technologies. We discovered a consistent and actionable trend: in the vast majority of cases, these spikes were followed by the disclosure of a new CVE affecting the same technology within six weeks. --------------------------------------------- https://www.greynoise.io/blog/greynoise-uncovers-early-warning-signals-emer… ∗∗∗ In search of riches, hackers plant 4G-enabled Raspberry Pi in bank network ∗∗∗ --------------------------------------------- Hackers planted a Raspberry Pi equipped with a 4G modem in the network of an unnamed bank in an attempt to siphon money out of the financial institution's ATM system, researchers reported Wednesday. --------------------------------------------- https://arstechnica.com/security/2025/07/in-search-of-riches-hackers-plant-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (firefox, java-21-openjdk, kernel, thunderbird, and unbound), Debian (chromium and systemd), Fedora (libtiff), Oracle (java-21-openjdk, libtpms, nodejs:22, redis:7, thunderbird, and unbound), Red Hat (firefox, redis, and thunderbird), SUSE (apache2, cdi-apiserver-container, cdi-cloner-container, cdi- controller-container, cdi-importer-container, cdi-operator-container, cdi- uploadproxy-container, cdi-uploadserver-container, cont, java-11-openjdk, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestf, libarchive, nvidia-open-driver-G06-signed, redis, and rmt-server), and Ubuntu (linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx, linux-oracle, linux-oracle-5.15, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.14, linux-gcp, linux-gcp-6.14, linux-hwe-6.14, linux-oem-6.14, linux-raspi, linux-realtime, linux, linux-aws, linux-aws-6.8, linux-gcp, linux-gke, linux-gkeop, linux-hwe-6.8, linux-ibm, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oem-6.8, linux-oracle, linux, linux-aws, linux-kvm, linux-aws, linux-lts-xenial, linux-aws-fips, linux-fips, linux-gcp-fips, linux-azure, linux-fips, linux-intel-iot-realtime, linux-realtime, linux-oracle, linux-oracle-6.8, linux-realtime, and sqlite3). --------------------------------------------- https://lwn.net/Articles/1032083/ ∗∗∗ Schnell installieren: Apple fixt Zero-Day-Angriff in WebKit ∗∗∗ --------------------------------------------- Apples in der Nacht zum Mittwoch erschienene Updates für iOS, iPadOS und macOS sollten dringend schnell eingespielt werden: Wie nun erst bekannt wurde, wird damit auch ein WebKit-Bug gefixt, für den es bereits einen Exploit gibt. Dieser wird allerdings bislang nur verwendet, um Chrome-Nutzer anzugreifen, wie es in der zugehörigen NIST-Meldung heißt (CVE-2025-6558). Der Fehler wird mit "Severity: High" bewertet. Verwirrend: Apple warnt in seinen Sicherheitsunterlagen nicht vor bekannten aktiven Angriffen – offenbar, weil es für den Apple-Browser Safari noch keine entsprechenden Berichte gibt. --------------------------------------------- https://heise.de/-10505297 ∗∗∗ Sicherheitsupdate: Schwachstellen gefährden HCL BigFix Remote Control ∗∗∗ --------------------------------------------- Die Endpoint-Management-Plattform HCL BigFix ist verwundbar (CVE-2025-31965 "hoch"), und Angreifer können unbefugt Daten einsehen oder mit viel Aufwand und richtigem Timing sogar auf einen privaten Schlüssel zugreifen. Die Schwachstellen finden sich konkret in HCL BigFix Remote Control. Eine abgesicherte Version steht zum Download bereit. --------------------------------------------- https://heise.de/-10505415 ∗∗∗ CVE-2025-8292 - DSA-5968-1 chromium - security update ∗∗∗ --------------------------------------------- https://lists.debian.org/debian-security-announce/2025/msg00132.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.07.2025
by Daily end-of-shift report 30 Jul '25

