=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 14-10-2025 18:00 − Wednesday 15-10-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ F5 says hackers stole undisclosed BIG-IP flaws, source code ∗∗∗
---------------------------------------------
U.S. cybersecurity company F5 disclosed that nation-state hackers breached its systems and stole undisclosed BIG-IP security vulnerabilities and source code.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-breach-f5-to-steal-u…
∗∗∗ Exploit-as-a-Service Resurgence in 2025 – Broker Models, Bundles & Subscription Access ∗∗∗
---------------------------------------------
Exploit-as-a-Service in 2025: how exploit brokerages, subscription bundles, and underground access models are reshaping cyber crime economics.
---------------------------------------------
https://www.darknet.org.uk/2025/10/exploit-as-a-service-resurgence-in-2025-…
∗∗∗ Microsoft: Exchange 2016 and 2019 have reached end of support ∗∗∗
---------------------------------------------
Microsoft has reminded that Exchange Server 2016 and 2019 reached the end of support and advised IT administrators to upgrade servers to Exchange Server SE or migrate to Exchange Online.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-2016-and…
∗∗∗ Microsoft flags Windows 10 21H2 Enterprise LTSC as EOL ∗∗∗
---------------------------------------------
Brief information for owners and administrators of Windows 10 21H2 Enterprise LTSC (and of course the IoT version). Administrators of these machines are (incorrectly) shown a notice that support for this version is now ending.
---------------------------------------------
https://www.borncity.com/blog/2025/10/15/mega-pleite-microsoft-signalisiert…
∗∗∗ Oops! It's a kernel stack use-after-free: Exploiting NVIDIA's GPU Linux drivers ∗∗∗
---------------------------------------------
This article details two bugs discovered in the NVIDIA Linux Open GPU Kernel Modules and demonstrates how they can be exploited. [..] They were reported to NVIDIA and the vendor issued fixes in their NVIDIA GPU Display Drivers update of October 2025.
---------------------------------------------
http://blog.quarkslab.com/nvidia_gpu_kernel_vmalloc_exploit.html
∗∗∗ Credential Attacks Detected on SonicWall SSLVPN Devices ∗∗∗
---------------------------------------------
A managed security services provider has detected credential attacks on SonicWall SSLVPN devices. The attacks, reported by Huntress, involve “widespread compromise” of SonicWall SSLVPN devices. [..] The report follows a SonicWall advisory that an unauthorized party had accessed firewall configuration backup files for all SonicWall customers who have used the company’s cloud backup service.
---------------------------------------------
https://thecyberexpress.com/credential-attacks-on-sonicwall-sslvpn-devices/
∗∗∗ Dismantling a Critical Supply Chain Risk in VSCode Extension Marketplaces ∗∗∗
---------------------------------------------
Wiz Research identified a pattern of secret leakage by publishers of VSCode IDE Extensions. This occurred across both the VSCode and Open VSX marketplaces, the latter of which is used by AI-powered VSCode forks like Cursor and Windsurf. Critically, in over a hundred cases this included leakage of access tokens granting the ability to update the extension itself. [..] An attacker who discovered this issue would have been able to directly distribute malware to the cumulative 150,000 install base.
---------------------------------------------
https://www.wiz.io/blog/supply-chain-risk-in-vscode-extension-marketplaces
∗∗∗ LinkPro: eBPF rootkit analysis ∗∗∗
---------------------------------------------
eBPF (extended Berkeley Packet Filter) is a technology adopted in Linux for its numerous use cases (observability, security, networking, etc.) and its ability to run in the kernel context while being orchestrated from user space. Threat actors are increasingly abusing it to create sophisticated backdoors and evade traditional system monitoring tools.
---------------------------------------------
https://www.synacktiv.com/en/publications/linkpro-ebpf-rootkit-analysis.html
=====================
= Vulnerabilities =
=====================
∗∗∗ Patch Day XXL: Microsoft closes vulnerabilities, some of them under active attack ∗∗∗
---------------------------------------------
With more than 170 security vulnerabilities closed, Microsoft's Patch Day this month is larger than average. No fewer than 17 fixes for critical vulnerabilities are available, among others for Azure, Copilot, Office and the Windows Server Update Service (WSUS). In addition, three actively attacked vulnerabilities rated "Important" make installing the available updates (ideally automatically) particularly urgent.
---------------------------------------------
https://heise.de/-10764876
∗∗∗ Patch Day: Adobe closes critical vulnerabilities in several products ∗∗∗
---------------------------------------------
Dangerous vulnerabilities are present in Substance 3D Stager, Connect, Dimension and Illustrator, among others. Current security fixes close them.
---------------------------------------------
https://www.heise.de/news/Patchday-Adobe-schliesst-kritische-Luecken-in-meh…
∗∗∗ Fortinet updates FortiOS, FortiPAM and FortiSwitch Manager, among others ∗∗∗
---------------------------------------------
Vulnerabilities in FortiOS, FortiPAM, FortiSwitch Manager, FortiDLP, FortiIsolator and FortiClient Mac were rated with severity "High". [..] Local, authenticated attackers could abuse vulnerability CVE-2025-58325 ("Restricted CLI command bypass"; CVSS score 7.8) to execute system commands via the command line without authorization.
---------------------------------------------
https://www.heise.de/news/Fortinet-aktualisiert-unter-anderem-FortiOS-Forti…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (kernel, kernel-rt, vim, and webkit2gtk3), Debian (distro-info-data, https-everywhere, and php-horde-css-parser), Fedora (inih, mingw-exiv2, mirrorlist-server, rust-maxminddb, rust-monitord-exporter, rust-prometheus, rust-prometheus_exporter, rust-protobuf, rust-protobuf-codegen, rust-protobuf-parse, and rust-protobuf-support), Mageia (fetchmail), Oracle (gnutls, kernel, vim, and webkit2gtk3), Red Hat (kernel, kernel-rt, and webkit2gtk3), Slackware (mozilla), SUSE (curl, libxslt, and net-tools), and Ubuntu (linux-azure-5.15, linux-azure-6.8, linux-azure-fips, linux-oracle, linux-oracle-6.14, and linux-raspi).
---------------------------------------------
https://lwn.net/Articles/1042076/
∗∗∗ Google Chrome: Stable Channel Update for Desktop ∗∗∗
---------------------------------------------
http://chromereleases.googleblog.com/2025/10/stable-channel-update-for-desk…
∗∗∗ Rockwell Automation 1715 EtherNet/IP Comms Module ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-287-01
∗∗∗ F5: K000156572: Quarterly Security Notification (October 2025) ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000156572
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Monday 13-10-2025 18:00 − Tuesday 14-10-2025 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Hackers can steal 2FA codes and private messages from Android phones ∗∗∗
---------------------------------------------
Android devices are vulnerable to a new attack that can covertly steal two-factor authentication codes, location timelines, and other private data in less than 30 seconds.
---------------------------------------------
https://arstechnica.com/security/2025/10/no-fix-yet-for-attack-that-lets-ha…
∗∗∗ Chinese hackers abuse geo-mapping tool for year-long persistence ∗∗∗
---------------------------------------------
Chinese state hackers remained undetected in a target environment for more than a year by turning a component in the ArcGIS geo-mapping tool into a web shell.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/chinese-hackers-abuse-geo-ma…
∗∗∗ Secure Boot bypass risk on nearly 200,000 Linux Framework systems ∗∗∗
---------------------------------------------
Around 200,000 Linux computer systems from American computer maker Framework were shipped with signed UEFI shell components that could be exploited to bypass Secure Boot protections. An attacker could take advantage to load bootkits (e.g. BlackLotus, HybridPetya, and Bootkitty) that can evade OS-level security controls and persist across OS re-installs.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/secure-boot-bypass-risk-on-n…
∗∗∗ Researchers Expose TA585’s MonsterV2 Malware Capabilities and Attack Chain ∗∗∗
---------------------------------------------
Cybersecurity researchers have shed light on a previously undocumented threat actor called TA585 that has been observed delivering an off-the-shelf malware called MonsterV2 via phishing campaigns.
---------------------------------------------
https://thehackernews.com/2025/10/researchers-expose-ta585s-monsterv2.html
∗∗∗ npm, PyPI, and RubyGems Packages Found Sending Developer Data to Discord Channels ∗∗∗
---------------------------------------------
Cybersecurity researchers have identified several malicious packages across npm, Python, and Ruby ecosystems that leverage Discord as a command-and-control (C2) channel to transmit stolen data to actor-controlled webhooks.
---------------------------------------------
https://thehackernews.com/2025/10/npm-pypi-and-rubygems-packages-found.html
=====================
= Vulnerabilities =
=====================
∗∗∗ Security vulnerability: Another emergency patch for Oracle E-Business Suite ∗∗∗
---------------------------------------------
Oracle has released another out-of-band update for the E-Business Suite. According to a security alert, a vulnerability with the identifier CVE-2025-61884 can be exploited remotely and without authentication. Attackers may gain access to confidential resources.
---------------------------------------------
https://www.golem.de/news/sicherheitsluecke-weiterer-notfall-patch-fuer-ora…
∗∗∗ SAP Patch Day in October fixes several critical vulnerabilities ∗∗∗
---------------------------------------------
Update now: important security updates and notes are available, among others, for NetWeaver, Print Service and Supplier Relationship Management.
---------------------------------------------
https://www.heise.de/news/SAP-Patchday-im-Oktober-behebt-mehrere-kritische-…
∗∗∗ Patch now: Veeam Backup & Replication vulnerable to remote code execution ∗∗∗
---------------------------------------------
A freshly released patch protects Veeam's backup solution against two separate remote code execution flaws. The agent for Windows has also been secured.
---------------------------------------------
https://www.heise.de/news/Jetzt-patchen-Veeam-Backup-Replication-anfaellig-…
∗∗∗ Internet Explorer, thought dead, becomes a security hole: Microsoft responds ∗∗∗
---------------------------------------------
Following active attacks, Microsoft has drastically restricted Internet Explorer mode in Edge. Attackers even used zero-days for system takeovers.
---------------------------------------------
https://www.heise.de/news/Gefahr-aus-dem-Grab-Microsoft-verbuddelt-IE-noch-…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ghostscript and libfcgi), Fedora (qt5-qtsvg), Red Hat (kernel, perl-FCGI, perl-FCGI:0.78, and vim), SUSE (bluez, curl, podman, postgresql14, python-xmltodict, and udisks2), and Ubuntu (linux-azure, linux-azure-5.4, linux-azure-fips, linux-oracle, and subversion).
---------------------------------------------
https://lwn.net/Articles/1041886/
∗∗∗ Ivanti: October 2025 Security Update ∗∗∗
---------------------------------------------
https://www.ivanti.com/blog/october-2025-security-update
=====================
= End-of-Day report =
=====================
Timeframe: Friday 10-10-2025 18:01 − Monday 13-10-2025 18:00
Handler: Felician Fuchs
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ Oracle releases emergency patch for new E-Business Suite flaw ∗∗∗
---------------------------------------------
Oracle has issued an emergency security update over the weekend to patch another E-Business Suite (EBS) vulnerability that can be exploited remotely by unauthenticated attackers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/oracle-releases-emergency-pa…
∗∗∗ Windows 11 23H2 Home and Pro reach end of support in 30 days ∗∗∗
---------------------------------------------
Microsoft has reminded customers again today that systems running Home and Pro editions of Windows 11 23H2 will stop receiving security updates next month.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/windows-11-23h2-home-and-pr…
∗∗∗ Chinese Hackers Use Velociraptor IR Tool in Ransomware Attacks ∗∗∗
---------------------------------------------
In a new wrinkle for adversary tactics, the Storm-2603 threat group is abusing the digital forensics and incident response (DFIR) tool to gain persistent access to victim networks.
---------------------------------------------
https://www.darkreading.com/cybersecurity-operations/chinese-hackers-veloci…
∗∗∗ New Rust-Based Malware "ChaosBot" Uses Discord Channels to Control Victims' PCs ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed details of a new Rust-based backdoor called ChaosBot that can allow operators to conduct reconnaissance and execute arbitrary commands on compromised hosts.
---------------------------------------------
https://thehackernews.com/2025/10/new-rust-based-malware-chaosbot-hijacks.h…
∗∗∗ Astaroth Banking Trojan Abuses GitHub to Remain Operational After Takedowns ∗∗∗
---------------------------------------------
Cybersecurity researchers are calling attention to a new campaign that delivers the Astaroth banking trojan that employs GitHub as a backbone for its operations to stay resilient in the face of infrastructure takedowns.
---------------------------------------------
https://thehackernews.com/2025/10/astaroth-banking-trojan-abuses-github.html
∗∗∗ Microsoft Locks Down IE Mode After Hackers Turned Legacy Feature Into Backdoor ∗∗∗
---------------------------------------------
Microsoft said it has revamped the Internet Explorer (IE) mode in its Edge browser after receiving "credible reports" in August 2025 that unknown threat actors were abusing the backward compatibility feature to gain unauthorized access to users' devices.
---------------------------------------------
https://thehackernews.com/2025/10/microsoft-locks-down-ie-mode-after.html
∗∗∗ Invoicely Database Leak Exposes 180,000 Sensitive Records ∗∗∗
---------------------------------------------
Cybersecurity researcher Jeremiah Fowler discovered nearly 180,000 files, including PII and banking details, left exposed on an unprotected database linked to the Invoicely platform. Read about the identity theft and financial fraud risks for over 250,000 businesses worldwide.
---------------------------------------------
https://hackread.com/invoicely-database-leak-expose-sensitive-records/
∗∗∗ 100,000+ IP Botnet Launches Coordinated RDP Attack Wave Against US Infrastructure ∗∗∗
---------------------------------------------
Since October 8, 2025, GreyNoise has tracked a coordinated botnet operation involving over 100,000 unique IP addresses from more than 100 countries targeting Remote Desktop Protocol (RDP) services in the United States.
---------------------------------------------
https://www.greynoise.io/blog/botnet-launches-coordinated-rdp-attack-wave
∗∗∗ Qantas customer data online, including Troy Hunt's ∗∗∗
---------------------------------------------
In July, attackers captured important data from the Australian airline. It is not yet clear which of it is now circulating online.
---------------------------------------------
https://heise.de/-10750869
∗∗∗ Critical GitHub Copilot Vulnerability Leaks Private Source Code ∗∗∗
---------------------------------------------
In June 2025, I found a critical vulnerability in GitHub Copilot Chat (CVSS 9.6) that allowed silent exfiltration of secrets and source code from private repos, and gave me full control over Copilot’s responses, including suggesting malicious code or links.
---------------------------------------------
https://www.legitsecurity.com/blog/camoleak-critical-github-copilot-vulnera…
∗∗∗ North Korea’s Contagious Interview Campaign Escalates: 338 Malicious npm Packages, 50,000 Downloads ∗∗∗
---------------------------------------------
The Contagious Interview operation continues to weaponize the npm registry with a repeatable playbook. Since our July 14, 2025 update, we have identified and analyzed more than 338 malicious packages with over 50,000 cumulative downloads.
---------------------------------------------
https://socket.dev/blog/north-korea-contagious-interview-campaign-338-malic…
=====================
= Vulnerabilities =
=====================
∗∗∗ VU#538470: Clevo UEFI firmware embedded BootGuard keys compromising Clevo's implementation of BootGuard ∗∗∗
---------------------------------------------
Clevo’s UEFI firmware update packages included sensitive private keys used in their Intel Boot Guard implementation. This accidental exposure of the keys could be abused by an attacker to sign malicious firmware using Clevo’s Boot Guard trust chain, potentially compromising the pre-boot UEFI environment on systems where Clevo’s implementation has been adopted.
---------------------------------------------
https://kb.cert.org/vuls/id/538470
∗∗∗ Oracle Security Alert for CVE-2025-61884 - 11 October 2025 ∗∗∗
---------------------------------------------
This Security Alert addresses vulnerability CVE-2025-61884 in Oracle E-Business Suite. This vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password. If successfully exploited, this vulnerability may allow access to sensitive resources.
---------------------------------------------
https://www.oracle.com/security-alerts/alert-cve-2025-61884.html
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (compat-libtiff3, iputils, kernel, open-vm-tools, and vim), Debian (asterisk, ghostscript, kernel, linux-6.1, and tiff), Fedora (cef, chromium, cri-o1.31, cri-o1.32, cri-o1.33, cri-o1.34, docker-buildx, log4cxx, mingw-poppler, openssl, podman-tui, prometheus-podman-exporter, python-socketio, python3.10, python3.11, python3.12, python3.9, skopeo, and valkey), Mageia (open-vm-tools), Red Hat (compat-libtiff3, kernel, kernel-rt, vim, and webkit2gtk3), and SUSE (distrobuilder, docker-stable, expat, forgejo, forgejo-longterm, gitea-tea, go1.25, haproxy, headscale, open-vm-tools, openssl-3, podman, podofo, ruby3.4-rubygem-rack, and weblate).
---------------------------------------------
https://lwn.net/Articles/1041779/
∗∗∗ Two High Checkmk advisories released ∗∗∗
---------------------------------------------
SBAResearch published the following advisories for checkmk: SBA-ADV-20250724-01: Checkmk Agent Privilege Escalation via Insecure Temporary Files, SBA-ADV-20250730-01: Checkmk Path Traversal.
---------------------------------------------
https://github.com/sbaresearch/advisories/commit/e84ca741ae34d372b4f7b294ad…
∗∗∗ Auth Bypass Flaw in Service Finder WordPress Plugin Under Active Exploit ∗∗∗
---------------------------------------------
An Authentication Bypass (CVE-2025-5947) in Service Finder Bookings plugin allows any unauthenticated attacker to log in as an administrator. Over 13,800 exploit attempts detected. Update to v6.1 immediately.
---------------------------------------------
https://hackread.com/auth-bypass-service-finder-wordpress-plugin-exploit/
∗∗∗ BigBlueButton: Update for the web conferencing system fixes denial-of-service vulnerabilities ∗∗∗
---------------------------------------------
The developers of the open-source web conferencing system BigBlueButton (BBB) for Windows and Linux servers have eliminated several attack vectors with an update to version 3.0.13.
---------------------------------------------
https://heise.de/-10751398
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 09-10-2025 18:01 − Friday 10-10-2025 18:01
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Discord says hackers stole government IDs of 70,000 users ∗∗∗
---------------------------------------------
Discord says that hackers made off with images of 70,000 users’ government IDs that they were required to provide in order to use the site.
---------------------------------------------
https://arstechnica.com/security/2025/10/discord-says-hackers-stole-governm…
∗∗∗ RondoDox botnet targets 56 n-day flaws in worldwide attacks ∗∗∗
---------------------------------------------
A new large-scale botnet called RondoDox is targeting 56 vulnerabilities in more than 30 distinct devices, including flaws first disclosed during Pwn2Own hacking competitions. The attackers focus on a wide range of exposed devices, including DVRs, NVRs, CCTV systems, and web servers, and have been active since June.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/rondodox-botnet-targets-56-n…
∗∗∗ GitHub Copilot CamoLeak AI Attack Exfiltrates Data ∗∗∗
---------------------------------------------
Every week or two nowadays, researchers come up with new ways of exploiting agentic AI tools built crudely into software platforms. Since companies are far more concerned with providing AI functionality than they are securing that functionality, there's been ample opportunity for mischief.
---------------------------------------------
https://www.darkreading.com/application-security/github-copilot-camoleak-ai…
∗∗∗ From LFI to RCE: Active Exploitation Detected in Gladinet and TrioFox Vulnerability ∗∗∗
---------------------------------------------
Cybersecurity company Huntress said it has observed active in-the-wild exploitation of an unpatched security flaw impacting Gladinet CentreStack and TrioFox products. The zero-day vulnerability, tracked as CVE-2025-11371 (CVSS score: 6.1), is an unauthenticated local file inclusion bug that allows unintended disclosure of system files. It impacts all versions of the software prior to and including 16.7.10368.56560.
---------------------------------------------
https://thehackernews.com/2025/10/from-lfi-to-rce-active-exploitation.html
∗∗∗ 175 Malicious npm Packages with 26,000 Downloads Used in Credential Phishing Campaign ∗∗∗
---------------------------------------------
Cybersecurity researchers have flagged a new set of 175 malicious packages on the npm registry that have been used to facilitate credential harvesting attacks as part of an unusual campaign. The packages have been collectively downloaded 26,000 times, acting as an infrastructure for a widespread phishing campaign codenamed Beamglea targeting more than 135 industrial, technology, and energy companies across the world, according to Socket.
---------------------------------------------
https://thehackernews.com/2025/10/175-malicious-npm-packages-with-26000.html
∗∗∗ Cops nuke BreachForums (again) amid cybercrime supergroup extortion blitz ∗∗∗
---------------------------------------------
US authorities have seized the latest incarnation of BreachForums, the cybercriminal bazaar recently reborn under the stewardship of the so-called Scattered Lapsus$ Hunters, with help from French cyber cops and the Paris prosecutor's office.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/10/10/cops_seize_b…
∗∗∗ Pro-Russian hackers caught bragging about attack on fake water utility ∗∗∗
---------------------------------------------
A pro-Russian hacker group has been caught boasting about a cyberattack that unfolded entirely inside a decoy system set up by researchers.
---------------------------------------------
https://therecord.media/fake-water-utility-honeypot-hacked-pro-russian-group
∗∗∗ More Than DoS (Progress Telerik UI for ASP.NET AJAX Unsafe Reflection CVE-2025-3600) ∗∗∗
---------------------------------------------
Welcome back. We’re excited to yet again publish memes under the guise of research and inevitably receive hate mail. But today, we’ll be doing something slightly different to normal. Today, instead of pulling apart “just one” enterprise-grade solution, we have inadvertently ripped apart a widely used ASP.NET library.
---------------------------------------------
https://labs.watchtowr.com/more-than-dos-progress-telerik-ui-for-asp-net-aj…
∗∗∗ New Stealit Campaign Abuses Node.js Single Executable Application ∗∗∗
---------------------------------------------
FortiGuard Labs has encountered a new and active Stealit malware campaign that leverages Node.js’ Single Executable Application (SEA) feature to distribute its payloads. This campaign was uncovered following a spike in detections of a particular Visual Basic script, which was later determined to be a component for persistence.
---------------------------------------------
https://feeds.fortinet.com/~/926060729/0/fortinet/blogs~New-Stealit-Campaig…
=====================
= Vulnerabilities =
=====================
∗∗∗ Claroty Product Security Advisory: OIDC Configurations in Claroty Secure Access ∗∗∗
---------------------------------------------
This advisory provides important information regarding a security vulnerability affecting on-premise Claroty Secure Access (formerly known as Claroty Secure Remote Access or SRA) when configured with OpenID Connect (OIDC) authentication, either currently or previously. Fixes for affected products are available in the customer portal. There are no known public exploits or a public proof of concept (POC) of this vulnerability.
---------------------------------------------
https://claroty.com/product-security/oidc-configurations-in-claroty-secure-…
∗∗∗ Monitoring software Checkmk: privilege escalation vulnerability in Windows version ∗∗∗
---------------------------------------------
Checkmk warns of security vulnerabilities in its network monitoring software of the same name. One affects the Windows agent and only narrowly misses being classified as a critical security risk; another of the flaws, by contrast, should not cost admins any sleep.
---------------------------------------------
https://www.heise.de/news/Monitoring-Software-Checkmk-Rechteausweitungsluec…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (redis and valkey), Fedora (docker-buildkit, ibus-bamboo, pgadmin4, webkitgtk, and wordpress), Mageia (kernel-linus, kmod-virtualbox & kmod-xtables-addons, and microcode), Oracle (compat-libtiff3 and udisks2), Red Hat (rsync), Slackware (python3), SUSE (chromium, cJSON, digger-cli, glow, go1.24, go1.25, go1.25-openssl, grafana, libexslt0, libruby3_4-3_4, pgadmin4, python311-python-socketio, and squid), and Ubuntu (dpdk, libhtp, vim, and webkit2gtk).
---------------------------------------------
https://lwn.net/Articles/1041564/
∗∗∗ Ivanti Endpoint Manager: Zero Day Initiative publishes 13 zero-days ∗∗∗
---------------------------------------------
Ivanti's Endpoint Manager (EPM) contained serious security vulnerabilities that the company has known about for months, yet only intended to fix in six months' time. That was too long for Trend Micro's Zero Day Initiative (ZDI), which is now publishing the flaws as "zero days". The bug catalogue comprises eleven SQL injections, one path traversal flaw and one deserialization of untrusted data.
---------------------------------------------
https://heise.de/-10749054
∗∗∗ Code execution vulnerabilities in Nvidia GPU drivers closed ∗∗∗
---------------------------------------------
Nvidia's developers have closed several security vulnerabilities in various graphics card drivers. In the worst case, malicious code can fully compromise systems. Both Linux and Windows computers are affected.
---------------------------------------------
https://heise.de/-10749431
∗∗∗ 7-Zip: Information on closed security vulnerabilities available ∗∗∗
---------------------------------------------
With version 25.00 of 7-Zip, the developer closed several security vulnerabilities in July. Until now, however, it was unclear which ones. Trend Micro's Zero Day Initiative (ZDI) has now published information on some of the security holes plugged in that release.
---------------------------------------------
https://heise.de/-10749900
∗∗∗ Juniper Security Director: Attackers can bypass security mechanism ∗∗∗
---------------------------------------------
Several products from network equipment maker Juniper are vulnerable. If attacks succeed, attackers can, for example, install manipulated images or plant backdoors in switches. Security patches are available for download.
---------------------------------------------
https://heise.de/-10750030
∗∗∗ DSA-6022-1 valkey - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2025/msg00188.html
∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog: CVE-2021-43798 Grafana Path Traversal Vulnerability ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/10/09/cisa-adds-one-known-expl…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 08-10-2025 18:00 − Thursday 09-10-2025 18:01
Handler: Guenes Holler
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ Crimson Collective hackers target AWS cloud instances for data theft ∗∗∗
---------------------------------------------
The Crimson Collective threat group has been targeting AWS (Amazon Web Services) cloud environments for the past weeks, to steal data and extort companies.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/crimson-collective-hackers-t…
∗∗∗ New FileFix attack uses cache smuggling to evade security software ∗∗∗
---------------------------------------------
A new variant of the FileFix social engineering attack uses cache smuggling to secretly download a malicious ZIP archive onto a victim's system and bypass security software.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-filefix-attack-uses-cach…
∗∗∗ Hacktivists target critical infrastructure, hit decoy plant ∗∗∗
---------------------------------------------
A pro-Russian hacktivist group called TwoNet pivoted in less than a year from launching distributed denial-of-service (DDoS) attacks to targeting critical infrastructure.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hacktivists-target-critical-…
∗∗∗ SonicWall: Firewall configs stolen for all cloud backup customers ∗∗∗
---------------------------------------------
SonicWall has confirmed that all customers that used the company's cloud backup service are affected by last month's security breach.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/sonicwall-firewall-configs-s…
∗∗∗ Security leak: millions of guest records in hotel software publicly accessible ∗∗∗
---------------------------------------------
In the hotel software Sihot, millions of guest records could be viewed. According to the vendor, the vulnerabilities have already been closed.
---------------------------------------------
https://www.golem.de/news/sicherheitsleck-millionen-gaestedaten-in-hotelsof…
∗∗∗ Hackers Exploit WordPress Sites to Power Next-Gen ClickFix Phishing Attacks ∗∗∗
---------------------------------------------
Cybersecurity researchers are calling attention to a nefarious campaign targeting WordPress sites to make malicious JavaScript injections that are designed to redirect users to sketchy sites.
---------------------------------------------
https://thehackernews.com/2025/10/hackers-exploit-wordpress-themes-to.html
∗∗∗ localmind.ai: AI security incident, it is not over yet – part 3 ∗∗∗
---------------------------------------------
The security incident at AI provider localmind.ai does not appear to be over yet. The provider does write that the core systems of the Localmind platform itself were not compromised and that it believes it has secured the infrastructure. It appears, however, that this is not entirely accurate.
---------------------------------------------
https://www.borncity.com/blog/2025/10/09/localmind-ai-ki-sicherheitsvorfall…
∗∗∗ Velociraptor leveraged in ransomware attacks ∗∗∗
---------------------------------------------
Cisco Talos has confirmed that ransomware operators are leveraging Velociraptor, an open-source digital forensics and incident response (DFIR) tool that had not previously been definitively tied to ransomware incidents.
---------------------------------------------
https://blog.talosintelligence.com/velociraptor-leveraged-in-ransomware-att…
∗∗∗ Fake Teams Installers Dropping Oyster Backdoor (aka Broomstick) ∗∗∗
---------------------------------------------
Hackers are using fake Microsoft Teams installers found in search results and ads to deploy the Oyster backdoor. Learn how to protect your PC from this remote-access threat.
---------------------------------------------
https://hackread.com/fake-teams-installers-oyster-backdoor-broomstick/
∗∗∗ New Chaos-C++ Ransomware Targets Windows by Wiping Data, Stealing Crypto ∗∗∗
---------------------------------------------
FortiGuard Labs reveals Chaos-C++, a new Chaos ransomware variant that deletes files over 1.3 GB instead of encrypting them and uses clipboard hijacking to steal cryptocurrency.
---------------------------------------------
https://hackread.com/chaos-c-ransomware-windows-data-crypto/
∗∗∗ Oracle E-Business Suite Zero-Day Exploited in Widespread Extortion Campaign ∗∗∗
---------------------------------------------
Google Threat Intelligence Group (GTIG) and Mandiant began tracking a new, large-scale extortion campaign by a threat actor claiming affiliation with the CL0P extortion brand. The actor began sending a high volume of emails to executives at numerous organizations, alleging the theft of sensitive data from the victims' Oracle E-Business Suite (EBS) environments.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/oracle-ebusiness-s…
∗∗∗ SVG Phishing hits Ukraine with Amatera Stealer, PureMiner ∗∗∗
---------------------------------------------
FortiGuard Labs recently observed a phishing campaign designed to impersonate Ukrainian government agencies and deliver additional malware to targeted systems. The phishing emails contain malicious Scalable Vector Graphics (SVG) files designed to trick recipients into opening harmful attachments.
---------------------------------------------
https://feeds.fortinet.com/~/925395818/0/fortinet/blogs~SVG-Phishing-hits-U…
=====================
= Vulnerabilities =
=====================
∗∗∗ Severe Framelink Figma MCP Vulnerability Lets Hackers Execute Code Remotely ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed details of a now-patched vulnerability in the popular figma-developer-mcp Model Context Protocol (MCP) server that could allow attackers to achieve code execution. The vulnerability, tracked as CVE-2025-53967 (CVSS score: 7.5), is a command injection bug stemming from the unsanitized use of user input, opening the door to a scenario where an attacker can send arbitrary system commands.
---------------------------------------------
https://thehackernews.com/2025/10/severe-figma-mcp-vulnerability-lets.html
∗∗∗ Update: Malicious code vulnerability threatens IBM Data Replication VSAM ∗∗∗
---------------------------------------------
Attackers can attack IBM Data Replication VSAM for z/OS Remote Source. The vulnerability has now been closed.
---------------------------------------------
https://www.heise.de/news/Update-Schadcode-Luecke-bedroht-IBM-Data-Replicat…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (gnutls, kernel, kernel-rt, and open-vm-tools), Debian (chromium, python-django, and redis), Fedora (chromium, insight, mirrorlist-server, oci-seccomp-bpf-hook, rust-maxminddb, rust-prometheus, rust-prometheus_exporter, rust-protobuf, rust-protobuf-codegen, rust-protobuf-parse, rust-protobuf-support, turbo-attack, and yarnpkg), Oracle (iputils, kernel, open-vm-tools, redis, and valkey), Red Hat (perl-File-Find-Rule and perl-File-Find-Rule-Perl), SUSE (expat, ImageMagick, matrix-synapse, python-xmltodict, redis, redis7, and valkey), and Ubuntu (fort-validator and imagemagick).
---------------------------------------------
https://lwn.net/Articles/1041404/
∗∗∗ A Cascade of Insecure Architectures: Axis Plugin Design Flaw Exposes Select Autodesk Revit Users to Supply Chain Risk ∗∗∗
---------------------------------------------
We discovered Azure Storage Account credentials exposed in Axis Communications’ Autodesk Revit plugin, allowing unauthorized modification of cloud-hosted files. This exposure, combined with vulnerabilities in Autodesk Revit, could enable supply-chain attacks targeting end users.
---------------------------------------------
https://www.trendmicro.com/en_us/research/25/j/axis-plugin-flaw-autodesk-re…
∗∗∗ CISA Releases Four Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
CISA released four Industrial Control Systems (ICS) Advisories on October 9, 2025. ICSA-25-282-01 Hitachi Energy Asset Suite, ICSA-25-282-02 Rockwell Automation Lifecycle Services with Cisco, ICSA-25-282-03 Rockwell Automation Stratix and ICSA-25-128-03 Mitsubishi Electric Multiple FA Products.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/10/09/cisa-releases-four-indus…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 07-10-2025 18:00 − Wednesday 08-10-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ Severe Figma MCP Vulnerability Lets Hackers Execute Code Remotely — Patch Now ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed details of a now-patched vulnerability in the popular figma-developer-mcp Model Context Protocol (MCP) server that could allow attackers to achieve code execution. The vulnerability, tracked as CVE-2025-53967 (CVSS score: 7.5), is a command injection bug [..] The vulnerability has been addressed in version 0.6.3 of figma-developer-mcp, which was released on September 29, 2025.
---------------------------------------------
https://thehackernews.com/2025/10/severe-figma-mcp-vulnerability-lets.html
∗∗∗ LockBit, Qilin, and DragonForce Join Forces to Dominate the Ransomware Ecosystem ∗∗∗
---------------------------------------------
Three prominent ransomware groups, DragonForce, LockBit, and Qilin, have announced a new strategic ransomware alliance, once again underscoring continued shifts in the cyber threat landscape.
---------------------------------------------
https://thehackernews.com/2025/10/lockbit-qilin-and-dragonforce-join.html
∗∗∗ Employees regularly paste company secrets into ChatGPT ∗∗∗
---------------------------------------------
Employees could be opening up to OpenAI in ways that put sensitive data at risk. According to a study by security biz LayerX, a large number of corporate users paste Personally Identifiable Information (PII) or Payment Card Industry (PCI) numbers right into ChatGPT, even if they're using the bot without permission.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/10/07/gen_ai_shado…
∗∗∗ “Can you test my game?” Fake itch.io pages spread hidden malware to gamers ∗∗∗
---------------------------------------------
A convincing itch-style page can drop a stealthy stager instead of a game. Here’s how to spot it and what to do if you clicked.
---------------------------------------------
https://www.malwarebytes.com/blog/threat-intel/2025/10/can-you-test-my-game…
∗∗∗ Is your computer mouse eavesdropping on you? ∗∗∗
---------------------------------------------
Researchers have found a method they called Mic-E-Mouse, which turns your computer mouse into a spy that can listen in on your conversations. [..] The method uses high-performance optical sensors in optical mice, combined with artificial intelligence, to filter out background noise and: “achieve intelligible reconstruction of user speech.”
---------------------------------------------
https://www.malwarebytes.com/blog/news/2025/10/is-your-computer-mouse-eaves…
∗∗∗ The Klimabonus is back?! No, just a new phishing attempt! ∗∗∗
---------------------------------------------
Fraudulent SMS messages try to create the impression that the Klimabonus is returning. Registering early is said to bring an information advantage and better chances of a payout. None of this is true. What we are dealing with is classic phishing.
---------------------------------------------
https://www.watchlist-internet.at/news/klimabonus-neuer-phishing-versuch/
∗∗∗ Salesforce data breach: what you need to know ∗∗∗
---------------------------------------------
The Scattered LAPSUS$ Hunters hacking group claims to have accessed data from around 40 customers of Salesforce, the cloud-based customer relationship management service, stealing almost one billion records. [..] The hackers are demanding payment by this Friday, 10 October 2025. [..] Allen Tsai, a Salesforce spokesperson, said the company won't engage, negotiate with or pay any extortion demand.
---------------------------------------------
https://www.fortra.com/blog/salesforce-data-breach-what-need-know
∗∗∗ The ClickFix Factory: First Exposure of IUAM ClickFix Generator ∗∗∗
---------------------------------------------
Unit 42 discovers ClickFix phishing kits, commoditizing social engineering. This kit presents a lowered barrier for inexperienced cybercriminals.
---------------------------------------------
https://unit42.paloaltonetworks.com/clickfix-generator-first-of-its-kind/
∗∗∗ Crafting a Full Exploit RCE from a Crash in Autodesk Revit RFA File Parsing ∗∗∗
---------------------------------------------
This article will be devoted to explaining how I reached arbitrary code execution from the crash point shown above. Of particular interest is the technique I used to achieve ROP execution.
---------------------------------------------
https://www.thezdi.com/blog/2025/10/6/crafting-a-full-exploit-rce-from-a-cr…
∗∗∗ Windows 11 setup: Microsoft will block the creation of local accounts in future ∗∗∗
---------------------------------------------
It appears that local user accounts in Windows 11 will in future no longer be possible to set up during setup, or only with considerable tricks. In the latest Insider Preview Build 26220.6772 (KB5065797) of 6 October 2025, Microsoft announced that the commands for nevertheless creating local user accounts during setup are being removed.
---------------------------------------------
https://www.borncity.com/blog/2025/10/08/windows-11-setup-microsoft-blockie…
∗∗∗ Introducing HoneyBee: How We Automate Honeypot Deployment for Threat Research ∗∗∗
---------------------------------------------
HoneyBee takes popular cloud-deployed applications such as databases, storage services, and web apps, and automatically generates intentionally insecure Dockerfiles and Docker Compose manifests. [..] We know we aren't the only ones working on these challenges, which is why we’re open-sourcing HoneyBee with the hope that it can be just as useful to others in the security community.
---------------------------------------------
https://www.wiz.io/blog/honeybee-threat-research
=====================
= Vulnerabilities =
=====================
∗∗∗ Ivanti Endpoint Manager Multiple 0Day Vulnerabilities ∗∗∗
---------------------------------------------
(ZDI-25-934 - ZDI-25-947) This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Endpoint Manager. Authentication is required to exploit this vulnerability. Mitigation: Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the product.
---------------------------------------------
https://www.zerodayinitiative.com/advisories/published/
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (apptainer, civetweb, mod_http2, openssl, pandoc, and pandoc-cli), Oracle (kernel), Red Hat (gstreamer1-plugins-bad-free, iputils, kernel, open-vm-tools, and podman), SUSE (cairo, firefox, ghostscript, gimp, gstreamer-plugins-rs, libxslt, logback, openssl-1_0_0, openssl-1_1, python-xmltodict, and rubygem-puma), and Ubuntu (gst-plugins-base1.0, linux-aws-6.8, linux-aws-fips, linux-azure, linux-azure-nvidia, linux-gke, linux-nvidia-tegra-igx, and
---------------------------------------------
https://lwn.net/Articles/1041243/
∗∗∗ Windows and Android: Google closes severe vulnerabilities in Chrome ∗∗∗
---------------------------------------------
https://www.golem.de/news/windows-und-android-google-schliesst-schwerwiegen…
∗∗∗ ZDI-25-895: (0Day) Wondershare Repairit Incorrect Permission Assignment Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-895/
∗∗∗ B&R Automation Runtime DoS Vulnerability in System Diagnostics Manager (SDM) CVE ID: CVE-2025-3450 ∗∗∗
---------------------------------------------
https://www.br-automation.com/fileadmin/SA25P002-f6a69e61.pdf
∗∗∗ B&R Automation Runtime Vulnerabilities in System Diagnostic Manager (SDM) CVE ID: CVE-2025-3449, CVE-2025-3448 ∗∗∗
---------------------------------------------
https://www.br-automation.com/fileadmin/SA25P003-178b6a20.pdf
∗∗∗ ABB: LVS MConfig Insecure memory handling CVE ID: CVE-2025-9970 ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=4TZ00000006008&Lang…
∗∗∗ Tenable: [R1] Security Center Version 6.7.0 Fixes One Vulnerability ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2025-21
=====================
= End-of-Day report =
=====================
Timeframe: Monday 06-10-2025 18:00 − Tuesday 07-10-2025 18:30
Handler: Guenes Holler
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ Critical Redis vulnerability (CVE-2025-49844) allows authenticated remote code execution ∗∗∗
---------------------------------------------
The critical Redis vulnerability allows remote code execution when Lua scripting is enabled and a specially crafted script is executed in the context of an authenticated user.
---------------------------------------------
https://www.cert.at/de/aktuelles/2025/10/kritische-redis-sicherheitslucke-c…
∗∗∗ Red Hat Consulting breach puts over 5000 high profile enterprise customers at risk — in detail ∗∗∗
---------------------------------------------
Last week, a little known extortion group called Crimson Collective caught my attention. At the time they only had 22 followers on Telegram. Red Hat confirmed the breach later that day, and started notifying impacted customers. Red Hat Consulting are consultants who come in to large enterprises to deal with complex technology problems. It is pretty clear their documentation and source code around customers has been stolen.
---------------------------------------------
https://doublepulsar.com/red-hat-consulting-breach-puts-over-5000-high-prof…
∗∗∗ Microsoft Links Storm-1175 to GoAnywhere Exploit Deploying Medusa Ransomware ∗∗∗
---------------------------------------------
Microsoft on Monday attributed a threat actor it tracks as Storm-1175 to the exploitation of a critical security flaw in Fortra GoAnywhere software to facilitate the deployment of Medusa ransomware.
---------------------------------------------
https://thehackernews.com/2025/10/microsoft-links-storm-1175-to.html
∗∗∗ This is what happens when the AI operator neglects security ∗∗∗
---------------------------------------------
Contracts, invoices and other sensitive data reached us via e-mail. The source: an Austrian AI company that, accordingly, was sloppy about security.
---------------------------------------------
https://www.heise.de/news/Sensible-Unternehmensdaten-ueber-Sicherheitsprobl…
∗∗∗ Phishers target 1Password users with convincing fake breach alert ∗∗∗
---------------------------------------------
Attackers are using realistic-looking 1Password emails to trick users into handing over their vault logins.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2025/10/phishers-target-1password-us…
∗∗∗ Well, Well, Well. It’s Another Day. (Oracle E-Business Suite Pre-Auth RCE Chain - CVE-2025-61882) ∗∗∗
---------------------------------------------
We bet you thought you’d be allowed to sit there, breathe, and savour the few moments of peace you’d earned after a painful week in cyber security. Obviously, you were horribly wrong, and you need to wake up now.
---------------------------------------------
https://labs.watchtowr.com/well-well-well-its-another-day-oracle-e-business…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (chromium), Red Hat (kernel, open-vm-tools, and postgresql), SUSE (chromedriver and chromium), and Ubuntu (haproxy and pam-u2f).
---------------------------------------------
https://lwn.net/Articles/1041069/
∗∗∗ CISA Releases Two Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
CISA released two Industrial Control Systems (ICS) advisories on October 7, 2025. ICSA-25-280-01 Delta Electronics DIAScreen and ICSA-25-226-31 Rockwell Automation 1756-EN4TR, 1756-EN4TRXT.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/10/07/cisa-releases-two-indust…
∗∗∗ Critical CVE-2025-27237 Vulnerability in Zabbix Agent for Windows Enables Privilege Escalation via OpenSSL Misconfiguration ∗∗∗
---------------------------------------------
A security vulnerability has been identified in Zabbix Agent and Agent2 for Windows, potentially allowing local users to escalate their privileges to the SYSTEM level. Tracked as CVE-2025-27237, the flaw originates from the way these agents handle the OpenSSL configuration file on Windows systems.
---------------------------------------------
https://thecyberexpress.com/zabbix-agent-cve-2025-27237/
∗∗∗ Attackers Actively Exploiting Critical Vulnerability in Service Finder Bookings Plugin ∗∗∗
---------------------------------------------
On June 8th, 2025, we received a submission through our Bug Bounty Program for an Authentication Bypass vulnerability in Service Finder Bookings, a WordPress plugin bundled with the Service Finder theme. This theme has been sold to approximately 6,000 customers. This vulnerability makes it possible for an unauthenticated attacker to gain access to any account on a site including accounts with the ‘administrator’ role.
---------------------------------------------
https://www.wordfence.com/blog/2025/10/attackers-actively-exploiting-critic…
∗∗∗ ABB Security Advisory: EIBPORT Reflected XSS (CVE-2021-22291) ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=9AKK108471A7808&Lan…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 03-10-2025 18:00 − Monday 06-10-2025 18:00
Handler: Guenes Holler
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ Severe vulnerability in Oracle E-Business Suite - actively exploited - updates available ∗∗∗
---------------------------------------------
Oracle has published a Security Alert for a severe vulnerability, CVE-2025-61882, in Oracle E-Business Suite. The vulnerability allows attackers to execute code on affected systems without any authentication. According to Oracle, the vulnerability is already being actively exploited by threat actors.
---------------------------------------------
https://www.cert.at/de/warnungen/2025/10/schwerwiegende-sicherheitslucke-in…
∗∗∗ Hackers exploited Zimbra flaw as zero-day using iCalendar files ∗∗∗
---------------------------------------------
Researchers monitoring for larger .ICS calendar attachments found that a flaw in Zimbra Collaboration Suite (ZCS) was used in zero-day attacks at the beginning of the year.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-exploited-zimbra-fla…
∗∗∗ XWorm malware resurfaces with ransomware module, over 35 plugins ∗∗∗
---------------------------------------------
New versions of the XWorm backdoor are being distributed in phishing campaigns after the original developer, XCoder, abandoned the project last year.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/xworm-malware-resurfaces-wit…
∗∗∗ Scattered Lapsus$ Hunters Returns With Salesforce Leak Site ∗∗∗
---------------------------------------------
After claiming it would shut down, the cybercriminal collective reemerged and threatened to publish the stolen data of Salesforce customers by Oct. 10 if its demands are not met.
---------------------------------------------
https://www.darkreading.com/cyberattacks-data-breaches/scattered-lapsus-hun…
∗∗∗ Rhadamanthys Stealer Evolves: Adds Device Fingerprinting, PNG Steganography Payloads ∗∗∗
---------------------------------------------
The threat actor behind Rhadamanthys has also advertised two other tools called Elysium Proxy Bot and Crypt Service on their website, even as the flagship information stealer has been updated to support the ability to collect device and web browser fingerprints, among others.
---------------------------------------------
https://thehackernews.com/2025/10/rhadamanthys-stealer-evolves-adds.html
∗∗∗ Attackers copied customer data from Red Hat GitLab instance ∗∗∗
---------------------------------------------
Software vendor Red Hat suffered an IT security incident. The attackers claim to have copied 570 GB of data.
---------------------------------------------
https://www.heise.de/news/Angreifer-kopierten-Kundendaten-von-Red-Hat-GitLa…
∗∗∗ Data leak at Discord: support service provider successfully attacked ∗∗∗
---------------------------------------------
Criminals were able to obtain personal data of certain Discord users. This data could be misused for phishing attacks.
---------------------------------------------
https://www.heise.de/news/Datenleck-bei-Discord-Support-Dienstleister-erfol…
∗∗∗ Palo Alto Scanning Surges ~500% in 48 Hours, Marking 90-Day High ∗∗∗
---------------------------------------------
On October 3, 2025, GreyNoise observed a ~500% increase in IPs scanning Palo Alto Networks login portals, the highest level recorded in the past 90 days. The activity was highly targeted and involved multiple, potentially coordinated scanning clusters.
---------------------------------------------
https://www.greynoise.io/blog/palo-alto-scanning-surges
=====================
= Vulnerabilities =
=====================
∗∗∗ Oracle Security Alert for CVE-2025-61882 - 4 October 2025 ∗∗∗
---------------------------------------------
This Security Alert addresses vulnerability CVE-2025-61882 in Oracle E-Business Suite. This vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password. If successfully exploited, this vulnerability may result in remote code execution.
---------------------------------------------
https://www.oracle.com/security-alerts/alert-cve-2025-61882.html
∗∗∗ Redis warns of critical flaw impacting thousands of instances ∗∗∗
---------------------------------------------
The Redis security team has released patches for a maximum severity vulnerability that could allow attackers to gain remote code execution on thousands of vulnerable instances.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/redis-warns-of-max-severity-…
∗∗∗ ZDI-25-932: MLflow Weak Password Requirements Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.1. The following CVEs are assigned: CVE-2025-11200.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-932/
∗∗∗ ZDI-25-930: win-cli-mcp-server resolveCommandPath Command Injection Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of win-cli-mcp-server. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 9.8. The following CVEs are assigned: CVE-2025-11202.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-930/
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (kernel), Debian (dovecot, git, log4cxx, and openssl), Fedora (containernetworking-plugins, firebird, firefox, jupyterlab, mupdf, and thunderbird), Oracle (ipa), Red Hat (container-tools:rhel8, firefox, gnutls, kernel, kernel-rt, multiple packages, mysql, mysql:8.0, nginx, podman, and thunderbird), Slackware (fetchmail), SUSE (afterburn, chromium, firefox, haproxy, libvmtools-devel, logback, python311-Django, python311-Django4, and redis), and Ubuntu (linux-gcp, linux-gcp-6.14, linux-oem-6.14, linux-nvidia-tegra-igx, linux-oracle, mysql-8.0, poppler, and squid).
---------------------------------------------
https://lwn.net/Articles/1040991/
∗∗∗ Countless vulnerabilities closed in Dell PowerProtect Data Domain ∗∗∗
---------------------------------------------
If the conditions are right, attackers can attack Dell PowerProtect Data Domain and compromise systems as root. Security patches are available for download.
---------------------------------------------
https://heise.de/-10712169
∗∗∗ Unity game engine: vulnerability threatens Android, Linux, macOS and Windows ∗∗∗
---------------------------------------------
The runtime for the Unity game engine is embedded in numerous popular games. Microsoft now reports a severe vulnerability in it that allows attackers to execute malicious code. Until updates are available, users should uninstall affected software, the vendor advises.
---------------------------------------------
https://heise.de/-10713427
∗∗∗ Multiple Vulnerabilities in Qsync Central ∗∗∗
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-25-35
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 02-10-2025 18:00 − Friday 03-10-2025 18:00
Handler: Guenes Holler
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ Oracle links Clop extortion attacks to July 2025 vulnerabilities ∗∗∗
---------------------------------------------
Oracle has linked an ongoing extortion campaign claimed by the Clop ransomware gang to E-Business Suite (EBS) vulnerabilities that were patched in July 2025.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/oracle-links-clop-extortion-…
∗∗∗ CommetJacking attack tricks Comet browser into stealing emails ∗∗∗
---------------------------------------------
A new attack called CometJacking exploits URL parameters to pass to Perplexity's Comet AI browser hidden instructions that allow access to sensitive data from connected services, like email and calendar.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/commetjacking-attack-tricks-…
∗∗∗ Vulnerability in dental practice system ∗∗∗
---------------------------------------------
A practice management system used by some dental practices had severe vulnerabilities - these could have allowed patient data to be read and modified.
---------------------------------------------
https://www.golem.de/news/security-sicherheitsluecke-in-zahnarztpraxen-syst…
∗∗∗ Coordinated Grafana Exploitation Attempts on 28 September ∗∗∗
---------------------------------------------
GreyNoise observed a sharp one-day surge of exploitation attempts targeting CVE-2021-43798 — a Grafana path traversal vulnerability that enables arbitrary file reads. All observed IPs are classified as malicious.
---------------------------------------------
https://www.greynoise.io/blog/coordinated-grafana-exploitation-attempts
∗∗∗ It's Never Simple Until It Is (Dell UnityVSA Pre-Auth Command Injection CVE-2025-36604) ∗∗∗
---------------------------------------------
Welcome back, and what a week! We’re glad that happened for you and/or sorry that happened to you. It will get better and/or worse, and you will likely survive. Today, we’re walking down the garden path and digging into the archives, publishing our analysis of a vulnerability we discovered and disclosed to Dell in March 2025 within their UnityVSA solution.
---------------------------------------------
https://labs.watchtowr.com/its-never-simple-until-it-is-dell-unityvsa-pre-a…
=====================
= Vulnerabilities =
=====================
∗∗∗ DrayTek warns of remote code execution bug in Vigor routers ∗∗∗
---------------------------------------------
Networking hardware maker DrayTek released an advisory warning about a security vulnerability in several Vigor router models that could allow remote, unauthenticated actors to execute arbitrary code.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/draytek-warns-of-remote-code…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (idm:DL1), Debian (gegl and haproxy), Fedora (ffmpeg, firefox, freeipa, python-pip, rust-astral-tokio-tar, sqlite, uv, webkitgtk, and xen), Oracle (idm:DL1, ipa, kernel, perl-JSON-XS, and python3), Red Hat (git), SUSE (curl, frr, jupyter-jupyterlab, and libsuricata8_0_1), and Ubuntu (linux-aws, linux-lts-xenial, linux-aws-fips, linux-fips, linux-gcp-fips, linux-azure, linux-azure, linux-azure-6.8, linux-fips, linux-gcp-fips, and linux-intel-iot-realtime, linux-realtime).
---------------------------------------------
https://lwn.net/Articles/1040729/
∗∗∗ CISA Releases Two Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
CISA released two Industrial Control Systems (ICS) advisories on October 2, 2025: ICSA-25-275-01 Raise3D Pro2 Series 3D Printers and ICSA-25-275-02 Hitachi Energy MSM Product.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/10/02/cisa-releases-two-indust…
∗∗∗ Critical Splunk Vulnerabilities Expose Platforms to Remote JavaScript Injection and More ∗∗∗
---------------------------------------------
Splunk has disclosed six critical security vulnerabilities impacting multiple versions of both Splunk Enterprise and Splunk Cloud Platform. These Splunk vulnerabilities, collectively highlighting serious weaknesses in Splunk’s web components, could allow attackers to execute unauthorized JavaScript code remotely, access sensitive information, and perform server-side request forgery (SSRF) attacks.
---------------------------------------------
https://thecyberexpress.com/critical-splunk-vulnerabilities/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 01-10-2025 18:00 − Donnerstag 02-10-2025 18:00
Handler: Guenes Holler
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ That annoying SMS phish you just got may have come from a box like this ∗∗∗
---------------------------------------------
Smishers looking for new infrastructure are getting creative.
---------------------------------------------
https://arstechnica.com/security/2025/10/that-annoying-sms-phish-you-just-g…
∗∗∗ Adobe Analytics bug leaked customer tracking data to other tenants ∗∗∗
---------------------------------------------
Adobe is warning its Analytics customers that an ingestion bug caused data from some organizations to appear in the analytics instances of others for approximately one day.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/adobe-analytics-bug-leaked-c…
∗∗∗ Clop extortion emails claim theft of Oracle E-Business Suite data ∗∗∗
---------------------------------------------
Mandiant and Google are tracking a new extortion campaign where executives at multiple companies received emails claiming that sensitive data was stolen from their Oracle E-Business Suite systems.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/clop-extortion-emails-claim-…
∗∗∗ Android spyware campaigns impersonate Signal and ToTok messengers ∗∗∗
---------------------------------------------
Two new spyware campaigns that researchers call ProSpy and ToSpy lured Android users with fake upgrades or plugins for the Signal and ToTok messaging apps to steal sensitive data.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/android-spyware-campaigns-im…
∗∗∗ Shutdown Threatens US Intel Sharing, Cyber Defense ∗∗∗
---------------------------------------------
Lapse of critical information sharing and mass furloughs at CISA are just some of the concerns.
---------------------------------------------
https://www.darkreading.com/cyber-risk/shutdown-us-intel-sharing-cyber-defe…
∗∗∗ Data leak: Schufa subsidiary Bonify confirms security incident ∗∗∗
---------------------------------------------
Unknown actors obtained identification data of Bonify users, including ID document data and photos.
---------------------------------------------
https://www.golem.de/news/datenleck-schufa-tochter-bonify-bestaetigt-sicher…
∗∗∗ 570 GByte of GitHub data: Red Hat reports security incident ∗∗∗
---------------------------------------------
The extortion group Crimson Collective is allegedly in possession of confidential Red Hat customer data and is demanding a ransom.
---------------------------------------------
https://www.golem.de/news/570-gbyte-github-daten-red-hat-meldet-sicherheits…
∗∗∗ New WireTap Attack Extracts Intel SGX ECDSA Key via DDR4 Memory-Bus Interposer ∗∗∗
---------------------------------------------
In yet another piece of research, academics from Georgia Institute of Technology and Purdue University have demonstrated that the security guarantees offered by Intel's Software Guard eXtensions (SGX) can be bypassed on DDR4 systems to passively decrypt sensitive data.
---------------------------------------------
https://thehackernews.com/2025/10/new-wiretap-attack-extracts-intel-sgx.html
∗∗∗ Malicious PyPI Package soopsocks Infects 2,653 Systems Before Takedown ∗∗∗
---------------------------------------------
Cybersecurity researchers have flagged a malicious package on the Python Package Index (PyPI) repository that claims to offer the ability to create a SOCKS5 proxy service, while also providing a stealthy backdoor-like functionality to drop additional payloads on Windows systems. The deceptive package, named soopsocks, attracted a total of 2,653 downloads before it was taken down.
---------------------------------------------
https://thehackernews.com/2025/10/alert-malicious-pypi-package-soopsocks.ht…
∗∗∗ EU funds are flowing into spyware companies, and politicians are demanding answers ∗∗∗
---------------------------------------------
Experts say Commission is ‘fanning the flames’ of the continent’s own Watergate. An arsenal of angry European Parliament members (MEPs) is demanding answers from senior commissioners about why EU subsidies are ending up in the pockets of spyware companies.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/10/02/eu_spyware_f…
∗∗∗ ENISA Threat Landscape 2025 ∗∗∗
---------------------------------------------
Through a more threat-centric approach and further contextual analysis, this latest edition of the ENISA Threat Landscape analyses 4875 incidents over a period spanning from 1 July 2024 to 30 June 2025.
---------------------------------------------
https://www.enisa.europa.eu/publications/enisa-threat-landscape-2025
∗∗∗ Meet SpamGPT and MatrixPDF, AI Toolkits Driving Malware Attacks ∗∗∗
---------------------------------------------
Cybersecurity researchers at Varonis have discovered two new plug-and-play cybercrime toolkits, MatrixPDF and SpamGPT. Learn how these AI-powered tools make mass phishing and PDF malware accessible to anyone, redefining online security risks.
---------------------------------------------
https://hackread.com/spamgpt-matrixpdf-ai-toolkits-malware-attacks/
∗∗∗ Malicious ZIP Files Use Windows Shortcuts to Drop Malware ∗∗∗
---------------------------------------------
Cybersecurity firm Blackpoint Cyber reveals a new spear phishing campaign targeting executives. Learn how attackers use fraudulent document ZIPs containing malicious shortcut files, leveraging living off the land tactics, and a unique Anti-Virus check to deliver a custom payload.
---------------------------------------------
https://hackread.com/malicious-zip-files-windows-shortcuts-malware/
∗∗∗ $20 YoLink IoT Gateway Vulnerabilities Put Home Security at Risk ∗∗∗
---------------------------------------------
Four critical zero-day flaws found in the $20 YoLink Smart Hub allow remote physical access, threatening your home security. See the urgent steps you must take now.
---------------------------------------------
https://hackread.com/20-yolink-iot-gateway-vulnerabilities-home-security/
∗∗∗ Confucius Espionage: From Stealer to Backdoor ∗∗∗
---------------------------------------------
The Confucius group is a long-running cyber-espionage actor operating primarily across South Asia. First identified in 2013, the group is believed to have links to state-sponsored operations in the region.
---------------------------------------------
https://feeds.fortinet.com/~/925674278/0/fortinet/blogs~Confucius-Espionage…
=====================
= Vulnerabilities =
=====================
∗∗∗ Chrome 141: Google closes severe security vulnerabilities ∗∗∗
---------------------------------------------
Google has updated its Chrome browser to version 141. According to the release notes, the update contains patches for 21 security vulnerabilities. At least two of them are rated high risk: under certain circumstances they allow remote injection and execution of malicious code within the browser's sandbox.
---------------------------------------------
https://www.golem.de/news/chrome-141-google-schliesst-schwerwiegende-sicher…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (perl-JSON-XS), Debian (chromium and openssl), Fedora (bird, dnsdist, firefox, mapserver, ntpd-rs, python-nh3, rust-ammonia, skopeo, sqlite, thunderbird, and xen), Oracle (perl-JSON-XS), Red Hat (kernel, kernel-rt, and libvpx), SUSE (afterburn, cairo, docker-stable, firefox, nginx, python-Django, snpguest, and warewulf4), and Ubuntu (libmspack, libxslt, linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-oracle, linux-raspi, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-raspi, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.14, linux-hwe-6.14, linux-realtime, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-oracle, linux, linux-aws, linux-gcp, linux-gcp-6.8, linux-gke, linux-gkeop, linux-ibm, linux-ibm-6.8, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux, linux-kvm, linux-aws-fips, linux-fips, linux-gcp-fips, linux-azure, linux-hwe-6.8, linux-kvm, linux-oracle-5.15, linux-oracle-6.14, linux-raspi, linux-raspi-realtime, linux-realtime, linux-realtime-6.8, linux-realtime-6.14, and python-django).
---------------------------------------------
https://lwn.net/Articles/1040591/
∗∗∗ Stand-alone Security Patch Available for Tenable Security Center versions 6.5.1 and 6.6.0 ∗∗∗
---------------------------------------------
Tenable has released Security Center Patch SC-202509.2.1 for Security Center 6.5.1 and 6.6.0 to address the issues described in the advisory.
---------------------------------------------
https://www.tenable.com/security/tns-2025-20
∗∗∗ Security patches: OpenSSL vulnerable to malicious-code attacks ∗∗∗
---------------------------------------------
The developers have closed three security vulnerabilities in current OpenSSL versions. So far there are no reports of attacks.
---------------------------------------------
https://www.heise.de/news/OpenSSL-Angreifer-koennen-auf-ARM-Systemen-privat…
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 30-09-2025 18:00 − Mittwoch 01-10-2025 18:00
Handler: Guenes Holler
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ China Imposes One-Hour Reporting Rule for Major Cyber Incidents ∗∗∗
---------------------------------------------
The sweeping new regulations show that China is serious about hardening its own networks after launching widespread attacks on global networks.
---------------------------------------------
https://www.darkreading.com/cybersecurity-operations/china-one-hour-reporti…
∗∗∗ MatrixPDF: New hacker tool turns PDF files into phishing lures ∗∗∗
---------------------------------------------
Malicious PDF files can be crafted with it so that they bypass Gmail's phishing filter.
---------------------------------------------
https://www.golem.de/news/matrixpdf-neues-hacker-tool-macht-pdf-dateien-zu-…
∗∗∗ New Android Banking Trojan “Klopatra” Uses Hidden VNC to Control Infected Smartphones ∗∗∗
---------------------------------------------
A previously undocumented Android banking trojan called Klopatra has compromised over 3,000 devices, with a majority of the infections reported in Spain and Italy. Italian fraud prevention firm Cleafy, which discovered the sophisticated malware ..
---------------------------------------------
https://thehackernews.com/2025/10/new-android-banking-trojan-klopatra.html
∗∗∗ Hackers Exploit Milesight Routers to Send Phishing SMS to European Users ∗∗∗
---------------------------------------------
Unknown threat actors are abusing Milesight industrial cellular routers to send SMS messages as part of a smishing campaign targeting users in European countries since at least February 2022. French cybersecurity company SEKOIA said the attackers are exploiting ..
---------------------------------------------
https://thehackernews.com/2025/10/hackers-exploit-milesight-routers-to.html
∗∗∗ Red Hat OpenShift AI Flaw Exposes Hybrid Cloud Infrastructure to Full Takeover ∗∗∗
---------------------------------------------
A severe security flaw has been disclosed in the Red Hat OpenShift AI service that could allow attackers to escalate privileges and take control of the complete infrastructure under certain conditions. OpenShift AI is a platform for managing the lifecycle ..
---------------------------------------------
https://thehackernews.com/2025/10/critical-red-hat-openshift-ai-flaw.html
∗∗∗ OneLogin Bug Let Attackers Use API Keys to Steal OIDC Secrets and Impersonate Apps ∗∗∗
---------------------------------------------
A high-severity security flaw has been disclosed in the One Identity OneLogin Identity and Access Management (IAM) solution that, if successfully exploited, could expose sensitive OpenID Connect (OIDC) application client secrets under certain ..
---------------------------------------------
https://thehackernews.com/2025/10/onelogin-bug-let-attackers-use-api-keys.h…
∗∗∗ New phishing waves in the name of the WKO ∗∗∗
---------------------------------------------
Criminals are currently running two schemes in the name of the Austrian Federal Economic Chamber (Wirtschaftskammer Österreich, WKO) to cause harm. They revolve around updating company data and payment information for the membership fee. Particularly dangerous: for ..
---------------------------------------------
https://www.watchlist-internet.at/news/phishing-wellen-wko/
∗∗∗ TOTOLINK X6000R: Three New Vulnerabilities Uncovered ∗∗∗
---------------------------------------------
Researchers identified vulnerabilities in TOTOLINK X6000R routers: CVE-2025-52905, CVE-2025-52906 and CVE-2025-52907. We discuss root cause and impact.
---------------------------------------------
https://unit42.paloaltonetworks.com/totolink-x6000r-vulnerabilities/
∗∗∗ North Korea IT worker scheme expanding to more industries, countries outside of US tech sector ∗∗∗
---------------------------------------------
Okta said their new research into the scheme revealed that North Korea has honed its skills on U.S.-based companies and has expanded into dozens of different countries and industries.
---------------------------------------------
https://therecord.media/north-korea-it-worker-scheme-expands-outisde-us-tech
∗∗∗ Detour Dog’s DNS Hijacking Infects 30,000 Websites with Strela Stealer ∗∗∗
---------------------------------------------
Infoblox reveals how the Detour Dog group used server-side DNS to compromise 30,000+ sites across 89 countries, installing the stealthy Strela Stealer malware.
---------------------------------------------
https://hackread.com/detour-dog-dns-hijacking-websites-strela-stealer/
∗∗∗ Security update: malicious-code vulnerability threatens Western Digital NAS models ∗∗∗
---------------------------------------------
Attackers can attack certain Western Digital network storage devices running My Cloud OS.
---------------------------------------------
https://heise.de/-10696726
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (kernel, kernel-rt, mysql:8.0, and openssh), Debian (libcommons-lang-java, libcommons-lang3-java, libcpanel-json-xs-perl, libjson-xs-perl, libxml2, open-vm-tools, and u-boot), Fedora (bird, dnsdist, mapserver, ntpd-rs, python-nh3, and rust-ammonia), Oracle (kernel and mysql:8.0), Red Hat (cups, postgresql:12, and postgresql:13), SUSE (cJSON-devel, gimp, kernel-devel, kubecolor, open-vm-tools, openssl-1_1, openssl-3, and ruby3.4-rubygem-rack), ..
---------------------------------------------
https://lwn.net/Articles/1040375/
∗∗∗ CISA Releases Ten Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
CISA released ten Industrial Control Systems (ICS) advisories on September 30, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
ICSA-25-273-01 MegaSys Enterprises Telenium Online Web Application
ICSA-25-273-02 Festo SBRD-Q/SBOC-Q/SBOI-Q
ICSA-25-273-03 Festo CPX-CEC-C1 and ..
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/09/30/cisa-releases-ten-indust…
=====================
= End-of-Day report =
=====================
Timeframe: Montag 29-09-2025 18:00 − Dienstag 30-09-2025 18:00
Handler: n/a
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ Ransomware gang sought BBC reporter’s help in hacking media giant ∗∗∗
---------------------------------------------
Threat actors claiming to represent the Medusa ransomware gang tempted a BBC correspondent to become an insider threat by offering a significant amount of money.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ransomware-gang-sought-bbc-r…
∗∗∗ AI-Powered Voice Cloning Raises Vishing Risks ∗∗∗
---------------------------------------------
A researcher-developed framework could enable attackers to conduct real-time conversations using simulated audio to compromise organizations and extract sensitive information.
---------------------------------------------
https://www.darkreading.com/cyberattacks-data-breaches/ai-voice-cloning-vis…
∗∗∗ Researchers Disclose Google Gemini AI Flaws Allowing Prompt Injection and Cloud Exploits ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed three now-patched security vulnerabilities impacting Google's Gemini artificial intelligence (AI) assistant that, if successfully exploited, could have exposed users to major privacy risks and data theft.
---------------------------------------------
https://thehackernews.com/2025/09/researchers-disclose-google-gemini-ai.html
∗∗∗ Google’s Latest AI Ransomware Defense Only Goes So Far ∗∗∗
---------------------------------------------
Google has launched a new AI-based protection in Drive for desktop that can shut down an attack before it spreads—but its benefits have their limits.
---------------------------------------------
https://www.wired.com/story/googles-latest-ai-ransomware-defense-only-goes-…
∗∗∗ On GitHub: numerous fakes of well-known Mac apps are circulating ∗∗∗
---------------------------------------------
In an apparently concerted action, scammers are trying to distribute fake apps for Mac users. What they intend to achieve with this is unclear.
---------------------------------------------
https://www.heise.de/news/Auf-GitHub-Zahlreiche-Fakes-bekannter-Mac-Apps-ku…
∗∗∗ Beware of landline spoofing: criminals use (partly) real phone numbers! ∗∗∗
---------------------------------------------
Anyone currently receiving calls from supposed bank advisers should be particularly suspicious and careful. Criminals are increasingly managing to use real, existing service landline numbers as cover for their scams. The goal of the "spoofing" is access to the victim's account.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsich-festnetz-spoofing/
∗∗∗ Phantom Taurus: A New Chinese Nexus APT and the Discovery of the NET-STAR Malware Suite ∗∗∗
---------------------------------------------
Phantom Taurus is a previously undocumented Chinese threat group. Explore how this group's distinctive toolset led to uncovering its existence.
---------------------------------------------
https://unit42.paloaltonetworks.com/phantom-taurus/
∗∗∗ XiebroC2 Identified in MS-SQL Server Attack Cases ∗∗∗
---------------------------------------------
AhnLab SEcurity intelligence Center (ASEC) monitors attacks targeting poorly managed MS-SQL servers and recently confirmed a case involving the use of XiebroC2. XiebroC2 is a C2 framework with open-source code that supports various features such as information collection, remote control, and defense evasion, similar to CobaltStrike.
---------------------------------------------
https://asec.ahnlab.com/en/90369/
∗∗∗ Cybercrime Observations from the Frontlines: UNC6040 Proactive Hardening Recommendations ∗∗∗
---------------------------------------------
Protecting software-as-a-service (SaaS) platforms and applications requires a comprehensive security strategy. Drawing from analysis of UNC6040’s specific attack methodologies, this guide presents a structured defensive framework encompassing proactive hardening measures, comprehensive logging protocols, and advanced detection capabilities.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/unc6040-proactive-…
∗∗∗ When Audits Fail: Four Critical Pre-Auth Vulnerabilities in TRUfusion Enterprise ∗∗∗
---------------------------------------------
In early 2025, we encountered a mission-critical software component called TRUfusion Enterprise on the perimeter of one of our customers that is used to transfer highly sensitive data. Since Rocket Software claims that they are undergoing regular audits and also follow secure coding guidelines, we didn’t expect to find much but to our surprise, it took us just two minutes to discover the first totally unsophisticated, but critical pre-auth path traversal vulnerability that already gave us admin rights.
---------------------------------------------
https://www.rcesecurity.com/2025/09/when-audits-fail-four-critical-pre-auth…
=====================
= Vulnerabilities =
=====================
∗∗∗ Broadcom fixes high-severity VMware NSX bugs reported by NSA ∗∗∗
---------------------------------------------
Broadcom has released security updates to patch two high-severity VMware NSX vulnerabilities reported by the U.S. National Security Agency (NSA).
---------------------------------------------
https://www.bleepingcomputer.com/news/security/broadcom-fixes-high-severity…
∗∗∗ IBM App Connect Enterprise Toolkit can leak data ∗∗∗
---------------------------------------------
Important security updates have been released for IBM App Connect Enterprise Toolkit, InfoSphere and WebSphere.
---------------------------------------------
https://www.heise.de/news/IBM-App-Connect-Enterprise-Toolkit-kann-Daten-lea…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (python-internetarchive and tiff), Fedora (nextcloud), Oracle (kernel, openssh, and squid), Red Hat (kernel, kernel-rt, and ncurses), SUSE (afterburn and chromium), and Ubuntu (open-vm-tools, ruby-rack, and tiff).
---------------------------------------------
https://lwn.net/Articles/1040152/
∗∗∗ Security Vulnerabilities fixed in Firefox 143.0.3 ∗∗∗
---------------------------------------------
Mozilla has fixed three vulnerabilities labeled as high.
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-80/
∗∗∗ Critical Vulnerability Alert: CVE-2025-10035 in GoAnywhere MFT ∗∗∗
---------------------------------------------
A critical security vulnerability (CVE-2025-10035) has been identified in GoAnywhere MFT, a widely used file transfer solution developed by Fortra.
---------------------------------------------
https://www.bitsight.com/blog/critical-vulnerability-alert-cve-2025-10035-g…
∗∗∗ Apple Security Update Addresses Critical Font Parser Vulnerability Across Multiple Platforms ∗∗∗
---------------------------------------------
Apple has rolled out a series of important security updates across multiple platforms, addressing a vulnerability affecting the system font parser. These Apple security updates cover iOS, iPadOS, macOS, visionOS, watchOS, and tvOS.
---------------------------------------------
https://thecyberexpress.com/apple-security-updates/
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 26-09-2025 18:00 − Montag 29-09-2025 18:00
Handler: Guenes Holler
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ First Malicious MCP in the Wild: The Postmark Backdoor That's Stealing Your Emails ∗∗∗
---------------------------------------------
This is the world’s first sighting of a real world malicious MCP server. The attack surface for endpoint supply chain attacks is slowly becoming the enterprise’s biggest attack surface.
---------------------------------------------
https://www.koi.security/blog/postmark-mcp-npm-malicious-backdoor-email-the…
∗∗∗ Akira ransomware breaching MFA-protected SonicWall VPN accounts ∗∗∗
---------------------------------------------
Ongoing Akira ransomware attacks targeting SonicWall SSL VPN devices continue to evolve, with the threat actors found to be successfully logging in despite OTP MFA being enabled on accounts. Researchers suspect that this may be achieved through the use of previously stolen OTP seeds, although the exact method remains unconfirmed.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/akira-ransomware-breaching-m…
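The suspected bypass is easier to reason about with the TOTP arithmetic in front of you. The following is an added example, not code from the article, the researchers or SonicWall: a minimal RFC 4226/6238 implementation showing that whoever holds the seed computes exactly the codes the server accepts, so a stolen seed is indistinguishable from the real authenticator. Nothing in the verification step can tell the two apart; the only remedy is re-enrolling (rotating) the seeds. The seed value is the RFC 6238 test secret, chosen so the published test vectors can be checked against it.

```python
import hashlib
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo: str = "sha1") -> str:
    """RFC 6238: HOTP with the counter derived from wall-clock time."""
    return hotp(key, unix_time // step, digits, algo)


def verify_totp(key: bytes, code: str, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check tolerating +/- `window` steps of clock skew.
    It proves only that the submitter knows the seed, not which device they hold."""
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(key, counter + drift, digits), code)
        for drift in range(-window, window + 1)
    )


def stolen_seed_scenario(seed: bytes, unix_time: int) -> dict:
    """The victim's authenticator and the attacker's copy of the seed, side by side:
    same seed, same clock, same arithmetic, same code."""
    victim_code = totp(seed, unix_time)
    attacker_code = totp(seed, unix_time)
    return {
        "victim": victim_code,
        "attacker": attacker_code,
        "server_accepts_attacker": verify_totp(seed, attacker_code, unix_time),
    }


# RFC 6238 Appendix B test secret for HMAC-SHA1 (ASCII "12345678901234567890").
# A real seed is a random value shared once at enrolment; this one is public.
RFC6238_SHA1_SEED = b"12345678901234567890"

if __name__ == "__main__":
    print(stolen_seed_scenario(RFC6238_SHA1_SEED, int(time.time())))
```

The practical consequence for the SonicWall case is that a compromised appliance that once held the seeds must be treated as still holding them: changing passwords or firmware leaves every code the attacker can compute unchanged until the seeds themselves are re-issued.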
∗∗∗ Pointer leaks through pointer-keyed data structures ∗∗∗
---------------------------------------------
Some time in 2024, during a Project Zero team discussion, we were talking about how remote ASLR leaks would be helpful or necessary for exploiting some types of memory corruption bugs, specifically in the context of Apple devices.
---------------------------------------------
https://googleprojectzero.blogspot.com/2025/09/pointer-leaks-through-pointe…
∗∗∗ Microsoft Flags AI-Driven Phishing: LLM-Crafted SVG Files Outsmart Email Security ∗∗∗
---------------------------------------------
Microsoft is calling attention to a new phishing campaign primarily aimed at U.S.-based organizations that has likely utilized code generated using large language models (LLMs) to obfuscate payloads and evade security defenses. "Appearing to be aided by a large language model (LLM), the activity obfuscated its behavior within an SVG file, leveraging business terminology and a synthetic structure to disguise its malicious intent," the Microsoft Threat Intelligence team said in an analysis published last week.
---------------------------------------------
https://thehackernews.com/2025/09/microsoft-flags-ai-driven-phishing-llm.ht…
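As an added example (not Microsoft's detection logic and not taken from the campaign analysis), a small triage routine for SVG attachments. SVG is XML, so it can be parsed and checked at the places where active content lives: `<script>` elements, `on*` event-handler attributes, `<foreignObject>` (which can embed HTML), and `href` values using the `javascript:` or `data:` schemes. The two SVG documents are constructed; the second mimics the decoy business wording the page describes, with the logic tucked into a script. For untrusted XML in production, parse with defusedxml rather than the standard-library module used here, which does not limit entity expansion.

```python
import xml.etree.ElementTree as ET
from typing import List

# Elements that can carry or host executable content inside an SVG document.
ACTIVE_ELEMENTS = {"script", "foreignObject"}
# URL schemes in href attributes that execute or smuggle content instead of linking.
ACTIVE_SCHEMES = ("javascript:", "data:")


def _local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]


def scan_svg(svg_text: str) -> List[str]:
    """Return a list of findings describing active content in an SVG document.
    An empty list means nothing script-like was found (a static drawing)."""
    findings = []
    root = ET.fromstring(svg_text)
    for element in root.iter():
        tag = _local(element.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in element.attrib.items():
            name = _local(attr)
            if name.startswith("on"):
                findings.append(f"{name} handler on <{tag}>")
            elif name == "href" and value.strip().lower().startswith(ACTIVE_SCHEMES):
                findings.append(f"{name} with active scheme on <{tag}>")
    return findings


def should_quarantine(svg_text: str) -> bool:
    """Policy hook: any active content in an inbound SVG attachment is enough."""
    return bool(scan_svg(svg_text))


# Constructed samples: a static logo-style image and a lure with hidden logic.
BENIGN_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" width="120" height="40">'
    '<rect width="120" height="40" fill="#1e90ff"/>'
    '<text x="10" y="25" fill="white">ACME Corp</text></svg>'
)

LURE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <text x="10" y="20">Q3 revenue reconciliation - review required</text>
  <a xlink:href="javascript:void(0)"><text x="10" y="40">Open document</text></a>
  <script><![CDATA[
    function init() { /* the obfuscated redirect logic would sit here */ }
  ]]></script>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("lure", LURE_SVG)):
        print(label, scan_svg(doc))
```

The check is structural rather than keyword-based on purpose: the campaign's point was that the visible text reads like ordinary business content, so a filter looking for suspicious words has nothing to catch, while a `<script>` element inside an image file is unusual regardless of what the surrounding text says.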
∗∗∗ Cyber threat-sharing law set to shut down, along with US government ∗∗∗
---------------------------------------------
Barring a last-minute deal, the US federal government would shut down on Wednesday, October 1, and the 2015 Cybersecurity Information Sharing Act would lapse at the same time, threatening what many consider a critical plank of US cybersecurity policy.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/09/26/government_s…
∗∗∗ Sex offenders, terrorists, drug dealers, exposed in spyware breach ∗∗∗
---------------------------------------------
RemoteCOM's monitoring software leaked the personal details of suspects, offenders, and the law enforcement officers tracking them.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2025/09/sex-offenders-terrorists-dru…
∗∗∗ From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion ∗∗∗
---------------------------------------------
The intrusion took place in May 2024, when a user executed a malicious JavaScript file. This JavaScript file has previously been reported as associated with the Lunar Spider initial access group by EclecticIQ. The heavily obfuscated file, masquerading as a legitimate tax form, contained only a small amount of executable code dispersed among extensive filler content used for evasion. The JavaScript payload triggered the download of an MSI package, which deployed a Brute Ratel DLL file using rundll32.
---------------------------------------------
https://thedfirreport.com/2025/09/29/from-a-single-click-how-lunar-spider-e…
∗∗∗ Medusa Ransomware Claims Comcast Data Breach, Demands $1.2M ∗∗∗
---------------------------------------------
Medusa ransomware group claims 834 GB data theft from Comcast, demanding $1.2M ransom while sharing screenshots and file listings.
---------------------------------------------
https://hackread.com/medusa-ransomware-comcast-data-breach/
∗∗∗ CISA and UK NCSC Release Joint Guidance for Securing OT Systems ∗∗∗
---------------------------------------------
CISA, in collaboration with the Federal Bureau of Investigation, the United Kingdom’s National Cyber Security Centre, and other international partners has released new joint cybersecurity guidance: [Creating and Maintaining a Definitive View of Your Operational Technology (OT) Architecture].
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/09/29/cisa-and-uk-ncsc-release…
∗∗∗ Supply chain security for the 0.001% (and why it won’t catch on) ∗∗∗
---------------------------------------------
After yet another supply chain issue (npm this time, but it doesn’t really matter that much), Shai-hulud, 500 packages affected and millions of downloads later, I finally wrapped up the protection system for my dev environment. I really don’t want to be the next one exploited.
---------------------------------------------
https://blog.viraptor.info/post/supply-chain-security-for-the-0001-and-why-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (avahi, cups, firefox, gnutls, golang, httpd, kernel, libtpms, mysql, opentelemetry-collector, php:8.2, podman, postgresql:13, postgresql:15, python3, python3.11, python3.12, python3.9, thunderbird, and udisks2), Debian (firefox-esr, gimp, nncp, node-tar-fs, and squid), Fedora (chromium, firebird, python-azure-keyvault-securitydomain, python-azure-mgmt-security, and python-microsoft-security-utilities-secret-masker), Red Hat (httpd:2.4, kernel, kernel-rt, and mod_http2), SUSE (aide, apache2-mod_security2, chromedriver, cloud-init, docker, gdk-pixbuf, git, google-osconfig-agent, govulncheck-vulndb, gstreamer-plugins-base, iperf, kernel, krb5, krita, luajit, net-tools, nvidia-open-driver-G06-signed, pam, postgresql17, python311, rust-keylime, sevctl, tor, tree-sitter-ruby, and udisks2), and Ubuntu (curl, ghostscript, inetutils, python2.7, and qtbase-opensource-src).
---------------------------------------------
https://lwn.net/Articles/1040058/
∗∗∗ REDCap: Multiple Cross-Site Scripting (XSS) Vulnerabilities ∗∗∗
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/redcap-mult…
∗∗∗ DataSpider Servista improper restriction of XML external entity references ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN23423519/
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 25-09-2025 18:00 − Freitag 26-09-2025 18:00
Handler: Guenes Holler
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ Serious security vulnerabilities in Cisco Adaptive Security Appliance - actively exploited - updates available ∗∗∗
---------------------------------------------
Cisco has published information about an attack campaign that has presumably been running for several months. As part of this campaign, attackers, who were already attributed a broad campaign against edge devices last year, compromised Cisco Adaptive Security Appliance (ASA) systems of the 5500-X series with "VPN web services" in order to subsequently place malware on the taken-over devices and steal data.
---------------------------------------------
https://www.cert.at/de/warnungen/2025/9/schwerwiegende-sicherheitslucken-in…
∗∗∗ Unofficial Postmark MCP npm silently stole users' emails ∗∗∗
---------------------------------------------
An npm package copying the official postmark-mcp project on GitHub turned bad with the latest update that added a single line of code to exfiltrate all its users' email communication.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/unofficial-postmark-mcp-npm-…
∗∗∗ Salesforce AI Agents Forced to Leak Sensitive Data ∗∗∗
---------------------------------------------
Yet again researchers have uncovered an opportunity (dubbed "ForcedLeak") for indirect prompt injection against autonomous agents lacking sufficient security controls — but this time the risk involves PII, corporate secrets, physical location data, and so much more.
---------------------------------------------
https://www.darkreading.com/vulnerabilities-threats/salesforce-ai-agents-le…
∗∗∗ HeartCrypt’s wholesale impersonation effort ∗∗∗
---------------------------------------------
How the notorious Packer-as-a-Service operation built itself into a hydra.
---------------------------------------------
https://news.sophos.com/en-us/2025/09/26/heartcrypts-wholesale-impersonatio…
∗∗∗ New COLDRIVER Malware Campaign Joins BO Team and Bearlyfy in Russia-Focused Cyberattacks ∗∗∗
---------------------------------------------
The Russian advanced persistent threat (APT) group known as COLDRIVER has been attributed to a fresh round of ClickFix-style attacks designed to deliver two new "lightweight" malware families tracked as BAITSWITCH and SIMPLEFIX.
---------------------------------------------
https://thehackernews.com/2025/09/new-coldriver-malware-campaign-joins-bo.h…
∗∗∗ North Korea's Lazarus Group shares its malware with IT work scammers ∗∗∗
---------------------------------------------
North Korean-linked crews connected to the pervasive IT worker scams have upped their malware game, using more advanced tools, including a backdoor that has much of the same code as Pyongyang's infamous Lazarus Group deploys.
---------------------------------------------
https://theregister.com/2025/09/25/lazarus_group_shares_malware_with_it_sca…
∗∗∗ LockBit's new variant is most dangerous yet, hitting Windows, Linux and VMware ESXi ∗∗∗
---------------------------------------------
Trend Micro has sounded the alarm over the new LockBit 5.0 ransomware strain, which it warns is "significantly more dangerous" than past versions due to its newfound ability to simultaneously target Windows, Linux, and VMware ESXi environments.
---------------------------------------------
https://theregister.com/2025/09/26/lockbits_new_variant_is_most/
∗∗∗ Vietnamese Hackers Use Fake Copyright Notices to Spread Lone None Stealer ∗∗∗
---------------------------------------------
New Lone None Stealer uses Telegram C2 and DLL side-loading to grab passwords, credit cards, and crypto. Find out how to spot this highly evasive phishing scam.
---------------------------------------------
https://hackread.com/vietnamese-hackers-fake-copyright-notice-lone-none-ste…
∗∗∗ It Is Bad (Exploitation of Fortra GoAnywhere MFT CVE-2025-10035) - Part 2 ∗∗∗
---------------------------------------------
We’re back, just over 24 hours later, to share our evolving understanding of CVE-2025-10035.
---------------------------------------------
https://labs.watchtowr.com/it-is-bad-exploitation-of-fortra-goanywhere-mft-…
∗∗∗ SVG Phishing hits Ukraine with Amatera Stealer, PureMiner ∗∗∗
---------------------------------------------
Phishing emails disguised as official notices from Ukraine’s police deliver Amatera Stealer and PureMiner in a fileless attack chain.
---------------------------------------------
https://www.fortinet.com/blog/threat-research/svg-phishing-hits-ukraine-wit…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (firefox, kernel, and thunderbird), Debian (ceph and thunderbird), Fedora (chromium, mingw-expat, python-deepdiff, python-orderly-set, python-pip, rust-az-cvm-vtpm, rust-az-snp-vtpm, rust-az-tdx-vtpm, and trustee-guest-components), Oracle (aide, kernel, and thunderbird), Red Hat (firefox, kernel, openssh, perl-YAML-LibYAML, and thunderbird), Slackware (expat), SUSE (jasper, libssh, openjpeg2, and python-pycares), and Ubuntu (linux-aws-6.14, linux-hwe-6.14, linux-azure, linux-hwe-6.8, linux-realtime-6.8, node-sha.js, and pcre2).
---------------------------------------------
https://lwn.net/Articles/1039749/
∗∗∗ [R1] Stand-alone Security Patch Available for Tenable Security Center versions 6.5.1 and 6.6.0: SC-202509.1 ∗∗∗
---------------------------------------------
Security Center leverages third-party software to help provide underlying functionality. One of the third-party components (PostgreSQL) was found to contain vulnerabilities, and an updated version has been made available by the provider.
---------------------------------------------
https://www.tenable.com/security/tns-2025-18
∗∗∗ Security Update Dingtian DT-R002 ∗∗∗
---------------------------------------------
All versions of Dingtian DT-R002 are vulnerable to an Insufficiently Protected Credentials vulnerability that could allow an attacker to retrieve the current user's username without authentication.
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-268-01
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 24-09-2025 18:00 − Donnerstag 25-09-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Microsoft will offer free Windows 10 security updates in Europe ∗∗∗
---------------------------------------------
Microsoft will offer free extended security updates for Windows 10 users in the European Economic Area (EEA), which includes Iceland, Liechtenstein, Norway, and all 27 European Union member states.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-will-offer-free-w…
∗∗∗ Malicious Rust packages on Crates.io steal crypto wallet keys ∗∗∗
---------------------------------------------
Two malicious packages with nearly 8,500 downloads in Rust's official crate repository scanned developers' systems to steal cryptocurrency private keys and other secrets.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malicious-rust-packages-on-c…
∗∗∗ Supermicro: Countless server mainboards vulnerable to firmware backdoors ∗∗∗
---------------------------------------------
Attackers can inject malware into the BMC firmware of numerous Supermicro mainboards and thereby take permanent control.
---------------------------------------------
https://www.golem.de/news/supermicro-unzaehlige-server-mainboards-anfaellig…
∗∗∗ XCSSET evolves again: Analyzing the latest updates to XCSSET’s inventory ∗∗∗
---------------------------------------------
Microsoft Threat Intelligence has uncovered a new variant of the XCSSET malware, which is designed to infect Xcode projects, typically used by software developers building Apple or macOS-related applications.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2025/09/25/xcsset-evolves-aga…
∗∗∗ OnePlus leaves researchers on read over Android bug that exposes texts ∗∗∗
---------------------------------------------
Rapid7 warns flaw could let any app peek at your SMS, but smartphone vendor won't pick up. Updated: Security researchers report that OnePlus smartphone users remain vulnerable to a critical bug that allows any application to read SMS and ..
---------------------------------------------
https://www.theregister.com/2025/09/23/rapid7_oneplus_android_bug/
∗∗∗ Patch now! Root attacks on Cisco network devices possible ∗∗∗
---------------------------------------------
Network equipment vendor Cisco warns of attacks on, among other things, routers and switches. Admins should install the current security updates.
---------------------------------------------
https://www.heise.de/news/Jetzt-patchen-Angreifer-attackieren-Netzwerkgerae…
∗∗∗ Too insecure: IT service provider NTT Data reportedly parts ways with Ivanti products ∗∗∗
---------------------------------------------
Not only the internal network but also resale to customers is affected. The security of the products is said to be an unacceptable risk.
---------------------------------------------
https://www.heise.de/news/Zu-unsicher-IT-Dienstleister-NTT-Data-trennt-sich…
∗∗∗ Criminals announce bank call in advance via SMS or WhatsApp ∗∗∗
---------------------------------------------
That criminals pose as bank employees on the phone has been known for a long time. What is new, however, is a particularly sophisticated variant currently in circulation. Here the criminals deliberately build trust by announcing the call in advance via an SMS or WhatsApp message.
---------------------------------------------
https://www.watchlist-internet.at/news/kriminelle-kuendigen-bankanruf-per-s…
∗∗∗ International anti-fraud crackdown recovers more than $400 million, Interpol says ∗∗∗
---------------------------------------------
Authorities from more than 40 countries and territories blocked 68,000 bank accounts and froze about 400 cryptocurrency wallets as part of the operation from April through August, Interpol said.
---------------------------------------------
https://therecord.media/anti-fraud-interpol-crackdown-recovers-over-400-mil…
∗∗∗ Securing Microsoft Entra ID: Lessons from the Field – Part 1 ∗∗∗
---------------------------------------------
This multipart blog series is focused on the real-world lessons learned while securing Microsoft Entra ID. Based on hands-on experience across various environments and organizations, we’ll explore the practical, high-impact strategies that work and more importantly, the common misconfigurations, overlooked settings, and pitfalls that can ..
---------------------------------------------
https://blog.nviso.eu/2025/09/25/securing-microsoft-entra-id-lessons-from-t…
∗∗∗ This Is How Your LLM Gets Compromised ∗∗∗
---------------------------------------------
Poisoned data. Malicious LoRAs. Trojan model files. AI attacks are stealthier than ever—often invisible until it’s too late. Here’s how to catch them before they catch you.
---------------------------------------------
https://www.trendmicro.com/en_us/research/25/i/prevent-llm-compromise.html
∗∗∗ Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors ∗∗∗
---------------------------------------------
Google Threat Intelligence Group (GTIG) is tracking BRICKSTORM malware activity, which is being used to maintain persistent access to victim organizations in the United States. Since March 2025, Mandiant Consulting has responded to intrusions across a range of industry verticals, most notably legal services, Software as a Service ..
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espiona…
∗∗∗ 180,000 ICS/OT Devices and Counting: The Unforgivable Exposure ∗∗∗
---------------------------------------------
A new Bitsight TRACE threat research report shows that Industrial Control System and Operational Technology (ICS/OT) exposure is climbing again.
---------------------------------------------
https://www.bitsight.com/blog/the-growing-exposure-of-ics-ot-devices
∗∗∗ Yet Another Random Story: VBScripts Randomize Internals ∗∗∗
---------------------------------------------
In one of our recent posts, Dennis shared an interesting case study of C# exploitation that rode on Random-based password-reset tokens. He demonstrated how to use the single-packet attack, or a bit of old-school math, to beat the game. Recently, I performed a security test on a target which had a dependency written in VBScript. This blog post focuses ..
---------------------------------------------
https://blog.doyensec.com/2025/09/25/yet-another-random-story.html
=====================
= Vulnerabilities =
=====================
∗∗∗ Numerous vulnerabilities in iMonitorSoft EAM ∗∗∗
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/zahlreiche-schwachste…
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 23-09-2025 18:00 − Mittwoch 24-09-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Supermicro server motherboards can be infected with unremovable malware ∗∗∗
---------------------------------------------
One of the two vulnerabilities is the result of an incomplete patch Supermicro released in January, said Alex Matrosov, founder and CEO of Binarly, the security firm that discovered it. [..] The two new vulnerabilities—tracked as CVE-2025-7937 and CVE-2025-6198—reside inside silicon soldered onto Supermicro motherboards that run servers inside data centers. [..] Supermicro said it has updated the BMC firmware to mitigate the vulnerabilities. The company is currently testing and validating affected products.
---------------------------------------------
https://arstechnica.com/security/2025/09/supermicro-server-motherboards-can…
∗∗∗ PyPI urges users to reset credentials after new phishing attacks ∗∗∗
---------------------------------------------
The Python Software Foundation has warned victims of a new wave of phishing attacks using a fake Python Package Index (PyPI) website to reset credentials.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/pypi-urges-users-to-reset-cr…
∗∗∗ YiBackdoor: A New Malware Family With Links to IcedID and Latrodectus ∗∗∗
---------------------------------------------
Zscaler ThreatLabz has identified a new malware family that we named YiBackdoor, which was first observed in June 2025. The malware is particularly interesting because it contains significant code overlaps with IcedID and Latrodectus. Similar to Zloader and Qakbot, IcedID was originally designed for facilitating banking and wire fraud.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/yibackdoor-new-malware-fami…
∗∗∗ Fake Malwarebytes, LastPass, and others on GitHub serve malware ∗∗∗
---------------------------------------------
Fake software—including Malwarebytes and LastPass—is currently circulating on GitHub pages, in a large-scale campaign targeting Mac users.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2025/09/fake-malwarebytes-lastpass-a…
∗∗∗ Scam website with fake investment project in the style of orf.at ∗∗∗
---------------------------------------------
Plus a fake video of Federal President Van der Bellen. The perpetrators want to harvest personal data and collect 250 euros.
---------------------------------------------
https://www.derstandard.at/story/3000000289130/betrugs-website-mit-fake-inv…
∗∗∗ Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors ∗∗∗
---------------------------------------------
Google Threat Intelligence Group (GTIG) is tracking BRICKSTORM malware activity, which is being used to maintain persistent access to victim organizations in the United States. [..] The value of these targets extends beyond typical espionage missions, potentially providing data to feed development of zero-days and establishing pivot points for broader access to downstream victims.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espiona…
∗∗∗ Is This Bad? This Feels Bad. (Fortra GoAnywhere CVE-2025-10035) ∗∗∗
---------------------------------------------
On Thursday, September 18, Fortra published a security advisory fi-2025-012 titled: Deserialization Vulnerability in GoAnywhere MFT's License Servlet. The title in itself is reason for alarm, with the description going further to explain how we likely got to a CVSS 10.0 [..] No mystery is complete without a few unanswered questions. Despite our usual routine of reverse engineering and creative detours, we’ve ended this one with more questions than usual.
---------------------------------------------
https://labs.watchtowr.com/is-this-bad-this-feels-bad-goanywhere-cve-2025-1…
∗∗∗ Mobile network servers with 100,000 SIM cards seized in New York ∗∗∗
---------------------------------------------
Around the UN headquarters in New York, 300 SIM card servers and 100,000 SIM cards were discovered. Their purpose is unclear.
---------------------------------------------
https://heise.de/-10668021
∗∗∗ Cyberattack on airports: continued problems at BER and one arrest ∗∗∗
---------------------------------------------
Even days after the cyberattack, disruptions at BER airport persist. Meanwhile, a suspect has been arrested in the United Kingdom.
---------------------------------------------
https://heise.de/-10669658
∗∗∗ How MCP Authentication Flaws Enable RCE in Claude Code, Gemini CLI, and More ∗∗∗
---------------------------------------------
During our security testing, we discovered that connecting to a malicious MCP server via common coding tools like Claude Code and Gemini CLI could give attackers instant control over user computers.
---------------------------------------------
https://verialabs.com/blog/from-mcp-to-shell/
=====================
= Vulnerabilities =
=====================
∗∗∗ Unpatched flaw in OnePlus phones lets rogue apps read text messages ∗∗∗
---------------------------------------------
A vulnerability in multiple OnePlus OxygenOS versions allows any installed app to access SMS data and metadata without requiring permission or user interaction. [..] The flaw, tracked as CVE-2025-10184, and discovered by Rapid7 researchers, is currently unpatched and exploitable.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/unpatched-flaw-in-oneplus-ph…
∗∗∗ Two Critical Flaws Uncovered in Wondershare RepairIt Exposing User Data and AI Models ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed two security flaws in Wondershare RepairIt that exposed private user data and potentially exposed the system to artificial intelligence (AI) model tampering and supply chain risks. [..] Successful exploitation of the two flaws can allow an attacker to circumvent authentication protection on the system and launch a supply chain attack, ultimately resulting in the execution of arbitrary code on customers' endpoints. [..] The cybersecurity company said it responsibly disclosed the two issues through its Zero Day Initiative (ZDI) in April 2025, but noted that it has yet to receive a response from the vendor despite repeated attempts. In the absence of a fix, users are recommended to "restrict interaction with the product." CVE-2025-10643, CVE-2025-10644
---------------------------------------------
https://thehackernews.com/2025/09/two-critical-flaws-uncovered-in.html
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (kernel and kernel-rt), Fedora (expat), Red Hat (kernel and multiple packages), SUSE (avahi, busybox, busybox-links, kernel, sevctl, tcpreplay, thunderbird, and tor), and Ubuntu (isc-kea, linux, linux-aws, linux-gcp, linux-gke, linux-gkeop, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-aws-6.8, linux-gcp-6.8, linux-aws-fips, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-realtime, python-pip, and rabbitmq-server).
---------------------------------------------
https://lwn.net/Articles/1039311/
∗∗∗ Libraesva ESG Security advisory: command injection vulnerability (CVE-2025-59689) ∗∗∗
---------------------------------------------
https://docs.libraesva.com/knowledgebase/security-advisory-command-injectio…
∗∗∗ ZDI-25-907: Autodesk Revit RFA File Parsing Type Confusion Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-907/
∗∗∗ Google Chrome: Chrome for Android Update ∗∗∗
---------------------------------------------
http://chromereleases.googleblog.com/2025/09/chrome-for-android-update_23.h…
∗∗∗ Google Chrome: Stable Channel Update for Desktop ∗∗∗
---------------------------------------------
http://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desk…
∗∗∗ AutomationDirect CLICK PLUS ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-266-01
∗∗∗ Mitsubishi Electric MELSEC-Q Series CPU Module ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-266-02
∗∗∗ Viessmann Vitogate 300 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-266-04
=====================
= End-of-Day report =
=====================
Timeframe: Montag 22-09-2025 18:00 − Dienstag 23-09-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ SonicWall releases SMA100 firmware update to wipe rootkit malware ∗∗∗
---------------------------------------------
SonicWall has released a firmware update that can help customers remove rootkit malware deployed in attacks targeting SMA 100 series devices.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/sonicwall-releases-sma100-fi…
∗∗∗ GitHub Mandates 2FA and Short-Lived Tokens to Strengthen npm Supply Chain Security ∗∗∗
---------------------------------------------
GitHub on Monday announced that it will be changing its authentication and publishing options "in the near future" in response to a recent wave of supply chain attacks targeting the npm ecosystem, including the Shai-Hulud attack. This includes steps to address threats posed by token abuse and self-replicating malware by allowing local publishing with required two-factor authentication (2FA), granular tokens that will have a limited lifetime of seven days, and trusted publishing, which enables the ability to securely publish npm packages directly from CI/CD workflows using OpenID Connect (OIDC).
---------------------------------------------
https://thehackernews.com/2025/09/github-mandates-2fa-and-short-lived.html
∗∗∗ Four years of back and forth between a security researcher and Vasion Print ∗∗∗
---------------------------------------------
Vasion Print was, or possibly still is, vulnerable. Whether all vulnerabilities have been closed is not apparent at first glance.
---------------------------------------------
https://www.heise.de/news/Vier-Jahre-langes-Hin-und-Her-zwischen-Sicherheit…
∗∗∗ [Guest Diary] Distracting the Analyst for Fun and Profit, (Tue, Sep 23rd) ∗∗∗
---------------------------------------------
Distributed denial of service (DDoS) attacks are a type of cyber-attack where the threat actor attempts to disrupt a service by flooding the target with a ton of requests to overload system resources and prevent legitimate traffic from reaching it. [..] We can draw a few conclusions from analyzing each wave of this attack.
---------------------------------------------
https://isc.sans.edu/diary/rss/32308
∗∗∗ Technical Analysis of Zloader Updates ∗∗∗
---------------------------------------------
Zloader (a.k.a. Terdot, DELoader, or Silent Night) is a Zeus-based modular trojan that emerged in 2015. Zloader was originally designed to facilitate banking, but has since been repurposed for initial access, providing an entry point into corporate environments for the deployment of ransomware.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/technical-analysis-zloader-…
∗∗∗ CISA Shares Lessons Learned from an Incident Response Engagement ∗∗∗
---------------------------------------------
The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this Cybersecurity Advisory to highlight lessons learned from an incident response engagement CISA conducted at a U.S. federal civilian executive branch (FCEB) agency. CISA is publicizing this advisory to reinforce the importance of prompt patching, as well as preparing for incidents by practicing incident response plans and by implementing logging and aggregating logs in a centralized out-of-band location.
---------------------------------------------
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-266a
=====================
= Vulnerabilities =
=====================
∗∗∗ SolarWinds releases third patch to fix Web Help Desk RCE bug ∗∗∗
---------------------------------------------
SolarWinds has released a hotfix for a critical vulnerability in Web Help Desk that allows remote code execution (RCE) without authentication. Tracked as CVE-2025-26399, the security issue is the company's third attempt to address an older flaw identified as CVE-2024-28986 that impacted Web Help Desk (WHD) 12.8.3 and all previous versions.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/solarwinds-releases-third-pa…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (corosync and kernel), Fedora (checkpointctl, chromium, curl, and perl-Catalyst-Authentication-Credential-HTTP), SUSE (firefox, frr, kernel, rustup, vim, and wireshark), and Ubuntu (glibc and pam).
---------------------------------------------
https://lwn.net/Articles/1039124/
∗∗∗ Missing certificate validation leads to RCE in CleverControl employee monitoring software ∗∗∗
---------------------------------------------
Missing validation of the TLS server certificate in the installer of the "CleverControl" employee monitoring software allows attackers who can position themselves in the network connection between client and server to execute arbitrary code with administrator privileges. CVE-2025-10548
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/fehlende-validierung-…
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2025-0006 ∗∗∗
---------------------------------------------
https://webkitgtk.org/security/WSA-2025-0006.html
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 19-09-2025 18:00 − Montag 22-09-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ Cyberattack on service provider disrupts airports in Europe ∗∗∗
---------------------------------------------
A service provider for passenger check-in systems was attacked on Friday evening, as Berlin airport announced. [..] The system provider is used at airports across Europe. [..] Passengers must now expect longer waiting times at check-in and boarding, as well as delays.
---------------------------------------------
https://www.heise.de/news/Cyberangriff-behindert-europaeische-Flughaefen-au…
∗∗∗ LastPass: Fake password managers infect Mac users with malware ∗∗∗
---------------------------------------------
LastPass is warning users of a campaign that targets macOS users with malicious software impersonating popular products delivered through fraudulent GitHub repositories. [..] The attackers created a large number of deceptive GitHub repositories from multiple accounts to evade takedown and optimize them to rank high in search results.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/lastpass-fake-password-manag…
∗∗∗ BlockBlasters: Infected Steam game downloads malware disguised as patch ∗∗∗
---------------------------------------------
A 2D platformer game called BlockBlasters has recently started showing signs of malicious activity after a patch release on August 30. While the user is playing the game, various bits of information are lifted from the PC the game is running on - including crypto wallet data. Hundreds of users are potentially affected.
---------------------------------------------
https://feeds.feedblitz.com/~/925181471/0/gdatasecurityblog-en~BlockBlaster…
∗∗∗ Understanding Spamhaus and Its Role in Email Security ∗∗∗
---------------------------------------------
One of the often “behind‐the‐scenes” organizations helping to defend email systems is Spamhaus. In this post, we’ll explain what Spamhaus is, how it works, why it matters, and what best practices companies should follow to stay out of blacklists and protect deliverability.
---------------------------------------------
https://blog.sucuri.net/2025/09/understanding-spamhaus-and-its-role-in-emai…
∗∗∗ Researchers Uncover GPT-4-Powered MalTerminal Malware Creating Ransomware, Reverse Shell ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered what they say is the earliest example known to date of malware that bakes in Large Language Model (LLM) capabilities. The malware has been codenamed MalTerminal by the SentinelOne SentinelLABS research team.
---------------------------------------------
https://thehackernews.com/2025/09/researchers-uncover-gpt-4-powered.html
∗∗∗ Beware of WKO phishing emails about alleged outstanding fees! ∗∗∗
---------------------------------------------
Many companies are currently receiving a fake email that purports to come from the Austrian Federal Economic Chamber (WKO). It claims there are outstanding fees of 482.00 euros that are to be paid via a link. Attention: do not pay, this is an attempted fraud!
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-vor-wko-phishing-mails-zu-an…
∗∗∗ Fake shops: criminals use the Finnish cult brand "Marimekko" as a cover ∗∗∗
---------------------------------------------
Advertisements promising unusually high discounts in Marimekko online shops are currently appearing more and more often on social media platforms. Of course, none of it is true. The special prices are meant to lure fans of the Finnish design brand into impulse purchases. The ordered products are never delivered, and the money is gone.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-shops-marimekko/
∗∗∗ Iranian Threat Actor Nimbus Manticore Expands Campaigns into Europe with Advanced Malware and Fake Job Lures ∗∗∗
---------------------------------------------
In this blog, we highlight the evolution of Minibike into a new variant dubbed MiniJunk, the use of fake recruiting portals for malware delivery, victimology across the Middle East and Western Europe, and the broader implications for defense, telecom, and aviation sectors.
---------------------------------------------
https://blog.checkpoint.com/research/iranian-threat-actor-nimbus-manticore-…
∗∗∗ Hacking with AI SASTs: An overview of ‘AI Security Engineers’ / ‘LLM Security Scanners’ for Penetration Testers and Security Teams ∗∗∗
---------------------------------------------
For the past few months, I have been trialing various AI-native security scanners, with a main focus on finding a product on the market today that is able to analyze the source code of a project in order to find vulnerabilities. This post will detail that journey, the successes and failures I’ve come across, my thoughts, and offer a general review of new on-the-market products that fit the category.
---------------------------------------------
https://joshua.hu/llm-engineer-review-sast-security-ai-tools-pentesters
∗∗∗ Kernel Security in the Wild: Side-Channel-Assisted Exploit Techniques, Kernel-Level Defenses, and Real-World Analysis ∗∗∗
---------------------------------------------
In this thesis, we address all three challenges to advance the state of kernel security. [..] We introduce three novel side channels: SLUBStick, a timing side channel on the kernel's memory allocator to infer heap memory reuse; KernelSnitch, a software-induced side channel that leaks the location of kernel heap objects via data structure access timing; and a hardware-induced TLB side channel that leaks fine-grained memory layout information.
---------------------------------------------
https://tugraz.elsevierpure.com/ws/portalfiles/portal/98775241/main.pdf
=====================
= Vulnerabilities =
=====================
∗∗∗ VU#780141: Cross-site scripting vulnerability in Lectora course navigation ∗∗∗
---------------------------------------------
Lectora Desktop versions 21.0–21.3 and Lectora Online versions 7.1.6 and older contained a cross-site scripting (XSS) vulnerability in courses published with Seamless Play Publish (SPP) enabled and Web Accessibility disabled. The vulnerability was initially patched in Lectora Desktop version 21.4 (October 25, 2022), but users must republish existing courses to apply the patch. CVE-2025-9125
---------------------------------------------
https://kb.cert.org/vuls/id/780141
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ffmpeg, jetty12, jetty9, jq, and pam), Fedora (curl, libssh, podman-tui, and prometheus-podman-exporter), Oracle (firefox, gnutls, kernel, and thunderbird), and SUSE (bluez, cairo, chromium, cmake, cups, firefox, frr, govulncheck-vulndb, kernel, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, mariadb, mybatis, ognl, python-h2, and rke2).
---------------------------------------------
https://lwn.net/Articles/1039053/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 18-09-2025 18:00 − Friday 19-09-2025 18:00
Handler: Felician Fuchs
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Backup theft: attackers stole firewall configurations from Sonicwall ∗∗∗
---------------------------------------------
Firewall vendor Sonicwall reports a break-in into its customers' cloud accounts. Unknown actors copied and exfiltrated backups of firewall configuration files without authorization. However, this was not a cyberattack on Sonicwall itself, but apparently mass trial of credentials. [..] The stolen configuration files can contain sensitive information and facilitate attacks. Apparently only a few customers are affected.
---------------------------------------------
https://heise.de/-10662565
∗∗∗ CISA exposes malware kits deployed in Ivanti EPMM attacks ∗∗∗
---------------------------------------------
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published an analysis of the malware deployed in attacks exploiting vulnerabilities affecting Ivanti Endpoint Manager Mobile (EPMM). The flaws are an authentication bypass in EPMM’s API component (CVE-2025-4427) and a code injection vulnerability (CVE-2025-4428) that allows execution of arbitrary code.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisa-exposes-malware-kits-de…
∗∗∗ New attack on ChatGPT research agent pilfers secrets from Gmail inboxes ∗∗∗
---------------------------------------------
Today’s installment hits OpenAI’s Deep Research agent. Researchers recently devised an attack that plucked confidential information out of a user’s Gmail inbox and sent it to an attacker-controlled web server, with no interaction required on the part of the victim and no sign of exfiltration.
---------------------------------------------
https://arstechnica.com/information-technology/2025/09/new-attack-on-chatgp…
∗∗∗ Threat landscape for industrial automation systems in Q2 2025 ∗∗∗
---------------------------------------------
Kaspersky industrial threat report contains statistics on various malicious objects detected and blocked on ICS computers by Kaspersky solutions in Q2 2025.
---------------------------------------------
https://securelist.com/industrial-threat-report-q2-2025/117532/
∗∗∗ How AI-Native Development Platforms Enable Fake Captcha Pages ∗∗∗
---------------------------------------------
Cybercriminals are abusing AI-native platforms like Vercel, Netlify, and Lovable to host fake captcha pages that deceive users, bypass detection, and drive phishing campaigns.
---------------------------------------------
https://www.trendmicro.com/en_us/research/25/i/ai-development-platforms-ena…
=====================
= Vulnerabilities =
=====================
∗∗∗ Fortra Releases Critical Patch for CVSS 10.0 GoAnywhere MFT Vulnerability ∗∗∗
---------------------------------------------
Fortra has disclosed details of a critical security flaw in GoAnywhere Managed File Transfer (MFT) software that could result in the execution of arbitrary commands. The vulnerability, tracked as CVE-2025-10035, carries a CVSS score of 10.0, indicating maximum severity. "A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection," Fortra said in an advisory released Thursday.
---------------------------------------------
https://thehackernews.com/2025/09/fortra-releases-critical-patch-for-cvss.h…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, cjson, and firefox-esr), Fedora (expat, gh, scap-security-guide, and xen), Oracle (container-tools:rhel8, firefox, grub2, and mysql:8.4), SUSE (busybox, busybox-links, element-web, kernel, shadowsocks-v2ray-plugin, and yt-dlp), and Ubuntu (imagemagick, linux, linux-aws, linux-gcp, linux-gke, linux-gkeop, linux-hwe-6.8, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-oracle, linux-azure, linux-azure-5.15, linux-azure-fips, linux-ibm, linux-ibm-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-raspi, linux-oracle-6.8, linux-realtime, and openjpeg2).
---------------------------------------------
https://lwn.net/Articles/1038802/
∗∗∗ CISA Releases Nine Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
ICSA-25-261-01 Westermo Network Technologies WeOS 5,
ICSA-25-261-02 Westermo Network Technologies WeOS 5,
ICSA-25-261-03 Schneider Electric Saitel DR & Saitel DP Remote Terminal Unit,
ICSA-25-261-04 Hitachi Energy Asset Suite,
ICSA-25-261-05 Hitachi Energy Service Suite,
ICSA-25-261-06 Cognex In-Sight Explorer and In-Sight Camera Firmware,
ICSA-25-261-07 Dover Fueling Solutions ProGauge MagLink LX4 Devices
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/09/18/cisa-releases-nine-indus…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 17-09-2025 18:00 − Thursday 18-09-2025 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ ShinyHunters claims 1.5 billion Salesforce records stolen in Drift hacks ∗∗∗
---------------------------------------------
The ShinyHunters extortion group claims to have stolen over 1.5 billion Salesforce records from 760 companies using compromised Salesloft Drift OAuth tokens. For the past year, the threat actors have been targeting Salesforce customers in data theft attacks using social engineering and malicious OAuth applications to breach Salesforce instances and download data. The stolen data is then used to extort companies into paying a ransom to prevent the data from being publicly leaked.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/shinyhunters-claims-15-billi…
∗∗∗ SystemBC malware turns infected VPS systems into proxy highway ∗∗∗
---------------------------------------------
The operators of the SystemBC proxy botnet are hunting for vulnerable commercial virtual private servers (VPS) and maintain an average of 1,500 bots every day that provide a highway for malicious traffic. Compromised servers are located all over the world and have at least one unpatched critical vulnerability, some of them being plagued by tens of security issues.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/systembc-malware-turns-infec…
∗∗∗ Microsoft: hackers could apparently hijack arbitrary Entra ID tenants ∗∗∗
---------------------------------------------
Security researcher Dirk-Jan Mollema has discovered a dangerous vulnerability in Microsoft Entra ID, the cloud-based identity and access management platform used by many companies. As the researcher describes in a blog post, he could use it to compromise practically every Entra ID tenant worldwide, with the exception of national cloud deployments, which he could not test merely for lack of access.
---------------------------------------------
https://www.golem.de/news/microsoft-hacker-konnten-wohl-beliebige-entra-id-…
∗∗∗ SilentSync RAT Delivered via Two Malicious PyPI Packages Targeting Python Developers ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered two new malicious packages in the Python Package Index (PyPI) repository that are designed to deliver a remote access trojan called SilentSync on Windows systems.
---------------------------------------------
https://thehackernews.com/2025/09/silentsync-rat-delivered-via-two.html
∗∗∗ CountLoader Broadens Russian Ransomware Operations With Multi-Version Malware Loader ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered a new malware loader codenamed CountLoader that has been put to use by Russian ransomware gangs to deliver post-exploitation tools like Cobalt Strike and AdaptixC2, and a remote access trojan known as PureHVNC RAT.
---------------------------------------------
https://thehackernews.com/2025/09/countloader-broadens-russian-ransomware.h…
∗∗∗ Phishing e-mails in the name of Statistik Austria in circulation ∗∗∗
---------------------------------------------
A phishing e-mail is currently circulating that pretends to come from Statistik Austria. In the message, companies are asked to submit sensitive financial and business data (e.g. lists of foreign business partners, amounts, payment deadlines). It must be assumed that the data could be misused for fraudulent payment demands sent to business partners.
---------------------------------------------
https://www.watchlist-internet.at/news/phishing-mails-im-namen-der-statisti…
∗∗∗ What We Know About the NPM Supply Chain Attack ∗∗∗
---------------------------------------------
On September 15, the Node Package Manager (NPM) repository experienced an ongoing supply chain attack, in which the attackers executed a highly targeted phishing campaign to compromise the account of an NPM package maintainer. With privileged access, the attackers injected malicious code into widely used JavaScript packages, threatening the entire software ecosystem. Notably, the attack has disrupted several key NPM packages, including those integral to application development and cryptography.
---------------------------------------------
https://www.trendmicro.com/en_us/research/25/i/npm-supply-chain-attack.html
∗∗∗ New Raven Stealer Malware Hits Browsers for Passwords and Payment Data ∗∗∗
---------------------------------------------
New research reveals Raven Stealer malware that targets browsers like Chrome and Edge to steal personal data. Learn how this threat uses simple tricks like process hollowing to evade antiviruses and why it’s a growing risk for everyday users.
---------------------------------------------
https://hackread.com/raven-stealer-malware-browsers-passwords-payment-data/
∗∗∗ Vane Viper Malvertising Network Posed as Legit Adtech in Global Scams ∗∗∗
---------------------------------------------
Cybersecurity firm Infoblox says it has discovered “Vane Viper,” a massive online ad network that posed as a legitimate business while running global scams and spreading malware. Linked to previously reported PropellerAds and its parent company AdTech Holding, the operation has been active for nearly a decade and is now being called one of the largest malvertising scams seen to date.
---------------------------------------------
https://hackread.com/vane-viper-malvertising-adtech-global-scams/
=====================
= Vulnerabilities =
=====================
∗∗∗ Emergency patch: actively exploited Chrome vulnerability endangers countless users ∗∗∗
---------------------------------------------
Google has released an emergency patch for its widely used Chrome web browser, closing several dangerous security vulnerabilities at once. One of them is already being actively exploited, as the release notes state. Users should therefore update the browser promptly to protect themselves against possible attacks. Chrome versions for Windows, Mac and Linux are affected.
---------------------------------------------
https://www.golem.de/news/notfallpatch-aktiv-ausgenutzte-chrome-luecke-gefa…
∗∗∗ Vulnerabilities threaten HPE Aruba Networking EdgeConnect SD-WAN ∗∗∗
---------------------------------------------
Attackers can target wide area networks (WAN) built on HPE Aruba Networking EdgeConnect SD-WAN. The developers recently closed several security vulnerabilities. After successful attacks, attackers can, among other things, bypass security restrictions or even execute malicious code to fully compromise systems.
---------------------------------------------
https://www.heise.de/news/Schwachstellen-bedrohen-HPE-Aruba-Networking-Edge…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (gnutls, mysql:8.4, opentelemetry-collector, and python-cryptography), Debian (nextcloud-desktop), Fedora (chromium, firefox, forgejo, gitleaks, kernel, kernel-headers, lemonldap-ng, perl-Cpanel-JSON-XS, and python-pip), Red Hat (firefox and libxml2), Slackware (expat and mozilla), SUSE (avahi, bluez, cups, curl, firefox-esr, gdk-pixbuf, gstreamer, java-1_8_0-ibm, krb5, net-tools, podman, raptor, sevctl, tkimg, ucode-intel, and vim), and Ubuntu (linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-fips, linux-azure-fips, linux-gcp-fips, and linux-gcp-6.14, linux-oracle, linux-oracle-6.14).
---------------------------------------------
https://lwn.net/Articles/1038638/
∗∗∗ Open-Source Tool Greenshot Hit by Severe Code Execution Vulnerability ∗∗∗
---------------------------------------------
A security vulnerability has been discovered in Greenshot, the widely used open-source screenshot tool for Windows. The Greenshot vulnerability exposes to the risk of arbitrary code execution, potentially allowing attackers to bypass established security protocols and launch further malicious activities. A proof-of-concept (PoC) exploit has already been released, drawing attention to the critical nature of the vulnerability.
---------------------------------------------
https://thecyberexpress.com/greenshot-vulnerability/
∗∗∗ ENCS testers help resolve critical vulnerabilities in solar inverters ∗∗∗
---------------------------------------------
ENCS cybersecurity testers uncovered several vulnerabilities in consumer solar inverters widely used in Europe, as part of the work on consumer IoT equipment. We reported these to the Dutch Institute for Vulnerability Disclosure (DIVD) CSIRT to start a responsible vulnerability disclosure process. Six vulnerabilities have now been resolved by the manufacturers.
---------------------------------------------
https://encs.eu/news/encs-testers-help-resolve-critical-vulnerabilities-in-…
∗∗∗ ZDI-25-895: Wondershare Repairit Incorrect Permission Assignment Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-895/
∗∗∗ CVE-2025-9242: WatchGuard Firebox iked Out of Bounds Write Vulnerability ∗∗∗
---------------------------------------------
https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00015
∗∗∗ Third-Party Libraries and Supply Chains - PSA-2025-09-17 ∗∗∗
---------------------------------------------
https://www.drupal.org/psa-2025-09-17
∗∗∗ Daikin Security Gateway ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-254-10
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 16-09-2025 18:00 − Wednesday 17-09-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ From ClickFix to MetaStealer: Dissecting Evolving Threat Actor Techniques ∗∗∗
---------------------------------------------
ClickFix isn't just back, it's mutating. New variants use fake CAPTCHAs, File Explorer tricks and MSI lures to drop MetaStealer. Stay ahead with Huntress Tradecraft Tuesday threat briefings.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/from-clickfix-to-metastealer…
∗∗∗ Critical Bugs in Chaos Mesh Enable Cluster Takeover ∗∗∗
---------------------------------------------
"Chaotic Deputy" is a set of four serious vulnerabilities that researchers at JFrog recently discovered in Chaos Mesh, the chaos engineering platform many organizations use to test the resilience of their Kubernetes environments. Together, they give attackers a way to take over entire Kubernetes clusters.
---------------------------------------------
https://www.darkreading.com/cyber-risk/critical-bugs-chaos-mesh-cluster-tak…
∗∗∗ GOLD SALEM’s Warlock operation joins busy ransomware landscape ∗∗∗
---------------------------------------------
Counter Threat Unit (CTU) researchers are monitoring a threat group that refers to itself as Warlock Group. The group, which CTU researchers track as GOLD SALEM, has compromised networks and deployed its Warlock ransomware since March 2025.
---------------------------------------------
https://news.sophos.com/en-us/2025/09/17/gold-salems-warlock-operation-join…
∗∗∗ Scattered Spider Resurfaces With Financial Sector Attacks Despite Retirement Claims ∗∗∗
---------------------------------------------
Cybersecurity researchers have tied a fresh round of cyber attacks targeting financial services to the notorious cybercrime group known as Scattered Spider, casting doubt on their claims of going "dark". Threat intelligence firm ReliaQuest said it has observed indications that the threat actor has shifted their focus to the financial sector.
---------------------------------------------
https://thehackernews.com/2025/09/scattered-spider-resurfaces-with.html
∗∗∗ Microsoft seizes 338 websites to disrupt rapidly growing ‘RaccoonO365’ phishing service ∗∗∗
---------------------------------------------
Microsoft’s Digital Crimes Unit (DCU) has disrupted RaccoonO365, the fastest-growing tool used by cybercriminals to steal Microsoft 365 usernames and passwords (“credentials”).
---------------------------------------------
https://blogs.microsoft.com/on-the-issues/2025/09/16/microsoft-seizes-338-w…
∗∗∗ HybridPetya ransomware bypasses UEFI Secure Boot ∗∗∗
---------------------------------------------
ESET Research has discovered HybridPetya on the sample-sharing platform VirusTotal. It is a copycat of the notorious Petya/NotPetya malware that additionally has the ability to compromise UEFI-based systems and weaponize CVE-2024-7344 to bypass UEFI Secure Boot on outdated systems.
---------------------------------------------
https://www.welivesecurity.com/de/eset-research/ransomware-hybridpetya-hebe…
∗∗∗ Myth Busting: Why "Innocent Clicks" Don't Exist in Cybersecurity ∗∗∗
---------------------------------------------
Unit 42 explores how innocent clicks can have serious repercussions. Learn how simply visiting a malicious site can expose users to significant digital dangers.
---------------------------------------------
https://unit42.paloaltonetworks.com/why-innocent-clicks-dont-exist-in-cyber…
∗∗∗ The npm attack continues: "worm" infects packages ∗∗∗
---------------------------------------------
The supply chain attack on an npm developer account and 18 compromised packages appeared to have ended without major damage. It has now become known that the attacks continue (via a different account) and that a self-replicating malware (Shai-Hulud) has already infected more than 500 npm packages.
---------------------------------------------
https://www.borncity.com/blog/2025/09/17/der-npm-angriff-geht-weiter-wurm-i…
∗∗∗ PyPI Token Exfiltration Campaign via GitHub Actions Workflows ∗∗∗
---------------------------------------------
I recently responded to an attack campaign where malicious actors injected code into GitHub Actions workflows attempting to steal PyPI publishing tokens. PyPI was not compromised, and no PyPI packages were published by the attackers.
---------------------------------------------
https://blog.pypi.org/posts/2025-09-16-github-actions-token-exfiltration/
∗∗∗ Ongoing Supply Chain Attack Targets CrowdStrike npm Packages ∗∗∗
---------------------------------------------
Socket detected multiple compromised CrowdStrike npm packages, continuing the "Shai-Hulud" supply chain attack that has now impacted nearly 500 packages.
---------------------------------------------
https://socket.dev/blog/ongoing-supply-chain-attack-targets-crowdstrike-npm…
∗∗∗ Microsoft: Office 2016 and Office 2019 reach end of support next month ∗∗∗
---------------------------------------------
Microsoft reminded customers again this week that Office 2016 and Office 2019 will reach the end of extended support in less than 30 days, on October 14, 2025.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-office-2016-and-o…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (container-tools:rhel8, kernel, and podman), Debian (node-sha.js), Fedora (firefox, kea, and perl-JSON-XS), Mageia (java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk), Oracle (kernel, libarchive, podman, and python-cryptography), Red Hat (multiple packages, mysql:8.4, and python3.11), SUSE (expat, java-1_8_0-ibm, krb5, libavif, net-tools, nginx, nvidia-open-driver-G06-signed, onefetch, pcp, rabbitmq-server313, raptor, and vim), and Ubuntu (libyang2, linux, linux-aws, linux-aws-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux-aws-fips, linux-fips, linux-gcp-fips, and python-xmltodict).
---------------------------------------------
https://lwn.net/Articles/1038453/
∗∗∗ CISA Releases Eight Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
CISA released eight Industrial Control Systems (ICS) advisories on September 16, 2025. The following products are affected: Schneider Electric Altivar Products, Schneider Electric ATVdPAC Module, Schneider Electric ILC992 InterLink Converter, Schneider Electric Galaxy VS, Schneider Electric Galaxy VL, Schneider Electric Galaxy VXL, Hitachi Energy RTU500 Series, Siemens SIMATIC NET CP, Siemens SINEMA, Siemens SCALANCE, Siemens RUGGEDCOM, Siemens SINEC NMS, Siemens Industrial Products (OpenSSL Vulnerability), Siemens Multiple Industrial Products and Delta Electronics DIALink.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/09/16/cisa-releases-eight-indu…
∗∗∗ CVE-2025-9708: Kubernetes C# Client, improper certificate validation in custom CA mode may lead to man-in-the-middle attacks ∗∗∗
---------------------------------------------
https://github.com/kubernetes/kubernetes/issues/134063
=====================
= End-of-Day report =
=====================
Timeframe: Monday 15-09-2025 18:00 − Tuesday 16-09-2025 18:00
Handler: Felician Fuchs
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ New large-scale npm attack: self-propagating malware infects dozens of packages ∗∗∗
---------------------------------------------
Various IT security companies are warning of new attacks on the npm ecosystem around node.js. Several dozen packages (at least 40, according to one report close to 150) are infected with malware that steals secrets and exfiltrates them via a webhook. The malware also replicates itself autonomously, which makes it a worm. [..] It is still unclear where the attack began; the three companies analysing it do not name a clear "patient zero". [..] JavaScript developers, and in particular maintainers of packages hosted on npm, should exercise the utmost caution and consult the extensive list of infected packages.
---------------------------------------------
https://heise.de/-10651111
∗∗∗ Apple backports zero-day patches to older iPhones and iPads ∗∗∗
---------------------------------------------
Apple has released security updates to backport patches released last month to older iPhones and iPads, addressing a zero-day bug that was exploited in "extremely sophisticated" attacks. This security flaw is the same one Apple has patched for devices running iOS 18.6.2 and iPadOS 18.6.2, iPadOS 17.7.10, and macOS (Sequoia 15.6.1, Sonoma 14.7.8, and Ventura 13.7.8) on August 20.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/apple-backports-zero-day-pat…
∗∗∗ Patch status unclear: attackers target manufacturing management tool DELMIA Apriso ∗∗∗
---------------------------------------------
DELMIA Apriso is a manufacturing operations management (MOM) software and a manufacturing execution system (MES) [..] The software's vendor, Dassault Systèmes, already mentioned the vulnerability (CVE-2025-5086, "critical") in June of this year in an extremely tersely worded advisory. [..] At the beginning of September, a security researcher at the SANS Institute Internet Storm Center warned of exploitation attempts in a post. [..] It also remains unclear whether a security patch exists.
---------------------------------------------
https://www.heise.de/news/Patchstatus-unklar-Attacken-auf-Fertigungsmanagem…
∗∗∗ IServ: school solution with weakness included? ∗∗∗
---------------------------------------------
On 8 September 2025 someone noticed that the web frontend of the IServ school server from IServ GmbH allows "user enumeration" in the broadest sense. If someone enters a person's name on a school's IServ login page and attempts to log in without knowing the password, the login naturally fails. So far everything is fine, since this login attempt is rejected. The problem is that the responses to these failed login attempts differ depending on whether the user account exists or not, and reportedly also depend on other conditions.
---------------------------------------------
https://www.borncity.com/blog/2025/09/16/iserve-schulloesung-mit-schwaeche-…
∗∗∗ Microsoft: Exchange 2016 and 2019 reach end of support in 30 days ∗∗∗
---------------------------------------------
Microsoft has reminded administrators again that Exchange 2016 and Exchange 2019 will reach the end of extended support next month and has provided guidance for decommissioning outdated servers.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-2016-and…
∗∗∗ Phoenix: new Rowhammer variant grants attackers root privileges ∗∗∗
---------------------------------------------
Researchers from Google and ETH Zürich have presented a new variant of the Rowhammer attack. It also affects modern DDR5 RAM modules, which were supposed to be protected against such attacks. [..] According to the discoverers' information page, the attack technique, named Phoenix, exploits a weakness in the Rowhammer countermeasures, which do not cover certain refresh intervals of the memory.
---------------------------------------------
https://www.golem.de/news/phoenix-neue-rowhammer-variante-verleiht-angreife…
∗∗∗ RevengeHotels: a new wave of attacks leveraging LLMs and VenomRAT ∗∗∗
---------------------------------------------
Kaspersky GReAT expert takes a closer look at the RevengeHotels threat actors new campaign, including AI-generated scripts, targeted phishing, and VenomRAT.
---------------------------------------------
https://securelist.com/revengehotels-attacks-with-ai-and-venomrat-across-la…
∗∗∗ New FileFix Variant Delivers StealC Malware Through Multilingual Phishing Site ∗∗∗
---------------------------------------------
Cybersecurity researchers have warned of a new campaign that's leveraging a variant of the FileFix social engineering tactic to deliver the StealC information stealer malware. "The observed campaign uses a highly convincing, multilingual phishing site (e.g., fake Facebook Security page), with anti-analysis techniques and advanced obfuscation to evade detection," Acronis security researcher Eliad Kimhy said in a report shared with The Hacker News.
---------------------------------------------
https://thehackernews.com/2025/09/new-filefix-variant-delivers-stealc.html
∗∗∗ SmokeLoader Rises From the Ashes ∗∗∗
---------------------------------------------
Active since 2011, SmokeLoader (aka Smoke or Dofoil) is a popular malware loader that is designed to deliver second-stage payloads such as trojans, ransomware, and information stealers. [..] In May 2024, Operation Endgame, an international collaboration between law enforcement and private industry (which included Zscaler ThreatLabz) dismantled numerous instances of SmokeLoader and remotely removed the malware from infected systems. [..] ThreatLabz has identified two new SmokeLoader versions that are being used by multiple threat groups.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/smokeloader-rises-ashes
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (kernel and kernel-rt), Debian (node-sha.js and python-django), Fedora (chromium, cups, exiv2, perl-Catalyst-Authentication-Credential-HTTP, perl-Catalyst-Plugin-Session, perl-Plack-Middleware-Session, and qemu), Red Hat (container-tools:rhel8, podman, and udisks2), SUSE (cargo-audit, cargo-c, cargo-packaging, and kernel-devel), and Ubuntu (libcpanel-json-xs-perl, libjson-xs-perl, rubygems, sqlite3, and vim).
---------------------------------------------
https://lwn.net/Articles/1038325/
∗∗∗ Spring Security and Spring Framework Release Fixes for CVE-2025-41248 and CVE-2025-41249 ∗∗∗
---------------------------------------------
https://spring.io/blog/2025/09/15/spring-framework-and-spring-security-fixe…
∗∗∗ LG WebOS TV Path Traversal, Authentication Bypass and Full Device Takeover ∗∗∗
---------------------------------------------
https://ssd-disclosure.com/lg-webos-tv-path-traversal-authentication-bypass…
∗∗∗ Mozilla Security Advisories September 16, 2025 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/
∗∗∗ TYPO3-EXT-SA-2025-013: Vulnerability in bundled package in extension "Base Excel" (base_excel) ∗∗∗
---------------------------------------------
https://typo3.org/security/advisory/typo3-ext-sa-2025-013
∗∗∗ TYPO3-EXT-SA-2025-012: Cross-Site Scripting in extension "Form to Database" (form_to_database) ∗∗∗
---------------------------------------------
https://typo3.org/security/advisory/typo3-ext-sa-2025-012
∗∗∗ Synology-SA-25:11 Safe Access ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_25_11
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Friday 12-09-2025 18:00 − Monday 15-09-2025 18:00
Handler: Felician Fuchs
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Microsoft reminds of Windows 10 support ending in 30 days ∗∗∗
---------------------------------------------
On Friday, Microsoft reminded customers once again that Windows 10 will reach its end of support in 30 days, on October 14.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-reminds-of-window…
∗∗∗ Shiny tools, shallow checks: how the AI hype opens the door to malicious MCP servers ∗∗∗
---------------------------------------------
Kaspersky experts discuss the Model Context Protocol used for AI integration. We describe MCP's architecture and attack vectors and follow a proof of concept to see how it can be abused.
---------------------------------------------
https://securelist.com/model-context-protocol-for-ai-integration-abused-in-…
∗∗∗ A Cyberattack Victim Notification Framework ∗∗∗
---------------------------------------------
When cyber incidents occur, victims should be notified in a timely manner so they have the opportunity to assess and remediate any harm. However, providing notifications has proven a challenge across industry.
---------------------------------------------
https://www.schneier.com/blog/archives/2025/09/a-cyberattack-victim-notific…
∗∗∗ Lawsuit About WhatsApp Security ∗∗∗
---------------------------------------------
Attaullah Baig, WhatsApp’s former head of security, has filed a whistleblower lawsuit alleging that Facebook deliberately failed to fix a bunch of security flaws, in violation of its 2019 settlement agreement with the Federal Trade Commission.
---------------------------------------------
https://www.schneier.com/blog/archives/2025/09/lawsuit-about-whatsapp-secur…
∗∗∗ FBI Warns of UNC6040 and UNC6395 Targeting Salesforce Platforms in Data Theft Attacks ∗∗∗
---------------------------------------------
The U.S. Federal Bureau of Investigation (FBI) has issued a flash alert to release indicators of compromise (IoCs) associated with two cybercriminal groups tracked as UNC6040 and UNC6395 for a string of data theft and extortion attacks. "Both groups have recently been observed targeting organizations' Salesforce platforms via different initial access mechanisms," the FBI said.
---------------------------------------------
https://thehackernews.com/2025/09/fbi-warns-of-unc6040-and-unc6395.html
∗∗∗ All your vulns are belong to us! CISA wants to maintain gov control of CVE program ∗∗∗
---------------------------------------------
Get ready for a fight over who steers the global standard for vulnerability identification. The Cybersecurity and Infrastructure Security Agency (CISA) nearly let the Common Vulnerabilities and Exposures (CVE) program lapse earlier this year, but a new "vision" document it released this week signals that it now wants more control over the global standard for vulnerability identification.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/09/12/cisas_vision…
∗∗∗ Docker Image Security – Part 2: Minimal and secure Docker images ∗∗∗
---------------------------------------------
Distroless images drastically reduce package sizes by leaving out unnecessary components such as Bash and package managers. This improves performance and security.
---------------------------------------------
https://www.heise.de/hintergrund/Docker-Image-Security-Teil-2-Minimale-und-…
∗∗∗ Cybercriminals: "Scattered Lapsus$ Hunters" have had enough ∗∗∗
---------------------------------------------
The gang recently made headlines with cyberattacks on Jaguar and Marks & Spencer that caused immense damage. Not all of them are lying low.
---------------------------------------------
https://www.heise.de/news/Cybergang-Scattered-Lapsus-Hunters-kuendigt-Absch…
∗∗∗ Attackers can knock out the IBM QRadar SIEM security solution ∗∗∗
---------------------------------------------
Various components of IBM's QRadar SIEM security solution are vulnerable. If attackers successfully exploit the flaws, they can, among other things, cause DoS conditions that crash services. If the protection the application is supposed to provide falls away as a result, the consequences can be severe.
---------------------------------------------
https://www.heise.de/news/Angreifer-koennen-IT-Sicherheitsloesung-IBM-QRada…
∗∗∗ Trusted Connections, Hidden Risks: Token Management in the Third-Party Supply Chain ∗∗∗
---------------------------------------------
Effective OAuth token management is crucial for supply chain security, preventing breaches caused by dormant integrations, insecure storage or lack of rotation.
---------------------------------------------
https://unit42.paloaltonetworks.com/third-party-supply-chain-token-manageme…
∗∗∗ npm hack: Attackers largely come away empty-handed ∗∗∗
---------------------------------------------
It was certainly a disaster in terms of supply chain compromise: the hack of an npm developer account, including the injection of malicious code. The attacker, however, appears to have walked away with fairly empty hands; depending on the source, they are said to have stolen between 65 and 600 US dollars in cryptocurrency.
---------------------------------------------
https://www.borncity.com/blog/2025/09/14/npm-hack-angreifer-schauen-weitgeh…
∗∗∗ New VoidProxy Phishing Service Bypasses MFA on Microsoft and Google Accounts ∗∗∗
---------------------------------------------
Okta Threat Intelligence exposes VoidProxy, a new PhaaS platform. Learn how this advanced service uses the Adversary-in-the-Middle technique to bypass MFA and how to protect yourself from attacks targeting Microsoft and Google accounts.
---------------------------------------------
https://hackread.com/voidproxy-phishing-service-bypasses-mfa-microsoft-goog…
∗∗∗ Qrator Labs Mitigated Record L7 DDoS Attack from 5.76M-Device Botnet ∗∗∗
---------------------------------------------
Qrator Labs blocked a record L7 DDoS attack from a 5.76M-device botnet targeting government systems, showing rapid global growth since March.
---------------------------------------------
https://hackread.com/qrator-labs-mitigate-l7-ddos-attack-5-76m-botnet/
∗∗∗ 600 GB of Alleged Great Firewall of China Data Published in Largest Leak Yet ∗∗∗
---------------------------------------------
Hackers leaked 600 GB of data linked to the Great Firewall of China, exposing documents, code, and operations. Full details available on the GFW Report.
---------------------------------------------
https://hackread.com/great-firewall-of-china-data-published-largest-leak/
∗∗∗ ShadowSilk Data Exfiltration Attack ∗∗∗
---------------------------------------------
FortiGuard Labs’ network telemetry has observed active exploitation of known vulnerabilities in Drupal Core and the WP-Automatic WordPress plugin for initial access. Following compromise, attackers deploy multiple web shells and utilities to enable lateral movement, privilege escalation, and the installation of remote access trojans (RATs).
---------------------------------------------
https://fortiguard.fortinet.com/outbreak-alert/shadowsilk-data-exfiltration
∗∗∗ Phishing campaign targeting crates.io users ∗∗∗
---------------------------------------------
We received multiple reports of a phishing campaign targeting crates.io users (from the rustfoundation.dev domain name), mentioning a compromise of our infrastructure and asking users to authenticate to limit damage to their crates.
---------------------------------------------
https://blog.rust-lang.org/2025/09/12/crates-io-phishing-campaign/
∗∗∗ The Internet Coup ∗∗∗
---------------------------------------------
A Technical Analysis on How a Chinese Company is Exporting The Great Firewall to Autocratic Regimes.
---------------------------------------------
https://interseclab.org/research/the-internet-coup/
=====================
= Vulnerabilities =
=====================
∗∗∗ Flaw in Microsoft Agentic AI and Visual Studio can let malicious code through ∗∗∗
---------------------------------------------
Attackers can target a vulnerability in Microsoft Agentic AI and Visual Studio. If an attack succeeds, they can execute malicious code and most likely fully compromise systems. A security update is available for download.
---------------------------------------------
https://www.heise.de/news/Schadcode-Schlupfloch-in-Microsoft-Agentic-AI-und…
∗∗∗ Patch now! Attacks on Samsung Android smartphones observed ∗∗∗
---------------------------------------------
Attackers are currently exploiting a security vulnerability in Samsung smartphones running Android 13, 14, 15 and 16. It allows malicious code to reach devices. A security patch is available for selected devices.
---------------------------------------------
https://www.heise.de/news/Jetzt-patchen-Attacken-auf-Android-Smartphones-vo…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (cups, kernel, and mysql-selinux and mysql8.4), Debian (cjson, jetty9, and shibboleth-sp), Fedora (bustle, cef, checkpointctl, chromium, civetweb, cups, forgejo, jupyterlab, kernel, libsixel, linenoise, maturin, niri, perl-Cpanel-JSON-XS, python-uv-build, ruff, rust-busd, rust-crypto-auditing-agent, rust-crypto-auditing-client, rust-crypto-auditing-event-broker, rust-matchers, rust-monitord, rust-monitord-exporter, rust-secret-service, rust-tracing-subscriber, rustup, tcpreplay, tuigreet, udisks2, uv, and xwayland-satellite), Oracle (cups, gdk-pixbuf2, kernel, mysql-selinux and mysql8.4, and php:8.2), Red Hat (kernel, kernel-rt, and multiple packages), Slackware (cups, kernel, and patch), and SUSE (busybox, busybox-links, chromedriver, chromium, cups-filters, curl, go1.25, jasper, java-11-openj9, java-17-openj9, java-1_8_0-openjdk, kernel, kernel-devel, kubo, libssh-config, orthanc-gdcm, python-aiohttp, python-eventlet, python-h2, and xen).
---------------------------------------------
https://lwn.net/Articles/1038231/
∗∗∗ CVE-2025-58434: Critical FlowiseAI Flaw Enables Full Account Takeover ∗∗∗
---------------------------------------------
A severe security vulnerability has been discovered in FlowiseAI, an open-source AI workflow automation tool, exposing users to the risk of complete account compromise. Tracked as CVE-2025-58434, this vulnerability affects both the cloud-hosted version of FlowiseAI and self-hosted deployments that expose the relevant API endpoints.
---------------------------------------------
https://thecyberexpress.com/cve-2025-58434/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 11-09-2025 18:00 − Friday 12-09-2025 18:00
Handler: Guenes Holler
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ Panama Ministry of Economy discloses breach claimed by INC ransomware ∗∗∗
---------------------------------------------
Panama's Ministry of Economy and Finance (MEF) has disclosed that one of its computers may have been compromised in a cyberattack. The government noted that it activated the security procedures for these situations, stating that the incident has been contained and didn't impact core systems that are vital to its operations.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/panama-ministry-of-economy-d…
∗∗∗ Vidar Infostealer Back with a Vengeance ∗∗∗
---------------------------------------------
The long-running Vidar infostealer has evolved with new obfuscation techniques. That is according to researchers at cybersecurity vendor Aryaka, which published research last week dedicated to a fresh campaign involving the malware-as-a-service Vidar that has emerged in recent weeks. First tracked in late 2018, Vidar is an infostealer that enables affiliates to grab credentials, operating system details, cookies, sensitive financial data, various authentication tokens, and more from compromised environments.
---------------------------------------------
https://www.darkreading.com/endpoint-security/vidar-infostealer-back-with-v…
∗∗∗ Senator Wyden Urges FTC to Probe Microsoft for Ransomware-Linked Cybersecurity Negligence ∗∗∗
---------------------------------------------
U.S. Senator Ron Wyden has called on the Federal Trade Commission (FTC) to probe Microsoft and hold it responsible for what he called "gross cybersecurity negligence" that enabled ransomware attacks on U.S. critical infrastructure, including against healthcare networks.
---------------------------------------------
https://thehackernews.com/2025/09/senator-wyden-urges-ftc-to-probe.html
∗∗∗ New HybridPetya Ransomware Bypasses UEFI Secure Boot With CVE-2024-7344 Exploit ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered a new ransomware strain dubbed HybridPetya that resembles the notorious Petya/NotPetya malware, while also incorporating the ability to bypass the Secure Boot mechanism in Unified Extensible Firmware Interface (UEFI) systems using a now-patched vulnerability disclosed earlier this year.
---------------------------------------------
https://thehackernews.com/2025/09/new-hybridpetya-ransomware-bypasses.html
∗∗∗ Apple Warns French Users of Fourth Spyware Campaign in 2025, CERT-FR Confirms ∗∗∗
---------------------------------------------
Apple has notified users in France of a spyware campaign targeting their devices, according to the Computer Emergency Response Team of France (CERT-FR). The agency said the alerts were sent out on September 3, 2025, making it the fourth time this year that Apple has notified citizens in the country that at least one of the devices linked to their iCloud accounts may have been compromised as part of highly targeted attacks.
---------------------------------------------
https://thehackernews.com/2025/09/apple-warns-french-users-of-fourth.html
∗∗∗ Huntress's hilarious attacker surveillance splits infosec community ∗∗∗
---------------------------------------------
Security outfit Huntress has been forced onto the defensive after its latest research – described by senior staff as "hilarious" – split opinion across the cybersecurity community.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/09/12/huntress_att…
∗∗∗ Bulletproof Host Stark Industries Evades EU Sanctions ∗∗∗
---------------------------------------------
In May 2025, the European Union levied financial sanctions on the owners of Stark Industries Solutions Ltd., a bulletproof hosting provider that materialized two weeks before Russia invaded Ukraine and quickly became a top source of Kremlin-linked cyberattacks and disinformation campaigns. But new findings show those sanctions have done little to stop Stark from simply rebranding and transferring their assets to other corporate entities controlled by its original hosting providers.
---------------------------------------------
https://krebsonsecurity.com/2025/09/bulletproof-host-stark-industries-evade…
∗∗∗ Swiss government looks to undercut privacy tech, stoking fears of mass surveillance ∗∗∗
---------------------------------------------
The Swiss government could soon require service providers with more than 5,000 users to collect government-issued identification, retain subscriber data for six months and, in many cases, disable encryption.
---------------------------------------------
https://therecord.media/switzerland-digital-privacy-law-proton-privacy-surv…
∗∗∗ Were the router URLs sphairon.box and zyxel.box hijacked? ∗∗∗
---------------------------------------------
I am posting a topic here on the blog that has now been reported to me by two readers and that reminds me of an old incident at AVM involving the fritz.box URL. It appears that the URLs sphairon.box and zyxel.box, used by routers (Zyxel, Sphairon) for access to the router functions, have been hijacked by registered domains. The target pages are to be classified as "malicious".
---------------------------------------------
https://www.borncity.com/blog/2025/09/12/wurden-router-urls-sphairon-box-un…
∗∗∗ EvilAI Operators Use AI-Generated Code and Fake Apps for Far-Reaching Attacks ∗∗∗
---------------------------------------------
Combining AI-generated code and social engineering, EvilAI operators are executing a rapidly expanding campaign, disguising their malware as legitimate applications to bypass security, steal credentials, and persistently compromise organizations worldwide.
---------------------------------------------
https://www.trendmicro.com/en_us/research/25/i/evilai.html
∗∗∗ Muck Stealer Malware Used Alongside Phishing in New Attack Waves ∗∗∗
---------------------------------------------
A new report from Cofense reveals that cybercriminals are blending phishing and malware, including Muck Stealer, Info Stealer, ConnectWise RAT, and SimpleHelp RAT in dual-threat attacks, making them harder to defend against.
---------------------------------------------
https://hackread.com/muck-stealer-malware-phishing-new-attack-waves/
∗∗∗ Social engineering & AI: Cybercriminals recruiting on the darknet ∗∗∗
---------------------------------------------
Cybercriminals are increasingly looking for social engineering and AI experts on the darknet. An indication of which threats companies should watch out for.
---------------------------------------------
https://heise.de/-10642617
∗∗∗ ChillyHell macOS Backdoor Resurfaces ∗∗∗
---------------------------------------------
In 2025, cybersecurity researchers uncovered a deeply concerning threat targeting macOS systems called ChillyHell—a modular backdoor malware that had managed to fly under the radar for years by cleverly abusing macOS security mechanisms and Apple’s own notarization process.
---------------------------------------------
https://thecyberthrone.in/2025/09/11/chillyhell-macos-backdoor-resurfaces/
=====================
= Vulnerabilities =
=====================
∗∗∗ Samsung patches actively exploited zero-day reported by WhatsApp ∗∗∗
---------------------------------------------
Samsung has patched a remote code execution vulnerability that was exploited in zero-day attacks targeting its Android devices. Tracked as CVE-2025-21043, this critical security flaw affects Samsung devices running Android 13 or later and was reported by the security teams of Meta and WhatsApp on August 13.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/samsung-patches-actively-exp…
∗∗∗ Patch now! Renewed attacks on SonicWall firewalls observed ∗∗∗
---------------------------------------------
Die "kritische" Sicherheitslücke (CVE-2024-40766) ist seit August vergangenen Jahres bekannt. Wiederholt ist die Schwachstelle in bestimmten Firewalls von SonicWall im Visier von Angreifern. Sicherheitsupdates sind bereits seit rund einem Jahr verfügbar, aber offensichtlich weiterhin nicht flächendeckend installiert.
---------------------------------------------
https://www.heise.de/news/Jetzt-patchen-Erneut-Attacken-auf-SonicWall-Firew…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (cups, imagemagick, libcpanel-json-xs-perl, and libjson-xs-perl), Fedora (checkpointctl, chromium, civetweb, glycin, kernel, libssh, ruff, rust-secret-service, snapshot, and uv), Mageia (curl), Red Hat (kernel), SUSE (cups, curl, perl-Cpanel-JSON-XS, regionServiceClientConfigAzure, regionServiceClientConfigEC2, regionServiceClientConfigGCE, trivy, and xen), and Ubuntu (cups, node-cipher-base, and qemu).
---------------------------------------------
https://lwn.net/Articles/1037919/
∗∗∗ CISA Releases Eleven Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/09/11/cisa-releases-eleven-ind…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 10-09-2025 18:00 − Thursday 11-09-2025 18:00
Handler: Guenes Holler
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ New VMScape attack breaks guest-host isolation on AMD, Intel CPUs ∗∗∗
---------------------------------------------
A new Spectre-like attack dubbed VMScape allows a malicious virtual machine (VM) to leak cryptographic keys from an unmodified QEMU hypervisor process running on modern AMD or Intel CPUs.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-vmscape-attack-breaks-gu…
∗∗∗ K2 Think AI Model Jailbroken Mere Hours After Release ∗∗∗
---------------------------------------------
Researchers discovered that measures designed to make AI more transparent to users and regulators can also make it easier for bad actors to abuse.
---------------------------------------------
https://www.darkreading.com/application-security/k2-think-llm-jailbroken
∗∗∗ Opening a folder is enough: Popular AI code editor automatically executes malicious code ∗∗∗
---------------------------------------------
Anyone using the Cursor AI code editor should be careful when opening third-party repos. Malware can be executed unnoticed.
---------------------------------------------
https://www.golem.de/news/ordner-oeffnen-reicht-beliebter-ki-code-editor-fu…
∗∗∗ Fake Madgicx Plus and SocialMetrics Extensions Are Hijacking Meta Business Accounts ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed two new campaigns that are serving fake browser extensions using malicious ads and fake websites to steal sensitive data. The malvertising campaign, per Bitdefender, is designed to push fake "Meta Verified" browser extensions named SocialMetrics Pro that claim to unlock the blue check badge for Facebook and Instagram profiles.
---------------------------------------------
https://thehackernews.com/2025/09/fake-madgicx-plus-and-socialmetrics.html
∗∗∗ Akira ransomware crims abusing trifecta of SonicWall security holes for extortion attacks ∗∗∗
---------------------------------------------
Affiliates of the Akira ransomware gang are again exploiting a critical SonicWall vulnerability abused last summer, after a suspected zero-day flaw actually turned out to be related to a year-old bug.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/09/10/akira_ransom…
∗∗∗ Beijing went to EggStreme lengths to attack Philippines military, researchers say ∗∗∗
---------------------------------------------
‘EggStreme’ framework looks like the sort of thing Beijing would find handy in its ongoing territorial beefs. Infosec outfit Bitdefender says it’s spotted a strain of in-memory malware that looks like the work of Chinese advanced persistent threat groups that wanted to achieve persistent access at a “military company” in the Philippines.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/09/11/eggstreme_ma…
∗∗∗ Technical Analysis of kkRAT ∗∗∗
---------------------------------------------
Zscaler ThreatLabz has identified a malware campaign targeting Chinese-speaking users, which has been active since early May 2025. The campaign delivers three types of malware: ValleyRAT, FatalRAT, and a new Remote Access Trojan (RAT) that ThreatLabz named kkRAT.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/technical-analysis-kkrat
∗∗∗ The Great NPM Heist – September 2025 ∗∗∗
---------------------------------------------
On September 8, 2025, the JavaScript ecosystem experienced what is now considered the largest supply chain attack in npm history. A sophisticated phishing campaign led to the compromise of a trusted maintainer’s account, resulting in the injection of cryptocurrency-stealing malware into 18+ foundational npm packages.
---------------------------------------------
https://blog.checkpoint.com/crypto/the-great-npm-heist-september-2025/
∗∗∗ Global Cyber Threats August 2025: Agriculture in the Crosshairs ∗∗∗
---------------------------------------------
In August 2025, the global cyber threat landscape presented a complex interplay of stability and alarming new challenges. Organizations around the world confronted an average of nearly 2,000 cyber attacks each week—a slight 1% decrease from July but a stark 10% rise compared to the same month last year.
---------------------------------------------
https://blog.checkpoint.com/research/global-cyber-threats-august-2025-agric…
∗∗∗ How the Infamous APT 1 Report Exposing China’s PLA Hackers Came to Be ∗∗∗
---------------------------------------------
This is the first in a series of pieces I’ll publish that take an in-depth look at significant events, people and cases in security and surveillance from the past.
---------------------------------------------
https://www.zetter-zeroday.com/how-the-infamous-apt-1-report-exposing-china…
∗∗∗ CyberVolk Ransomware: Analysis of Double Encryption Structure and Disguised Decryption Logic ∗∗∗
---------------------------------------------
The CyberVolk ransomware, which first emerged in May 2024, has been launching attacks on public institutions and key infrastructures of various countries, posing a continuous threat. The ransomware is particularly notable for its pro-Russia nature, as it primarily targets anti-Russian countries, making it a geopolitically significant cyber threat.
---------------------------------------------
https://asec.ahnlab.com/en/90077/
∗∗∗ Trigona Rebranding Suspicions and Global Threats, and BlackNevas Ransomware Analysis ∗∗∗
---------------------------------------------
BlackNevas has been continuously launching ransomware attacks against companies in various industries and countries, including South Korea. This post provides a technical analysis on the characteristics, encryption methods, and reasons why BlackNevas encrypts files in a way that makes them impossible to decrypt.
---------------------------------------------
https://asec.ahnlab.com/en/90080/
∗∗∗ New Fileless Malware Attack Uses AsyncRAT for Credential Theft ∗∗∗
---------------------------------------------
LevelBlue Labs reports AsyncRAT delivered through a fileless attack chain using ScreenConnect, enabling credential theft and persistence.
---------------------------------------------
https://hackread.com/fileless-malware-attack-asyncrat-credential-theft/
∗∗∗ CISA Presents Vision for the Common Vulnerabilities and Exposures (CVE) Program ∗∗∗
---------------------------------------------
Agency Unveils Upcoming Program Enhancements: Strengthening Partnerships, Modernization, Transparency and Elevating Data Quality and Responsiveness.
---------------------------------------------
https://www.cisa.gov/news-events/news/cisa-presents-vision-common-vulnerabi…
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco IOS XR ARP Broadcast Storm Denial of Service Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the Address Resolution Protocol (ARP) implementation of Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to trigger a broadcast storm, leading to a denial of service (DoS) condition on an affected device.
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ DuckDB NPM packages 1.3.3 and 1.29.2 compromised with malware ∗∗∗
---------------------------------------------
The DuckDB distribution for Node.js on npm was compromised with malware (along with several other packages). An attacker published new versions of four of duckdb’s packages that included malicious code to interfere with cryptocoin transactions.
---------------------------------------------
https://github.com/duckdb/duckdb-node/security/advisories/GHSA-w62p-hx95-gf…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (python3.12-cryptography), Debian (chromium, hsqldb1.8.0, and imagemagick), Fedora (bustle, cef, maturin, rust-busd, rust-crypto-auditing-agent, rust-crypto-auditing-client, rust-crypto-auditing-event-broker, rust-monitord, rust-monitord-exporter, rustup, tuigreet, and wireshark), Oracle (kernel, microcode_ctl, and python3.12-cryptography), Red Hat (httpd:2.4 and multiple packages), SUSE (coreutils, curl, dpkg, ffmpeg-4, glib2, gnutls, go1.23-openssl, go1.24-openssl, go1.25-openssl, grub2, ImageMagick, jbigkit, kernel, libxslt, Mesa, opensc, opera, perl-JSON-XS, polkit, postgresql16, protobuf, python311, python311-deepdiff, sqlite3, ucode-intel, and warewulf4), and Ubuntu (bind9 and libxml2).
---------------------------------------------
https://lwn.net/Articles/1037777/
∗∗∗ Unauthenticated SQL Injection Vulnerability in Shibboleth Service Provider (SP) (ODBC Interface) ∗∗∗
---------------------------------------------
SEC Consult has identified an unauthenticated SQL injection vulnerability in the ODBC interface of the Shibboleth Service Provider (SP) that an attacker could exploit to read arbitrary records from the database with the privileges of the database user.
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/unauthentifizierte-sq…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 09-09-2025 18:00 − Wednesday 10-09-2025 18:00
Handler: Felician Fuchs
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Phishing in the name of the WKO: sensitive data targeted ∗∗∗
---------------------------------------------
Criminals are currently copying a genuine e-mail message from the Austrian Federal Economic Chamber (Wirtschaftskammer Österreich). Via an attached HTML document they try to lure their victims to a fake portal and harvest sensitive data there. We show you how to recognise the scam attempt.
---------------------------------------------
https://www.watchlist-internet.at/news/phishing-wko/
∗∗∗ You Already Have Our Personal Data, Take Our Phone Calls Too (FreePBX CVE-2025-57819) ∗∗∗
---------------------------------------------
Today, inside this hellscape we call the Internet, a mean person has discovered a zero-day(s) in FreePBX (now lovingly called CVE-2025-57819). But they didn’t stop there - the dastardly individual(s) then proceeded to exploit FreePBX hosts en masse. [..] Today, we are publishing our Detection Artefact Generator which you can find here.
---------------------------------------------
https://labs.watchtowr.com/you-already-have-our-personal-data-take-our-phon…
∗∗∗ US Investment in Spyware Is Skyrocketing ∗∗∗
---------------------------------------------
A new report warns that the number of US investors in powerful commercial spyware rose sharply in 2024 and names new countries linked to the dangerous technology.
---------------------------------------------
https://www.wired.com/story/us-spyware-investment/
∗∗∗ CHILLYHELL macOS Backdoor and ZynorRAT RAT Threaten macOS, Windows, and Linux Systems ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered two new malware families, including a modular Apple macOS backdoor called CHILLYHELL and a Go-based remote access trojan (RAT) named ZynorRAT that can target both Windows and Linux systems.
---------------------------------------------
https://thehackernews.com/2025/09/chillyhell-macos-backdoor-and-zynorrat.ht…
∗∗∗ Pwn My Ride: Exploring the CarPlay Attack Surface ∗∗∗
---------------------------------------------
At the recent DefCon conference, we had the opportunity to present Pwn My Ride, a comprehensive exploration of the Apple CarPlay attack surface. With vehicles becoming increasingly connected, the security of in-car systems like CarPlay is critical.
---------------------------------------------
https://www.oligo.security/blog/pwn-my-ride-exploring-the-carplay-attack-su…
∗∗∗ Kerberoasting ∗∗∗
---------------------------------------------
These “Kerberoasting” attacks have been around for ages: the technique and name are credited to Tim Medin who presented it in 2014 (and many popular blogs followed up on it) but the vulnerabilities themselves are much older. [..] I’ll bet most Windows people already know this stuff, but I only happened to learn about it today, after seeing a letter from Senator Wyden to Microsoft, describing how this vulnerability was used in the May 2024 ransomware attack on the Ascension Health hospital system.
---------------------------------------------
https://blog.cryptographyengineering.com/2025/09/10/kerberoasting/
∗∗∗ New Linux Botnet Combines Cryptomining and DDoS Attacks ∗∗∗
---------------------------------------------
Cyble threat intelligence researchers have identified a sophisticated Linux botnet built for cryptocurrency mining, remote command execution, and dozens of DDoS attack types. Cyble Research and Intelligence Labs (CRIL) researchers have dubbed the campaign “Luno.”
---------------------------------------------
https://thecyberexpress.com/linux-botnet-combines-cryptomining-and-ddos/
∗∗∗ Apple Introduces Memory Integrity Enforcement in iPhone 17 to Fight Spyware Exploits ∗∗∗
---------------------------------------------
Apple has introduced Memory Integrity Enforcement (MIE), a system-wide security feature designed to crush one of the most persistent threats to iPhone users—that of Spyware. The company describes MIE as “the most significant upgrade to memory safety in the history of consumer operating systems.”
---------------------------------------------
https://thecyberexpress.com/memory-integrity-enforcement-in-iphone-17/
=====================
= Vulnerabilities =
=====================
∗∗∗ Microsoft September 2025 Patch Tuesday fixes 81 flaws, two zero-days ∗∗∗
---------------------------------------------
Today is Microsoft's September 2025 Patch Tuesday, which includes security updates for 81 flaws, including two publicly disclosed zero-day vulnerabilities. [..] The two publicly disclosed zero-days are: CVE-2025-55234 - Windows SMB Elevation of Privilege Vulnerability [..] CVE-2024-21907 - VulnCheck: CVE-2024-21907 Improper Handling of Exceptional Conditions in Newtonsoft.Json
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-september-2025-pa…
∗∗∗ Adobe Patch Day: vulnerabilities in Acrobat & Co. can let malicious code onto PCs ∗∗∗
---------------------------------------------
List of security patches: Acrobat and Reader, After Effects, ColdFusion, Commerce, Dreamweaver, Experience Manager, Premiere Pro, Substance 3D Modeler, Substance 3D Viewer
---------------------------------------------
https://www.heise.de/news/Patchday-Adobe-Luecken-in-Acrobat-Co-koennen-Scha…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (buildah, containers-common, glycin, loupe, podman, rust-matchers, and rust-tracing-subscriber), Red Hat (fence-agents, jackson-annotations, jackson-core, jackson-databind, jackson-jaxrs-providers, and jackson-modules-base, pki-deps:10.6, python-requests, python3.12-cryptography, redis:6, redis:7, and resource-agents), Slackware (libssh), SUSE (aide, cloud-init, iperf, java-1_8_0-openjdk, jq, kernel-devel, python-deepdiff, regionServiceClientConfigAzure, regionServiceClientConfigEC2, and regionServiceClientConfigGCE), and Ubuntu (gnutls28).
---------------------------------------------
https://lwn.net/Articles/1037471/
∗∗∗ CISA Releases Fourteen Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
ICSA-25-252-01 Rockwell Automation ThinManager,
ICSA-25-252-02 ABB Cylon Aspect BMS/BAS,
ICSA-25-252-03 Rockwell Automation Stratix IOS,
ICSA-25-252-04 Rockwell Automation FactoryTalk Optix,
ICSA-25-252-05 Rockwell Automation FactoryTalk Activation Manager,
ICSA-25-252-06 Rockwell Automation CompactLogix® 5480,
ICSA-25-252-07 Rockwell Automation ControlLogix 5580,
ICSA-25-252-08 Rockwell Automation Analytics LogixAI,
ICSA-25-252-09 Rockwell Automation 1783-NATR
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/09/09/cisa-releases-fourteen-i…
∗∗∗ Google Chrome: Stable Channel Update for Desktop ∗∗∗
---------------------------------------------
http://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desk…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 08-09-2025 18:00 − Tuesday 09-09-2025 18:00
Handler: Felician Fuchs
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ TOR-Based Cryptojacking Attack Expands Through Misconfigured Docker APIs ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered a variant of a recently disclosed campaign that abuses the TOR network for cryptojacking attacks targeting exposed Docker APIs. Akamai, which discovered the latest activity last month, said it's designed to block other actors from accessing the Docker API from the internet.
---------------------------------------------
https://thehackernews.com/2025/09/tor-based-cryptojacking-attack-expands.ht…
∗∗∗ GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies ∗∗∗
---------------------------------------------
Salesloft has revealed that the data breach linked to its Drift application started with the compromise of its GitHub account. Google-owned Mandiant, which began an investigation into the incident, said the threat actor, tracked as UNC6395, accessed the Salesloft GitHub account from March through June 2025. It's currently not known how the digital intruders gained access to the GitHub account.
---------------------------------------------
https://thehackernews.com/2025/09/github-account-compromise-led-to.html
∗∗∗ RatOn Android Malware Detected With NFC Relay and ATS Banking Fraud Capabilities ∗∗∗
---------------------------------------------
A new Android malware called RatOn evolved from a basic tool capable of conducting Near Field Communication (NFC) attacks to a sophisticated remote access trojan with Automated Transfer System (ATS) capabilities to conduct device fraud.
---------------------------------------------
https://thehackernews.com/2025/09/raton-android-malware-detected-with-nfc.h…
∗∗∗ Axios Abuse and Salty 2FA Kits Fuel Advanced Microsoft 365 Phishing Attacks ∗∗∗
---------------------------------------------
Threat actors are abusing HTTP client tools like Axios in conjunction with Microsoft's Direct Send feature to form a "highly efficient attack pipeline" in recent phishing campaigns, according to new findings from ReliaQuest.
---------------------------------------------
https://thehackernews.com/2025/09/axios-abuse-and-salty-2fa-kits-fuel.html
∗∗∗ Salt Typhoon and UNC4841: Silent Push Discovers New Domains; Urges Defenders to Check Telemetry and Log Data ∗∗∗
---------------------------------------------
Silent Push has identified dozens of previously unreported domains, all aiming to obtain long-term, stealthy access to targeted organizations, used by the Chinese APT group, Salt Typhoon, along with some related People’s Republic of China (PRC) state-backed threat actors.
---------------------------------------------
https://www.silentpush.com/blog/salt-typhoon-2025/
∗∗∗ BSI warns: "Digital attack surfaces in the automotive sector are growing rapidly" ∗∗∗
---------------------------------------------
Digital services, over-the-air updates, AI and networked control units shape vehicle architectures, the BSI notes. Manufacturers and suppliers must take precautions.
---------------------------------------------
https://www.heise.de/news/BSI-warnt-Digitale-Angriffsflaechen-im-Automobils…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (kernel and kernel-rt), Debian (openafs and qemu), Fedora (buildah, containers-common, podman, python-flask, and snapshot), Mageia (postgresql, python-django, and udisks2), Oracle (kernel and libxml2), Red Hat (apache-commons-beanutils, firefox, httpd, httpd:2.4, kernel, kernel-rt, mod_http2, qt5-qt3d, and thunderbird), Slackware (libxml2), SUSE (firebird, go1.25-openssl, ImageMagick, microcode_ctl, netty, netty-tcnative, and ovmf), and Ubuntu (libetpan and postgresql-14, postgresql-16, postgresql-17).
---------------------------------------------
https://lwn.net/Articles/1037308/
∗∗∗ Unmasking The Gentlemen Ransomware: Tactics, Techniques, and Procedures Revealed ∗∗∗
---------------------------------------------
An analysis of the Gentlemen ransomware group, which employs advanced, adaptive tactics, techniques, and procedure to target critical industries worldwide.
---------------------------------------------
https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-rans…
∗∗∗ Zero-Day in Sitecore Exploited to Deploy WEEPSTEEL Malware ∗∗∗
---------------------------------------------
Hackers exploit a Sitecore zero-day (CVE-2025-53690) to deploy WEEPSTEEL Malware via ViewState attacks, enabling Remote Code Execution (RCE).
---------------------------------------------
https://hackread.com/zero-day-sitecore-exploited-deploy-weepsteel-malware/
∗∗∗ OpenAI paper: hallucinations apparently unavoidable ∗∗∗
---------------------------------------------
A new scientific paper published by OpenAI deals with hallucinations, that is, false information and relationships output by large language models (LLMs) and thus also by AI chatbots. All AI companies are working to keep hallucinations as low as possible. Eliminating them entirely, however, appears impossible. OpenAI itself now says the same.
---------------------------------------------
https://heise.de/-10637744
∗∗∗ LockBit Attempts Comeback with LockBit 5.0 Ransomware Release ∗∗∗
---------------------------------------------
LockBit was once the most feared ransomware group until global law enforcement action sent the group into decline last year. Now the threat group hopes to mount a comeback with LockBit 5.0.
---------------------------------------------
https://thecyberexpress.com/lockbit-5-0-ransomware/
=====================
= Vulnerabilities =
=====================
∗∗∗ Adobe patches critical SessionReaper flaw in Magento eCommerce platform ∗∗∗
---------------------------------------------
Adobe is warning of a critical vulnerability (CVE-2025-54236) in its Commerce and Magento Open Source platforms that researchers call SessionReaper and describe as one of "the most severe" flaws in the history of the product.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/adobe-patches-critical-sessi…
∗∗∗ Popular JavaScript packages tampered with ∗∗∗
---------------------------------------------
A number of popular JavaScript packages were recently tampered with in order to manipulate cryptocurrency transactions. The cause of this supply-chain attack appears to have been a successful phishing attack against the maintainer of these packages and their npm account. Manipulated versions of the affected packages have already been withdrawn.
---------------------------------------------
https://www.cert.at/de/aktuelles/2025/9/populare-javascript-pakete-manipuli…
∗∗∗ September 2025 Security Update ∗∗∗
---------------------------------------------
Ivanti is disclosing vulnerabilities in Ivanti Endpoint Manager (EPM) and Ivanti Connect Secure, Policy Secure, ZTA Gateways and Neurons for Secure Access.
---------------------------------------------
https://www.ivanti.com/blog/september-2025-security-update
∗∗∗ SAP Security Patch Day – September 2025 ∗∗∗
---------------------------------------------
SAP has released its September 2025 security patch package containing 26 security notes addressing critical vulnerabilities across enterprise SAP environments. This release includes four HotNews vulnerabilities with CVSS ratings up to 10.0, four High priority issues, sixteen Medium priority fixes, and two Low priority updates. The patches affect NetWeaver AS Java, S/4HANA, SAP HCM, Business Planning and Consolidation, Commerce Cloud, and SAP Business One.
---------------------------------------------
https://redrays.io/blog/sap-security-patch-day-september-2025/
∗∗∗ VU#461364: Hiawatha open-source web server has multiple vulnerabilities ∗∗∗
---------------------------------------------
https://kb.cert.org/vuls/id/461364
=====================
= End-of-Day report =
=====================
Timeframe: Friday 05-09-2025 18:00 − Monday 08-09-2025 18:00
Handler: Guenes Holler
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ iCloud Calendar abused to send phishing emails from Apple’s servers ∗∗∗
---------------------------------------------
iCloud Calendar invites are being abused to send callback phishing emails disguised as purchase notifications directly from Apple's email servers, making them more likely to bypass spam filters to land in targets' inboxes.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/icloud-calendar-abused-to-se…
∗∗∗ Fraunhofer SIT gives up: Volksverschlüsselung is being discontinued ∗∗∗
---------------------------------------------
Volksverschlüsselung, a joint initiative of the Fraunhofer Institute for Secure Information Technology (SIT) and Deutsche Telekom, will be discontinued on 31 January 2026 after roughly ten years of existence. This is according to a notice on the project's website. The aim of Volksverschlüsselung was to make end-to-end encrypted communication more user-friendly. But the project met with criticism right from the start.
---------------------------------------------
https://www.golem.de/news/fraunhofer-sit-gibt-auf-die-volksverschluesselung…
∗∗∗ Noisy Bear Campaign Targeting Kazakhstan Energy Sector Outed as a Planned Phishing Test ∗∗∗
---------------------------------------------
A threat actor possibly of Russian origin has been attributed to a new set of attacks targeting the energy sector in Kazakhstan. The activity, codenamed Operation BarrelFire, is tied to a new threat group tracked by Seqrite Labs as Noisy Bear. The threat actor has been active since at least April 2025.
---------------------------------------------
https://thehackernews.com/2025/09/noisy-bear-targets-kazakhstan-energy.html
∗∗∗ GPUGate Malware Uses Google Ads and Fake GitHub Commits to Target IT Firms ∗∗∗
---------------------------------------------
Cybersecurity researchers have detailed a new sophisticated malware campaign that leverages paid ads on search engines like Google to deliver malware to unsuspecting users looking for popular tools like GitHub Desktop. While malvertising campaigns have become commonplace in recent years, the latest activity gives it a little twist of its own: Embedding a GitHub commit into a page URL containing altered links that point to attacker-controlled infrastructure.
---------------------------------------------
https://thehackernews.com/2025/09/gpugate-malware-uses-google-ads-and.html
∗∗∗ Netflix phishing e-mail in circulation ∗∗∗
---------------------------------------------
An e-mail purporting to come from Netflix is currently circulating. It claims that an update of the account details is required; otherwise a charge of €8.99 would be due and access would be restricted. Beware: it is a fake! The message leads to a phishing website through which criminals attempt to steal account data.
---------------------------------------------
https://www.watchlist-internet.at/news/netflix-phishing-mail-im-umlauf-1/
∗∗∗ Blurring the Lines: Intrusion Shows Connection With Three Major Ransomware Gangs ∗∗∗
---------------------------------------------
The intrusion began in September 2024 with a download of a malicious file mimicking the EarthTime application by DeskSoft. Upon execution, SectopRAT was deployed which opened a connection to its command and control (C2) infrastructure. The threat actor established persistence by relocating the malicious file and placing a shortcut in the Startup folder, configured to trigger on user logon. They further elevated access by creating a new local account and assigning it local administrative privileges.
---------------------------------------------
https://thedfirreport.com/2025/09/08/blurring-the-lines-intrusion-shows-con…
∗∗∗ GhostAction Attack Steals 3,325 Secrets from GitHub Projects ∗∗∗
---------------------------------------------
On September 2, 2025, a GitHub user known as Grommash9 committed a new workflow file to the FastUUID project. The file, labelled “Github Actions Security,” appeared similar to routine automation scripts but was later found to contain malicious code designed to collect CI/CD secrets and send them to an external server.
---------------------------------------------
https://hackread.com/ghostaction-attack-steals-github-projects-secrets/
∗∗∗ Lazarus Group Deploys Malware With ClickFix Scam in Fake Job Interviews ∗∗∗
---------------------------------------------
A recent investigation by SentinelLABS and internet intelligence platform Validin reveals that North Korean threat actors behind the Contagious Interview campaign are actively abusing public cybersecurity platforms like Validin, Maltrail, and VirusTotal to improve their malicious activities.
---------------------------------------------
https://hackread.com/lazarus-group-malware-clickfix-scam-fake-job-interview/
∗∗∗ MostereRAT Deployed AnyDesk/TightVNC for Covert Full Access ∗∗∗
---------------------------------------------
FortiGuard Labs recently discovered a phishing campaign that employs multiple advanced evasion techniques. These include the use of an Easy Programming Language (EPL) to develop a staged payload, concealing malicious operations and disabling security tools to prevent alert triggers, securing Command and Control (C2) communications using mutual TLS (mTLS), supporting various methods for deploying additional payloads, and even installing popular remote access tools to grant attackers complete control over the compromised system.
---------------------------------------------
https://feeds.fortinet.com/~/924516446/0/fortinet/blogs~MostereRAT-Deployed…
∗∗∗ Ecovacs Deebot: attackers can inject arbitrary code ∗∗∗
---------------------------------------------
Vulnerability descriptions published over the weekend discuss partly high-risk security holes in robot vacuum cleaners from Ecovacs. For the affected Deebot models, updates that close the security holes have been available for some time. Owners should make sure to bring their base stations and robot vacuums up to date.
---------------------------------------------
https://heise.de/-10636233
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, libhtp, modsecurity-apache, shibboleth-sp, and wireless-regdb), Fedora (chromium, kea, tcpreplay, and yq), Mageia (rootcerts, nspr, nss & firefox and thunderbird), Red Hat (python3), and SUSE (7zip, chromedriver, go1.25, libQt5Pdf5, libsixel-bash-completion, libsoup2, libwireshark18, netty, rav1e, and trivy).
---------------------------------------------
https://lwn.net/Articles/1037157/
∗∗∗ RICOH Streamline NX vulnerable to tampering with operation history ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN75307484/
∗∗∗ CVE-2025-8699: NFC Card Vulnerability Exploitation Leading to Free Top-Up in KioSoft "Stored Value" Unattended Payment Solution ∗∗∗
---------------------------------------------
https://sec-consult.com/vulnerability-lab/advisory/nfc-card-vulnerability-e…
∗∗∗ Beckhoff Security Advisory 2025-001: CVE-2025-41701 ∗∗∗
---------------------------------------------
https://download.beckhoff.com/download/document/product-security/Advisories…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 04-09-2025 18:00 − Friday 05-09-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ The number of mis-issued 1.1.1.1 certificates grows. Here’s the latest. ∗∗∗
---------------------------------------------
Everything to know about the mishap that threatened to expose millions of users' queries.
---------------------------------------------
https://arstechnica.com/information-technology/2025/09/the-number-of-mis-is…
∗∗∗ Max severity Argo CD API flaw leaks repository credentials ∗∗∗
---------------------------------------------
An Argo CD vulnerability allows API tokens with even low project-level get permissions to access API endpoints and retrieve all repository credentials associated with the project.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/max-severity-argo-cd-api-fla…
∗∗∗ Known since May 2024: TP-Link confirms zero-day vulnerability in Archer routers ∗∗∗
---------------------------------------------
TP-Link models sold in this country are also affected. Under certain circumstances, attackers can inject malicious code remotely.
---------------------------------------------
https://www.golem.de/news/seit-mai-2024-bekannt-tp-link-bestaetigt-zero-day…
∗∗∗ IT threat evolution in Q2 2025. Mobile statistics ∗∗∗
---------------------------------------------
The report contains statistics on mobile threats (malware, adware, and unwanted software for Android) for Q2 2025, as well as a description of the most notable malware types identified during the reporting period.
---------------------------------------------
https://securelist.com/malware-report-q2-2025-mobile-statistics/117349/
∗∗∗ IT threat evolution in Q2 2025. Non-mobile statistics ∗∗∗
---------------------------------------------
The report presents statistics for Windows, macOS, IoT, and other threats, including ransomware, miners, local and web-based threats, for Q2 2025.
---------------------------------------------
https://securelist.com/malware-report-q2-2025-pc-iot-statistics/117421/
∗∗∗ SAP S/4HANA Critical Vulnerability CVE-2025-42957 Exploited in the Wild ∗∗∗
---------------------------------------------
A critical security vulnerability impacting SAP S/4HANA, an Enterprise Resource Planning (ERP) software, has come under active exploitation in the wild. The command injection vulnerability, tracked as CVE-2025-42957 (CVSS score: 9.9), was fixed by SAP as part of ..
---------------------------------------------
https://thehackernews.com/2025/09/sap-s4hana-critical-vulnerability-cve.html
∗∗∗ Vulnerabilities: Nvidia AI and networking technology can be attacked ∗∗∗
---------------------------------------------
Security updates close holes in, among others, Nvidia's AI platforms DGX and HGX.
---------------------------------------------
https://www.heise.de/news/Sicherheitsluecken-Nvidia-KI-und-Netzwerktechnik-…
∗∗∗ Stealerium malware secretly takes webcam photos for extortion ∗∗∗
---------------------------------------------
The freely available Stealerium malware detects pornography consumption and secretly takes webcam recordings. Cybercriminals use the photos for extortion.
---------------------------------------------
https://www.heise.de/news/Malware-fotografiert-Nutzer-heimlich-bei-Porno-Ko…
∗∗∗ Cyberattack forces Jaguar Land Rover to tell staff to stay at home ∗∗∗
---------------------------------------------
Luxury automaker Jaguar Land Rover says employees should stay home through the weekend as it works to mitigate the impact of a cyberattack.
---------------------------------------------
https://therecord.media/jaguar-land-rover-cyberattack-workers-stay-home
∗∗∗ SEO fraud-as-a-service scheme hijacks Windows servers to promote gambling websites ∗∗∗
---------------------------------------------
A malware campaign dubbed GhostRedirector by researchers at ESET attempts to compromise websites to drive traffic to gambling sites.
---------------------------------------------
https://therecord.media/seo-scheme-windows-malware-gambling-sites-ghostredi…
∗∗∗ Scammers Exploit Grok AI With Video Ad Scam to Push Malware on X ∗∗∗
---------------------------------------------
Researchers at Guardio Labs have uncovered a new “Grokking” scam where attackers trick Grok AI into spreading malicious…
---------------------------------------------
https://hackread.com/scammers-exploit-grok-ai-video-ad-scam-x-malware/
∗∗∗ Microsoft enforces more multi-factor authentication ∗∗∗
---------------------------------------------
Microsoft is updating its plans for "Phase 2" of enforced multi-factor authentication for Azure. On 1 October more services become due.
---------------------------------------------
https://heise.de/-10633932
∗∗∗ Czechia Warns of Chinese Data Transfers and Remote Administration for Espionage ∗∗∗
---------------------------------------------
Czechia’s national cybersecurity watchdog has issued a warning about foreign cyber operations, focussed on Chinese data transfers and remote administration, urging both government bodies and private businesses to bolster defenses amid rising espionage campaigns tied to China and Russia. The alert, published this week by the National Cyber and I..
---------------------------------------------
https://thecyberexpress.com/czechia-warns-of-chinese-data-transfer/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (udisks2), Oracle (httpd:2.4 and kernel), Red Hat (python-requests), and SUSE (chromium, gn, dcmtk, firefox, himmelblau, nginx, perl-Authen-SASL, perl-Crypt-URandom, postgresql15, python-Django, and python-maturin).
---------------------------------------------
https://lwn.net/Articles/1036907/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 03-09-2025 18:00 − Thursday 04-09-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Mis-issued certificates for 1.1.1.1 DNS service pose a threat to the Internet ∗∗∗
---------------------------------------------
The three certificates were issued in May but only came to light Wednesday.
---------------------------------------------
https://arstechnica.com/security/2025/09/mis-issued-certificates-for-1-1-1-…
∗∗∗ Automated Sextortion Spyware Takes Webcam Pics of Victims Watching Porn ∗∗∗
---------------------------------------------
A new specimen of “infostealer” malware offers a disturbing feature: It monitors a target's browser for NSFW content, then takes simultaneous screenshots and webcam photos of the victim.
---------------------------------------------
https://www.wired.com/story/stealerium-infostealer-porn-sextortion/
∗∗∗ Serial offenders claim responsibility for IT attack on Jaguar Land Rover ∗∗∗
---------------------------------------------
Three British criminal gangs have apparently joined forces. They are boasting about the IT attack on Jaguar Land Rover.
---------------------------------------------
https://www.heise.de/news/Serientaeter-bekennen-sich-zu-IT-Angriff-auf-Jagu…
∗∗∗ Critical infrastructure: attacks on industrial control systems possible ∗∗∗
---------------------------------------------
Important security updates have been released for industrial control systems from Hitachi, among others. One patch is still outstanding.
---------------------------------------------
https://www.heise.de/news/Kritische-Infrastrukturen-Attacken-auf-industriel…
∗∗∗ TP-Link warns of botnet infecting routers and targeting Microsoft 365 accounts ∗∗∗
---------------------------------------------
The Quad7 botnet is adding End-of-Life TP-Link routers to its arsenal and using them to steal Microsoft 365 accounts.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2025/09/tp-link-warns-of-botnet-infe…
∗∗∗ Microsoft support scam: phishing trap instead of online help ∗∗∗
---------------------------------------------
If a pop-up window urges you to call the Microsoft helpline, extreme caution is advised! Behind the prompt there are no IT experts waiting to help with computer problems. Rather, criminals are using this route to gain access to their victims' accounts.
---------------------------------------------
https://www.watchlist-internet.at/news/microsoft-support-betrug/
∗∗∗ Scattered Lapsus$ Hunters Demand Google Fire Security Experts or Face Data Leak ∗∗∗
---------------------------------------------
Scattered Lapsus$ Hunters threaten Google, demanding that two security experts, Austin Larsen of Google’s Threat Intelligence Group and Charles Carmakal of Mandiant, be fired or they will leak alleged stolen Google data.
---------------------------------------------
https://hackread.com/scattered-lapsus-hunters-google-fire-experts-data-leak/
∗∗∗ 25,000 IPs Scanned Cisco ASA Devices — New Vulnerability Potentially Incoming ∗∗∗
---------------------------------------------
GreyNoise observed two scanning surges against Cisco Adaptive Security Appliance (ASA) devices in late August including more than 25,000 unique IPs in a single burst. This activity represents a significant elevation above baseline, typically registering at less than 500 IPs per day.
---------------------------------------------
https://www.greynoise.io/blog/scanning-surge-cisco-asa-devices
∗∗∗ ViewState Deserialization Zero-Day Vulnerability in Sitecore Products (CVE-2025-53690) ∗∗∗
---------------------------------------------
In a recent investigation, Mandiant Threat Defense discovered an active ViewState deserialization attack affecting Sitecore deployments leveraging a sample machine key that had been exposed in Sitecore deployment guides from 2017 and earlier. An attacker leveraged the exposed ASP.NET machine keys to perform remote code ..
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/viewstate-deserial…
∗∗∗ Cookie Chaos: How to bypass __Host and __Secure cookie prefixes ∗∗∗
---------------------------------------------
Browsers added cookie prefixes to protect your sessions and stop attackers from setting harmful cookies. In this post, you’ll see how to bypass cookie defenses using discrepancies in browser and ..
---------------------------------------------
https://portswigger.net/research/cookie-chaos-how-to-bypass-host-and-secure…
∗∗∗ Linux Kernel SMB 0-Day Vulnerability CVE-2025-37899 Uncovered Using ChatGPT o3 ∗∗∗
---------------------------------------------
For the first time, a zero-day vulnerability in the Linux kernel has been discovered using a large language model, OpenAI’s o3. Discovered by security researcher Sean Heelan and assigned ..
---------------------------------------------
https://www.upwind.io/feed/linux-kernel-smb-0-day-vulnerability-cve-2025-37…
∗∗∗ s1ngularity's Aftermath: AI, TTPs, and Impact in the Nx Supply Chain Attack ∗∗∗
---------------------------------------------
A deeper look at the Nx supply chain attack: analyzing the performance of AI-powered malware, calculating incident impact, and sharing novel TTPs for further investigation.
---------------------------------------------
https://www.wiz.io/blog/s1ngularitys-aftermath
∗∗∗ Nx Investigation Reveals GitHub Actions Workflow Exploit Led to npm Token Theft, Prompting Switch to Trusted Publishing ∗∗∗
---------------------------------------------
On August 26, 2025, the JavaScript ecosystem witnessed a watershed moment in supply chain security. The popular Nx build system, with over 4.6 million weekly downloads, fell victim to an attack that stole thousands of credentials and pioneered a disturbing new technique: weaponizing AI developer tools for scaling reconnaissance and data theft. The Nx team ..
---------------------------------------------
https://socket.dev/blog/nx-supply-chain-attack-investigation-github-actions…
∗∗∗ Exploit development for IBM i ∗∗∗
---------------------------------------------
At TROOPERS24, we demonstrated how IBM i systems – still widely used in enterprise environments – can be compromised in both authenticated and unauthenticated scenarios, using only built-in services and a basic understanding of the underlying mechanisms. Despite being labeled “legacy,” these systems remain active in finance, logistics, and manufacturing, often handling critical workloads with little attention paid to their security posture.
---------------------------------------------
https://blog.silentsignal.eu/2025/09/04/Exploit-development-for-IBM-i/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 02-09-2025 18:00 − Mittwoch 03-09-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Hackers breach fintech firm in attempted $130M bank heist ∗∗∗
---------------------------------------------
Hackers tried to steal $130 million from Evertec's Brazilian subsidiary Sinqia S.A. after gaining unauthorized access to its environment on the central bank's real-time payment system (Pix).
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-breach-fintech-firm-…
∗∗∗ What Is a Passkey? Here’s How to Set Up and Use Them (2025) ∗∗∗
---------------------------------------------
Passkeys were built to enable a password-free future. Here's what they are and how you can start using them.
---------------------------------------------
https://www.wired.com/story/what-is-a-passkey-and-how-to-use-them/
∗∗∗ Patch day: critical malicious-code vulnerability threatens Android 15 and 16 ∗∗∗
---------------------------------------------
Important security updates close several security vulnerabilities in various Android versions.
---------------------------------------------
https://www.heise.de/news/Patchday-Kritische-Schadcode-Luecke-bedroht-Andro…
∗∗∗ Phishing alert: FinanzOnline is not threatening to seize your household goods! ∗∗∗
---------------------------------------------
A very recent phishing wave in the name of FinanzOnline is causing great uncertainty. The central threat: seizure of household goods by the bailiff! It sounds alarming, but in reality it is nothing other than an attempted fraud. We explain, ..
---------------------------------------------
https://www.watchlist-internet.at/news/phishing-alarm-finanzonline-pfaendun…
∗∗∗ Model Namespace Reuse: An AI Supply-Chain Attack Exploiting Model Name Trust ∗∗∗
---------------------------------------------
Model namespace reuse is a potential security risk in the AI supply chain. Attackers can misuse platforms like Hugging Face for remote code execution.
---------------------------------------------
https://unit42.paloaltonetworks.com/model-namespace-reuse/
∗∗∗ Digital sovereignty: Cloud Edition. ∗∗∗
---------------------------------------------
The erratic behaviour of the current US administration has heightened concerns about Europe's dependence on the large US cloud operators. In the EU, both the Commission and the Parliament have presented documents on this topic; this year the Commission has already asked for ideas for a Cloud and AI Development Act. In Germany too ..
---------------------------------------------
https://www.cert.at/de/blog/2025/9/digitale-souveranitat-cloud-edition
∗∗∗ Cloudflare, Zscaler among companies impacted by Salesloft Drift incident ∗∗∗
---------------------------------------------
Multiple tech firms have publicly detailed how incidents involving the third-party Salesloft Drift tool have exposed customer data.
---------------------------------------------
https://therecord.media/salesloft-drift-breach-cloudflare-zscaler-palo-alto…
∗∗∗ Corruption case against ousted cyber chief is ‘revenge,’ Ukraine’s security service says ∗∗∗
---------------------------------------------
Ukraine’s security service is accusing the country’s anti-corruption agencies of seeking “revenge” by bringing charges against Illia Vitiuk, the former head of the agency’s cybersecurity unit.
---------------------------------------------
https://therecord.media/corruption-case-against-ousted-cyber
∗∗∗ Cloudflare Mitigates Largest Ever Recorded DDoS Attack at 11.5 Tbps ∗∗∗
---------------------------------------------
Cloudflare mitigated the largest DDoS attack ever recorded, an 11.5 Tbps flood that lasted 35 seconds without disrupting…
---------------------------------------------
https://hackread.com/cloudflare-mitigates-largest-ddos-attack-11-5-tbps/
∗∗∗ CISA, NSA and 19 International Partners Release Shared Vision of Software Bill of Materials for Cybersecurity Guide ∗∗∗
---------------------------------------------
CISA, NSA, and 19 international partners release a shared vision of Software Bill of Materials (SBOM) highlighting the importance of SBOM in securing global supply chains & enhancing software resilience worldwide.
---------------------------------------------
https://www.cisa.gov/news-events/news/cisa-nsa-and-19-international-partner…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (httpd, kernel, and kernel-rt), Debian (python-eventlet and python-h2), Mageia (aide, gnutls, tomcat, and vim), Oracle (httpd, mod_http2, postgresql:15, python3.11, python3.12, python3.9, and udisks2), Red Hat (kernel, postgresql, postgresql:12, and postgresql:15), SUSE (dcmtk, jupyter-bqplot-jupyterlab, kured, libudisks2-0, munge, python-eventlet, python-future, python311-eventlet, rekor, traefik2, and ucode-intel), and Ubuntu (linux-aws, ..
---------------------------------------------
https://lwn.net/Articles/1036567/
∗∗∗ Vulnerability & Patch Roundup — August 2025 ∗∗∗
---------------------------------------------
https://blog.sucuri.net/2025/08/vulnerability-patch-roundup-august-2025.html
=====================
= End-of-Day report =
=====================
Timeframe: Montag 01-09-2025 18:00 − Dienstag 02-09-2025 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Zscaler data breach exposes customer info after Salesloft Drift compromise ∗∗∗
---------------------------------------------
In an advisory, Zscaler says that its Salesforce instance was impacted by this supply-chain attack, exposing customers' information. [..] This warning follows the compromise of Salesloft Drift, an AI chat agent that integrates with Salesforce, in which attackers stole OAuth and refresh tokens, enabling them to gain access to customer Salesforce environments and exfiltrate sensitive data. [..] The company stresses that the data breach only impacts its Salesforce instance and no Zscaler products, services, or infrastructure.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/zscaler-data-breach-exposes-…
∗∗∗ Stolen OAuth tokens expose Palo Alto customer data ∗∗∗
---------------------------------------------
Palo Alto Networks is writing to customers that may have had commercially sensitive data exposed after criminals used stolen OAuth credentials lifted from the Salesloft Drift break-in to gain entry to its Salesforce instance.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/09/02/stolen_oauth…
∗∗∗ No, Google did not warn 2.5 billion Gmail users to reset passwords ∗∗∗
---------------------------------------------
This is just the latest such story, which numerous news websites and cybersecurity companies have reported without verification in recent years. [..] However, as the company explained on a Monday blog post addressing these inaccurate stories, "Gmail's protections are strong and effective, and claims of a major Gmail security warning are false."
---------------------------------------------
https://www.bleepingcomputer.com/news/technology/no-google-did-not-warn-25-…
∗∗∗ Badges, behavior, and BMS: Why the human perimeter matters in energy cybersecurity ∗∗∗
---------------------------------------------
Over the summer, a hacker brought a 158-year-old European technology company to its knees with a guessed password. By identifying a weak admin credential, the attacker gained access to internal systems and extracted sensitive information, laying the groundwork for a broader ransomware campaign. [..] Energy cybersecurity is not just about software protection — it’s also about managing human interaction and physical access to critical infrastructure. [..] Even the most secure system in the world won’t help if someone holds the door open for the wrong person.
---------------------------------------------
https://blog.se.com/digital-transformation/cybersecurity/2025/09/01/badges-…
∗∗∗ Cookies and how to bake them: what they are for, associated risks, and what session hijacking has to do with it ∗∗∗
---------------------------------------------
Kaspersky experts explain the different types of cookies, how to configure them correctly, and how to protect yourself from session hijacking attacks.
---------------------------------------------
https://securelist.com/cookies-and-session-hijacking/117390/
∗∗∗ A quick look at sextortion at scale: 1,900 messages and 205 Bitcoin addresses spanning four years, (Tue, Sep 2nd) ∗∗∗
---------------------------------------------
What can almost 2,000 sextortion messages tell us about how threat actors operate and whether they are successful? [..] The use of specific cryptocurrency addresses in sextortion messages seems to be fairly short-lived. Approximately 46% of the addresses in the dataset were only used for a single day [..] the average requested amount was 1,716 USD, with a median of 1,370 USD [..] Of the 205 cryptocurrency addresses in our dataset, only 57 (~28%) didn’t receive any payment at all, while the remaining addresses did.
---------------------------------------------
https://isc.sans.edu/diary/rss/32252
∗∗∗ Ukrainian Network FDN3 Launches Massive Brute-Force Attacks on SSL VPN and RDP Devices ∗∗∗
---------------------------------------------
Cybersecurity researchers have flagged a Ukrainian IP network for engaging in massive brute-force and password spraying campaigns targeting SSL VPN and RDP devices between June and July 2025. The activity originated from a Ukraine-based autonomous system FDN3 (AS211736), per French cybersecurity company Intrinsec.
---------------------------------------------
https://thehackernews.com/2025/09/ukrainian-network-fdn3-launches-massive.h…
∗∗∗ Warning, Bitpanda phishing: crypto balances at risk! ∗∗∗
---------------------------------------------
Criminals are sending SMS messages warning of an alleged login to the victim's Bitpanda account. They also include a phone number to call to clear things up. On the other end, however, the scammers are waiting, and they are after crypto assets.
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-bitpanda-phishing-krypto/
=====================
= Vulnerabilities =
=====================
∗∗∗ Home automation: ESPHome vulnerability allows full compromise ∗∗∗
---------------------------------------------
In the ESP-IDF platform of the ESPHome firmware base, a newly discovered security vulnerability allows attackers to bypass authentication. This even enables them to load their own firmware onto vulnerable controllers. [..] A new vulnerability entry from Monday of this week discusses the security vulnerability in the firmware. [..] (CVE-2025-57808 / no EUVD yet, CVSS 8.1, risk "high")
---------------------------------------------
https://www.heise.de/news/Heimautomatisierung-ESPHome-Luecke-erlaubt-volle-…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (kernel, mod_http2, postgresql, postgresql:15, and python39:3.9), Debian (libsndfile), Mageia (ceph, glibc, and golang), Oracle (postgresql and python39:3.9), Red Hat (aide, postgresql:12, postgresql:13, postgresql:15, and postgresql:16), SUSE (git, govulncheck-vulndb, jetty-minimal, nginx, python-future, and ruby2.5), and Ubuntu (imagemagick).
---------------------------------------------
https://lwn.net/Articles/1036369/
∗∗∗ TYPO3-EXT-SA-2025-011: Command Injection in extension "TYPO3 Backup Plus" (ns_backup) ∗∗∗
---------------------------------------------
https://typo3.org/security/advisory/typo3-ext-sa-2025-011
∗∗∗ Delta Electronics EIP Builder ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-245-01
∗∗∗ SunPower PVS6 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-245-03
∗∗∗ Fuji Electric FRENIC-Loader 4 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-245-02
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 29-08-2025 18:00 − Montag 01-09-2025 18:00
Handler: Felician Fuchs
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ Transparency and communication: BSI indirectly advises against continued use of Paypal ∗∗∗
---------------------------------------------
What happens to the data, and are reasons given for outages? Without naming Paypal, the BSI calls for not choosing a service based on usability alone.
---------------------------------------------
https://www.golem.de/news/transparenz-und-kommunikation-bsi-raet-indirekt-v…
∗∗∗ AWS warns: Russian hackers caught in attacks on Microsoft users ∗∗∗
---------------------------------------------
The notorious hacker group APT29 is said to have infected existing websites with malicious code in order to get at visitors' Microsoft accounts.
---------------------------------------------
https://www.golem.de/news/aws-warnt-russische-hacker-bei-attacken-auf-micro…
∗∗∗ Attackers Abuse Velociraptor Forensic Tool to Deploy Visual Studio Code for C2 Tunneling ∗∗∗
---------------------------------------------
Cybersecurity researchers have called attention to a cyber attack in which unknown threat actors deployed an open-source endpoint monitoring and digital forensic tool called Velociraptor, illustrating ongoing abuse of legitimate software for malicious purposes.
---------------------------------------------
https://thehackernews.com/2025/08/attackers-abuse-velociraptor-forensic.html
∗∗∗ Traffic to government domains often crosses national borders, or flows through risky bottlenecks ∗∗∗
---------------------------------------------
Sites at yourcountry.gov may also not bother with HTTPS. Internet traffic to government domains often flows across borders, relies on a worryingly small number of network connections, or does not require encryption, according to new research.
---------------------------------------------
https://www.theregister.com/2025/09/01/isoc_government_domain_traffic_measu…
∗∗∗ SSA Whistleblower’s Resignation Email Mysteriously Disappeared From Inboxes ∗∗∗
---------------------------------------------
Less than 30 minutes after the Social Security Administration’s chief data officer resigned following a whistleblower complaint, recipients could no longer access the resignation email.
---------------------------------------------
https://www.wired.com/story/charles-borges-resignation-email-disappearance/
∗∗∗ Backdoor report: British government wants full access to iCloud ∗∗∗
---------------------------------------------
It has still not been finally decided whether Apple must give British law enforcement access to iCloud. Now the full breadth of the data involved has become known.
---------------------------------------------
https://www.heise.de/news/Hintertuer-Bericht-Britische-Regierung-will-Vollz…
∗∗∗ After criticism: Ameos clinics want to proactively inform about data leak ∗∗∗
---------------------------------------------
After a successful cyberattack, the hospital group Ameos had provided an information request form. Following criticism, this has now been changed.
---------------------------------------------
https://www.heise.de/news/Ameos-Kliniken-Nach-IT-Angriff-steht-Auskunftsfor…
∗∗∗ IT infrastructure of the Interior Ministry hacked "in a targeted and professional manner" ∗∗∗
---------------------------------------------
According to the ministry's own statements, police data and applications are not affected. The attack took place several weeks ago but was only communicated now.
---------------------------------------------
https://www.derstandard.at/story/3000000285630/cyberangriff-auf-it-infrastr…
∗∗∗ Sweden scrambles after ransomware attack puts sensitive worker data at risk ∗∗∗
---------------------------------------------
Municipal government organisations across Sweden have found themselves impacted after a ransomware attack at a third-party software service supplier.
---------------------------------------------
https://www.bitdefender.com/en-us/blog/hotforsecurity/sweden-scrambles-afte…
∗∗∗ Strange spam mail; Accenture hacked? ∗∗∗
---------------------------------------------
A blog reader pointed out to me a few days ago that he had received a strange spam mail that was sent from an Accenture domain. In the meantime the domain is no longer reachable, which raises the question of the background.
---------------------------------------------
https://www.borncity.com/blog/2025/08/31/accenture-gehackt-merkwuerdige-phi…
∗∗∗ Sharp rise in cyberattacks on the education sector ∗∗∗
---------------------------------------------
Security vendor Check Point warns of a sharp rise in cyberattacks in the education sector: 41 percent worldwide, and in Germany even plus 56 percent. Educational institutions record on average more than 4300 attacks per week, driven by seasonal phishing campaigns at the start of the school year and semester.
---------------------------------------------
https://www.borncity.com/blog/2025/08/31/starker-anstieg-der-cyberangriffe-…
∗∗∗ PromptLock: first AI-powered malware discovered by ESET ∗∗∗
---------------------------------------------
ESET security researchers have discovered what they believe to be the "first known AI-powered ransomware", named PromptLock.
---------------------------------------------
https://www.borncity.com/blog/2025/08/31/promptlock-erste-ki-gestuetzte-mal…
∗∗∗ Citrix Netscaler backdoors — Part One — May 2025 activity against governments ∗∗∗
---------------------------------------------
This is a follow up post to the prior one, part of a series looking at different Netscaler vulnerabilities that have been exploited in the wild as zero days.
---------------------------------------------
https://doublepulsar.com/citrix-netscaler-backdoors-part-one-may-2025-activ…
∗∗∗ 8 Malicious NPM Packages Stole Chrome User Data on Windows ∗∗∗
---------------------------------------------
JFrog researchers found eight malicious NPM packages using 70 layers of obfuscation to steal data from Chrome browser users on Windows. The attack highlights a growing threat to developers.
---------------------------------------------
https://hackread.com/malicious-npm-packages-stole-chrome-user-data-windows/
∗∗∗ Widespread Data Theft Targets Salesforce Instances via Salesloft Drift ∗∗∗
---------------------------------------------
Update (August 28) Based on new information identified by GTIG, the scope of this compromise is not exclusive to the Salesforce integration with Salesloft Drift and impacts other integrations.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesfo…
∗∗∗ ShadowSilk Data Exfiltration Attack ∗∗∗
---------------------------------------------
Nearly three dozen organizations across Central Asia and the Asia-Pacific region, predominantly government agencies, have been compromised in data exfiltration campaigns attributed to the Russian and Chinese-speaking threat group known as ShadowSilk, according to Group-IB.
---------------------------------------------
https://fortiguard.fortinet.com/threat-signal-report/6190
∗∗∗ Vishing: how attacks by telephone succeed even against large companies ∗∗∗
---------------------------------------------
At Def Con one could watch live how vishing works. Surprisingly often, attackers obtain even the most important company information by telephone.
---------------------------------------------
https://heise.de/-10625451
∗∗∗ A16-FuseBypass: Debug Logic Enabled on Production Apple Silicon ∗∗∗
---------------------------------------------
This repository documents a critical hardware-level vulnerability in the Apple A16 Bionic chip used in iPhone 14 Pro Max and related devices.
---------------------------------------------
https://github.com/JGoyd/A16-FuseBypass
∗∗∗ KernelSnitch: Side-Channel Attacks on Kernel Data Structures ∗∗∗
---------------------------------------------
In this paper, we present a novel generic software side-channel attack, KernelSnitch, targeting kernel data structures such as hash tables and trees.
---------------------------------------------
https://lukasmaar.github.io/papers/ndss25-kernelsnitch.pdf
∗∗∗ Client-side RCE via CSS Injection in Google Web Designer for Windows ∗∗∗
---------------------------------------------
After my recent discovery of two client-side remote code execution vulnerabilities in Google Web Designer (previously disclosed in my articles earlier this year: CVE-2025-1079, CVE-2025-4613), in April 2025 I've found yet another serious issue in the app.
---------------------------------------------
https://balintmagyar.com/articles/google-web-designer-css-injection-client-…
∗∗∗ Passkeys are incompatible with open-source software ∗∗∗
---------------------------------------------
After reading more of the spec authors’ comments on open-source Passkey implementations, I cannot support this tech. In addition to what I covered at the bottom of this blog post, I found more instances where the spec authors have expressed positions that are incompatible with open-source software and user freedom.
---------------------------------------------
https://www.smokingonabike.com/2025/01/04/passkey-marketing-is-lying-to-you/
∗∗∗ Wallet-Draining npm Package Impersonates Nodemailer to Hijack Crypto Transactions ∗∗∗
---------------------------------------------
Socket’s Threat Research Team identified a malicious npm package, nodejs-smtp, that impersonates the popular email library nodemailer, which averages roughly 3.9 million weekly downloads, while implanting code into desktop cryptocurrency wallets on Windows.
---------------------------------------------
https://socket.dev/blog/wallet-draining-npm-package-impersonates-nodemailer
∗∗∗ The CISO’s Codex – Leo and the Laws of Security ∗∗∗
---------------------------------------------
A storytelling approach to cybersecurity, where a new CISO named Leo guides his company through foundational security models like Bell-LaPadula, Biba, Clark-Wilson, Brewer-Nash, and Graham-Denning/HRU.
---------------------------------------------
https://thecyberthrone.in/2025/08/30/the-cisos-codex-leo-and-the-laws-of-se…
∗∗∗ Nevada Faces Unprecedented Ransomware Attack ∗∗∗
---------------------------------------------
On August 24, 2025, Nevada made headlines as the victim of a historic cyberattack that forced a near-total shutdown of state government operations.
---------------------------------------------
https://thecyberthrone.in/2025/08/31/nevada-faces-unprecedented-ransomware-…
=====================
= Vulnerabilities =
=====================
∗∗∗ IT security solution Acronis Cyber Protect Cloud Agent is vulnerable ∗∗∗
---------------------------------------------
A security update closes a vulnerability in Acronis Cyber Protect Cloud Agent.
---------------------------------------------
https://www.heise.de/news/IT-Sicherheitsloesung-Acronis-Cyber-Protect-Cloud…
∗∗∗ Qnap: some high-risk vulnerabilities in QTS and QuTS hero closed ∗∗∗
---------------------------------------------
Updates for the QTS and QuTS hero firmware of Qnap devices close security vulnerabilities classified as high-risk.
---------------------------------------------
https://www.heise.de/news/Qnap-Update-schliesst-teils-hochriskante-Luecken-…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (postgresql16, postgresql:16, python3.11, and thunderbird), Debian (firebird4.0, libcommons-lang3-java, mbedtls, nodejs, openvpn, and ruby-saml), Fedora (cef, chromium, docker-buildx, exiv2, firefox, rocm-rpp, and udisks2), Oracle (postgresql:16), Red Hat (fence-agents, firefox, gdk-pixbuf2, httpd, kernel, kernel-rt, libarchive, libxml2, multiple packages, postgresql, postgresql16, postgresql:15, postgresql:16, python3.11, python3.12, python39:3.9, and thunderbird), Slackware (udisks2), SUSE (go-sendxmpp, helm, ImageMagick, javamail, jq, kea, kernel, libarchive, libsoup, libssh, libxml2, openssl-3, postgresql14, postgresql15, python, python-future, systemd, and xz), and Ubuntu (open-vm-tools and python2.7).
---------------------------------------------
https://lwn.net/Articles/1036084/
∗∗∗ Authenticated Attackers Could Exploit IBM Watsonx Vulnerability to Access Sensitive Data ∗∗∗
---------------------------------------------
A newly disclosed security vulnerability, tracked as CVE-2025-0165, has been reported, specifically concerning the users of the IBM Watsonx Orchestrate Cartridge within the IBM Cloud Pak for Data platform.
---------------------------------------------
https://thecyberexpress.com/decoding-cve-2025-0165-flaw/
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 28-08-2025 18:00 − Freitag 29-08-2025 18:00
Handler: Felician Fuchs
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Police warn of calls from fake Interior Minister asking for money ∗∗∗
---------------------------------------------
Interior Minister Karner is said to have asked for donations for ransom payments. The contact was made using a genuine number of the Interior Ministry.
---------------------------------------------
https://futurezone.at/digital-life/fake-innenminister-karner-anruf-scam-pol…
∗∗∗ Caution! Announcement of a tax audit by the tax office is a trap! ∗∗∗
---------------------------------------------
A new scam in the name of the Austrian tax office is currently making the rounds. This time it is not an access code that is expiring. No refund waiting to be paid out. In the current case, criminals are trying to cause harm via the announcement of a tax audit.
---------------------------------------------
https://www.watchlist-internet.at/news/falle-finanzamt-betriebspruefung/
∗∗∗ Citrix forgot to tell you CVE-2025–6543 has been used as a zero day since May 2025 ∗∗∗
---------------------------------------------
Netscaler customers have a problem: the product is on fire. And not in a good way. Serious threat actors are running rings around the product on a regular basis, zero days being exploited regularly, and Citrix/Cloud Software Group simply aren’t being transparent about what is happening with customers so they cannot make real assessments of compromise. Applying patches after already being exploited is not working.
---------------------------------------------
https://doublepulsar.com/citrix-forgot-to-tell-you-cve-2025-6543-has-been-u…
∗∗∗ Early end of support for SonicWall SMA100 ∗∗∗
---------------------------------------------
Support is to end on 31 October 2025, according to a notice from a SonicWall partner.
---------------------------------------------
https://www.borncity.com/blog/2025/08/29/vorzeitige-beendigung-des-supports…
∗∗∗ How attackers adapt to built-in macOS protection ∗∗∗
---------------------------------------------
We analyze the built-in protection mechanisms in macOS: how they work, how threat actors can attack them or deceive users, and how to detect such attacks.
---------------------------------------------
https://securelist.com/macos-security-and-typical-attacks/117367/
∗∗∗ Passkeys Pwned: Turning WebAuthn Against Itself ∗∗∗
---------------------------------------------
On the DEFCON 33 main stage, SquareX researchers disclosed a major passkey vulnerability that uses malicious extensions/scripts to fake passkey registration and logins, allowing attackers to access enterprise SaaS apps without the user’s device or biometrics.
---------------------------------------------
https://labs.sqrx.com/passkeys-pwned-0dbddb7ade1a
∗∗∗ Ransomware gang takedowns causing explosion of new, smaller groups ∗∗∗
---------------------------------------------
The ransomware ecosystem continues to splinter, with new gangs proliferating in the wake of law enforcement takedowns that have scattered affiliates and prompted criminal rebrands.
---------------------------------------------
https://therecord.media/ransomware-gang-takedown-proliferation
=====================
= Vulnerabilities =
=====================
∗∗∗ Windows: zero-day vulnerability in LNK display ∗∗∗
---------------------------------------------
According to ZDI, Microsoft took the position that the vulnerability does not reach the severity threshold for remediation. Even after about half a year of back and forth, Microsoft did not change its mind. ZDI finally published the report and has now also issued a CVE entry for it. [..] "The vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file," ZDI concludes. [..] (CVE-2025-9491 / no EUVD yet, CVSS 7.0, risk "high")
---------------------------------------------
https://heise.de/-10625780
∗∗∗ FreePBX Servers Targeted by Zero-Day Flaw, Emergency Patch Now Available ∗∗∗
---------------------------------------------
The vulnerability, assigned the CVE identifier CVE-2025-57819, carries a CVSS score of 10.0, indicating maximum severity. "Insufficiently sanitized user-supplied data allows unauthenticated access to FreePBX Administrator, leading to arbitrary database manipulation and remote code execution," the project maintainers said in an advisory. [..] "We are seeing active exploitation of FreePBX in the wild with activity traced back as far as August 21 and backdoors being dropped post-compromise," watchTowr CEO Benjamin Harris said in a statement shared with The Hacker News.
---------------------------------------------
https://thehackernews.com/2025/08/freepbx-servers-targeted-by-zero-day.html
∗∗∗ clickstudios Passwordstate 2025-08-28 ∗∗∗
---------------------------------------------
Fixed a potential authentication bypass issue associated with accessing the core Passwordstate Products' Emergency Access page, by using a carefully crafted URL, which could allow access to the Passwordstate Administration section.
---------------------------------------------
https://www.clickstudios.com.au/security/advisories/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (aide, fence-agents, firefox, kernel-rt, python-cryptography, and thunderbird), Debian (golang-github-gin-contrib-cors, libxml2, and udisks2), Fedora (chromium), Oracle (postgresql16, postgresql:16, python3.11, and thunderbird), Red Hat (lz4 and mpfr), SUSE (chromium, docker, dpkg, firefox, gdk-pixbuf, git, git, git-lfs, obs-scm-bridge, python-PyYAML, gnutls, kernel, libarchive, libxml2, net-tools, netty, perl-Crypt-CBC, polkit, postgresql14, postgresql15, sqlite3, thunderbird, tomcat10, and udisks2), and Ubuntu (linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-intel-iotg, linux-intel-iotg-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx, linux-oracle, linux-raspi, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.14, linux-gcp, linux-hwe-6.14, linux-raspi, linux-realtime, linux-realtime-6.14, linux, linux-aws, linux-aws-6.8, linux-gcp, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-oracle, linux-oracle-6.8, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-azure, linux-fips, linux-fips, linux-aws-fips, linux-gcp-fips, linux-gke, linux-hwe-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-raspi, linux-gke, linux-kvm, linux-oem-6.14, linux-realtime, linux-intel-iot-realtime, linux-realtime, linux-raspi-realtime, openldap, and udisks2).
---------------------------------------------
https://lwn.net/Articles/1035724/
∗∗∗ QNAP: Multiple Vulnerabilities in File Station 5 ∗∗∗
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-25-19
∗∗∗ QNAP: Multiple Vulnerabilities in QTS and QuTS hero ∗∗∗
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-25-21
∗∗∗ Tenable: [R1] Stand-alone Security Patches Available for Tenable Security Center versions 6.4.x, 6.5.1 and 6.6.0: SC-202508.1 ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2025-17
∗∗∗ Mitsubishi Electric MELSEC iQ-F Series CPU Module ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-240-01
∗∗∗ Mitsubishi Electric MELSEC iQ-F Series CPU Module ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-240-02
∗∗∗ GE Vernova CIMPLICITY ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-240-06
∗∗∗ Delta Electronics CNCSoft-G2 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-240-04
∗∗∗ Delta Electronics COMMGR ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-240-05
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 27-08-2025 18:00 − Thursday 28-08-2025 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Experimental PromptLock ransomware uses AI to encrypt, steal data ∗∗∗
---------------------------------------------
Threat researchers discovered the first AI-powered ransomware, called PromptLock, that uses Lua scripts to steal and encrypt data on Windows, macOS, and Linux systems. The malware uses OpenAI’s gpt-oss:20b model through the Ollama API to dynamically generate the malicious Lua scripts from hard-coded prompts.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/experimental-promptlock-rans…
∗∗∗ ZipLine Phishers Flip Script as Victims Email First ∗∗∗
---------------------------------------------
"ZipLine" appears to be a sophisticated and carefully planned campaign that has already affected dozens of small, medium, and large ... A financially motivated threat actor is flipping the phishing playbook by getting victims to make the first email contact with the attacker rather than the other way around. The scam involves the adversary hitting up Contact Us forms on company websites under the guise of partnership inquiries or other business pretexts and waiting for the target to respond. Over a couple of weeks, they build credibility with carefully crafted, professional-sounding emails before hitting their mark with a weaponized zip file.
---------------------------------------------
https://www.darkreading.com/cyberattacks-data-breaches/zipline-phishers-vic…
∗∗∗ AppSuite PDF Editor Backdoor: A Detailed Technical Analysis ∗∗∗
---------------------------------------------
Some threat actors are bold enough to submit their own malware as false positive to antivirus companies and demand removal of the detection. This is exactly what happened with AppSuite PDF Editor. Initially, automation flagged it as a potentially unwanted program—a verdict that is typically reserved for legitimate software with shady features like unwanted advertisement or installation of third-party programs without proper consent. In the case of AppSuite, however, we found a backdoor.
---------------------------------------------
https://feeds.feedblitz.com/~/923960972/0/gdatasecurityblog-en~AppSuite-PDF…
∗∗∗ Sweden: cyberattack paralyzes systems of hundreds of municipalities ∗∗∗
---------------------------------------------
A Swedish IT service provider called Miljödata has apparently become the target of a serious cyberattack. According to a report by Bleeping Computer, the attack is said to be causing outages in more than 200 Swedish administrations. The news portal Sweden Herald even speaks of 250 affected customers, of which at least 164 are said to be municipal administrations.
---------------------------------------------
https://www.golem.de/news/schweden-cyberangriff-legt-systeme-hunderter-komm…
∗∗∗ Malicious Screen Connect Campaign Abuses AI-Themed Lures for Xworm Delivery ∗∗∗
---------------------------------------------
During a recent Advanced Continual Threat Hunt (ACTH) investigation, the Trustwave SpiderLabs Threat Hunt team identified a deceptive campaign that abused fake AI-themed content to lure users into executing a malicious, pre-configured ScreenConnect installer.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/malicious-s…
∗∗∗ More than 28,000 NetScaler instances vulnerable to Citrix Bleed 3 ∗∗∗
---------------------------------------------
On Wednesday it became known that vulnerabilities in Citrix NetScalers (ADC and Gateway), already dubbed "Citrix Bleed 3", are being attacked. The Shadowserver Foundation published figures on Wednesday according to which, as of Tuesday, more than 28,000 systems worldwide were still vulnerable to the "Citrix Bleed 3" flaw. Attackers can presumably exploit the vulnerabilities on these systems.
---------------------------------------------
https://www.heise.de/news/Mehr-als-28-000-Netscaler-Instanzen-anfaellig-fue…
∗∗∗ Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System ∗∗∗
---------------------------------------------
People’s Republic of China (PRC) state-sponsored cyber threat actors are targeting networks globally, including, but not limited to, telecommunications, government, transportation, lodging, and military infrastructure networks. While these actors focus on large backbone routers of major telecommunications providers, as well as provider edge (PE) and customer edge (CE) routers, they also leverage compromised devices and trusted connections to pivot into other networks. These actors often modify routers to maintain persistent, long-term access to networks.
---------------------------------------------
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a
∗∗∗ Microsoft warns: ransomware group Storm-0501 attacks (Azure) cloud, demands payments ∗∗∗
---------------------------------------------
Microsoft warns of the financially motivated group Storm-0501, which continuously targets cloud instances (Azure). On success, data is exfiltrated, then the originals are encrypted and backups destroyed. A ransom is then demanded.
---------------------------------------------
https://www.borncity.com/blog/2025/08/28/microsoft-warnt-ransomware-gruppe-…
∗∗∗ Zip Slip, Path Traversal Vulnerability during File Decompression ∗∗∗
---------------------------------------------
Path traversal or directory traversal vulnerabilities are security vulnerabilities that occur mainly due to improper validation of user inputs. Attackers can read, modify, or even create new files that are originally inaccessible or located in unintended paths using relative or absolute paths. Although these vulnerabilities have been known for a long time, they are still being discovered in various environments and applications, not just web environments. This article examines Zip Slip, a path traversal vulnerability that occurs during the file decompression process of compression programs, and aims to introduce its main vulnerabilities.
---------------------------------------------
https://asec.ahnlab.com/en/89890/
∗∗∗ Thousands of Developer Credentials Stolen in macOS “s1ngularity” Attack ∗∗∗
---------------------------------------------
A supply chain attack called “s1ngularity” on Nx versions 20.9.0-21.8.0 stole thousands of developer credentials. The attack targeted macOS and AI tools, according to GitGuardian’s analysis.
---------------------------------------------
https://hackread.com/developer-credentials-stolen-macos-s1ngularity-attack/
∗∗∗ Cisco: several products with partly high-risk vulnerabilities ∗∗∗
---------------------------------------------
Network equipment maker Cisco released ten new security advisories on Wednesday. They cover partly high-risk vulnerabilities in several products.
---------------------------------------------
https://heise.de/-10623826
∗∗∗ Referral Beware, Your Rewards are Mine (Part 1) ∗∗∗
---------------------------------------------
Referral rewards programs are nearly ubiquitous today, from consumer tech to SaaS companies, but are rarely given much security oversight. In this blog post we’ll dig into the common technical implementations of rewards programs on web apps, common security issues with each approach, and recommendations for secure development of similar programs. In a subsequent post, we’ll explore real-world examples of these vulnerability classes in detail.
---------------------------------------------
https://rhinosecuritylabs.com/research/referral-beware-your-rewards-are-min…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (aide, firefox, kernel, and mod_http2), Debian (chromium and unbound), Fedora (mod_auth_openidc), Oracle (fence-agents and kernel), SUSE (ignition, jetty-minimal, kernel, libmozjs-128-0, matrix-synapse, postgresql13, postgresql15, postgresql16, and postgresql17), and Ubuntu (kernel).
---------------------------------------------
https://lwn.net/Articles/1035464/
∗∗∗ Libbiosig, Tenda, SAIL, PDF XChange, Foxit vulnerabilities ∗∗∗
---------------------------------------------
https://blog.talosintelligence.com/libbiosig-tenda-sail-pdf-xchange-foxit-v…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 26-08-2025 18:00 − Wednesday 27-08-2025 18:00
Handler: Felician Fuchs
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Cyberattack on Ameos: large hospital group suffers data theft ∗∗∗
---------------------------------------------
Data of patients and employees of the Ameos Group has fallen into the hands of cybercriminals. Those affected can now request details.
---------------------------------------------
https://www.golem.de/news/cyberangriff-auf-ameos-grosser-klinikverbund-erle…
∗∗∗ Malicious code incoming: actively exploited Git vulnerability endangers developers ∗∗∗
---------------------------------------------
Anyone using Git should update the software urgently. Attackers are using a security vulnerability to inject malicious code.
---------------------------------------------
https://www.golem.de/news/schadcode-im-anmarsch-aktiv-ausgenutzte-git-lueck…
∗∗∗ Cyber Dome: German federal government plans stronger cyber defense ∗∗∗
---------------------------------------------
The plans for better cyber defense are still very vague. A draft law from Alexander Dobrindt is expected by the end of 2025.
---------------------------------------------
https://www.golem.de/news/cyber-dome-bundesregierung-plant-staerkere-cybera…
∗∗∗ US government takes stake in Intel: are crypto functions still trustworthy? ∗∗∗
---------------------------------------------
The US government's stake in Intel undermines functions such as Confidential Computing and "sovereign cloud".
---------------------------------------------
https://www.heise.de/news/Intel-Chips-USA-inside-10622136.html
∗∗∗ Google Chrome: update closes critical security vulnerability ∗∗∗
---------------------------------------------
In the Google Chrome web browser, the developers have closed a security vulnerability rated as a critical risk. Anyone using the browser should make sure they are running the latest version.
---------------------------------------------
https://www.heise.de/news/Google-Chrome-Update-schliesst-kritische-Sicherhe…
∗∗∗ Paypal: German banks apparently blocked payments worth billions of euros ∗∗∗
---------------------------------------------
The Süddeutsche Zeitung reports that German banks had stopped payments to Paypal. The trigger was a security problem.
---------------------------------------------
https://www.heise.de/news/Paypal-Deutsche-Banken-blockierten-offenbar-Zahlu…
∗∗∗ Governments, tech companies meet in Tokyo to share tips on fighting North Korea IT worker scheme ∗∗∗
---------------------------------------------
The U.S. State Department said it worked with the Ministries of Foreign Affairs in Japan and South Korea to organize the forum, which had more than 130 attendees from freelance work platforms, payment service providers, cryptocurrency companies, AI firms and more.
---------------------------------------------
https://therecord.media/japan-us-south-korea-forum-north-korea-it-worker-sc…
∗∗∗ Widespread Data Theft Targets Salesforce Instances via Salesloft Drift ∗∗∗
---------------------------------------------
Google Threat Intelligence Group (GTIG) is issuing an advisory to alert organizations about a widespread data theft campaign, carried out by the actor tracked as UNC6395. Beginning as early as Aug. 8, 2025 through at least Aug. 18, 2025, the actor targeted Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift third-party application.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesfo…
∗∗∗ The One Where We Just Steal The Vulnerabilities (CrushFTP CVE-2025-54309) ∗∗∗
---------------------------------------------
As we’ve all experienced in 2025, 2025 has been the year of vendors burying their heads in the sand with regard to in-the-wild exploitation, even in the face of impressively indisputable evidence, and using their status as a CNA to somehow get CVEs with suspiciously similar identifiers to the point that confusion appears almost intentional.
---------------------------------------------
https://labs.watchtowr.com/the-one-where-we-just-steal-the-vulnerabilities-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (node-cipher-base), Fedora (keylime-agent-rust and libtiff), Oracle (aide, kernel, mod_http2, pam, pki-deps:10.6, python-cryptography, python3, python3.12, and thunderbird), SUSE (cheat, ffmpeg, firebird, govulncheck-vulndb, postgresql17, tomcat, tomcat10, tomcat11, ucode-intel-20250812, and v2ray-core), and Ubuntu (binutils, gst-plugins-base1.0, gst-plugins-good1.0, and linux-raspi-realtime).
---------------------------------------------
https://lwn.net/Articles/1035307/
∗∗∗ Malicious versions of Nx and some supporting plugins were published ∗∗∗
---------------------------------------------
https://github.com/nrwl/nx/security/advisories/GHSA-cxm3-wv7p-598c
=====================
= End-of-Day report =
=====================
Timeframe: Monday 25-08-2025 18:00 − Tuesday 26-08-2025 18:00
Handler: Felician Fuchs
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ New AI attack hides data-theft prompts in downscaled images ∗∗∗
---------------------------------------------
Researchers have developed a novel attack that steals user data by injecting malicious prompts in images processed by AI systems before delivering them to a large language model.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-ai-attack-hides-data-the…
∗∗∗ ShadowCaptcha Exploits WordPress Sites to Spread Ransomware, Info Stealers, and Crypto Miners ∗∗∗
---------------------------------------------
A new large-scale campaign has been observed exploiting over 100 compromised WordPress sites to direct site visitors to fake CAPTCHA verification pages that employ the ClickFix social engineering tactic to deliver information stealers, ransomware, and cryptocurrency miners. The large-scale cybercrime campaign, first detected in August 2025, ..
---------------------------------------------
https://thehackernews.com/2025/08/shadowcaptcha-exploits-wordpress-sites.ht…
∗∗∗ Malware-ridden apps made it into Google's Play Store, scored 19 million downloads ∗∗∗
---------------------------------------------
Everything's fine, the ad slinger assures us. Cloud security vendor Zscaler says customers of Google's Play Store have downloaded more than 19 million instances of malware-laden apps that evaded the web giant's security scans.
---------------------------------------------
https://www.theregister.com/2025/08/26/apps_android_malware/
∗∗∗ Security updates: unauthorized access to GitHub Enterprise Server possible ∗∗∗
---------------------------------------------
A security vulnerability threatens GitHub Enterprise Server. Admins should install the patched release promptly.
---------------------------------------------
https://www.heise.de/news/Sicherheitsupdates-Unbefugte-Zugriffe-auf-GitHub-…
∗∗∗ ScreenConnect admins targeted by spear-phishing attacks ∗∗∗
---------------------------------------------
A phishing campaign is currently underway that harvests ScreenConnect credentials. The attackers want to deploy ransomware.
---------------------------------------------
https://www.heise.de/news/ScreenConnect-Admins-im-Visier-von-Spear-Phishing…
∗∗∗ HP Security Manager: malicious code vulnerability in printer management tool ∗∗∗
---------------------------------------------
A security vulnerability in HP's Security Manager allows attackers to inject malicious code. An update is available.
---------------------------------------------
https://www.heise.de/news/HP-Security-Manager-Schadcode-Luecke-in-Druckerve…
∗∗∗ DSLRoot, Proxies, and the Threat of ‘Legal Botnets’ ∗∗∗
---------------------------------------------
The cybersecurity community on Reddit responded in disbelief this month when a self-described Air National Guard member with top secret security clearance began questioning the arrangement they'd made with a company called DSLRoot, which was paying $250 a month to plug a pair of laptops into the Redditor's high-speed Internet connection in the United States. This post ..
---------------------------------------------
https://krebsonsecurity.com/2025/08/dslroot-proxies-and-the-threat-of-legal…
∗∗∗ Cyberattack on the city of Nuremberg: pro-Russian hackers suspected ∗∗∗
---------------------------------------------
Arrest warrants have been issued against Russian nationals
---------------------------------------------
https://www.derstandard.at/story/3000000285014/cyberangriff-auf-die-stadt-n…
∗∗∗ The eternal call of the password ∗∗∗
---------------------------------------------
The use of passwords has a long tradition in IT. And regularly everyone agrees that we should actually get rid of them. We still haven't managed that, even though passkeys are an interesting approach. So we are all sitting on large collections of passwords – the roughly 250 entries in ..
---------------------------------------------
https://www.cert.at/de/blog/2025/8/ewig-ruft-das-passwort
∗∗∗ Nearly 2,000 Malicious IPs Probe Microsoft Remote Desktop in Single-Day Surge ∗∗∗
---------------------------------------------
On August 21, GreyNoise observed a sharp surge in scanning against Microsoft Remote Desktop (RDP) services. The wave’s aim was clear: test for timing flaws that reveal valid usernames, laying the groundwork for credential-based intrusions.
---------------------------------------------
https://www.greynoise.io/blog/surge-malicious-ips-probe-microsoft-remote-de…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ffmpeg, firebird3.0, and luajit), Fedora (chromium, python3-docs, and python3.13), Oracle (aide, firefox, glibc, libxml2, and tomcat), Red Hat (aide, git, kernel, kernel-rt, libarchive, pam, python-cryptography, python3, python3.12, and webkit2gtk3), SUSE (cmake3, ffmpeg-4, kernel, kubernetes1.18, libqt4, minikube, net-tools, pam, postgresql16, proftpd, python-urllib3, python311, python312, python36, tomcat10, tomcat11, and webkit2gtk3), and ..
---------------------------------------------
https://lwn.net/Articles/1035110/
∗∗∗ Several (partly critical) vulnerabilities in NetScaler ADC and NetScaler Gateway ∗∗∗
---------------------------------------------
26 August 2025 Description Citrix has published an advisory on several, partly critical, vulnerabilities in the products NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). According to Citrix, attack attempts against vulnerable systems have already been observed, at least trying to exploit the critical vulnerability CVE-2025-7775. CVE number(s): CVE-2025-7775, CVE-2025-7776, CVE-2025-8424 CVSS v4.0 Base Score(s): 9.2, 8.8, 8.7 ..
---------------------------------------------
https://www.cert.at/de/warnungen/2025/8/citrix-netscaler-adc-schwachstellen…
∗∗∗ Multiple Vulnerabilities in File Station 5 ∗∗∗
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-25-31
=====================
= End-of-Day report =
=====================
Timeframe: Friday 22-08-2025 18:00 − Monday 25-08-2025 18:00
Handler: Felician Fuchs
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ New Android malware poses as antivirus from Russian intelligence agency ∗∗∗
---------------------------------------------
A new Android malware posing as an antivirus tool created by Russia's Federal Security Service (FSB) is being used to target executives of Russian businesses.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-android-malware-poses-as…
∗∗∗ Social engineering: crypto investor loses Bitcoin worth 90 million USD ∗∗∗
---------------------------------------------
Fraudsters have cheated a crypto investor out of a fortune. The victim is now 783 Bitcoin poorer. He will probably never see the money again.
---------------------------------------------
https://www.golem.de/news/social-engineering-krypto-anleger-verliert-bitcoi…
∗∗∗ Criminal background checker APCS faces data breach ∗∗∗
---------------------------------------------
The attack first affected an upstream provider of bespoke software. Exclusive: A leading UK provider of criminal record checks for employers is handling a data breach stemming from a third-party development company.
---------------------------------------------
https://www.theregister.com/2025/08/22/apcs_breach/
∗∗∗ Botnet campaign "Gayfemboy" also active in Germany ∗∗∗
---------------------------------------------
IT researchers at Fortinet are observing an IoT botnet based on "Mirai" and called "Gayfemboy". It hides itself well.
---------------------------------------------
https://www.heise.de/news/Mirai-basierte-Botnet-Kampagne-Gayfemboy-auch-in-…
∗∗∗ Criminals lure with alleged crypto balances ∗∗∗
---------------------------------------------
Lukas can hardly believe his eyes. In his inbox is an e-mail claiming that a large amount is sitting in his crypto wallet. To regain access, all he has to do is follow a few simple steps. But beware: the e-mail comes from criminals who want to get him to make large transfers!
---------------------------------------------
https://www.watchlist-internet.at/news/kriminelle-locken-mit-angeblichen-kr…
∗∗∗ Popular travel eSIMs secretly route data through China ∗∗∗
---------------------------------------------
A recent study reveals serious security and privacy shortcomings at many providers.
---------------------------------------------
https://www.derstandard.at/story/3000000284843/beliebte-esims-fuer-reisen-l…
∗∗∗ Phishing in the Classroom: 115,000 Emails Exploit Google Classroom to Target 13,500 Organizations ∗∗∗
---------------------------------------------
Check Point researchers have uncovered a large-scale active phishing campaign abusing Google Classroom, a platform trusted by millions of students and educators worldwide. Over the course of just one week, attackers launched ..
---------------------------------------------
https://blog.checkpoint.com/email-security/phishing-in-the-classroom-115000…
∗∗∗ Chrome extension FreeVPN.One recorded screenshots of page visits ∗∗∗
---------------------------------------------
Anyone who previously believed that Microsoft's Recall leads the pack when it comes to surveillance must think again. Security researchers have come across the FreeVPN.One extension for the Google Chrome browser. It took screenshots of all ..
---------------------------------------------
https://www.borncity.com/blog/2025/08/24/chrome-erweiterung-freevpn-one-zei…
∗∗∗ Cybercriminals Exploit Cheap VPS to Launch SaaS Hijacking Attacks ∗∗∗
---------------------------------------------
Darktrace researchers have discovered a new wave of attacks where cybercriminals use cheap Virtual Private Servers (VPS) ..
---------------------------------------------
https://hackread.com/cybercriminals-exploit-cheap-vps-saas-hijack-attacks/
∗∗∗ Phishing Campaign Targeting Companies via UpCrypter ∗∗∗
---------------------------------------------
FortiGuard Labs recently identified a phishing campaign leveraging carefully crafted emails to deliver malicious URLs linked to convincing phishing pages. These pages are designed to entice recipients into downloading JavaScript files that act as droppers for UpCrypter, malware that ultimately deploys various remote access tools (RATs).
---------------------------------------------
https://www.fortinet.com/blog/threat-research/phishing-campaign-targeting-c…
∗∗∗ Web hosting software cPanel: updates close security vulnerability ∗∗∗
---------------------------------------------
New versions of the web hosting management software cPanel and WHM close at least one security vulnerability rated as high risk.
---------------------------------------------
https://heise.de/-10599503
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 21-08-2025 18:00 − Friday 22-08-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Dev gets 4 years for creating kill switch on ex-employer's systems ∗∗∗
---------------------------------------------
A software developer has been sentenced to four years in prison for sabotaging his ex-employer's Windows network with custom malware and a kill switch that locked out employees when his account was disabled.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/dev-gets-4-years-for-creatin…
∗∗∗ Fake Mac fixes trick users into installing new Shamos infostealer ∗∗∗
---------------------------------------------
A new infostealer targeting Mac devices, called Shamos, is being distributed in ClickFix attacks that impersonate troubleshooting guides and fixes.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fake-mac-fixes-trick-users-i…
∗∗∗ Despite rolling code: unofficial Flipper Zero firmware allegedly cracks cars ∗∗∗
---------------------------------------------
A Russian actor is selling custom firmware for the Flipper Zero. Even the newest cars from common brands can allegedly be unlocked with it.
---------------------------------------------
https://www.golem.de/news/trotz-rolling-code-inoffizielle-flipper-zero-firm…
∗∗∗ Think before you Click(Fix): Analyzing the ClickFix social engineering technique ∗∗∗
---------------------------------------------
The ClickFix social engineering technique has been growing in popularity, with campaigns targeting thousands of enterprise and end-user devices daily. This technique exploits users’ tendency to resolve technical issues by tricking them into running malicious commands. These commands, in turn, deliver payloads that ultimately lead to information theft and ..
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2025/08/21/think-before-you-c…
∗∗∗ Coinbase Reverses Remote-First Policy After North Korean Infiltration Attempts ∗∗∗
---------------------------------------------
Remote work policies designed to attract top talent are becoming security vulnerabilities as state-sponsored hackers seek employment at cryptocurrency firms. Coinbase has implemented mandatory in-person orientation and US citizenship requirements for sensitive roles after detecting North Korean IT workers attempting to infiltrate the company ..
---------------------------------------------
https://slashdot.org/story/25/08/22/1515238/coinbase-reverses-remote-first-…
∗∗∗ Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection ∗∗∗
---------------------------------------------
Cybersecurity researchers have shed light on a novel attack chain that employs phishing emails to deliver an open-source backdoor called VShell. The "Linux-specific malware infection chain that starts with a spam email with a malicious ..
---------------------------------------------
https://thehackernews.com/2025/08/linux-malware-delivered-via-malicious.html
∗∗∗ Interpol bags 1,209 suspects, $97M in cybercrime operation focused on Africa ∗∗∗
---------------------------------------------
Crypto mines, BEC scams, fake passports, and a $300M fraud empire allegedly brought down during Serengeti 2.0. Interpol's latest clampdown on cybercrime resulted in 1,209 arrests across the African continent, from ransomware crooks to business ..
---------------------------------------------
https://www.theregister.com/2025/08/22/interpol_serengeti_20/
∗∗∗ AI assistant: Microsoft's Copilot falsified access logs for months ∗∗∗
---------------------------------------------
When the Copilot assistant was asked, for example, for document summaries, it sometimes failed to record its accesses. Microsoft kept the problem quiet.
---------------------------------------------
https://www.heise.de/news/KI-Assistent-Microsofts-Copilot-verfaelschte-mona…
∗∗∗ Electronics manufacturer Data I/O reports ransomware attack to SEC ∗∗∗
---------------------------------------------
The tech manufacturer Data I/O reported a ransomware attack to federal regulators, writing that the incident has taken down critical operational systems.
---------------------------------------------
https://therecord.media/electronics-manufacturer-dataio-ransomware
∗∗∗ AI Browsers Can Be Tricked Into Paying Fake Stores in PromptFix Attack ∗∗∗
---------------------------------------------
The PromptFix attack tricks AI browsers with fake CAPTCHAs, leading them to phishing sites and fake stores ..
---------------------------------------------
https://hackread.com/ai-browsers-trick-paying-fake-stores-promptfix-attack/
∗∗∗ AUR Chaos malware: an analysis ∗∗∗
---------------------------------------------
Recently, an incident involving malware in the AUR made the headlines. I read a lot of things around this topic, both right and wrong, and sometimes misleading. I was involved in the incident handling, so I chose to write this blog post, not only for transparency but also to lay down what I learned both during and ..
---------------------------------------------
https://www.mh4ckt3mh4ckt1c4s.xyz/blog/aur-chaos-malware-analysis/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (tomcat), Debian (squid), Fedora (matrix-synapse, rust-slab, socat, and webkitgtk), SUSE (firefox-esr, gdk-pixbuf, gdk-pixbuf-devel, govulncheck-vulndb, rust-keylime, and wicked2nm), and Ubuntu (linux-nvidia, linux-oracle, linux-oracle-6.8, php7.0, php7.2, php7.4, python3.13, python3.12, python3.11, python3.10, python3.9, python3.8, python3.7, python3.6, python3.5, python3.4, and ruby-webrick).
---------------------------------------------
https://lwn.net/Articles/1034755/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 20-08-2025 18:00 − Thursday 21-08-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ iPhone, iPad and Mac: actively exploited security vulnerability endangers Apple users ∗∗∗
---------------------------------------------
Emergency updates close an actively exploited security vulnerability in iOS, iPadOS and macOS. Users should patch urgently.
---------------------------------------------
https://www.golem.de/news/iphone-ipad-und-mac-aktiv-ausgenutzte-sicherheits…
∗∗∗ Airtell Router Scans, and Mislabeled usernames ∗∗∗
---------------------------------------------
Looking at new usernames collected by our Cowrie honeypots, you will first of all notice a number of HTTP headers. It is very common for attackers to scan for web servers on ports that are covered by our Telnet honeypots. The result ..
---------------------------------------------
https://isc.sans.edu/forums/diary/Airtell+Router+Scans+and+Mislabeled+usern…
∗∗∗ New tricks with QR codes ∗∗∗
---------------------------------------------
QR codes are a popular vehicle for criminals to smuggle hyperlinks past security systems to the victim. Their ingenuity is considerable.
---------------------------------------------
https://www.heise.de/news/Neue-Tricks-mit-QR-Codes-10559942.html
∗∗∗ Docker Desktop: critical security vulnerability allows host access ∗∗∗
---------------------------------------------
In Docker Desktop, malicious containers can break out to the host system, and the protective measures do not take effect. An update helps.
---------------------------------------------
https://www.heise.de/news/Docker-Desktop-Kritische-Sicherheitsluecke-erlaub…
∗∗∗ Modern Solution: convicted IT expert files constitutional complaint ∗∗∗
---------------------------------------------
The verdict against a security researcher convicted under Germany's "hacker paragraph" is final. The convicted researcher is now taking the case to the Federal Constitutional Court in Karlsruhe.
---------------------------------------------
https://www.heise.de/news/Modern-Solution-Verurteilter-IT-Experte-reicht-Ve…
∗∗∗ SIM-Swapper, Scattered Spider Hacker Gets 10 Years ∗∗∗
---------------------------------------------
A 21-year-old Florida man at the center of a prolific cybercrime group known as "Scattered Spider" was sentenced to 10 years in federal prison today, and ordered to pay roughly $13 million in restitution to victims. Noah Michael Urban of Palm Coast, Fla. pleaded guilty in April 2025 to charges of wire fraud and conspiracy. Florida prosecutors alleged Urban ..
---------------------------------------------
https://krebsonsecurity.com/2025/08/sim-swapper-scattered-spider-hacker-get…
∗∗∗ Attention, phishing trap: FinanzOnline is not asking for information about crypto holdings! ∗∗∗
---------------------------------------------
Citing a new "tax regulation for cryptocurrencies", "FinanzOnline" is currently supposedly requesting, via e-mail, the submission of comprehensive information about crypto assets. Of course, it is not the real tax portal that is writing. Rather, criminals are using this scheme to try to obtain the access credentials for their victims' crypto wallets.
---------------------------------------------
https://www.watchlist-internet.at/news/phishing-falle-finanzonline-krypto/
∗∗∗ Your Connection, Their Cash: Threat Actors Misuse SDKs to Sell Your Bandwidth ∗∗∗
---------------------------------------------
A campaign leverages CVE-2024-36401 to stealthily monetize victims' bandwidth where legitimate software development kits (SDKs) are deployed for passive income.
---------------------------------------------
https://unit42.paloaltonetworks.com/attackers-sell-your-bandwidth-using-sdk…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 19-08-2025 18:00 − Wednesday 20-08-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ PyPI now blocks domain resurrection attacks used for hijacking accounts ∗∗∗
---------------------------------------------
The Python Package Index (PyPI) has introduced new protections against domain resurrection attacks that enable hijacking accounts through password resets.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/pypi-now-blocks-domain-resur…
∗∗∗ Hackers steal Microsoft logins using legitimate ADFS redirects ∗∗∗
---------------------------------------------
Hackers are using a novel technique that combines legitimate office.com links with Active Directory Federation Services (ADFS) to redirect users to a phishing page that steals Microsoft 365 logins.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-steal-microsoft-logi…
∗∗∗ Experts Find AI Browsers Can Be Tricked by PromptFix Exploit to Run Malicious Hidden Prompts ∗∗∗
---------------------------------------------
Cybersecurity researchers have demonstrated a new prompt injection technique called PromptFix that tricks a generative artificial intelligence (GenAI) model into carrying out attacker-intended actions by embedding the malicious instruction inside a ..
---------------------------------------------
https://thehackernews.com/2025/08/experts-find-ai-browsers-can-be-tricked.h…
∗∗∗ Like burglars closing a door, Apache ActiveMQ attackers patch critical vuln after breaking in ∗∗∗
---------------------------------------------
Intruders hoped no one would notice their presence. Criminals exploiting a critical vulnerability in open source Apache ActiveMQ middleware are fixing the flaw that allowed them access, after establishing persistence on Linux servers.
---------------------------------------------
https://www.theregister.com/2025/08/19/apache_activemq_patch_malware/
∗∗∗ Commvault: high-risk vulnerability allows injection of malicious code ∗∗∗
---------------------------------------------
In the backup software Commvault, attackers can abuse security vulnerabilities, for example to inject malicious code. Updates are available.
---------------------------------------------
https://www.heise.de/news/Commvault-Hochriskante-Luecke-ermoeglicht-Einschl…
∗∗∗ Infoniqa IT incident: cyber gang claims to have copied extensive data ∗∗∗
---------------------------------------------
Last week, an IT incident at HR software provider Infoniqa became known. Now a cyber gang claims to have copied data.
---------------------------------------------
https://www.heise.de/news/Infoniqa-IT-Vorfall-Cyberbande-will-umfangreich-D…
∗∗∗ Stolen legal notices and working links: beware of particularly sophisticated fake shops! ∗∗∗
---------------------------------------------
The more effort criminals put into imitating an online shop, the harder it is to recognise the fraud. In a current case, they not only use the real legal notice (Impressum) data, but additionally link from their fake shops to the company's real website and real social media profiles. How the trap can nevertheless be recognised relatively easily.
---------------------------------------------
https://www.watchlist-internet.at/news/besonders-ausgekluegelte-fake-shops/
∗∗∗ Major Belgian telecom firm says cyberattack compromised data on 850,000 accounts ∗∗∗
---------------------------------------------
The company said no critical data was accessed, but the hacker "gained access to one of our IT systems that contains the following data: name, first name, telephone number, SIM card number, PUK code, tariff plan.”
---------------------------------------------
https://therecord.media/belgian-telecom-says-cyberattack-compromised-data-o…
∗∗∗ Feds charge alleged administrator of ‘sophisticated’ Rapper Bot botnet ∗∗∗
---------------------------------------------
A 22-year-old Oregon man has been charged with running a powerful botnet-for-hire service used to launch hundreds of thousands of cyberattacks worldwide, the U.S. Justice Department said.
---------------------------------------------
https://therecord.media/feds-charge-botnet-admin
∗∗∗ Russian state-sponsored espionage group Static Tundra compromises unpatched end-of-life network devices ∗∗∗
---------------------------------------------
A Russian state-sponsored group, Static Tundra, is exploiting an old Cisco IOS vulnerability to compromise unpatched network devices worldwide, targeting key sectors for intelligence gathering.
---------------------------------------------
https://blog.talosintelligence.com/static-tundra/
∗∗∗ Warlock: From SharePoint Vulnerability Exploit to Enterprise Ransomware ∗∗∗
---------------------------------------------
Warlock ransomware exploits unpatched Microsoft SharePoint vulnerabilities to gain access, escalate privileges, steal credentials, move laterally, and deploy ransomware with data exfiltration across enterprise environments.
---------------------------------------------
https://www.trendmicro.com/en_us/research/25/h/warlock-ransomware.html
∗∗∗ A Cereal Offender: Analyzing the CORNFLAKE.V3 Backdoor ∗∗∗
---------------------------------------------
Straight from Mandiant Threat Defense, the "Frontline Bulletin" series brings you the latest on the most intriguing compromises we are seeing in the wild right now, equipping our community to understand and respond to the most compelling threats we observe. This edition dissects an infection involving two threat groups, UNC5518 and UNC5774, leading to the deployment of ..
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/analyzing-cornflak…
∗∗∗ Guess Who Would Be Stupid Enough To Rob The Same Vault Twice? Pre-Auth RCE Chains in Commvault ∗∗∗
---------------------------------------------
We’re back, and we’ve finished telling everyone that our name was on the back of Phrack!!!!1111 Whatever, nerds. Today, we're back to scheduled content. Like our friendly neighbourhood ransomware gangs and APT groups, we've continued to spend ..
---------------------------------------------
https://labs.watchtowr.com/guess-who-would-be-stupid-enough-to-rob-the-same…
∗∗∗ Researcher Exposes Zero-Day Clickjacking Vulnerabilities in Major Password Managers ∗∗∗
---------------------------------------------
At DEF CON 33, Czech Republic-based security researcher Marek Tóth unveiled a series of unpatched zero-day clickjacking security vulnerabilities impacting the browser-based plugins for a wide range of password managers including: 1Password, Bitwarden, Dashlane, Enpass, iCloud Passwords, Keeper, LastPass, LogMeOnce, NordPass, ProtonPass, and ..
---------------------------------------------
https://socket.dev/blog/password-manager-clickjacking
∗∗∗ Marshal madness: A brief history of Ruby deserialization exploits ∗∗∗
---------------------------------------------
This post traces the decade-long evolution of Ruby Marshal deserialization exploits, demonstrating how security researchers have repeatedly bypassed patches and why fundamental changes to the Ruby ecosystem are needed rather than continued patch-and-hope approaches.
---------------------------------------------
https://blog.trailofbits.com/2025/08/20/marshal-madness-a-brief-history-of-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (webkit2gtk), Fedora (firefox and libarchive), Red Hat (python3.11-setuptools and python3.12-setuptools), Slackware (mozilla), SUSE (apache2-mod_security2, cairo-devel, cflow, docker, glibc, go1.25, govulncheck-vulndb, gstreamer-0_10-plugins-base, jq, kernel, libarchive, libssh, libxslt, openbao, python-urllib3, systemd, and xz), and Ubuntu (apache2, libssh, libxml2, linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gkeop, ..
---------------------------------------------
https://lwn.net/Articles/1034546/
=====================
= End-of-Day report =
=====================
Timeframe: Monday 18-08-2025 18:00 − Tuesday 19-08-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ In several web portals: hard-coded credentials discovered at Intel in large numbers ∗∗∗
---------------------------------------------
A researcher found serious security vulnerabilities in Intel web portals. In some cases, passwords were present client-side in the code.
---------------------------------------------
https://www.golem.de/news/in-mehreren-webportalen-reihenweise-fest-kodierte…
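Added example (Python; not code from the linked article or from Intel): a scanner for credential literals shipped in client-side JavaScript, the defect class the summary describes. The regex patterns, the placeholder list, the entropy threshold and the sample bundle are all constructed for this example and are heuristics, not a complete rule set.

```python
import math
import re
from collections import Counter

# Heuristic patterns for credential literals in front-end bundles; group 1 is
# the candidate secret. Illustrative only, not an exhaustive rule set.
PATTERNS = [
    ("password-literal",
     re.compile(r'(?i)(?:password|passwd|pwd)\s*[:=]\s*["\']([^"\']{4,})["\']')),
    ("api-key-literal",
     re.compile(r'(?i)(?:api[_-]?key|secret|token)\s*[:=]\s*["\']([^"\']{8,})["\']')),
    ("basic-auth",
     re.compile(r'["\']Basic\s+([A-Za-z0-9+/=]{8,})["\']')),
    ("aws-access-key",
     re.compile(r'\b(AKIA[0-9A-Z]{16})\b')),
]

# Common dummy values that would otherwise trip the password pattern.
PLACEHOLDERS = {"changeme", "password", "xxxxxxxx", "your_api_key", "redacted"}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; low values mean a word-like placeholder."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def mask(secret: str) -> str:
    """Keep only a prefix so findings can be reported without re-leaking the value."""
    return secret[:4] + "*" * (len(secret) - 4)


def find_secrets(source: str, min_entropy: float = 2.5):
    """Return (line number, pattern label, masked secret) for each suspicious literal."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for label, rx in PATTERNS:
            for m in rx.finditer(line):
                secret = m.group(1)
                if secret.lower() in PLACEHOLDERS:
                    continue
                # Fixed-format keys are recognisable on their own; free-form
                # literals get an entropy check to drop words like "example".
                if label != "aws-access-key" and shannon_entropy(secret) < min_entropy:
                    continue
                findings.append((lineno, label, mask(secret)))
    return findings


# Constructed sample of a client-side bundle: the Basic value decodes to the
# made-up "admin:Sup3rS3cr3t", and the AWS key is AWS's documented example key.
SAMPLE_JS = """\
const cfg = {
  apiUrl: "https://portal.example.test/api",
  password: "changeme",
  adminPassword: "Tr0ub4dor&3x!Q",
};
fetch(cfg.apiUrl, { headers: { Authorization: "Basic YWRtaW46U3VwM3JTM2NyM3Q=" } });
const AWS_KEY = "AKIAIOSFODNN7EXAMPLE";
"""

if __name__ == "__main__":
    for lineno, label, shown in find_secrets(SAMPLE_JS):
        print(f"line {lineno}: {label}: {shown}")
```

Run it against a downloaded bundle with `find_secrets(open(path).read())`; the placeholder list and entropy threshold are what keep noise down, and both will need tuning per code base.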
∗∗∗ GodRAT – New RAT targeting financial institutions ∗∗∗
---------------------------------------------
Kaspersky experts analyze GodRAT, a new Gh0st RAT-based tool attacking financial firms. It is likely a successor of the AwesomePuppet RAT connected to the Winnti group.
---------------------------------------------
https://securelist.com/godrat/117119/
∗∗∗ The State of Ransomware in Retail 2025 ∗∗∗
---------------------------------------------
361 IT and cybersecurity leaders reveal the ransomware realities for retail businesses today.
---------------------------------------------
https://news.sophos.com/en-us/2025/08/19/the-state-of-ransomware-in-retail-…
∗∗∗ 493 Cases of Sextortion Against Children Linked to Notorious Scam Compounds ∗∗∗
---------------------------------------------
Scam compounds in Cambodia, Myanmar, and Laos have conned people out of billions. New research shows they may be linked to child sextortion crimes too.
---------------------------------------------
https://www.wired.com/story/child-sextorition-scam-compounds-southeast-asia/
∗∗∗ Morocco drags German newspapers before the Federal Court of Justice (BGH) over spyware reports ∗∗∗
---------------------------------------------
Morocco is suspected of having used the Pegasus spyware against lawyers, journalists and politicians. German media reported on it; Morocco is angry.
---------------------------------------------
https://www.heise.de/news/Marokko-zieht-gegen-deutsche-Spyware-Berichtersta…
∗∗∗ Attacks on N-able N-central under way, more than 1000 systems unpatched ∗∗∗
---------------------------------------------
More than a thousand instances of the RMM N-able N-central are still vulnerable to critical flaws, which are already being attacked.
---------------------------------------------
https://www.heise.de/news/Angriffe-auf-N-able-N-central-laufen-mehr-als-100…
∗∗∗ Get 10,000,000 Robux for free? Beware, fake offer! ∗∗∗
---------------------------------------------
The online gaming platform "Roblox" is particularly popular with children and teenagers, and is basically free. To unlock certain features and content, however, an in-game currency called "Robux" is needed, which in turn is only available for real money. Criminals therefore try to lure users into the trap with the promise of free "Robux".
---------------------------------------------
https://www.watchlist-internet.at/news/robux-fake-angebot/
∗∗∗ Fashionable Phishing Bait: GenAI on the Hook ∗∗∗
---------------------------------------------
GenAI-created phishing campaigns misuse tools ranging from website builders to text generators in order to create more convincing and scalable attacks.
---------------------------------------------
https://unit42.paloaltonetworks.com/genai-phishing-bait/
∗∗∗ Ransomware gang masking PipeMagic backdoor as ChatGPT desktop app: Microsoft ∗∗∗
---------------------------------------------
Hackers are disguising a powerful strain of malware as a ChatGPT desktop application in preparation for ransomware attacks, Microsoft said.
---------------------------------------------
https://therecord.media/ransomware-gang-masking-pipemagic-backdoor
∗∗∗ UK ‘agrees to drop’ demand over Apple iCloud encryption, US intelligence head claims ∗∗∗
---------------------------------------------
The United Kingdom is backing down from a controversial legal demand targeting Apple, U.S. Director of National Intelligence Tulsi Gabbard claimed on social media.
---------------------------------------------
https://therecord.media/uk-agrees-drop-apple-encryption
∗∗∗ Trend Micro Unmasks Global "Task Scam" Industry ∗∗∗
---------------------------------------------
Trend Micro today released new research revealing the mechanics and scale of a rapidly growing fraud model known as "task scams": sophisticated online job scams that lure victims into repetitive digital tasks and systematically strip them of funds through escalating deposit demands.
---------------------------------------------
https://newsroom.trendmicro.com/2025-08-19-Trend-Micro-Unmasks-Global-Task-…
∗∗∗ Fake Copyright Notices Drop New Noodlophile Stealer Variant ∗∗∗
---------------------------------------------
Morphisec warns of a new Noodlophile Stealer variant spread via fake copyright phishing emails, using Dropbox links ..
---------------------------------------------
https://hackread.com/phishing-scam-fake-copyright-notice-noodlophile-steale…
∗∗∗ How Indirect Prompt Injections Exploit Context, Format, and Salience ∗∗∗
---------------------------------------------
A breakdown of indirect prompt injection attacks using real-world cases (emails, code comments, diagrams). Introduces the CFS model (Context, Format, Salience) to explain what makes some payloads more likely to succeed.
---------------------------------------------
https://www.fogel.dev/prompt_injection_cfs_framework
∗∗∗ Trivial C# Random Exploitation ∗∗∗
---------------------------------------------
Exploiting random number generators requires math, right? Thanks to C#'s Random, that is not necessarily the case! I ran into an HTTP 2.0 web service issuing password reset tokens from a custom encoding of (new Random()).Next(min, max) output. This led to a critical account takeover. Exploitation did not require scripting, math or libraries. Just several clicks in Burp. While I ..
---------------------------------------------
https://blog.doyensec.com/2025/08/19/trivial-exploit-on-C-random.html
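Added illustration (Python; not the code from the Doyensec post, and not a reimplementation of .NET's Random) of the general failure the summary describes: a non-cryptographic PRNG created per request and seeded from a clock tick, so reset tokens are predictable and requests served in the same tick share a token, beside the fixed version drawn from the OS CSPRNG. The per-request time seeding, the token range and the clock values are assumptions made for this example.

```python
import random
import secrets
from typing import List, Set

TOKEN_MIN, TOKEN_MAX = 100_000, 1_000_000   # stands in for the Next(min, max) range


def weak_token(tick_ms: int) -> str:
    """Vulnerable pattern: a fresh PRNG per request, seeded from a clock tick.

    Every request that lands in the same millisecond gets the same token, and
    an attacker who can narrow the tick down can enumerate the rest.
    """
    rng = random.Random(tick_ms)            # models (new Random()).Next(min, max)
    return f"{rng.randrange(TOKEN_MIN, TOKEN_MAX):06d}"


def strong_token() -> str:
    """Fix: 128 bits from the OS CSPRNG, unrelated to time or to other tokens."""
    return secrets.token_hex(16)


def same_tick_collision(tick_ms: int, n_requests: int) -> bool:
    """Requests served within one tick share a seed, so the attacker's own reset
    token equals the victim's if both are issued in that tick."""
    return len({weak_token(tick_ms) for _ in range(n_requests)}) == 1


def recover_ticks(own_token: str, approx_tick: int, window_ms: int) -> List[int]:
    """Attacker step 1: the attacker requested a reset for their own account and
    knows roughly when (e.g. from the response Date header); find every seed in
    the window that reproduces the token they received."""
    return [t for t in range(approx_tick - window_ms, approx_tick + window_ms + 1)
            if weak_token(t) == own_token]


def candidate_tokens(center_tick: int, window_ms: int) -> Set[str]:
    """Attacker step 2: all tokens the server could have issued to the victim
    within a window around the recovered tick, few enough to try online."""
    return {weak_token(t) for t in range(center_tick - window_ms, center_tick + window_ms + 1)}


if __name__ == "__main__":
    T = 1_723_900_000_000                    # constructed clock tick in ms
    mine = weak_token(T)
    victim = weak_token(T + 12)              # victim's reset handled 12 ms later
    ticks = recover_ticks(mine, T + 500, 1_000)
    guesses = set().union(*(candidate_tokens(t, 100) for t in ticks))
    print("seed candidates:", ticks, "victim token guessable:", victim in guesses)
    print("strong tokens collide:", strong_token() == strong_token())
```

The point of the two attacker functions is that a 6-digit token space does not matter once the seed is known: the attacker only has to try the handful of tokens from the ticks around the victim's request, not the whole range. A token from `secrets` has no seed to recover.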
=====================
= Vulnerabilities =
=====================
∗∗∗ Security Vulnerabilities fixed in Firefox 142 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-64/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 14-08-2025 18:00 − Monday 18-08-2025 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Patch now! Attacks on Fortinet IT security solutions may be imminent ∗∗∗
---------------------------------------------
Fortinet's developers closed both vulnerabilities (FortiSIEM CVE-2025-25256 "critical", FortiWeb CVE-2025-52970 "high") on the last patch day. Shortly afterwards, they warned that exploit code for the FortiSIEM flaw is in circulation.
---------------------------------------------
https://www.heise.de/news/Jetzt-patchen-Attacken-auf-Fortinet-IT-Sicherheit…
∗∗∗ Should Security Solutions Be Secure? Maybe We're All Wrong - Fortinet FortiSIEM Pre-Auth Command Injection (CVE-2025-25256) ∗∗∗
---------------------------------------------
Today we’re looking at CVE-2025-25256 - a pre-authentication command injection in FortiSIEM that lets an attacker compromise an organization’s SIEM (!!!). [..] It’s the kind of “one platform to rule your SOC” solution that we believe (suspect, hope, imagine, guess, pray) might feel impressively safety-first. Except, obviously, this time it didn't because the bar remains so incredibly low.
---------------------------------------------
https://labs.watchtowr.com/should-security-solutions-be-secure-maybe-were-a…
∗∗∗ Fake prize draw for a Wiener Linien annual pass in circulation ∗∗∗
---------------------------------------------
Fake postings are currently circulating on Facebook that advertise, in the name of Wiener Linien, a prize draw for a half-year pass. On participating, one is led to believe that one has automatically won. Attention: this is an attempted fraud aimed at obtaining bank details!
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschtes-gewinnspiel-fuer-wiener…
∗∗∗ Improvement of only 1.7 percent: phishing training almost always ineffective ∗∗∗
---------------------------------------------
A large study at a US healthcare company shows that common phishing trainings barely reduce the risk, no matter how intensive or interactive they are.
---------------------------------------------
https://www.heise.de/news/Verbesserung-von-nur-1-7-Prozent-Phishing-Trainin…
∗∗∗ MadeYouReset: new DDoS attack technique cripples web servers ∗∗∗
---------------------------------------------
Researchers have discovered a new security vulnerability affecting many common HTTP/2 implementations. Servers can be overloaded with little effort. [..] Several widely used HTTP/2 server implementations such as Netty, Apache Tomcat, H2O, SwiftNIO and F5 BIG-IP are considered vulnerable. Further affected implementations and any vendor responses can be found in an advisory from the CERT Coordination Center at Carnegie Mellon University.
---------------------------------------------
https://www.golem.de/news/madeyoureset-neue-ddos-angriffstechnik-legt-webse…
∗∗∗ Evolution of the PipeMagic backdoor: from the RansomExx incident to CVE-2025-29824 ∗∗∗
---------------------------------------------
We examine the evolution of the PipeMagic backdoor and the TTPs of its operators – from the RansomExx incident in 2022 to attacks in Brazil and Saudi Arabia, and the exploitation of CVE-2025-29824 in 2025.
---------------------------------------------
https://securelist.com/pipemagic/117270/
∗∗∗ How Researchers Collect Indicators of Compromise ∗∗∗
---------------------------------------------
Today, we'll demonstrate a simple workflow showing how researchers use various tools to collect indicators of compromise (IOCs) and develop appropriate signatures from detonated malware.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/how-researc…
∗∗∗ ERMAC V3.0 Banking Trojan Source Code Leak Exposes Full Malware Infrastructure ∗∗∗
---------------------------------------------
"The newly uncovered version 3.0 reveals a significant evolution of the malware, expanding its form injection and data theft capabilities to target more than 700 banking, shopping, and cryptocurrency applications," Hunt.io said in a report.
---------------------------------------------
https://thehackernews.com/2025/08/ermac-v30-banking-trojan-source-code.html
∗∗∗ Mobile Phishers Target Brokerage Accounts in ‘Ramp and Dump’ Cashout Scheme ∗∗∗
---------------------------------------------
Cybercriminal groups peddling sophisticated phishing kits that convert stolen card data into mobile wallets have recently shifted their focus to targeting customers of brokerage services, new research shows. Undeterred by security controls at these trading platforms that block users from wiring funds directly out of accounts, the phishers have pivoted to using multiple compromised brokerage accounts in unison to manipulate the prices of foreign stocks.
---------------------------------------------
https://krebsonsecurity.com/2025/08/mobile-phishers-target-brokerage-accoun…
∗∗∗ Scammers turn to ‘ghost-tapping’ retail fraud to launder funds ∗∗∗
---------------------------------------------
In a report released Thursday, researchers at Recorded Future’s Insikt Group detailed what they call “ghost-tapping” — when stolen payment card details are uploaded onto a burner phone and used in-person to purchase goods.
---------------------------------------------
https://therecord.media/scammers-ghost-tapping-retail-fraud-launder-cash
∗∗∗ Cyberattack on Dutch prosecution service is keeping speed cameras offline ∗∗∗
---------------------------------------------
Who knew zero-days could be so useful to highway speedsters? The lingering effects of a cyberattack on the Public Prosecution Service of the Netherlands are preventing it from reactivating speed cameras across the country.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/08/15/cyberattack_…
∗∗∗ AI-supported cyberattacks: experts observe increasing use of LLMs ∗∗∗
---------------------------------------------
Security researchers are currently seeing an increase in AI-supported attacks, and with it a turning point in the cyber arms race. [..] Ukrainian authorities and several cybersecurity companies were able to detect the malware for the first time in July. [..] With the increasing use of AI agents, experts see a new risk for the future.
---------------------------------------------
https://www.heise.de/news/KI-gestuetzte-Cyberangriffe-Experten-beobachten-z…
∗∗∗ Terraform Cloud token abuse turns speculative plan into remote code execution ∗∗∗
---------------------------------------------
Platforms like Terraform are great for making cloud management easier, but that same convenience can work in an attacker’s favour. Increasingly, we’re seeing Terraform used as a pivot point, letting attackers sidestep the usual security roadblocks of MFA and conditional access via token abuse, which remain one of the weaker links in the chain.
---------------------------------------------
https://www.pentestpartners.com/security-blog/terraform-token-abuse-specula…
∗∗∗ libxml2 Maintainer Ends Embargoed Vulnerability Reports, Citing Unsustainable Burden ∗∗∗
---------------------------------------------
The lone volunteer maintainer of libxml2, one of the open source ecosystem’s most widely used XML parsing libraries, has announced a policy shift that drops support for embargoed security vulnerability reports. This change highlights growing frustration among unpaid maintainers bearing the brunt of big tech’s security demands without compensation or support.
---------------------------------------------
https://socket.dev/blog/libxml2-maintainer-ends-embargoed-vulnerability-rep…
∗∗∗ Technical Analysis of SAP Exploit Script (Visual Composer “Metadata Uploader” Exploit)… ∗∗∗
---------------------------------------------
This script targets a critical zero-day vulnerability (now identified as CVE-2025-31324) in SAP NetWeaver’s Visual Composer Metadata Uploader component. The vulnerability is a missing authorization check on the HTTP endpoint /developmentserver/metadatauploader, allowing unauthenticated file uploads to the server’s filesystem. [..] The blog contains further pseudo code for detection and examples for another way to exploit the vulnerability.
---------------------------------------------
https://detect.fyi/technical-analysis-of-sap-exploit-script-visual-composer…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (kernel and webkit2gtk3), Debian (aide and postgresql-13), Fedora (libtiff, mupdf, and pandoc), SUSE (cairo, chromium, gstreamer-plugins-base, ImageMagick, iputils, kubernetes1.23, kubernetes1.26, matrix-synapse, Mesa, pgadmin4, python3, qemu, and rz-pm), and Ubuntu (aide).
---------------------------------------------
https://lwn.net/Articles/1033901/
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (go-toolset:rhel8, kernel, and kernel-rt), Fedora (chromium), Oracle (libxml2), Red Hat (go-toolset:rhel8, golang, kernel, kernel-rt, openjpeg2, rsync, and tigervnc), and SUSE (apache-commons-lang3, chromedriver, fractal, framework_tool, go1.23-openssl, go1.24-openssl, grub2, gstreamer-devtools, gstreamer-plugins-rs, jasper, libavif, lighttpd, nginx, podman, postgresql13, postgresql14, postgresql15, postgresql16, python311-pypdf, ruby2.5, rust-keylime, tiff, tomcat, tomcat10, and tomcat11).
---------------------------------------------
https://lwn.net/Articles/1034267/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 13-08-2025 18:00 − Thursday 14-08-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Spike in Fortinet VPN brute-force attacks raises zero-day concerns ∗∗∗
---------------------------------------------
A massive spike in brute-force attacks targeted Fortinet SSL VPNs earlier this month, followed by a switch to FortiManager, marked a deliberate shift in targeting that has historically preceded new vulnerability disclosures.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/spike-in-fortinet-vpn-brute-…
∗∗∗ New downgrade attack can bypass FIDO auth in Microsoft Entra ID ∗∗∗
---------------------------------------------
Security researchers have created a new FIDO downgrade attack against Microsoft Entra ID that tricks users into authenticating with weaker login methods, making them susceptible to phishing and session hijacking.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-downgrade-attack-can-byp…
∗∗∗ When Hackers Call: Social Engineering, Abusing Brave Support, and EncryptHub’s Expanding Arsenal ∗∗∗
---------------------------------------------
Trustwave SpiderLabs researchers have recently identified an EncryptHub campaign that combines social engineering with abuse of the Brave Support platform to deliver malicious payloads via the CVE-2025-26633 vulnerability. In this blog post, we will break down the techniques used in the campaign and highlight the new tools employed by the threat group.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/when-hacker…
∗∗∗ A Mega Malware Analysis Tutorial Featuring Donut-Generated Shellcode ∗∗∗
---------------------------------------------
The motivation behind writing this post is that we want to provide the kind of resource that we would've liked to have seen more of when starting our own careers in malware research.
---------------------------------------------
https://github.com/PaloAltoNetworks/Unit42-Threat-Intelligence-Article-Info…
∗∗∗ Crypto24 Ransomware Group Blends Legitimate Tools with Custom Malware for Stealth Attacks ∗∗∗
---------------------------------------------
Crypto24 is a ransomware group that stealthily blends legitimate tools with custom malware, using advanced evasion techniques to bypass security and EDR technologies.
---------------------------------------------
https://www.trendmicro.com/en_us/research/25/h/crypto24-ransomware-stealth-…
=====================
= Vulnerabilities =
=====================
∗∗∗ N-central 2025.3.1 ∗∗∗
---------------------------------------------
This release includes a critical security fix for CVE-2025-8875 and CVE-2025-8876. These vulnerabilities require authentication to exploit.
---------------------------------------------
https://status.n-able.com/2025/08/13/announcing-the-ga-of-n-central-2025-3-…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (kernel, python3.11-setuptools, thunderbird, and toolbox), Debian (chromium), Fedora (open62541 and perl-Authen-SASL), Oracle (git, kernel, konsole, and webkit2gtk3), SUSE (framework-inputmodule-control and poppler), and Ubuntu (apache2, mysql-8.0, mysql-8.4, node-qs, request-tracker5, and ruby-sidekiq).
---------------------------------------------
https://lwn.net/Articles/1033737/
∗∗∗ Rockwell Automation Security Advisories 14.08.2025 ∗∗∗
---------------------------------------------
Rockwell Automation has released 6 new security advisories (3x Critical, 3x High).
---------------------------------------------
https://www.rockwellautomation.com/en-us/trust-center/security-advisories.h…
∗∗∗ Security patches: attackers can plant malicious code on GitLab servers ∗∗∗
---------------------------------------------
The GitLab developers have closed a total of twelve security vulnerabilities. Attackers can compromise systems. [..] In a security advisory, those responsible assure that GitLab.com has already been secured. They recommend that admins of on-premise instances install the fixed releases 18.0.6, 18.1.4 or 18.2.2 promptly. There is no information yet on whether attacks are already underway.
---------------------------------------------
https://heise.de/-10523017
∗∗∗ Nvidia patches security vulnerabilities in AI software ∗∗∗
---------------------------------------------
The developers have found security vulnerabilities in various Nvidia AI software. Some of these pose a high risk. [..] The affected Nvidia projects are Apex, Isaac-GR00T, Megatron LM, Merlin Transformers4Rec, NeMo Framework and WebDataset.
---------------------------------------------
https://heise.de/-10524310
∗∗∗ Foxit PDF Reader: crafted PDFs can smuggle malicious code onto PCs ∗∗∗
---------------------------------------------
Security updates for Foxit PDF Reader and Editor close several security vulnerabilities. [..] In the worst case, malicious code can reach systems and compromise them completely. This can happen, for example, via PDFs prepared with JavaScript (e.g. CVE-2025-55313, "high"). However, it must be assumed that victims have to cooperate and open such a file for an attack to be initiated.
---------------------------------------------
https://heise.de/-10524778
∗∗∗ Drupal: Layout Builder Advanced Permissions - Moderately critical - Access bypass - SA-CONTRIB-2025-097 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2025-097
∗∗∗ Drupal: Authenticator Login - Highly critical - Access bypass - SA-CONTRIB-2025-096 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2025-096
∗∗∗ ABB: 2025-08-12: Cyber Security Advisory - ABB Ability™ zenon Remote Transport Vulnerability ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=2NGA002743&Language…
∗∗∗ ABB: 2025-08-11: Cyber Security Advisory - ELSB/BLBA ASPECT advisory several CVEs ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=9AKK108471A4462&Lan…
∗∗∗ TYPO3-PSA-2025-001: Sanitization bypass in SVG Sanitizer ∗∗∗
---------------------------------------------
https://typo3.org/security/advisory/typo3-psa-2025-001
∗∗∗ Siemens: SSA-395458 V1.0: Account Hijacking Vulnerability in Mendix SAML Module ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-395458.html
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (August 4, 2025 to August 10, 2025) ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2025/08/wordfence-intelligence-weekly-wordpr…
∗∗∗ Bosch: Vulnerabilities in ctrlX OS - Setup ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-129652.html
∗∗∗ Bosch: Denial of Service on Rexroth Fieldbus Couplers ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-757244.html
∗∗∗ Kubernetes: CVE-2025-5187 ∗∗∗
---------------------------------------------
https://github.com/kubernetes/kubernetes/issues/133471
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 12-08-2025 18:00 − Wednesday 13-08-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ Docker Hub still hosts dozens of Linux images with the XZ backdoor ∗∗∗
---------------------------------------------
The XZ-Utils backdoor, first discovered in March 2024, is still present in at least 35 Linux images on Docker Hub, potentially putting users, organizations, and their data at risk.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/docker-hub-still-hosts-dozen…
∗∗∗ New trends in phishing and scams: how AI and social media are changing the game ∗∗∗
---------------------------------------------
Common tactics in phishing and scams in 2025: learn about the use of AI and deepfakes, phishing via Telegram, Google Translate and Blob URLs, biometric data theft, and more.
---------------------------------------------
https://securelist.com/new-phishing-and-scam-trends-in-2025/117217/
∗∗∗ Money back after crypto fraud? Beware of recovery scams! ∗∗∗
---------------------------------------------
What worked once can work again. That is what criminals hope for when they contact people whom they have harmed in the past through crypto or investment fraud. They pose as an agency, authority, etc. that can help recover the lost money.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-recovery-scam/
∗∗∗ The MedusaLocker ransomware gang is hiring penetration testers ∗∗∗
---------------------------------------------
MedusaLocker, the ransomware-as-a-service group that has been active since 2019 is openly recruiting for penetration testers to help it compromise more businesses.
---------------------------------------------
https://www.fortra.com/blog/medusalocker-ransomware-gang-hiring-penetration…
∗∗∗ Malvertising campaign leads to PS1Bot, a multi-stage malware framework ∗∗∗
---------------------------------------------
Cisco Talos has observed an ongoing malware campaign that seeks to infect victims with a multi-stage malware framework, implemented in PowerShell and C#, which we are referring to as “PS1Bot.”
---------------------------------------------
https://blog.talosintelligence.com/ps1bot-malvertising-campaign/
∗∗∗ Microsoft Patch Tuesday August 2025: security assessments from Tenable ∗∗∗
---------------------------------------------
On 12 August 2025, Microsoft released Patch Tuesday security updates for the products still in support and closed vulnerabilities. [..] I have now received an assessment from Tenable regarding the impact of the vulnerabilities, which I am simply posting here on the blog for information.
---------------------------------------------
https://www.borncity.com/blog/2025/08/13/microsoft-patchday-august-2025-sic…
=====================
= Vulnerabilities =
=====================
∗∗∗ Exchange Server security updates August 2025 ∗∗∗
---------------------------------------------
On 12 August 2025, Microsoft released the "August 2025" security update for Exchange Server. The security update applies to Exchange Server 2016, Exchange Server 2019 and, for the first time, Exchange Server Subscription Edition (SE).
---------------------------------------------
https://www.borncity.com/blog/2025/08/12/exchange-server-sicherheitsupdates…
∗∗∗ Microsoft Security Update Summary (12 August 2025) ∗∗∗
---------------------------------------------
On 12 August 2025, Microsoft released security updates for Windows clients and servers, for Office and for other products. The security updates fix 107 vulnerabilities (CVEs), one of which was classified as a 0-day and was publicly known.
---------------------------------------------
https://www.borncity.com/blog/2025/08/12/microsoft-security-update-summary-…
∗∗∗ Attack via websites: critical graphics vulnerabilities endanger Windows users ∗∗∗
---------------------------------------------
While CVE-2025-50165 only affects Windows 11 24H2 and Windows Server 2025, the number of vulnerable systems in the case of CVE-2025-53766 is significantly higher. [..] According to the report, both can be exploited over the network and require no prior authentication or user interaction. According to Microsoft, the attack complexity is low in both cases.
---------------------------------------------
https://www.golem.de/news/angriff-ueber-websites-kritische-grafik-schwachst…
∗∗∗ AMD and Intel patch numerous security vulnerabilities ∗∗∗
---------------------------------------------
In August, AMD and Intel released updates that close numerous security vulnerabilities in VGA and network drivers as well as in processors.
---------------------------------------------
https://heise.de/-10520732
∗∗∗ Patch day: several Fortinet products are vulnerable ∗∗∗
---------------------------------------------
According to an advisory, the most dangerous is a "critical" security vulnerability (CVE-2025-25256) in the IT security solution FortiSIEM. Here, attackers can use crafted CLI requests without authentication to execute malicious code. [..] As a security researcher writes in a post, attackers can bypass the authentication of FortiWeb firewalls.
---------------------------------------------
https://heise.de/-10519770
∗∗∗ Zoom: Windows clients enable attacks from the network ∗∗∗
---------------------------------------------
Zoom reports two security vulnerabilities in its Windows clients. They allow attackers from the network to escalate their privileges without prior login. [..] However, they do not give details of what attacks might look like.
---------------------------------------------
https://heise.de/-10520206
∗∗∗ Adobe Patch Tuesday Fixes Over 60 Vulnerabilities Across 13 Products ∗∗∗
---------------------------------------------
Adobe has issued a new set of security patches addressing more than 60 vulnerabilities across 13 of its widely used software products. This update, part of the company’s routine Adobe Patch Tuesday cycle, includes critical fixes for applications ranging from Adobe Commerce and Illustrator to its Substance 3D suite.
---------------------------------------------
https://thecyberexpress.com/adobe-security-update-2/
∗∗∗ VU#767506: HTTP/2 implementations are vulnerable to "MadeYouReset" DoS attack through HTTP/2 control frames ∗∗∗
---------------------------------------------
Overview: A vulnerability has been discovered within many HTTP/2 implementations allowing for denial of service (DoS) attacks through HTTP/2 control frames. This vulnerability is colloquially known as "MadeYouReset" and is tracked as CVE-2025-8671. [..] Various vendors have provided patches and statements to address the vulnerability. Please review their statements below.
---------------------------------------------
https://kb.cert.org/vuls/id/767506
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (apache2, kernel, linux-6.1, openjdk-17, and pgpool2), Fedora (glib2, matrix-synapse, openjpeg, python3-docs, and python3.13), Oracle (gdk-pixbuf2, glibc, java-1.8.0-openjdk, kernel, libxml2, python-requests, python3.11-setuptools, and thunderbird), SUSE (amber-cli, apache-commons-lang3, eclipse-jgit, go1.23, go1.24, govulncheck-vulndb, grub2, icinga2, kubernetes1.23, libgcrypt, python3, python313, sccache, slurm, tiff, and webkit2gtk3), and Ubuntu (linux-oracle).
---------------------------------------------
https://lwn.net/Articles/1033588/
∗∗∗ Palo Alto Networks Security Advisories 2025-08-13 ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/
∗∗∗ f5: K000152635: Quarterly Security Notification (August 2025) ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000152635
∗∗∗ Johnson Controls iSTAR Ultra, iSTAR Ultra SE, iSTAR Ultra G2, iSTAR Ultra G2 SE, iSTAR Edge G2 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-224-02
∗∗∗ Santesoft Sante PACS Server ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-224-01
∗∗∗ AVEVA PI Integrator ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-224-04
∗∗∗ Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, Cobalt Share ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-224-01
∗∗∗ Schneider Electric EcoStruxure Power Monitoring Expert ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-224-03
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Monday 11-08-2025 18:00 − Tuesday 12-08-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ Netherlands: Citrix Netscaler flaw CVE-2025-6543 exploited to breach orgs ∗∗∗
---------------------------------------------
The Netherlands National Cyber Security Centre (NCSC) is warning that a critical Citrix NetScaler vulnerability tracked as CVE-2025-6543 was exploited to breach "critical organizations" in the country.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/netherlands-citrix-netscaler…
∗∗∗ Over 3,000 NetScaler devices left unpatched against CitrixBleed 2 bug ∗∗∗
---------------------------------------------
Over 3,300 Citrix NetScaler devices remain unpatched against a critical vulnerability that allows attackers to bypass authentication by hijacking user sessions, nearly two months after patches were released.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/over-3-000-netscaler-devices…
∗∗∗ Scam hunter scammed by tax office impersonators ∗∗∗
---------------------------------------------
Scam hunter Julie-Anne Kearns, who helps scam victims online, opened up about a tax scam she fell for herself.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2025/08/scam-hunter-scammed-by-tax-o…
∗∗∗ Russian-Linked Curly COMrades Deploy MucorAgent Malware in Europe ∗∗∗
---------------------------------------------
A new report from Bitdefender reveals the Russian-linked hacking group Curly COMrades is targeting Eastern Europe with a new backdoor called MucorAgent. Learn how they’re using advanced tactics to steal data.
---------------------------------------------
https://hackread.com/russian-curly-comrades-mucoragent-malware-europe/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security Advisory Ivanti Connect Secure, Policy Secure & ZTA Gateways (Multiple CVEs) ∗∗∗
---------------------------------------------
Ivanti has released updates for Ivanti Connect Secure which addresses medium, high, and critical vulnerabilities. At the time of disclosure, there have been no reports of customers being exploited by this vulnerability.
---------------------------------------------
https://forums.ivanti.com/s/article/August-Security-Advisory-Ivanti-Connect…
∗∗∗ August Security Advisory Ivanti Virtual Application Delivery Controller (vADC previously vTM) (CVE-2025-8310) ∗∗∗
---------------------------------------------
Ivanti has released updates for Ivanti Virtual Application Delivery Controller (vADC), previously Virtual Traffic Manager (vTM), which addresses one medium severity vulnerability. Successful exploitation could lead to account takeover. At the time of disclosure, there have been no reports of customers being exploited by this vulnerability.
---------------------------------------------
https://forums.ivanti.com/s/article/August-Security-Advisory-Ivanti-Virtual…
∗∗∗ 40,000 WordPress Sites Affected by Arbitrary File Read Vulnerability in UiCore Elements WordPress Plugin ∗∗∗
---------------------------------------------
On June 13th, 2025, we received a submission for an Arbitrary File Read vulnerability in UiCore Elements, a WordPress plugin with more than 40,000 active installations. This vulnerability makes it possible for an unauthenticated attacker to read arbitrary files on the server, which can contain sensitive information. During the disclosure process, our investigation revealed that the vulnerability leveraged an underlying issue in Elementor’s import functionality.
---------------------------------------------
https://www.wordfence.com/blog/2025/08/40000-wordpress-sites-affected-by-ar…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (kernel, kernel-rt, and python-requests), Debian (ca-certificates-java), Fedora (chromium, clash-meta, mingw-python3, openjpeg, php-adodb, and toolbox), Mageia (kernel and kernel-linus), SUSE (chromium, ImageMagick, libgcrypt, libssh, libxml2, opensc, postgresql14, and postgresql16), and Ubuntu (dnsmasq, linux-gcp-6.8, linux-raspi, linux-oracle-6.14, and openjdk-17).
---------------------------------------------
https://lwn.net/Articles/1033445/
∗∗∗ Vtenext 25.02: A three-way path to RCE ∗∗∗
---------------------------------------------
Multiple vulnerabilities in vtenext 25.02 and prior versions allow unauthenticated attackers to bypass authentication through three separate vectors, ultimately leading to remote code execution on the underlying server.
---------------------------------------------
https://blog.sicuranext.com/vtenext-25-02-a-three-way-path-to-rce/
∗∗∗ OMSA-2025-0004: Omnissa Workspace ONE UEM addresses multiple vulnerabilities (CVE-2025-25229, CVE-2025-25231) ∗∗∗
---------------------------------------------
https://www.omnissa.com/omsa-2025-0004/
∗∗∗ OMSA-2025-0003: Omnissa Secure Email Gateway (SEG) updates address Server-Side Request Forgery (SSRF) vulnerability (CVE-2025-25235) ∗∗∗
---------------------------------------------
https://www.omnissa.com/omsa-2025-0003/
∗∗∗ Matrix protocol vulnerabilities fixed in room version 12 ∗∗∗
---------------------------------------------
https://matrix.org/blog/2025/08/security-release/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Friday 08-08-2025 18:00 − Monday 11-08-2025 18:00
Handler: Felician Fuchs
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ WinRAR zero-day flaw exploited by RomCom hackers in phishing attacks ∗∗∗
---------------------------------------------
A recently fixed WinRAR vulnerability tracked as CVE-2025-8088 was exploited as a zero-day in phishing attacks to install the RomCom malware. [..] The flaw is a directory traversal vulnerability that was fixed in WinRAR 7.13, which allows specially crafted archives to extract files into a file path selected by the attacker.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/winrar-zero-day-flaw-exploit…
∗∗∗ Command Injection in Jenkins via Git Parameter (CVE-2025-53652) ∗∗∗
---------------------------------------------
On July 9, Jenkins disclosed CVE-2025-53652 (aka SECURITY-34191), one of 31 plugin vulnerabilities announced that day. [..] was disclosed as medium severity, but it enables command injection via the Jenkins Git Parameter plugin. [..] Around 15,000 Jenkins servers appear to allow unauthenticated access, making RCE viable in the wild. [..] The patch can be disabled, so detection remains important even after upgrading.
---------------------------------------------
https://www.vulncheck.com/blog/git-parameter-rce
∗∗∗ EU law to protect journalists from spyware takes effect ∗∗∗
---------------------------------------------
Critics from press freedom groups say member states have not taken steps to give the law any teeth.
---------------------------------------------
https://therecord.media/eu-law-to-protect-journalists-from-spyware-takes-ef…
∗∗∗ Security vulnerabilities: hacker cracks car via manufacturer's web portal ∗∗∗
---------------------------------------------
Not only was he able to remotely locate, unlock and start countless other people's cars, he could also query the owners' data at will. [..] Zveare presented his findings last Sunday at Def Con in Las Vegas. According to the report, he was able to create a "national administrator account" in the dealer portal in question, which gave him far-reaching access that "is reserved for only a few selected corporate users" and enabled "a variety of fun exploits".
---------------------------------------------
https://www.golem.de/news/sicherheitsluecken-hacker-knackt-auto-ueber-webpo…
∗∗∗ Espionage: smoke detectors turned into listening devices ∗∗∗
---------------------------------------------
Two young security researchers have uncovered security vulnerabilities in smart smoke detectors of the Halo 3C type at Def Con in Las Vegas. [..] The manufacturer of the Halo 3C detectors goes by the name IPVideo and, according to its website, has been part of Motorola Solutions since 2023. According to the Wired report, the company has already provided a firmware update to close the security vulnerabilities discovered by Garcia and his colleague. Devices connected to the cloud are expected to receive the update automatically.
---------------------------------------------
https://www.golem.de/news/spionage-smarte-rauchwarnmelder-in-abhoerwanzen-v…
∗∗∗ Researchers Reveal ReVault Attack Targeting Dell ControlVault3 Firmware in 100+ Laptop Models ∗∗∗
---------------------------------------------
Cybersecurity researchers have uncovered multiple security flaws in Dell's ControlVault3 firmware and its associated Windows APIs that could have been abused by attackers to bypass Windows login, extract cryptographic keys, as well as maintain access even after a fresh operating system install by deploying undetectable malicious implants into the firmware. [..] Attackers can chain the vulnerabilities, which were presented at the Black Hat USA security conference, to escalate their privileges after initial access, bypass authentication controls, and maintain persistence on compromised systems that survive operating system updates or reinstallations.
---------------------------------------------
https://thehackernews.com/2025/08/researchers-reveal-revault-attack.html
∗∗∗ DEF CON hackers plug security holes in US water systems amid tsunami of threats ∗∗∗
---------------------------------------------
A DEF CON hacker walks into a small-town water facility … no, this is not the setup for a joke or a (super-geeky) odd-couple rom-com. It's a true story that happened at five utilities across four states.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/08/10/def_con_hack…
∗∗∗ libarchive: security vulnerability turns out to be critical ∗∗∗
---------------------------------------------
The open source compression library libarchive contains a security vulnerability that was initially classified as merely low risk. [..] The original report of the vulnerability to the libarchive project by Tobias Stöckmann, together with a proof-of-concept exploit, already took place on 10 May of this year. On 20 May, the developers released version 3.8.0 of libarchive. The public vulnerability report followed on 9 June, also on GitHub. There, the CVE number CVE-2025-5914 was also assigned, but initially with severity CVSS 3.9, risk "low", as Red Hat classified the vulnerability.
---------------------------------------------
https://www.heise.de/news/libarchive-Sicherheitsluecke-entpuppt-sich-als-kr…
∗∗∗ Keys to the Kingdom: Erlang/OTP SSH Vulnerability Analysis and Exploits Observed in the Wild ∗∗∗
---------------------------------------------
CVE-2025-32433 allows for remote code execution in sshd for certain versions of Erlang programming language’s OTP. We reproduced this CVE and share our findings.
---------------------------------------------
https://unit42.paloaltonetworks.com/erlang-otp-cve-2025-32433/
∗∗∗ BadCam Attack Turns Trusted Linux Webcams into Stealthy USB Weapons ∗∗∗
---------------------------------------------
A new class of USB-based attacks has come to light. [..] Attackers can now exploit vulnerabilities in commonly used USB webcams running embedded Linux, transforming them into BadUSB devices capable of injecting keystrokes and executing covert operations independently of the host operating system.
---------------------------------------------
https://thecyberexpress.com/badcam-linux-webcam/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (jackson-annotations, jackson-core, jackson-databind, jackson-jaxrs-providers, and jackson-modules-base and libxml2), Debian (distro-info-data, gnutls28, modsecurity-crs, and node-tmp), Fedora (chromium, incus, perl, perl-Devel-Cover, perl-PAR-Packer, polymake, varnish, and xen), Red Hat (kernel, kernel-rt, and rhc), and SUSE (chromedriver, ffmpeg-4, go1.23, go1.24, go1.25, govulncheck-vulndb, himmelblau, iperf, keylime-ima-policy, net-tools, sqlite3, texmaker, tomcat, and zabbix).
---------------------------------------------
https://lwn.net/Articles/1033328/
∗∗∗ SQUID-2025:1 Buffer Overflow in URN Handling ∗∗∗
---------------------------------------------
https://github.com/squid-cache/squid/security/advisories/GHSA-w4gv-vw3f-29g3
∗∗∗ Xerox® FreeFlow® Core v8.0.5 ∗∗∗
---------------------------------------------
https://securitydocs.business.xerox.com/wp-content/uploads/2025/08/Xerox-Se…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/mailman3/postorius/lists/daily.lists.cert.at/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 07-08-2025 18:00 − Friday 08-08-2025 18:00
Handler: Guenes Holler
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ New EDR killer tool used by eight different ransomware groups ∗∗∗
---------------------------------------------
A new Endpoint Detection and Response (EDR) killer that is considered to be the evolution of 'EDRKillShifter,' developed by RansomHub, has been observed in attacks by eight different ransomware gangs. Such tools help ransomware operators turn off security products on breached systems so they can deploy payloads, escalate privileges, attempt lateral movement, and ultimately encrypt devices on the network without being detected.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-edr-killer-tool-used-by-…
∗∗∗ Why blow up satellites when you can just hack them? ∗∗∗
---------------------------------------------
Four countries have now tested anti-satellite missiles (the US, China, Russia, and India), but it's much easier and cheaper just to hack them. In a briefing at the Black Hat conference in Las Vegas, Milenko Starcik and Andrzej Olchawa from German biz VisionSpace Technologies demonstrated how easy it is by exploiting software vulnerabilities in the software used in the satellites themselves, as well as the ground stations that control them.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/08/07/balck_hat_sa…
∗∗∗ US confirms takedown of BlackSuit ransomware gang that racked up $370 million in ransoms ∗∗∗
---------------------------------------------
U.S. law enforcement agencies provided new details on an operation that dismantled critical infrastructure used by the BlackSuit ransomware gang after the organization’s leak site was replaced with a takedown banner nearly two weeks ago. The group — which rebranded from its Royal name after a devastating 2023 attack that shut down the city of Dallas — successfully attacked more than 450 entities in the U.S. Since emerging in 2022, the gang secured more than $370 million in ransom payments, according to U.S. investigators.
---------------------------------------------
https://therecord.media/us-confirms-blacksuit-takedown
∗∗∗ Abusing Ubuntu 24.04 features for root privilege escalation ∗∗∗
---------------------------------------------
With the recent release of Ubuntu 24.04, we at Snyk Security Labs thought it would be interesting to examine the latest version of this Linux distribution to see if we could find any interesting privilege escalation vulnerabilities. In this post, we have seen that it only takes the leveraging of one small vulnerability, combined with a number of features, to achieve a chain of exploitation resulting in a full privilege escalation. Even where security controls are in place preventing the direct exploitation of a small vulnerability it may still be possible to finesse limited exploitation potential into a much greater impact.
---------------------------------------------
https://labs.snyk.io/resources/abusing-ubuntu-root-privilege-escalation/
∗∗∗ Oops Safari, I think You Spilled Something ∗∗∗
---------------------------------------------
In February 2023, researchers at Exodus Intelligence discovered a bug in the Data Flow Graph (DFG) compiler of WebKit, the browser engine used by Safari. This bug, CVE-2024-44308, was patched by Apple in November 2024. While it was alive, its exploit was chained with PAC and APRR bypasses on Apple Silicon to yield renderer remote code execution capabilities on macOS and iOS. Such capabilities, and many others including LPEs and RCEs on Windows and Linux, are available to Exodus’ customers.
---------------------------------------------
https://blog.exodusintel.com/2025/08/04/oops-safari-i-think-you-spilled-som…
∗∗∗ 60 Malicious Ruby Gems Used in Targeted Credential Theft Campaign ∗∗∗
---------------------------------------------
Socket’s Threat Research Team has uncovered a long-running supply chain attack in the RubyGems ecosystem. Since at least March 2023, a threat actor using the aliases zon, nowon, kwonsoonje, and soonje has published 60 malicious gems posing as automation tools for Instagram, Twitter/X, TikTok, WordPress, Telegram, Kakao, and Naver. These gems deliver their advertised functionality, such as bulk posting or engagement, but covertly exfiltrate credentials (usernames and passwords) to threat actor-controlled infrastructure, which classifies them as infostealer malware.
---------------------------------------------
https://socket.dev/blog/60-malicious-ruby-gems-used-in-targeted-credential-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (gdk-pixbuf2, glibc, kernel, kernel-rt, libxml2, and opentelemetry-collector), Fedora (firefox, mingw-opencv, moby-engine, varnish, webkitgtk, xen, and yarnpkg), Oracle (firefox, gdk-pixbuf2, glibc, kernel, libblockdev, libxml2, python-requests, python3.12-setuptools, and qt5-qt3d), Red Hat (libxml2, pcs, and sudo), and SUSE (agama, chromium, dpkg, ghostscript, iperf, kubo, libIex-3_3-32, libpoppler-cpp2, libsoup, libtiff-devel-32bit, nginx, python-urllib3, ruby2.5, tgt, traefik, and traefik2).
---------------------------------------------
https://lwn.net/Articles/1033009/
∗∗∗ CISA Issues ED 25-02: Mitigate Microsoft Exchange Vulnerability ∗∗∗
---------------------------------------------
Today, CISA issued Emergency Directive (ED) 25-02: Mitigate Microsoft Exchange Vulnerability in response to CVE-2025-53786, a vulnerability in Microsoft Exchange server hybrid deployments. ED 25-02 directs all Federal Civilian Executive Branch (FCEB) agencies with Microsoft Exchange hybrid environments to implement required mitigations by 9:00 AM EDT on Monday, August 11, 2025. This vulnerability presents significant risk to all organizations operating Microsoft Exchange hybrid-joined configurations that have not yet implemented the April 2025 patch guidance.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/08/07/cisa-issues-ed-25-02-mit…
∗∗∗ CISA Releases Ten Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/08/07/cisa-releases-ten-indust…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 06-08-2025 18:00 − Thursday 07-08-2025 18:00
Handler: Felician Fuchs
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ New Ghost Calls tactic abuses Zoom and Microsoft Teams for C2 operations ∗∗∗
---------------------------------------------
A new post-exploitation command-and-control (C2) evasion method called Ghost Calls abuses TURN servers used by conferencing apps like Zoom and Microsoft Teams to tunnel traffic through trusted infrastructure.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-ghost-calls-tactic-abuse…
∗∗∗ Wave of 150 crypto-draining extensions hits Firefox add-on store ∗∗∗
---------------------------------------------
A malicious campaign dubbed GreedyBear has snuck onto the Mozilla add-ons store, targeting Firefox users with 150 malicious extensions and stealing an estimated $1,000,000 from unsuspecting victims.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/wave-of-150-crypto-draining-…
∗∗∗ Critical Zero-Day Bugs Crack Open CyberArk, HashiCorp Password Vaults ∗∗∗
---------------------------------------------
Secrets managers hold all the keys to an enterprise's kingdom. Two popular ones had longstanding, critical, unauthenticated RCE vulnerabilities.
---------------------------------------------
https://www.darkreading.com/cybersecurity-operations/critical-zero-day-bugs…
∗∗∗ Researchers Uncover ECScape Flaw in Amazon ECS Enabling Cross-Task Credential Theft ∗∗∗
---------------------------------------------
Cybersecurity researchers have demonstrated an "end-to-end privilege escalation chain" in Amazon Elastic Container Service (ECS) that could be exploited by an attacker to conduct lateral movement, access sensitive data, and seize control of the cloud environment.
---------------------------------------------
https://thehackernews.com/2025/08/researchers-uncover-ecscape-flaw-in.html
∗∗∗ How To Find SQL Injection Vulnerabilities in WordPress Plugins and Themes ∗∗∗
---------------------------------------------
SQL Injection (SQLi), a vulnerability almost as old as database-driven web applications themselves (CWE-89), persists as a classic example of failing to neutralize user-supplied input before it's used in a SQL query. So why does this well-understood vulnerability type continue to exist?
---------------------------------------------
https://www.wordfence.com/blog/2025/08/how-to-find-sql-injection-vulnerabil…
∗∗∗ New Promptware Attack Hijacks User’s Gemini AI Via Google Calendar Invite ∗∗∗
---------------------------------------------
Cybersecurity researchers demonstrate a new attack on Google Gemini AI for Workspace. Discover how a simple calendar invite can be used to perform phishing, steal emails, and even control home appliances.
---------------------------------------------
https://hackread.com/promptware-attack-hijack-gemini-ai-google-calendar-inv…
∗∗∗ Unveiling a New Variant of the DarkCloud Campaign ∗∗∗
---------------------------------------------
In early July 2025, a new DarkCloud campaign was observed in the wild by Fortinet’s FortiGuard Labs team. It began with a phishing email containing an attached RAR archive. I subsequently investigated this campaign and conducted a step-by-step analysis.
---------------------------------------------
https://feeds.fortinet.com/~/922857380/0/fortinet/blogs~Unveiling-a-New-Var…
∗∗∗ HTTP/1.1 must die: the desync endgame ∗∗∗
---------------------------------------------
Upstream HTTP/1.1 is inherently insecure and regularly exposes millions of websites to hostile takeover. Six years of attempted mitigations have hidden the issue, but failed to fix it. This paper introduces several novel classes of HTTP desync attack capable of mass compromise of user credentials.
---------------------------------------------
https://portswigger.net/research/http1-must-die
∗∗∗ Malicious npm Packages Target WhatsApp Developers with Remote Kill Switch ∗∗∗
---------------------------------------------
Two npm packages masquerading as WhatsApp developer libraries include a kill switch that deletes all files if the phone number isn’t whitelisted.
---------------------------------------------
https://socket.dev/blog/malicious-npm-packages-target-whatsapp-developers-w…
=====================
= Vulnerabilities =
=====================
∗∗∗ 6,500 Axis Servers Expose Remoting Protocol, 4,000 in U.S. Vulnerable to Exploits ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed multiple security flaws in video surveillance products from Axis Communications that, if successfully exploited, could expose them to takeover attacks.
---------------------------------------------
https://thehackernews.com/2025/08/6500-axis-servers-expose-remoting.html
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (glibc, kernel, libxml2, python-requests, and python-setuptools), Debian (chromium), Fedora (chromium, firefox, gdk-pixbuf2, iputils, libsoup3, libssh, perl, perl-Devel-Cover, perl-PAR-Packer, polymake, and poppler), Gentoo (Composer and Spreadsheet-ParseExcel), Oracle (glibc, kernel, libxml2, python-setuptools, sqlite, and virt:rhel and virt-devel:rhel), Red Hat (libxml2), SUSE (grub2, libarchive, libgcrypt, and python311), and Ubuntu (cifs-utils and poppler).
---------------------------------------------
https://lwn.net/Articles/1032861/
∗∗∗ Increased threat activity against SonicWall Gen 7 firewalls with SSLVPN - immediate measures recommended ∗∗∗
---------------------------------------------
Update, 07 August 2025: added technical indicators for a forensic investigation of possibly affected devices, as well as information on the allegedly relevant vulnerability.
---------------------------------------------
https://www.cert.at/de/warnungen/2025/8/erhohte-bedrohungsaktivitat-gegen-s…
∗∗∗ Security vulnerabilities: attackers can crash IBM Tivoli Monitoring ∗∗∗
---------------------------------------------
IBM's IT management software Tivoli Monitoring is vulnerable, and attackers can target two security flaws. An update that closes the vulnerabilities is available for download.
---------------------------------------------
https://heise.de/-10513072
∗∗∗ EG4 Electronics EG4 Inverters ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-07
∗∗∗ Dreame Technology iOS and Android Mobile Applications ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-06
∗∗∗ Packet Power EMX and EG ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-05
∗∗∗ Rockwell Automation Arena ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-04
∗∗∗ Burk Technology ARC Solo ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-03
∗∗∗ Johnson Controls FX80 and FX90 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-02
∗∗∗ Delta Electronics DIAView ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-01
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 05-08-2025 18:00 − Wednesday 06-08-2025 18:00
Handler: Felician Fuchs
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ Driver of destruction: How a legitimate driver is being used to take down AV processes ∗∗∗
---------------------------------------------
In an incident response case, Kaspersky experts discovered new malware that terminates AV processes by abusing the legitimate ThrottleStop driver.
---------------------------------------------
https://securelist.com/av-killer-exploiting-throttlestop-sys/117026/
∗∗∗ CISA Adds 3 D-Link Router Flaws to KEV Catalog After Active Exploitation Reports ∗∗∗
---------------------------------------------
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added three old security flaws impacting D-Link routers to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation in the wild.
---------------------------------------------
https://thehackernews.com/2025/08/cisa-adds-3-d-link-router-flaws-to-kev.ht…
∗∗∗ CERT-UA Warns of HTA-Delivered C# Malware Attacks Using Court Summons Lures ∗∗∗
---------------------------------------------
The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of cyber attacks carried out by a threat actor called UAC-0099 targeting government agencies, the defense forces, and enterprises of the defense-industrial complex in the country.
---------------------------------------------
https://thehackernews.com/2025/08/cert-ua-warns-of-hta-delivered-c.html
∗∗∗ GenAI Used For Phishing Websites Impersonating Brazil’s Government ∗∗∗
---------------------------------------------
In this blog post, ThreatLabz explores a campaign that uses generative AI tools like DeepSite AI and BlackBox AI to create malicious replicas of Brazil's State Department of Traffic and Ministry of Education.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/genai-used-phishing-website…
∗∗∗ Criminals send fake payment requests in the name of the WKO ∗∗∗
---------------------------------------------
The Austrian Federal Economic Chamber (Wirtschaftskammer Österreich, WKO) has once again become the target of a phishing attack. A fraudulent e-mail claiming to come from the WKO is currently circulating. The e-mail creates the impression that an outstanding membership invoice must be paid. The goal of the attack is to obtain personal information and login credentials.
---------------------------------------------
https://www.watchlist-internet.at/news/kriminelle-versenden-gefaelschte-zah…
∗∗∗ Makop Ransomware Identified in Attacks in South Korea ∗∗∗
---------------------------------------------
AhnLab Security Intelligence Center (ASEC) recently identified cases of Makop ransomware attacks targeting South Korean users. For several years the Makop ransomware has been distributed to South Korean users disguised as resumes or copyright-related emails. Recently, it has been reported that the ransomware is exploiting RDP for attacks.
---------------------------------------------
https://asec.ahnlab.com/en/89397/
∗∗∗ The Cost of a Call: From Voice Phishing to Data Extortion ∗∗∗
---------------------------------------------
In June, one of Google’s corporate Salesforce instances was impacted by similar UNC6040 activity described in this post. Google responded to the activity, performed an impact analysis and began mitigations. The instance was used to store contact information and related notes for small and medium businesses.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/voice-phishing-dat…
=====================
= Vulnerabilities =
=====================
∗∗∗ Experience Manager: Adobe leaves flaws unpatched for 90 days, now ships emergency update ∗∗∗
---------------------------------------------
Since proof-of-concept code is in circulation, attacks on Adobe Experience Manager could be imminent. Attackers can target two security vulnerabilities [..] to attack systems. The vulnerabilities have been known since April of this year, but security patches are only available now.
---------------------------------------------
https://www.heise.de/news/Experience-Manager-Adobe-patcht-90-Tage-nicht-und…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (kernel and python3.12-setuptools), Fedora (perl-Crypt-CBC and unbound), Gentoo (FontForge, GPL Ghostscript, Mozilla Network Security Service (NSS), and PAM), Oracle (gdk-pixbuf2, jq, kernel, mod_security, ncurses, python-requests, and python3-setuptools), Red Hat (python-requests and socat), SUSE (docker, kernel-livepatch-MICRO-6-0-RT_Update_2, kernel-livepatch-MICRO-6-0-RT_Update_4, kernel-livepatch-MICRO-6-0-RT_Update_5, kernel-livepatch-MICRO-6-0-RT_Update_6, kernel-livepatch-MICRO-6-0-RT_Update_7, kernel-livepatch-MICRO-6-0_Update_2, kernel-livepatch-MICRO-6-0_Update_4, kernel-livepatch-MICRO-6-0_Update_5, kernel-livepatch-MICRO-6-0_Update_6, kubeshark-cli, libgcrypt, pam-config, perl, python-requests, python311, and python313), and Ubuntu (linux-raspi).
---------------------------------------------
https://lwn.net/Articles/1032700/
∗∗∗ Docker: MCP security nightmare – six vulnerabilities identified ∗∗∗
---------------------------------------------
The container platform Docker warns of security risks arising from the use of MCP sources, which give attackers easy access to files, databases, the network and secrets. In addition, the perpetrators can execute far-reaching commands and inject malicious code.
---------------------------------------------
https://heise.de/-10510262
∗∗∗ Security updates: root attacks on Dell PowerProtect and Unity possible ∗∗∗
---------------------------------------------
To prevent possible attacks, admins should bring Dell PowerProtect Data Domain and Unity, UnityVSA and Unity XT up to date. Otherwise, attackers can, among other things, access instances with root privileges and compromise them.
---------------------------------------------
https://heise.de/-10511706
∗∗∗ JVN: Multiple vulnerabilities in Sato label printers CL4/6NX Plus and CL4/6NX-J Plus series ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN16547726/
∗∗∗ ZDI-25-771: Trend Micro Apex One Console Command Injection Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-771/
∗∗∗ ZDI-25-807: (0Day) AOMEI Cyber Backup Missing Authentication for Critical Function Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-807/
∗∗∗ Stable Channel Update for Desktop ∗∗∗
---------------------------------------------
http://chromereleases.googleblog.com/2025/08/stable-channel-update-for-desk…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 04-08-2025 18:00 − Tuesday 05-08-2025 18:00
Handler: Felician Fuchs
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ Android gets patches for Qualcomm flaws exploited in attacks ∗∗∗
---------------------------------------------
Google has released security patches for six vulnerabilities in Android's August 2025 security update, including two Qualcomm flaws exploited in targeted attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/android-gets-patches-for-qua…
∗∗∗ Stealing Machine Keys for fun and profit (or riding the SharePoint wave) ∗∗∗
---------------------------------------------
About 10 days ago exploits for Microsoft SharePoint (CVE-2025-53770, CVE-2025-53771) started being publicly abused ..
---------------------------------------------
https://isc.sans.edu/diary/Stealing+Machine+Keys+for+fun+and+profit+or+ridi…
∗∗∗ Antivirus vendors fail to spot persistent, nasty, stealthy Linux backdoor ∗∗∗
---------------------------------------------
Plague malware has been around for months without tripping alarms. Updated: Researchers at German infosec services company Nextron Threat have spotted malware that creates a highly-persistent Linux backdoor and say antivirus engines do not flag the code as malicious.
---------------------------------------------
https://www.theregister.com/2025/08/05/plague_linux_backdoor/
∗∗∗ CrowdStrike investigated 320 North Korean IT worker cases in the past year ∗∗∗
---------------------------------------------
Threat hunters saw North Korean operatives almost daily, reflecting a 220% year-over-year increase in activity, CrowdStrike said in a new report.
---------------------------------------------
https://cyberscoop.com/crowdstrike-north-korean-operatives/
∗∗∗ Mozilla: phishing attacks on add-on developers observed ∗∗∗
---------------------------------------------
Criminals are currently targeting add-on developers who create extensions for Firefox.
---------------------------------------------
https://www.heise.de/news/Mozilla-warnt-vor-Phishing-Attacken-auf-Add-on-En…
∗∗∗ From code to stolen wallets: How hackers are trapping AI development tools ∗∗∗
---------------------------------------------
When AI becomes a target: At a time when AI technology is developing rapidly, AI has been increasingly integrated into our daily lives. However, due ..
---------------------------------------------
https://blog.360totalsecurity.com/en/from-code-to-stolen-wallets-how-hacker…
∗∗∗ Warning, fake shop: vorwerk-deutschland.de ∗∗∗
---------------------------------------------
Many customers think they have found a bargain on vorwerk-deutschland.de, where the new Thermomix TM7 is offered at a lower price. But beware: it is a fake shop that only accepts payment in advance. Anyone who orders here loses their money and receives no goods.
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-fake-shop-vorwerk-deutschlan…
∗∗∗ Ukrainian hackers obtained secret documents on the newest Russian nuclear submarine ∗∗∗
---------------------------------------------
The captured data includes crew lists, deployment data and construction plans. According to the Ukrainian intelligence service, the submarine's weaknesses were also exposed.
---------------------------------------------
https://www.derstandard.at/story/3000000282244/ukrainische-hacker-erbeutete…
∗∗∗ Increased threat activity against SonicWall Gen 7 firewalls with SSLVPN - immediate measures recommended ∗∗∗
---------------------------------------------
SonicWall reports a significant increase in security incidents over the last 96 hours affecting Gen 7 SonicWall firewalls with SSLVPN enabled. The threat activity was reported both internally and by external organizations and companies such as Arctic Wolf, Google Mandiant and Huntress. It is not yet ..
---------------------------------------------
https://www.cert.at/de/warnungen/2025/8/erhohte-bedrohungsaktivitat-gegen-s…
∗∗∗ From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira ∗∗∗
---------------------------------------------
Bumblebee malware has been an initial access tool used by threat actors since late 2021. In 2023 the malware was first reported as using SEO poisoning as a delivery ..
---------------------------------------------
https://thedfirreport.com/2025/08/05/from-bing-search-to-ransomware-bumbleb…
∗∗∗ Cursor IDE: Persistent Code Execution via MCP Trust Bypass ∗∗∗
---------------------------------------------
Check Point Research uncovered a persistent remote code execution vulnerability in Cursor, a fast-growing AI-powered coding platform trusted by developers worldwide. MCP Vulnerability: Cursor allows attackers to gain long-term, silent access to ..
---------------------------------------------
https://blog.checkpoint.com/research/cursor-ide-persistent-code-execution-v…
∗∗∗ Vietnamese-speaking hackers appear to be running global data theft operation through Telegram ∗∗∗
---------------------------------------------
A combination of phishing lures, a previously spotted infostealer and Telegram bots are fueling a campaign by apparent Vietnamese-speaking hackers to capture and sell sensitive data globally.
---------------------------------------------
https://therecord.media/pxa-infostealer-telegram-bots-vietnamese-speaking-h…
∗∗∗ New insights into SharePoint-Gate: staff from China for maintenance ∗∗∗
---------------------------------------------
Since the SharePoint disaster in July 2025, in which vulnerabilities were attacked, there have been new revelations almost every day. It was speculated that presumably Chinese hackers had advance ... to internal ..
---------------------------------------------
https://www.borncity.com/blog/2025/08/05/neue-insights-zum-sharepoint-gate-…
∗∗∗ Microsoft Recall still captures (July 2025) credit card data and passwords ∗∗∗
---------------------------------------------
Is it a surprise? No, not a surprise, but rather to be expected. The Recall spying feature that Microsoft pushes onto Windows systems continues to capture sensitive data such as credit card details and passwords. And this, ..
---------------------------------------------
https://www.borncity.com/blog/2025/08/05/microsoft-recall-erfasst-weiterhin…
∗∗∗ Detection Engineering: Practicing Detection-as-Code – Validation – Part 3 ∗∗∗
---------------------------------------------
In this part, we focus on implementing validation checks to improve consistency and ensure a minimum level of quality within the detection repository. Setting up validation pipelines is a key step, as it helps enforce the defined standards, reduce errors, and ensure that detections are reliable and consistent.
---------------------------------------------
https://blog.nviso.eu/2025/08/05/detection-engineering-practicing-detection…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 01-08-2025 18:00 − Monday 04-08-2025 18:00
Handler: Felician Fuchs
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ Pi-hole discloses data breach triggered by WordPress plugin flaw ∗∗∗
---------------------------------------------
Pi-hole, a popular network-level ad-blocker, has disclosed that donor names and email addresses were exposed through a security vulnerability in the GiveWP WordPress donation plugin.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/pi-hole-discloses-data-breac…
∗∗∗ Mozilla warns of phishing attacks targeting add-on developers ∗∗∗
---------------------------------------------
Mozilla has warned browser extension developers of an active phishing campaign targeting accounts on its official AMO (addons.mozilla.org) repository.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/mozilla-warns-of-phishing-at…
∗∗∗ New Plague Linux malware stealthily maintains SSH access ∗∗∗
---------------------------------------------
A newly discovered Linux malware, which has evaded detection for over a year, allows attackers to gain persistent SSH access and bypass authentication on compromised systems.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-plague-malware-backdoors…
∗∗∗ Exchange: China accuses the USA of military hacking ∗∗∗
---------------------------------------------
China accuses US intelligence agencies of having exploited Microsoft Exchange vulnerabilities for over a year to steal military data.
---------------------------------------------
https://www.golem.de/news/exchange-china-wirft-den-usa-militaer-hacking-vor…
∗∗∗ CISA roasts unnamed critical national infrastructure body for shoddy security hygiene ∗∗∗
---------------------------------------------
Plaintext passwords, shared admin accounts, and insufficient logging rampant at mystery org. CISA is using the findings from a recent probe of an unidentified critical infrastructure organization to warn about the dangers of getting cybersecurity seriously wrong.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/08/02/cisa_coast_g…
∗∗∗ Lazarus Group rises again, this time with malware-laden fake FOSS ∗∗∗
---------------------------------------------
Software supply chain management vendor Sonatype last week published research in which it claimed that Lazarus Group has created hundreds of “shadow downloads” that appear to be popular open source software development tools but are full of malware.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/08/04/infosec_in_b…
∗∗∗ Fake refund e-mails in the name of the WKO ∗∗∗
---------------------------------------------
E-mails with the subject „Ihr möglicher Erstattungsbetrag von bis zu 476 Euro“ (your possible refund amount of up to 476 euros) are currently being sent to numerous members of the Wirtschaftskammer Österreich (WKO). They claim that there may be a claim for a refund of membership fees, which can be checked via a link. Warning: the link leads to a fraudulent website where personal data is stolen.
---------------------------------------------
https://www.watchlist-internet.at/news/betruegerische-e-mails-zu-rueckersta…
∗∗∗ Akira Ransomware Exploiting Potential Zero-Day in SonicWall SSL VPN ∗∗∗
---------------------------------------------
Arctic Wolf also suggests that the attacks could be exploiting an undetermined security flaw in the appliances, meaning a zero-day vulnerability, given that some of the incidents affected SonicWall devices which were fully patched.
---------------------------------------------
https://www.truesec.com/hub/blog/akira-ransomware-exploiting-potential-zero…
∗∗∗ Security incident involving Logitech partner list after all ∗∗∗
---------------------------------------------
There has been a security incident at a service provider that manages Logitech partners on behalf of Logitech. Logitech partners recently received a scam e-mail warning of the risk of an attack on a MetaMask wallet, but containing a phishing link.
---------------------------------------------
https://www.borncity.com/blog/2025/08/03/doch-sicherheitsvorfall-bei-logite…
∗∗∗ New Attack Uses Windows Shortcut Files to Install REMCOS Backdoor ∗∗∗
---------------------------------------------
Security firm Point Wild has exposed a new malware campaign using malicious LNK files to install the REMCOS backdoor. This report details how attackers disguise files to gain full system control.
---------------------------------------------
https://hackread.com/attack-windows-shortcut-files-install-remcos-backdoor/
∗∗∗ When Flatpak’s Sandbox Cracks: Real‑Life Security Issues Beyond the Ideal ∗∗∗
---------------------------------------------
Flatpak’s sandbox model is robust in design, but imperfect in deployment. Sandboxes dissolved through misconfiguration, vulnerabilities like CVE‑2024‑32462, and symlink exploits illustrate the friction between ideal and actual protection.
---------------------------------------------
https://www.linuxjournal.com/content/when-flatpaks-sandbox-cracks-real-life…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security update: phishing attacks on IBM Operational Decision Manager possible ∗∗∗
---------------------------------------------
IBM's business tool Operational Decision Manager is vulnerable. The developers have closed two security holes in the current versions.
---------------------------------------------
https://www.heise.de/news/Sicherheitsupdate-Phishingangriffe-auf-IBM-Operat…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (java-21-openjdk, kernel, libxml2, and lz4), Debian (exempi, ruby-graphql, and sope), Fedora (binutils, chromium, gdk-pixbuf2, libsoup3, poppler, and reposurgeon), Mageia (glib2.0 and wxgtk), Oracle (jackson-annotations, jackson-core, jackson-databind, jackson-jaxrs-providers, and jackson-modules-base and libxml2), Red Hat (kernel, pandoc, pcs, qemu-kvm, redis, and rsync), SUSE (chromedriver, coreutils, cosign, docker, gdk-pixbuf-devel, glib2, gnutls, grub2, gstreamer-plugins-base, helm, ignition, java-21-openjdk, jbigkit, jq, kernel, kubernetes1.28, kwctl, libxml2, nvidia-open-driver-G06-signed, opensc, pam-config, protobuf, python310, tgt, and valkey), and Ubuntu (linux-iot).
---------------------------------------------
https://lwn.net/Articles/1032371/
∗∗∗ Breaking NVIDIA Triton: CVE-2025-23319 - A Vulnerability Chain Leading to AI Server Takeover ∗∗∗
---------------------------------------------
Wiz Research discovers a critical vulnerability chain allowing unauthenticated attackers to take over NVIDIA's Triton Inference Server.
---------------------------------------------
https://www.wiz.io/blog/nvidia-triton-cve-2025-23319-vuln-chain-to-ai-server
∗∗∗ Critical Vulnerability in NestJS Devtools: Localhost RCE via Sandbox Escape ∗∗∗
---------------------------------------------
A flawed sandbox in @nestjs/devtools-integration lets attackers run code on your machine via CSRF, leading to full Remote Code Execution (RCE).
---------------------------------------------
https://socket.dev/blog/nestjs-rce-vuln
∗∗∗ VU#317469: Partner Software/Partner Web does not sanitize Report files and Note content, allowing for XSS and RCE ∗∗∗
---------------------------------------------
https://kb.cert.org/vuls/id/317469
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2025-0005 ∗∗∗
---------------------------------------------
https://webkitgtk.org/security/WSA-2025-0005.html
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 31-07-2025 18:00 − Freitag 01-08-2025 18:00
Handler: Guenes Holler
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Microsoft to disable Excel workbook links to blocked file types ∗∗∗
---------------------------------------------
Microsoft has announced that it will start disabling external workbook links to blocked file types by default between October 2025 and July 2026. [..] After the rollout, Excel workbooks referencing blocked file types will display a #BLOCKED error or fail to refresh, eliminating security risks associated with accessing unsupported or high-risk file types, including, but not limited to, phishing attacks that utilize workbooks to redirect targets to malicious payloads.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-to-disable-extern…
∗∗∗ Kali Linux can now run in Apple containers on macOS systems ∗∗∗
---------------------------------------------
Cybersecurity professionals and researchers can now launch Kali Linux in a virtualized container on macOS Sequoia using Apple's new containerization framework.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/kali-linux-can-now-run-in-ap…
∗∗∗ Experts Detect Multi-Layer Redirect Tactic Used to Steal Microsoft 365 Login Credentials ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed details of a new phishing campaign that conceals malicious payloads by abusing link wrapping services from Proofpoint and Intermedia to bypass defenses.
---------------------------------------------
https://thehackernews.com/2025/07/experts-detect-multi-layer-redirect.html
∗∗∗ Attackers Use Fake OAuth Apps with Tycoon Kit to Breach Microsoft 365 Accounts ∗∗∗
---------------------------------------------
Cybersecurity researchers have detailed a new cluster of activity where threat actors are impersonating enterprises with fake Microsoft OAuth applications to facilitate credential harvesting as part of account takeover attacks. "The fake Microsoft 365 applications impersonate various companies, including RingCentral, SharePoint, Adobe, and Docusign," Proofpoint said in a Thursday report.
---------------------------------------------
https://thehackernews.com/2025/08/attackers-use-fake-oauth-apps-with.html
∗∗∗ Huawei, at the heart of the Post outage ∗∗∗
---------------------------------------------
The cyberattack that hit Post (and Luxembourg) last week is believed to have targeted Huawei routers and their operating software. The presence of the Chinese giant at the heart of the infrastructure raises questions. The public company says it is reserving its answers for the MPs and ministers who will meet this Thursday at 10am in parliament.
---------------------------------------------
https://en.paperjam.lu/article/huawei-at-the-heart-of-the-post-outage
∗∗∗ CISA Releases Open-Source Eviction Strategies Tool for Cyber Incident Response ∗∗∗
---------------------------------------------
“How an organization approaches remediation and eviction of an incident is critically important to a successful response effort. Over the years, we have seen organizations struggle with identifying the right steps to take and the correct sequencing of actions to properly evict advanced adversaries from their enterprises,” said Jermaine Roebuck, Associate Director for Threat Hunting, CISA. “This tool will level the playing field by making it easier for IT staff and cyber defenders to coordinate efforts and achieve a successful eviction. I encourage public and private sector organizations to incorporate this capability into their incident response plans.”
---------------------------------------------
https://www.cisa.gov/news-events/news/cisa-releases-open-source-eviction-st…
∗∗∗ CISA and USCG Issue Joint Advisory to Strengthen Cyber Hygiene in Critical Infrastructure ∗∗∗
---------------------------------------------
CISA, in partnership with the U.S. Coast Guard (USCG), released a joint Cybersecurity Advisory aimed at helping critical infrastructure organizations improve their cyber hygiene. [..] CISA and USCG are sharing their findings and associated mitigations to assist other critical infrastructure organizations identify potential similar issues and take proactive measures to improve their cybersecurity posture. The mitigations include best practices such as not storing passwords or credentials in plaintext, avoiding sharing local administrator account credentials, and implementing comprehensive logging.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/07/31/cisa-and-uscg-issue-join…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (firefox and thunderbird), Debian (libcommons-lang-java, node-form-data, redis, and sope), Fedora (chromium), Mageia (slurm), Oracle (apache-commons-beanutils, firefox, kernel, redis:6, and thunderbird), Red Hat (kernel, kernel-rt, libxml2, and redis), SUSE (chromium, docker, ffmpeg-7, gnutls, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, libgcrypt, rav1e, and sccache), and Ubuntu (linux-lowlatency, linux-lowlatency-hwe-6.8).
---------------------------------------------
https://lwn.net/Articles/1032174/
∗∗∗ WordPress Vulnerability & Patch Roundup — July 2025 ∗∗∗
---------------------------------------------
https://blog.sucuri.net/2025/07/wordpress-vulnerability-patch-roundup-july-…
∗∗∗ Rockwell Automation Lifecycle Services with VMware ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-212-02
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 30-07-2025 18:00 − Donnerstag 31-07-2025 18:00
Handler: Guenes Holler
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ Hackers Exploit Critical WordPress Theme Flaw to Hijack Sites via Remote Plugin Install ∗∗∗
---------------------------------------------
The vulnerability, tracked as CVE-2025-5394, carries a CVSS score of 9.8. Security researcher Thái An has been credited with discovering and reporting the bug. According to Wordfence, the shortcoming relates to an arbitrary file upload affecting all versions of the plugin prior to and including 7.8.3. It has been addressed in version 7.8.5 released on June 16, 2025.
---------------------------------------------
https://thehackernews.com/2025/07/hackers-exploit-critical-wordpress.html
∗∗∗ N. Korean Hackers Used Job Lures, Cloud Account Access, and Malware to Steal Millions in Crypto ∗∗∗
---------------------------------------------
The North Korea-linked threat actor known as UNC4899 has been attributed to attacks targeting two different organizations by approaching their employees via LinkedIn and Telegram.
---------------------------------------------
https://thehackernews.com/2025/07/n-korean-hackers-used-job-lures-cloud.html
∗∗∗ Scammers Unleash Flood of Slick Online Gaming Sites ∗∗∗
---------------------------------------------
Fraudsters are flooding Discord and other social media platforms with ads for hundreds of polished online gaming and wagering websites that lure people with free credits and eventually abscond with any cryptocurrency funds deposited by players. Here’s a closer look at the social engineering tactics and remarkable traits of this sprawling network of more than 1,200 scam sites.
---------------------------------------------
https://krebsonsecurity.com/2025/07/scammers-unleash-flood-of-slick-online-…
∗∗∗ Beware of this iCloud phishing e-mail ∗∗∗
---------------------------------------------
„Letzte Mitteilung: Ihre Fotos und Videos werden gelöscht – ergreifen Sie Maßnahmen!“ (final notice: your photos and videos will be deleted, take action!) With this subject line, criminals are currently sending phishing e-mails that appear to come from iCloud. Under the pretext that the storage subscription must be renewed, they try to obtain payment data.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-dieser-icloud-phishing-…
∗∗∗ Patents by Silk Typhoon-linked company shed light on Beijing’s offensive hacking capabilities ∗∗∗
---------------------------------------------
SentinelOne's threat researchers pored through recent Justice Department indictments of prominent Chinese hackers and mapped out the country’s evolving web of private companies that are hired to launch cyberattacks on behalf of the government.
---------------------------------------------
https://therecord.media/patents-silk-typhoon-company-beijing
∗∗∗ GreyNoise Uncovers Early Warning Signals for Emerging Vulnerabilities ∗∗∗
---------------------------------------------
It’s well known that the window between CVE disclosure and active exploitation has narrowed. But what happens before a CVE is even disclosed? In our latest research “Early Warning Signals: When Attacker Behavior Precedes New Vulnerabilities,” GreyNoise analyzed hundreds of spikes in malicious activity — scanning, brute forcing, exploit attempts, and more — targeting edge technologies. We discovered a consistent and actionable trend: in the vast majority of cases, these spikes were followed by the disclosure of a new CVE affecting the same technology within six weeks.
---------------------------------------------
https://www.greynoise.io/blog/greynoise-uncovers-early-warning-signals-emer…
∗∗∗ In search of riches, hackers plant 4G-enabled Raspberry Pi in bank network ∗∗∗
---------------------------------------------
Hackers planted a Raspberry Pi equipped with a 4G modem in the network of an unnamed bank in an attempt to siphon money out of the financial institution's ATM system, researchers reported Wednesday.
---------------------------------------------
https://arstechnica.com/security/2025/07/in-search-of-riches-hackers-plant-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (firefox, java-21-openjdk, kernel, thunderbird, and unbound), Debian (chromium and systemd), Fedora (libtiff), Oracle (java-21-openjdk, libtpms, nodejs:22, redis:7, thunderbird, and unbound), Red Hat (firefox, redis, and thunderbird), SUSE (apache2, cdi-apiserver-container, cdi-cloner-container, cdi-controller-container, cdi-importer-container, cdi-operator-container, cdi-uploadproxy-container, cdi-uploadserver-container, cont, java-11-openjdk, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestf, libarchive, nvidia-open-driver-G06-signed, redis, and rmt-server), and Ubuntu (linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx, linux-oracle, linux-oracle-5.15, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.14, linux-gcp, linux-gcp-6.14, linux-hwe-6.14, linux-oem-6.14, linux-raspi, linux-realtime, linux, linux-aws, linux-aws-6.8, linux-gcp, linux-gke, linux-gkeop, linux-hwe-6.8, linux-ibm, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oem-6.8, linux-oracle, linux, linux-aws, linux-kvm, linux-aws, linux-lts-xenial, linux-aws-fips, linux-fips, linux-gcp-fips, linux-azure, linux-fips, linux-intel-iot-realtime, linux-realtime, linux-oracle, linux-oracle-6.8, linux-realtime, and sqlite3).
---------------------------------------------
https://lwn.net/Articles/1032083/
∗∗∗ Install quickly: Apple fixes zero-day attack in WebKit ∗∗∗
---------------------------------------------
Apple's updates for iOS, iPadOS and macOS, released in the night to Wednesday, should be installed urgently: as has only now become known, they also fix a WebKit bug for which an exploit already exists. So far, however, it is only being used to attack Chrome users, according to the associated NIST entry (CVE-2025-6558). The bug is rated "Severity: High". Confusingly, Apple does not warn of known active attacks in its security documentation, apparently because there are no corresponding reports for Apple's Safari browser yet.
---------------------------------------------
https://heise.de/-10505297
∗∗∗ Security update: vulnerabilities endanger HCL BigFix Remote Control ∗∗∗
---------------------------------------------
The endpoint management platform HCL BigFix is vulnerable (CVE-2025-31965, "high"), and attackers can view data without authorization or, with considerable effort and the right timing, even access a private key. Specifically, the vulnerabilities are in HCL BigFix Remote Control. A hardened version is available for download.
---------------------------------------------
https://heise.de/-10505415
∗∗∗ CVE-2025-8292 - DSA-5968-1 chromium - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2025/msg00132.html
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 29-07-2025 18:00 − Mittwoch 30-07-2025 18:00
Handler: Felician Fuchs
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Attackers Can Use Browser Extensions to Inject AI Prompts ∗∗∗
---------------------------------------------
A brand-new cyberattack vector allows threat actors to use a poisoned browser extension to inject malicious prompts into all of the top generative AI tools on the market, including ChatGPT, Gemini, and others.
---------------------------------------------
https://www.darkreading.com/vulnerabilities-threats/attackers-use-browser-e…
∗∗∗ PyPI Warns of Ongoing Phishing Campaign Using Fake Verification Emails and Lookalike Domain ∗∗∗
---------------------------------------------
The maintainers of the Python Package Index (PyPI) repository have issued a warning about an ongoing phishing attack that's targeting users in an attempt to redirect them to fake PyPI sites. The attack involves sending email messages bearing the subject line "[PyPI] Email verification" that are sent from the email address noreply(a)pypj[.]org (note that the domain is not "pypi[.]org").
---------------------------------------------
https://thehackernews.com/2025/07/pypi-warns-of-ongoing-phishing-campaign.h…
∗∗∗ 2025 Unit 42 Global Incident Response Report: Social Engineering Edition ∗∗∗
---------------------------------------------
Social engineering thrives on trust and is now boosted by AI. Unit 42 incident response data explains why it's surging. We detail eight critical countermeasures.
---------------------------------------------
https://unit42.paloaltonetworks.com/2025-unit-42-global-incident-response-r…
∗∗∗ Google Project Zero to publicly announce bugs within a week of reporting them ∗∗∗
---------------------------------------------
The vulnerability hunters at Google Project Zero want to address what they call the "upstream patch gap," when a vendor has a fix available but the downstream product providers haven't integrated it yet.
---------------------------------------------
https://therecord.media/google-project-zero-publicly-announce-vulnerabiliti…
∗∗∗ Decryptor released for FunkSec ransomware; Avast works with law enforcement to help victims ∗∗∗
---------------------------------------------
Cybersecurity company Avast released a decryptor for the short-lived FunkSec ransomware and said it is assisting dozens of the gang's targets with the process.
---------------------------------------------
https://therecord.media/funksec-ransomware-decryptor-avast
∗∗∗ New Choicejacking Attack Steals Data from Phones via Public Chargers ∗∗∗
---------------------------------------------
Choicejacking is a new USB attack that tricks phones into sharing data at public charging stations, bypassing security prompts in milliseconds.
---------------------------------------------
https://hackread.com/choicejacking-attack-steals-data-phones-public-charger…
∗∗∗ CISA Releases Part One of Zero Trust Microsegmentation Guidance ∗∗∗
---------------------------------------------
This guidance provides a high-level overview of microsegmentation, focusing on its key concepts, associated challenges and potential benefits, and includes recommended actions to modernize network security and advance zero trust principles.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/07/29/cisa-releases-part-one-z…
=====================
= Vulnerabilities =
=====================
∗∗∗ New Lenovo UEFI firmware updates fix Secure Boot bypass flaws ∗∗∗
---------------------------------------------
Lenovo is warning about high-severity BIOS flaws that could allow attackers to potentially bypass Secure Boot in all-in-one desktop PC models that use customized Insyde UEFI (Unified Extensible Firmware Interface).
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-lenovo-uefi-firmware-upd…
∗∗∗ Apple Patches Safari Vulnerability Also Exploited as Zero-Day in Google Chrome ∗∗∗
---------------------------------------------
Apple on Tuesday released security updates for its entire software portfolio, including a fix for a vulnerability that Google said was exploited as a zero-day in the Chrome web browser earlier this month. The vulnerability, tracked as CVE-2025-6558 (CVSS score: 8.8), is an incorrect validation of untrusted input in the browser's ANGLE and GPU components that could result in a sandbox escape via a crafted HTML page.
---------------------------------------------
https://thehackernews.com/2025/07/apple-patches-safari-vulnerability-also.h…
∗∗∗ Critical Dahua Camera Flaws Enable Remote Hijack via ONVIF and File Upload Exploits ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed now-patched critical security flaws in the firmware of Dahua smart cameras that, if left unaddressed, could allow attackers to hijack control of susceptible devices.
---------------------------------------------
https://thehackernews.com/2025/07/critical-dahua-camera-flaws-enable.html
∗∗∗ Autodesk Security Advisory 29.07.2025 ∗∗∗
---------------------------------------------
Certain Autodesk products use a shared component that is affected by multiple vulnerabilities listed below. Exploitation of these vulnerabilities can lead to code execution. Exploitation of these vulnerabilities requires user interaction.
---------------------------------------------
https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0015
∗∗∗ Security updates: attackers can access Dell ECS and ObjectScale ∗∗∗
---------------------------------------------
Attackers can access Dell Elastic Cloud Storage (ECS) and ObjectScale with comparatively little effort. Companies use these products, among other things, to set up cloud storage. If important data is stored there, unauthorized access can have far-reaching consequences. Security updates close the vulnerability.
---------------------------------------------
https://www.heise.de/news/Sicherheitsupdates-Angreifer-koennen-auf-Dell-ECS…
∗∗∗ Stable Channel Update for Desktop ∗∗∗
---------------------------------------------
The Stable channel has been updated to 138.0.7204.183/.184 for Windows, Mac and 138.0.7204.183 for Linux which will roll out over the coming days/weeks. This update includes 4 security fixes.
---------------------------------------------
http://chromereleases.googleblog.com/2025/07/stable-channel-update-for-desk…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (firefox, icu, kernel-rt, libtpms, redis:6, redis:7, and sqlite), Fedora (chromium and cloud-init), Oracle (icu, java-1.8.0-openjdk, java-21-openjdk, kernel, nodejs:22, perl, and sqlite), SUSE (docker, java-1_8_0-openj9, libxml2, python-starlette, and thunderbird), and Ubuntu (cloud-init, linux-azure, linux-azure-5.4, linux-azure-fips, linux-raspi, linux-raspi-5.4, and perl).
---------------------------------------------
https://lwn.net/Articles/1031919/
∗∗∗ Dental practice management system (PVS): security vulnerabilities in CGM Z1 (part 1) ∗∗∗
---------------------------------------------
CompuGroup Medical (CGM) also sells a practice management system (PVS) for dentists. According to the company, the system is in use at more than 7,000 dentists. At the beginning of the year, a source wishing to remain anonymous informed me about potential security problems in this software. There has since been a software update that should have eliminated these problems. I will summarize the facts in a few blog posts.
---------------------------------------------
https://www.borncity.com/blog/2025/07/30/sicherheit-beim-zahnarzt-pvs-z1/
∗∗∗ Delta Electronics DTN Soft ∗∗∗
---------------------------------------------
According to Delta Electronics, if a version of DTN Soft prior to v2.1.0 is installed, it should be updated to v2.1.0 or later. If DTM Soft is also installed, it should be updated to v1.6.0.0 (released on March 25, 2025) or later. Successful exploitation of this vulnerability could allow an attacker to use a specially crafted project file to execute arbitrary code.
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-210-03
∗∗∗ TP-Link Archer C50 router is vulnerable to configuration-file decryption ∗∗∗
---------------------------------------------
https://kb.cert.org/vuls/id/554637
∗∗∗ Security update for Tenable Patch Management Fixes One Vulnerability ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2025-15
∗∗∗ CISA: Security update for National Instruments LabVIEW ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-210-01
∗∗∗ CISA: Security update for Samsung HVAC DMS ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-210-02
=====================
= End-of-Day report =
=====================
Timeframe: Montag 28-07-2025 18:00 − Dienstag 29-07-2025 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ OpenAI’s ChatGPT Agent casually clicks through “I am not a robot” verification test ∗∗∗
---------------------------------------------
On Friday, OpenAI's new ChatGPT Agent, which can perform multistep tasks for users, proved it can pass through one of the Internet's most common security checkpoints by clicking Cloudflare's anti-bot verification—the same checkbox that's supposed to keep automated programs like itself at bay.
---------------------------------------------
https://arstechnica.com/information-technology/2025/07/openais-chatgpt-agen…
∗∗∗ Exploit available for critical Cisco ISE bug exploited in attacks ∗∗∗
---------------------------------------------
Security researcher Bobby Gould has published a blog post demonstrating a complete exploit chain for CVE-2025-20281, an unauthenticated remote code execution vulnerability in Cisco Identity Services Engine (ISE).
---------------------------------------------
https://www.bleepingcomputer.com/news/security/exploit-available-for-critic…
∗∗∗ Endgame Gear mouse config tool infected users with malware ∗∗∗
---------------------------------------------
Gaming peripherals maker Endgame Gear is warning that malware was hidden in its configuration tool for the OP1w 4k v2 mouse hosted on the official website between June 26 and July 9, 2025. The infected file was hosted on 'endgamegear.com/gaming-mice/op1w-4k-v2,' so users downloading the tool from that page during this period were infected.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/endgame-gear-mouse-config-to…
∗∗∗ Critical Flaw in Vibe-Coding Platform Base44 Exposed Apps ∗∗∗
---------------------------------------------
The rise of "vibe coding" platforms that enable developers to build software with minimal traditional coding could create a slew of new security risks for organizations. A recent example is a now-patched vulnerability in the Base44 AI-powered development platform that allowed unauthorized users to gain complete access to private enterprise applications hosted on the service.
---------------------------------------------
https://www.darkreading.com/application-security/critical-flaw-vibe-coding-…
∗∗∗ Parasitic Sharepoint Exploits ∗∗∗
---------------------------------------------
Last week, newly exploited SharePoint vulnerabilities took a lot of our attention. It is fair to assume that last Monday (July 21st), all exposed vulnerable SharePoint installs were exploited. Of course, there is nothing to prevent multiple exploitation of the same instance, and a lot of that certainly happened. But why exploit it yourself if you can just take advantage of backdoors left behind by prior exploits? A number of these backdoors were widely publicised. The initial backdoor "spinstall0.aspx", was frequently observed and Microsoft listed various variations of this filename [1].
---------------------------------------------
https://isc.sans.edu/diary/rss/32148
∗∗∗ Checking Windows for outdated libcurl libraries in programs ∗∗∗
---------------------------------------------
Microsoft frequently ships the cURL library in outdated versions that have security vulnerabilities. Software packages also come with ancient libcurl files. How can I check whether any such legacy remnants are lurking on my systems?
---------------------------------------------
https://www.borncity.com/blog/2025/07/29/software-und-die-veralteten-libcur…
∗∗∗ Gunra Ransomware Group Unveils Efficient Linux Variant ∗∗∗
---------------------------------------------
Gunra ransomware was first observed in April 2025 in a campaign that targeted Windows systems using techniques inspired by the infamous Conti ransomware. Our monitoring of the ransomware landscape revealed that threat actors behind Gunra have expanded with a Linux variant, signaling a strategic move toward cross-platform targeting.
---------------------------------------------
https://www.trendmicro.com/en_us/research/25/g/gunra-ransomware-linux-varia…
∗∗∗ SAP NetWeaver Vulnerability Used in Auto-Color Malware Attack on US Firm ∗∗∗
---------------------------------------------
Darktrace uncovers the first exploit of a critical SAP NetWeaver vulnerability (CVE-2025-31324) to deploy Auto-Color backdoor malware. Learn how this evasive Linux RAT targets systems for remote code execution and how AI-powered defence thwarts multi-stage attacks.
---------------------------------------------
https://hackread.com/sap-netweaver-vulnerability-auto-color-malware-us-firm/
∗∗∗ Stack Overflows, Heap Overflows, and Existential Dread (SonicWall SMA100 CVE-2025-40596, CVE-2025-40597 and CVE-2025-40598) ∗∗∗
---------------------------------------------
Our initial journey started with analyzing SonicWall N-days that were receiving coveted attention from our friendly APT groups. But somewhere along the way - deep in a fog of malformed headers and reverse proxy shenanigans - we stumbled across vulnerabilities that feel like they were preserved in amber from a more naïve era of C programming.
---------------------------------------------
https://labs.watchtowr.com/stack-overflows-heap-overflows-and-existential-d…
∗∗∗ Security: CERT@VDE becomes the first German control center for security vulnerabilities ∗∗∗
---------------------------------------------
The security and computer emergency team of the electrical engineering and IT association VDE has, for a few days now, been playing a more important role internationally. The industry association announced on Friday that its own Computer Emergency Response Team, CERT@VDE, has become the central body in the fight against IT security vulnerabilities in the field of industrial automation, with a focus on small and medium-sized enterprises. Its work coordinating security problems in this sector thus gains worldwide significance.
---------------------------------------------
https://heise.de/-10502241
∗∗∗ Attacking GenAI applications and LLMs – Sometimes all it takes is to ask nicely! ∗∗∗
---------------------------------------------
Generative AI and LLM technologies have shown great potential in recent years, and for this reason, an increasing number of applications are starting to integrate them for multiple purposes. These applications are becoming increasingly complex, adopting approaches that involve multiple specialized agents, each focused on one or more tasks, interacting with one another and using external tools to access information, perform operations, or carry out tasks that LLMs are not capable of handling directly (e.g., mathematical computations).
---------------------------------------------
https://security.humanativaspa.it/attacking-genai-applications-and-llms-som…
=====================
= Vulnerabilities =
=====================
∗∗∗ CVE-2025-26397 - ZDI-25-654: SolarWinds TFTP Server Deserialization of Untrusted Data Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows local attackers to escalate privileges on affected installations of SolarWinds TFTP Server. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the internal TFTP communications endpoint, which listens on the localhost interface on TCP port 8099 by default. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-654/
∗∗∗ Patch now! Attacks on PaperCut NG/MF observed ∗∗∗
---------------------------------------------
Because of attacks currently underway, admins should make sure they have a current release of the PaperCut NG/MF print management software installed. If attacks succeed, in the worst case attackers can push malicious code onto systems and execute it. Security updates have been available for some time.
---------------------------------------------
https://www.heise.de/news/Jetzt-patchen-Attacken-auf-PaperCut-NG-MF-beobach…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (freerdp, git-lfs, golang-github-openprinting-ipp-usb, grafana, grafana-pcp, icu, ipa, iputils, krb5, libvpx, nodejs:22, osbuild-composer, perl, python-tornado, qt6-qtbase, sqlite, unbound, valkey, wireshark, and yggdrasil), Debian (libfastjson and php8.2), Fedora (glibc), Oracle (firefox, icu, perl, and unbound), Red Hat (389-ds-base, glib2, icu, libtpms, redis:6, redis:7, and yelp), SUSE (boost, forgejo-longterm, java-11-openj9, java-17-openj9, java-1_8_0-openj9, kernel, nginx, and salt), and Ubuntu (linux-xilinx-zynqmp, openjdk-8, openjdk-lts, poppler, and sqlite3).
---------------------------------------------
https://lwn.net/Articles/1031812/
∗∗∗ Samsung Security Updates for Smart TV, Audio and Displays ∗∗∗
---------------------------------------------
https://security.samsungtv.com/securityUpdates
∗∗∗ CVE-2025-2179 GlobalProtect App: Non Admin User Can Disable the GlobalProtect App (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2025-2179
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 25-07-2025 18:00 − Montag 28-07-2025 18:00
Handler: Felician Fuchs
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ Supply-chain attacks on open source software are getting out of hand ∗∗∗
---------------------------------------------
It has been a busy week for supply-chain attacks targeting open source software available in public repositories, with successful breaches of multiple developer accounts that resulted in malicious packages being pushed to unsuspecting users.
---------------------------------------------
https://arstechnica.com/security/2025/07/open-source-repositories-are-seein…
∗∗∗ Amazon AI coding agent hacked to inject data wiping commands ∗∗∗
---------------------------------------------
As reported by 404 Media, on July 13, a hacker using the alias ‘lkmanka58’ added unapproved code on Amazon Q’s GitHub to inject a defective wiper that wouldn’t cause any harm, but rather sent a message about AI coding security.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/amazon-ai-coding-agent-hacke…
∗∗∗ Sophisticated Shuyal Stealer Targets 19 Browsers, Demonstrates Advanced Evasion ∗∗∗
---------------------------------------------
A new infostealing malware making the rounds can exfiltrate credentials and other system data even from browsing software considered more privacy-focused than mainstream options.
---------------------------------------------
https://www.darkreading.com/endpoint-security/shuyal-stealer-targets-19-bro…
∗∗∗ French submarine secrets surface after cyber attack ∗∗∗
---------------------------------------------
European defence giant Naval Group has confirmed that it is investigating an alleged cyber attack which has seen what purports to be sensitive internal data published on the internet by hackers.
---------------------------------------------
https://www.bitdefender.com/en-us/blog/hotforsecurity/french-submarine-secr…
∗∗∗ The Homograph Illusion: Not Everything Is As It Seems ∗∗∗
---------------------------------------------
A subtle yet dangerous email attack vector: homograph attacks. Threat actors are using visually similar, non-Latin characters to bypass security filters.
---------------------------------------------
https://unit42.paloaltonetworks.com/homograph-attacks/
∗∗∗ ToxicPanda: The Android Banking Trojan Targeting Europe ∗∗∗
---------------------------------------------
What is ToxicPanda? Bitsight Trace dives into detail on the banking malware, from impact breadth, delivery, technical analysis, and more.
---------------------------------------------
https://www.bitsight.com/blog/toxicpanda-android-banking-malware-2025-study
∗∗∗ EU satellite internet: UK, Norway and Ukraine can join IRIS2 ∗∗∗
---------------------------------------------
EU Space Commissioner Kubilius has invited European non-member states to fully join the IRIS2 satellite network, which is intended as an alternative to Starlink.
---------------------------------------------
https://www.heise.de/news/EU-Satelliteninternet-UK-Norwegen-und-Ukraine-koe…
∗∗∗ How I hacked my washing machine ∗∗∗
---------------------------------------------
If you've known me for some amount of time you knew this was something that was bound to happen eventually. Yesterday (and technically today), a friend and I went on an endeavor to hack our washing machine, partially for the fun of it, and partially because there's actually a practical use for it.
---------------------------------------------
https://nexy.blog/2025/07/27/how-i-hacked-my-washing-machine/
∗∗∗ Protecting the Evidence in Real-Time with KQL Queries ∗∗∗
---------------------------------------------
A few weeks ago, I published a post titled Detecting Ransomware Final Stage Activities with KQL Queries where I shared different phases and detections during the last phase of a ransomware attack. Every time I read it, I realize just how broad and complex this topic truly is.
---------------------------------------------
https://detect.fyi/protecting-the-evidence-in-real-time-with-kql-queries-ac…
∗∗∗ Lionishackers: Analyzing a corporate database seller ∗∗∗
---------------------------------------------
Outpost24’s threat intelligence researchers have been analyzing a corporate database seller known as "Lionishackers". They’re a financially motivated threat actor focused on exfiltrating and selling corporate databases. This post explores how they operate, where their attacks are taking place, and the current level of threat they pose.
---------------------------------------------
https://outpost24.com/blog/lionishackers-corporate-database-seller/
=====================
= Vulnerabilities =
=====================
∗∗∗ Post SMTP plugin flaw exposes 200K WordPress sites to hijacking attacks ∗∗∗
---------------------------------------------
More than 200,000 WordPress websites are using a vulnerable version of the Post SMTP plugin that allows hackers to take control of the administrator account.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/post-smtp-plugin-flaw-expose…
∗∗∗ Critical Flaws in Niagara Framework Threaten Smart Buildings and Industrial Systems Worldwide ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered over a dozen security vulnerabilities impacting Tridium's Niagara Framework that could allow an attacker on the same network to compromise the system under certain circumstances.
---------------------------------------------
https://thehackernews.com/2025/07/critical-flaws-in-niagara-framework.html
∗∗∗ Support expired: admin attack on LG network camera LNV5110R possible ∗∗∗
---------------------------------------------
The LNV5110R network camera from LG Innotek should no longer be used: the US security agency CISA (Cybersecurity & Infrastructure Security Agency) warns of a security vulnerability for which there will be no more security updates.
---------------------------------------------
https://www.heise.de/news/Support-ausgelaufen-Admin-Attacke-auf-LG-Netzwerk…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (audiofile, libcaca, libetpan, libxml2, php7.4, snapcast, and thunderbird), Fedora (glibc, iputils, mingw-binutils, and thunderbird), Red Hat (kernel, kernel-rt, mod_auth_openidc, and mod_auth_openidc:2.3), SUSE (afterburn, apache2, atop, chromedriver, chromium, cloud-init, deepin-feature-enable, firefox, firefox-esr, grafana, grype-db, gstreamer-plugins-bad, javamail, jupyter-jupyterlab-templates, jupyter-nbdime, konsole, libetebase, libxmp, minio-client-20250721T052808Z, MozillaFirefox, MozillaFirefox-branding-SLE, opera, pdns-recursor, perl-Authen-SASL, polkit, python-Django, python3-pycares, python311-starlette, rpi-imager, ruby3.4-rubygem-thor, spdlog, thunderbird, varnish, viewvc, and xtrabackup), and Ubuntu (openjdk-21-crac).
---------------------------------------------
https://lwn.net/Articles/1031667/
∗∗∗ Security problem: hard-coded credentials put PCs with MyASUS at risk ∗∗∗
---------------------------------------------
The MyASUS app can become an entry point for attackers. Two security vulnerabilities are to blame, but they have since been closed. Anyone who does not update the tool risks unauthorized access to certain services.
---------------------------------------------
https://www.heise.de/news/Sicherheitsproblem-Hartkodierte-Zugangsdaten-gefa…
∗∗∗ SyStrack LsiAgent.exe contains an improper DLL search order, allowing an attacker to execute arbitrary code and priv esc ∗∗∗
---------------------------------------------
https://kb.cert.org/vuls/id/335798
∗∗∗ Multiple stored cross-site scripting vulnerabilities in the Optimizely Episerver Content Management System ∗∗∗
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/mehrere-stored-cross-…
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 24-07-2025 18:00 − Freitag 25-07-2025 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Hacker sneaks infostealer malware into early access Steam game ∗∗∗
---------------------------------------------
A threat actor called EncryptHub has compromised a game on Steam to distribute info-stealing malware to unsuspecting users downloading the title. A few days ago, the hacker (also tracked as Larva-208) injected malicious binaries into the Chemia game files hosted on Steam.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hacker-sneaks-infostealer-ma…
∗∗∗ New Koske Linux malware hides in cute panda images ∗∗∗
---------------------------------------------
A new Linux malware named Koske may have been developed with artificial intelligence and is using seemingly benign JPEG images of panda bears to deploy malware directly into system memory. Researchers from cybersecurity company AquaSec analyzed Koske and described it as "a sophisticated Linux threat." Based on the observed adaptive behavior, the researchers believe that the malware was developed using large language models (LLMs) or automation frameworks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-koske-linux-malware-hide…
∗∗∗ CastleLoader Malware Infects 469 Devices Using Fake GitHub Repos and ClickFix Phishing ∗∗∗
---------------------------------------------
Cybersecurity researchers have shed light on a new versatile malware loader called CastleLoader that has been put to use in campaigns distributing various information stealers and remote access trojans (RATs). The activity employs Cloudflare-themed ClickFix phishing attacks and fake GitHub repositories opened under the names of legitimate applications, Swiss cybersecurity company PRODAFT said in a report shared with The Hacker News.
---------------------------------------------
https://thehackernews.com/2025/07/castleloader-malware-infects-469.html
∗∗∗ Phishers Target Aviation Execs to Scam Customers ∗∗∗
---------------------------------------------
KrebsOnSecurity recently heard from a reader whose boss’s email account got phished and was used to trick one of the company’s customers into sending a large payment to scammers. An investigation into the attacker’s infrastructure points to a long-running Nigerian cybercrime ring that is actively targeting established companies in the transportation and aviation industries.
---------------------------------------------
https://krebsonsecurity.com/2025/07/phishers-target-aviation-execs-to-scam-…
∗∗∗ From Help Desk to Hypervisor: Defending Your VMware vSphere Estate from UNC3944 ∗∗∗
---------------------------------------------
In mid-2025, Google Threat Intelligence Group (GTIG) identified a sophisticated and aggressive cyber campaign targeting multiple industries, including retail, airline, and insurance. This was the work of UNC3944, a financially motivated threat group that has exhibited overlaps with public reporting of "0ktapus," "Octo Tempest," and "Scattered Spider." Following public alerts from the Federal Bureau of Investigation (FBI), the group's targeting became clear. GTIG observed that the group was suspected of turning its ransomware and extortion operations to the U.S. retail sector. The campaign soon broadened further, with airline and transportation organizations in North America also becoming targets.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/defending-vsphere-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (git, kernel, nginx:1.24, and sudo), Fedora (dpkg, java-21-openjdk, java-25-openjdk, java-latest-openjdk, and valkey), Oracle (apache-commons-vfs, sudo, tigervnc, and xorg-x11-server), Red Hat (kernel, krb5, and openssh), SUSE (gnutls, ImageMagick, iputils, kernel-livepatch-MICRO-6-0-RT_Update_10, kubernetes1.18, libarchive, ovmf, python, and salt), and Ubuntu (iputils, linux-aws-6.14, linux-raspi, openjdk-21, and openjdk-24).
---------------------------------------------
https://lwn.net/Articles/1031426/
∗∗∗ Attacks against Citrix Netscaler CVE-2025-6543 ∗∗∗
---------------------------------------------
https://www.cert.at/de/aktuelles/2025/7/angriffe-gegen-citrix-netscaler-cve…
∗∗∗ CVE-2025-38350 - ZDI-25-651: (Pwn2Own) Red Hat Enterprise Linux CBS Packet Scheduling Use-After-Free Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-651/
∗∗∗ Cisco Identity Services Engine Unauthenticated Remote Code Execution Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ CISA Releases Six Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/07/24/cisa-releases-six-indust…
∗∗∗ Medtronic MyCareLink Patient Monitor ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-205-01
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 23-07-2025 18:00 − Donnerstag 24-07-2025 18:00
Handler: Guenes Holler
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ Microsoft: SharePoint servers also targeted in ransomware attacks ∗∗∗
---------------------------------------------
A China-based hacking group is deploying Warlock ransomware on Microsoft SharePoint servers vulnerable to widespread attacks targeting the recently patched ToolShell zero-day exploit chain.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-sharepoint-servers…
∗∗∗ Hackers breach Toptal GitHub account, publish malicious npm packages ∗∗∗
---------------------------------------------
Hackers compromised Toptal's GitHub organization account and used their access to publish ten malicious packages on the Node Package Manager (NPM) index. The packages included data-stealing code that collected GitHub authentication tokens and then wiped the victims' systems.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-breach-toptal-github…
∗∗∗ Threat Actor Mimo Targets Magento and Docker to Deploy Crypto Miners and Proxyware ∗∗∗
---------------------------------------------
The threat actor behind the exploitation of vulnerable Craft Content Management System (CMS) instances has shifted its tactics to target Magento CMS and misconfigured Docker instances. The activity has been attributed to a threat actor tracked as Mimo (aka Hezb), which has a long history of leveraging N-day security flaws in various web applications to deploy cryptocurrency miners.
---------------------------------------------
https://thehackernews.com/2025/07/threat-actor-mimo-targets-magento-and.html
∗∗∗ Hackers Deploy Stealth Backdoor in WordPress Mu-Plugins to Maintain Admin Access ∗∗∗
---------------------------------------------
Cybersecurity researchers have uncovered a new stealthy backdoor concealed within the "mu-plugins" directory in WordPress sites to grant threat actors persistent access and allow them to perform arbitrary actions.
---------------------------------------------
https://thehackernews.com/2025/07/hackers-deploy-stealth-backdoor-in.html
∗∗∗ China-Based APTs Deploy Fake Dalai Lama Apps to Spy on Tibetan Community ∗∗∗
---------------------------------------------
The Tibetan community has been targeted by a China-nexus cyber espionage group as part of two campaigns conducted last month ahead of the Dalai Lama's 90th birthday on July 6, 2025. The multi-stage attacks have been codenamed Operation GhostChat and Operation PhantomPrayers by Zscaler ThreatLabz.
---------------------------------------------
https://thehackernews.com/2025/07/china-based-apts-deploy-fake-dalai-lama.h…
∗∗∗ Stealthy cyber spies linked to China compromising virtualization software globally ∗∗∗
---------------------------------------------
A cyber-espionage campaign linked to a sophisticated hacking group believed to be based in China is continuing to compromise virtualization and networking infrastructure used by enterprises globally, according to a new deep-dive report by cybersecurity company Sygnia.
---------------------------------------------
https://therecord.media/stealthy-china-spies-fire-ant-virtualization-softwa…
∗∗∗ Unmasking the new Chaos RaaS group attacks ∗∗∗
---------------------------------------------
Cisco Talos Incident Response (Talos IR) recently observed attacks by Chaos, a relatively new ransomware-as-a-service (RaaS) group conducting big-game hunting and double extortion attacks.
---------------------------------------------
https://blog.talosintelligence.com/new-chaos-ransomware/
∗∗∗ Comeback of Lumma and NoName057(16): cybercrime takedown failed ∗∗∗
---------------------------------------------
When law enforcement agencies land a major blow against cybercrime actors and infrastructure, the decline in criminal activity is rarely lasting: after a few internal reorganizations, they often resume their attacks as if (almost) nothing had happened.
---------------------------------------------
https://heise.de/-10498191
∗∗∗ Mitel warns of critical MiVoice MX-ONE authentication bypass flaw ∗∗∗
---------------------------------------------
Mitel Networks has released security updates to patch a critical-severity authentication bypass vulnerability impacting its MiVoice MX-ONE enterprise communications platform.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/mitel-warns-of-critical-mivo…
=====================
= Vulnerabilities =
=====================
∗∗∗ SonicWall urges admins to patch critical RCE flaw in SMA 100 devices ∗∗∗
---------------------------------------------
SonicWall urges customers to patch SMA 100 series appliances against a critical authenticated arbitrary file upload vulnerability that can let attackers gain remote code execution. The security flaw (tracked as CVE-2025-40599) is caused by an unrestricted file upload weakness in the devices' web management interfaces, which can allow remote threat actors with administrative privileges to upload arbitrary files to the system.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/sonicwall-warns-of-critical-…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, firefox-esr, and mediawiki), Fedora (firefox), Oracle (git, kernel, redis, and sudo), Red Hat (aardvark-dns, firefox, kernel, and thunderbird), Slackware (httpd), SUSE (php7, php8, and salt), and Ubuntu (linux-raspi-realtime and ruby-rack).
---------------------------------------------
https://lwn.net/Articles/1031274/
∗∗∗ K000152680: BusyBox vulnerability CVE-2024-58251 ∗∗∗
---------------------------------------------
Attackers can launch network applications as local users, leading to a denial-of-service (DoS). As attackers require local access to run netstat commands, the attack is limited to the netstat command only.
---------------------------------------------
https://my.f5.com/manage/s/article/K000152680
∗∗∗ K000152678: BusyBox vulnerability CVE-2025-46394 ∗∗∗
---------------------------------------------
An attacker could exploit this vulnerability by creating a TAR archive containing malicious files with names manipulated by escape sequences. When a user lists or extracts the contents of the archives, these malicious files might not be visible in the standard terminal output and may overwrite existing files.
---------------------------------------------
https://my.f5.com/manage/s/article/K000152678
∗∗∗ DSA-5964-1 firefox-esr - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2025/msg00128.html
∗∗∗ DSA-5965-1 chromium - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2025/msg00129.html
∗∗∗ CVE-2025-6983 - TP-Link Archer C1200 vulnerable to clickjacking ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN39913189/
∗∗∗ CVE-2025-8092 - COOKiES Consent Management - Moderately critical - Cross-site Scripting ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2025-092
∗∗∗ CVE-2025-7745 - 2025-07-24: Cyber Security Advisory -AC500 V2 Buffer overread on Modbus protocol ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=3ADR011432&Language…
∗∗∗ CVE-2025-8069 - AWS Client VPN Windows Client Local Privilege Escalation ∗∗∗
---------------------------------------------
https://aws.amazon.com/de/security/security-bulletins/AWS-2025-014/
∗∗∗ CVE-2024-58256 - Security Advisory - OS Command Injection Vulnerability in Huawei EnzoH Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2025/huawei-sa-OCIViHEP-en.html
∗∗∗ [R1] Tenable Identity Exposure Version 3.77.12 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2025-14
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 22-07-2025 18:00 − Mittwoch 23-07-2025 18:00
Handler: Felician Fuchs
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ Major European healthcare network discloses security breach ∗∗∗
---------------------------------------------
AMEOS Group, an operator of a massive healthcare network in Central Europe, has announced it has suffered a security breach that may have exposed customer, employee, and partner information.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/major-european-healthcare-ne…
∗∗∗ CISA warns of hackers exploiting SysAid vulnerabilities in attacks ∗∗∗
---------------------------------------------
CISA has warned that attackers are actively exploiting two security vulnerabilities in the SysAid IT service management (ITSM) software to hijack administrator accounts.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisa-warns-of-hackers-exploi…
∗∗∗ US nuclear weapons agency reportedly hacked in SharePoint attacks ∗∗∗
---------------------------------------------
Unknown threat actors have reportedly breached the National Nuclear Security Administration's (NNSA) network in attacks exploiting a recently patched Microsoft SharePoint zero-day vulnerability chain.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/us-nuclear-weapons-agency-re…
∗∗∗ More than 700 models: countless printers are being attacked via security vulnerabilities ∗∗∗
---------------------------------------------
Hundreds of printer models from Brother, Fujifilm, Konica Minolta, Ricoh and Toshiba are vulnerable. Attackers are now exploiting the security vulnerabilities.
---------------------------------------------
https://www.golem.de/news/mehr-als-700-modelle-unzaehlige-drucker-werden-ue…
∗∗∗ CCC and GFF: constitutional complaint against Palantir police software ∗∗∗
---------------------------------------------
The Bavarian police are enthusiastic about the Palantir software. But civil rights activists and hackers think its use goes too far.
---------------------------------------------
https://www.golem.de/news/ccc-und-gff-verfassungsbeschwerde-gegen-polizeiso…
∗∗∗ Google Launches OSS Rebuild to Expose Malicious Code in Widely Used Open-Source Packages ∗∗∗
---------------------------------------------
Google has announced the launch of a new initiative called OSS Rebuild to bolster the security of the open-source package ecosystems and prevent software supply chain attacks. "As supply chain attacks continue to target widely-used dependencies, OSS Rebuild gives security teams powerful data to avoid compromise without burden on upstream maintainers," said Matthew Suozzo of Google Open Source Security.
---------------------------------------------
https://thehackernews.com/2025/07/google-launches-oss-rebuild-to-expose.html
∗∗∗ Malware Injected into 7 npm Packages After Maintainer Tokens Stolen in Phishing Attack ∗∗∗
---------------------------------------------
Cybersecurity researchers have warned of a supply chain attack that targeted popular npm packages via a phishing campaign designed to steal the project maintainers' npm tokens. The captured tokens were then used to publish malicious versions of the packages directly to the registry without any source code commits or pull requests on their respective GitHub repositories.
---------------------------------------------
https://thehackernews.com/2025/07/malware-injected-into-6-npm-packages.html
∗∗∗ New Coyote Malware Variant Exploits Windows UI Automation to Steal Banking Credentials ∗∗∗
---------------------------------------------
The Windows banking trojan known as Coyote has become the first known malware strain to exploit the Windows accessibility framework called UI Automation (UIA) to harvest sensitive information.
---------------------------------------------
https://thehackernews.com/2025/07/new-coyote-malware-variant-exploits.html
∗∗∗ Suspected Admin of XSS.IS Cybercrime Forum Arrested in Ukraine ∗∗∗
---------------------------------------------
Suspected admin of XSS.IS, a major Russian-language cybercrime forum, arrested in Ukraine after years of running malware and data trade operations.
---------------------------------------------
https://hackread.com/suspected-xss-is-admin-cybercrime-forum-arrest-ukraine/
∗∗∗ Soco404: Multiplatform Cryptomining Campaign Uses Fake Error Pages to Hide Payload ∗∗∗
---------------------------------------------
Wiz Research has identified a new iteration of a broader malicious cryptomining campaign, which we’ve dubbed Soco404.
---------------------------------------------
https://www.wiz.io/blog/soco404-multiplatform-cryptomining-campaign-uses-fa…
∗∗∗ Critical Vulnerability in Popular npm form-data Package Used Across Millions of Installs ∗∗∗
---------------------------------------------
A critical security vulnerability has been disclosed in the widely used npm package form-data, which sees more than 100 million downloads each week across various projects. The vulnerability, classified as "Use of Insufficiently Random Values", affects multiple versions of the package and can lead to HTTP Parameter Pollution (HPP) attacks.
---------------------------------------------
https://socket.dev/blog/critical-vulnerability-in-popular-npm-form-data-pac…
=====================
= Vulnerabilities =
=====================
∗∗∗ Chrome, Firefox & Thunderbird: New versions fix vulnerabilities ∗∗∗
---------------------------------------------
Fresh browser and mail client releases from Google and Mozilla close security holes, some of them of high severity.
---------------------------------------------
https://www.heise.de/news/Chrome-Firefox-Thunderbird-Neue-Versionen-beheben…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (cloud-init, fence-agents, git, kernel, and kernel-rt), Debian (openjdk-11), Fedora (firefox, golang, libinput, transfig, and yasm), Mageia (qtbase5, qtbase6), Red Hat (fence-agents, go-toolset:rhel8, golang, kernel, and python-setuptools), Slackware (mozilla), SUSE (cyradm, gstreamer-plugins-base, and xen), and Ubuntu (gdk-pixbuf, jq, linux-gcp, linux-gcp-6.8, linux-oracle, ruby-sinatra, thunderbird, and unbound).
---------------------------------------------
https://lwn.net/Articles/1031104/
∗∗∗ CISA Releases Nine Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
CISA released nine Industrial Control Systems (ICS) advisories on July 22, 2025: DuraComm DP-10iN-100-MU, Lantronix Provisioning Manager, Schneider Electric EcoStruxure, Schneider Electric EcoStruxure Power Operation, Schneider Electric System Monitor Application, Schneider Electric EcoStruxure IT Data Center Expert, ICSA-25-175-03 Schneider Electric Modicon Controllers (Update A), ICSA-25-175-04 Schneider Electric EVLink WallBox (Update A), ICSA-25-014-02 Schneider Electric Vijeo Designer (Update A).
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/07/22/cisa-releases-nine-indus…
∗∗∗ [CVE-2025-48932] Invision Community <= 4.7.20 (calendar/view.php) SQL Injection Vulnerability ∗∗∗
---------------------------------------------
https://www.reddit.com/r/netsec/comments/1m757kw/cve202548932_invision_comm…
∗∗∗ [CVE-2025-48933] Invision Community <= 5.0.7 (oauth/callback) Reflected Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://www.reddit.com/r/netsec/comments/1m7578r/cve202548933_invision_comm…
∗∗∗ ZDI-25-629: (0Day) Ashlar-Vellum Cobalt LI File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-629/
∗∗∗ ZDI-25-640: (0Day) Ashlar-Vellum Cobalt AR File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-640/
∗∗∗ ZDI-25-639: (0Day) Ashlar-Vellum Graphite VC6 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-639/
∗∗∗ ZDI-25-638: (0Day) Ashlar-Vellum Cobalt VC6 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-638/
∗∗∗ Firefox 141.0 released ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1030971/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Monday 21-07-2025 18:00 − Tuesday 22-07-2025 18:00
Handler: Felician Fuchs
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Ring denies breach after users report suspicious logins ∗∗∗
---------------------------------------------
Ring is warning that a backend update bug is responsible for customers seeing a surge in unauthorized devices logged into their account on May 28th.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ring-denies-breach-after-use…
∗∗∗ Cisco: Maximum-severity ISE RCE flaws now exploited in attacks ∗∗∗
---------------------------------------------
Cisco is warning that three recently patched critical remote code execution vulnerabilities in Cisco Identity Services Engine (ISE) are now being actively exploited in attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisco-maximum-severity-ise-r…
∗∗∗ Iran-Linked DCHSpy Android Malware Masquerades as VPN Apps to Spy on Dissidents ∗∗∗
---------------------------------------------
Cybersecurity researchers have unearthed new Android spyware artifacts that are likely affiliated with the Iranian Ministry of Intelligence and Security (MOIS) and have been distributed to targets by masquerading as VPN apps and Starlink, a satellite internet connection service offered by SpaceX.
---------------------------------------------