30 Jul '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 29-07-2025 18:00 − Mittwoch 30-07-2025 18:00 Handler: Felician Fuchs Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Attackers Can Use Browser Extensions to Inject AI Prompts ∗∗∗ --------------------------------------------- A brand-new cyberattack vector allows threat actors to use a poisoned browser extension to inject malicious prompts into all of the top generative AI tools on the market, including ChatGPT, Gemini, and others. --------------------------------------------- https://www.darkreading.com/vulnerabilities-threats/attackers-use-browser-e… ∗∗∗ PyPI Warns of Ongoing Phishing Campaign Using Fake Verification Emails and Lookalike Domain ∗∗∗ --------------------------------------------- The maintainers of the Python Package Index (PyPI) repository have issued a warning about an ongoing phishing attack thats targeting users in an attempt to redirect them to fake PyPI sites. The attack involves sending email messages bearing the subject line "[PyPI] Email verification" that are sent from the email address noreply(a)pypj[.]org (note that the domain is not "pypi[.]org"). --------------------------------------------- https://thehackernews.com/2025/07/pypi-warns-of-ongoing-phishing-campaign.h… ∗∗∗ 2025 Unit 42 Global Incident Response Report: Social Engineering Edition ∗∗∗ --------------------------------------------- Social engineering thrives on trust and is now boosted by AI. Unit 42 incident response data explains why its surging. We detail eight critical countermeasures. --------------------------------------------- https://unit42.paloaltonetworks.com/2025-unit-42-global-incident-response-r… ∗∗∗ Google Project Zero to publicly announce bugs within a week of reporting them ∗∗∗ --------------------------------------------- The vulnerability hunters at Google Project Zero want to address what they call the "upstream patch gap," when a vendor has a fix available but the downstream product providers havent integrated it yet. --------------------------------------------- https://therecord.media/google-project-zero-publicly-announce-vulnerabiliti… ∗∗∗ Decryptor released for FunkSec ransomware; Avast works with law enforcement to help victims ∗∗∗ --------------------------------------------- Cybersecurity company Avast released a decryptor for the short-lived FunkSec ransomware and said it is assisting dozens of the gangs targets with the process. --------------------------------------------- https://therecord.media/funksec-ransomware-decryptor-avast ∗∗∗ New Choicejacking Attack Steals Data from Phones via Public Chargers ∗∗∗ --------------------------------------------- Choicejacking is a new USB attack that tricks phones into sharing data at public charging stations, bypassing security prompts in milliseconds. --------------------------------------------- https://hackread.com/choicejacking-attack-steals-data-phones-public-charger… ∗∗∗ CISA Releases Part One of Zero Trust Microsegmentation Guidance ∗∗∗ --------------------------------------------- This guidance provides a high-level overview of microsegmentation, focusing on its key concepts, associated challenges and potential benefits, and includes recommended actions to modernize network security and advance zero trust principles. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/07/29/cisa-releases-part-one-z… ===================== = Vulnerabilities = ===================== ∗∗∗ New Lenovo UEFI firmware updates fix Secure Boot bypass flaws ∗∗∗ --------------------------------------------- Lenovo is warning about high-severity BIOS flaws that could allow attackers to potentially bypass Secure Boot in all-in-one desktop PC models that use customized Insyde UEFI (Unified Extensible Firmware Interface). --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-lenovo-uefi-firmware-upd… ∗∗∗ Apple Patches Safari Vulnerability Also Exploited as Zero-Day in Google Chrome ∗∗∗ --------------------------------------------- Apple on Tuesday released security updates for its entire software portfolio, including a fix for a vulnerability that Google said was exploited as a zero-day in the Chrome web browser earlier this month. The vulnerability, tracked as CVE-2025-6558 (CVSS score: 8.8), is an incorrect validation of untrusted input in the browser's ANGLE and GPU components that could result in a sandbox escape via a crafted HTML page. --------------------------------------------- https://thehackernews.com/2025/07/apple-patches-safari-vulnerability-also.h… ∗∗∗ Critical Dahua Camera Flaws Enable Remote Hijack via ONVIF and File Upload Exploits ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed now-patched critical security flaws in the firmware of Dahua smart cameras that, if left unaddressed, could allow attackers to hijack control of susceptible devices. --------------------------------------------- https://thehackernews.com/2025/07/critical-dahua-camera-flaws-enable.html ∗∗∗ Autodesk Security Advisory 29.07.2025 ∗∗∗ --------------------------------------------- Certain Autodesk products use a shared component that is affected by multiple vulnerabilities listed below. Exploitation of these vulnerabilities can lead to code execution. Exploitation of these vulnerabilities requires user interaction. --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0015 ∗∗∗ Sicherheitsupdates: Angreifer können auf Dell ECS und ObjectScale zugreifen ∗∗∗ --------------------------------------------- Angreifer können mit vergleichsweise wenig Aufwand auf Dell Elastic Cloud Storage (ECS) und ObjectScale zugreifen. Damit setzten Firmen unter anderem Cloudspeicher auf. Liegen dort wichtige Daten, können unbefugte Zugriffe weitreichende Folgen haben. Sicherheitsupdates schließen die Schwachstelle. --------------------------------------------- https://www.heise.de/news/Sicherheitsupdates-Angreifer-koennen-auf-Dell-ECS… ∗∗∗ Stable Channel Update for Desktop ∗∗∗ --------------------------------------------- The Stable channel has been updated to 138.0.7204.183/.184 for Windows, Mac and 138.0.7204.183 for Linux which will roll out over the coming days/weeks. This update includes 4 security fixes. --------------------------------------------- http://chromereleases.googleblog.com/2025/07/stable-channel-update-for-desk… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (firefox, icu, kernel-rt, libtpms, redis:6, redis:7, and sqlite), Fedora (chromium and cloud-init), Oracle (icu, java-1.8.0-openjdk, java-21-openjdk, kernel, nodejs:22, perl, and sqlite), SUSE (docker, java-1_8_0-openj9, libxml2, python-starlette, and thunderbird), and Ubuntu (cloud-init, linux-azure, linux-azure-5.4, linux-azure-fips, linux-raspi, linux-raspi-5.4, and perl). --------------------------------------------- https://lwn.net/Articles/1031919/ ∗∗∗ Zahnarzt Praxis-Verwaltung-System (PVS): Sicherheitslücken beim CGM Z1 – Teil 1 ∗∗∗ --------------------------------------------- Von der Firma CompuGroup Medical (CGM) wird auch ein Praxis-Verwaltungssystem (PVS) für Zahnärzte vertrieben. Das System ist laut Firmenaussage bei über 7.000 Zahnärzten im Einsatz. Eine anonym bleiben wollende Quelle informierte mich Anfang des Jahres über potentielle Sicherheitsprobleme in dieser Software. Inzwischen hat es ein Software-Update gegeben, mit dem diese Probleme ausgeräumt sein sollten. Ich fasse mal den Sachverhalt in einigen Blog-Beiträgen zusammen. --------------------------------------------- https://www.borncity.com/blog/2025/07/30/sicherheit-beim-zahnarzt-pvs-z1/ ∗∗∗ Delta Electronics DTN Soft ∗∗∗ --------------------------------------------- According to Delta Electronics, if a version of DTN Soft prior to v2.1.0 is installed, it should be updated to v2.1.0 or later. If DTM Soft is also installed, it should be updated to v1.6.0.0 (released on March 25, 2025) or later. Successful exploitation of this vulnerability could allow an attacker to use a specially crafted project file to execute arbitrary code. --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-210-03 ∗∗∗ TP-Link Archer C50 router is vulnerable to configuration-file decryption ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/554637 ∗∗∗ Security update for Tenable Patch Management Fixes One Vulnerability ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2025-15 ∗∗∗ CISA: Security update for National Instruments LabVIEW ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-210-01 ∗∗∗ CISA: Security update for Samsung HVAC DMS ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-210-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.07.2025
by Daily end-of-shift report 29 Jul '25

29 Jul '25

===================== = End-of-Day report = ===================== Timeframe: Montag 28-07-2025 18:00 − Dienstag 29-07-2025 18:00 Handler: Guenes Holler Co-Handler: n/a ===================== = News = ===================== ∗∗∗ OpenAI’s ChatGPT Agent casually clicks through “I am not a robot” verification test ∗∗∗ --------------------------------------------- On Friday, OpenAI's new ChatGPT Agent, which can perform multistep tasks for users, proved it can pass through one of the Internet's most common security checkpoints by clicking Cloudflare's anti-bot verification—the same checkbox that's supposed to keep automated programs like itself at bay. --------------------------------------------- https://arstechnica.com/information-technology/2025/07/openais-chatgpt-agen… ∗∗∗ Exploit available for critical Cisco ISE bug exploited in attacks ∗∗∗ --------------------------------------------- Security researcher Bobby Gould has published a blog post demonstrating a complete exploit chain for CVE-2025-20281, an unauthenticated remote code execution vulnerability in Cisco Identity Services Engine (ISE). --------------------------------------------- https://www.bleepingcomputer.com/news/security/exploit-available-for-critic… ∗∗∗ Endgame Gear mouse config tool infected users with malware ∗∗∗ --------------------------------------------- Gaming peripherals maker Endgame Gear is warning that malware was hidden in its configuration tool for the OP1w 4k v2 mouse hosted on the official website between June 26 and July 9, 2025. The infected file was hosted on 'endgamegear.com/gaming-mice/op1w-4k-v2,' so users downloading the tool from that page during this period were infected. --------------------------------------------- https://www.bleepingcomputer.com/news/security/endgame-gear-mouse-config-to… ∗∗∗ Critical Flaw in Vibe-Coding Platform Base44 Exposed Apps ∗∗∗ --------------------------------------------- The rise of "vibe coding" platforms that enable developers to build software with minimal traditional coding could create a slew of new security risks for organizations. A recent example is a now-patched vulnerability in the Base44 AI-powered development platform that allowed unauthorized users to gain complete access to private enterprise applications hosted on the service. --------------------------------------------- https://www.darkreading.com/application-security/critical-flaw-vibe-coding-… ∗∗∗ Parasitic Sharepoint Exploits ∗∗∗ --------------------------------------------- Last week, newly exploited SharePoint vulnerabilities took a lot of our attention. It is fair to assume that last Monday (July 21st), all exposed vulnerable SharePoint installs were exploited. Of course, there is nothing to prevent multiple exploitation of the same instance, and a lot of that certainly happened. But why exploit it yourself if you can just take advantage of backdoors left behind by prior exploits? A number of these backdoors were widely publicised. The initial backdoor "spinstall0.aspx", was frequently observed and Microsoft listed various variations of this filename [1]. --------------------------------------------- https://isc.sans.edu/diary/rss/32148 ∗∗∗ Windows auf veraltete libcurl-Bibliotheken in Programmen überprüfen ∗∗∗ --------------------------------------------- Microsoft liefert die cURL-Bibliothek häufiger mit veralteten Versionen, die Sicherheitslücken aufweisen, aus. Auch Software-Pakete kommen mit uralten libcurl-Dateien daher. Wie kann ich prüfen, ob da irgendwelche Altlasten auf meinen Systemen schlummern? --------------------------------------------- https://www.borncity.com/blog/2025/07/29/software-und-die-veralteten-libcur… ∗∗∗ Gunra Ransomware Group Unveils Efficient Linux Variant ∗∗∗ --------------------------------------------- Gunra ransomware was first observed in April 2025 in a campaign that targeted Windows systems using techniques inspired by the infamous Conti ransomware. Our monitoring of the ransomware landscape revealed that threat actors behind Gunra have expanded with a Linux variant, signaling a strategic move toward cross-platform targeting. --------------------------------------------- https://www.trendmicro.com/en_us/research/25/g/gunra-ransomware-linux-varia… ∗∗∗ SAP NetWeaver Vulnerability Used in Auto-Color Malware Attack on US Firm ∗∗∗ --------------------------------------------- Darktrace uncovers the first exploit of a critical SAP NetWeaver vulnerability (CVE-2025-31324) to deploy Auto-Color backdoor malware. Learn how this evasive Linux RAT targets systems for remote code execution and how AI-powered defence thwarts multi-stage attacks. --------------------------------------------- https://hackread.com/sap-netweaver-vulnerability-auto-color-malware-us-firm/ ∗∗∗ Stack Overflows, Heap Overflows, and Existential Dread (SonicWall SMA100 CVE-2025-40596, CVE-2025-40597 and CVE-2025-40598) ∗∗∗ --------------------------------------------- Our initial journey started with analyzing SonicWall N-days that were receiving coveted attention from our friendly APT groups. But somewhere along the way - deep in a fog of malformed headers and reverse proxy schenanigans - we stumbled across vulnerabilities that feel like they were preserved in amber from a more naïve era of C programming. --------------------------------------------- https://labs.watchtowr.com/stack-overflows-heap-overflows-and-existential-d… ∗∗∗ Security: CERT@VDE wird erste deutsche Schaltzentrale für Sicherheitslücken ∗∗∗ --------------------------------------------- Das Sicherheits- und Computer-Notfallteam des Elektrotechnik- und IT-Verbands VDE spielt international seit wenigen Tagen eine wichtigere Rolle. Die Branchenvereinigung teilte am Freitag mit, dass das eigene Computer Emergency Response Team CERT@VDE zur zentralen Stelle im Kampf gegen IT-Sicherheitslücken im Bereich der Industrieautomation mit Fokus auf kleine und mittlere Unternehmen aufgestiegen sei. Dessen Arbeit zur Koordination von Security-Problemen in diesem Sektor erhält damit eine weltweite Bedeutung. --------------------------------------------- https://heise.de/-10502241 ∗∗∗ Attacking GenAI applications and LLMs – Sometimes all it takes is to ask nicely! ∗∗∗ --------------------------------------------- Generative AI and LLM technologies have shown great potential in recent years, and for this reason, an increasing number of applications are starting to integrate them for multiple purposes. These applications are becoming increasingly complex, adopting approaches that involve multiple specialized agents, each focused on one or more tasks, interacting with one another and using external tools to access information, perform operations, or carry out tasks that LLMs are not capable of handling directly (e.g., mathematical computations). --------------------------------------------- https://security.humanativaspa.it/attacking-genai-applications-and-llms-som… ===================== = Vulnerabilities = ===================== ∗∗∗ CVE-2025-26397 - ZDI-25-654: SolarWinds TFTP Server Deserialization of Untrusted Data Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows local attackers to escalate privileges on affected installations of SolarWinds TFTP Server. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the internal TFTP communications endpoint, which listens on the localhost interface on TCP port 8099 by default. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-654/ ∗∗∗ Jetzt patchen! Attacken auf PaperCut NG/MF beobachtet ∗∗∗ --------------------------------------------- Aufgrund derzeit laufender Angriffe sollten Admins sicherstellen, dass sie eine aktuelle Ausgabe der Druckermanagementsoftware PaperCut NG/MF installiert haben. Sind Attacken erfolgreich, können Angreifer im schlimmsten Fall Schadcode auf Systeme schieben und ausführen. Sicherheitsupdates sind schon länger verfügbar. --------------------------------------------- https://www.heise.de/news/Jetzt-patchen-Attacken-auf-PaperCut-NG-MF-beobach… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (freerdp, git-lfs, golang-github-openprinting-ipp-usb, grafana, grafana-pcp, icu, ipa, iputils, krb5, libvpx, nodejs:22, osbuild-composer, perl, python-tornado, qt6-qtbase, sqlite, unbound, valkey, wireshark, and yggdrasil), Debian (libfastjson and php8.2), Fedora (glibc), Oracle (firefox, icu, perl, and unbound), Red Hat (389-ds-base, glib2, icu, libtpms, redis:6, redis:7, and yelp), SUSE (boost, forgejo-longterm, java-11-openj9, java-17-openj9, java-1_8_0-openj9, kernel, nginx, and salt), and Ubuntu (linux-xilinx-zynqmp, openjdk-8, openjdk-lts, poppler, and sqlite3). --------------------------------------------- https://lwn.net/Articles/1031812/ ∗∗∗ Samsung Security Updates for Smart TV, Audio and Displays ∗∗∗ --------------------------------------------- https://security.samsungtv.com/securityUpdates ∗∗∗ CVE-2025-2179 GlobalProtect App: Non Admin User Can Disable the GlobalProtect App (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2025-2179 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0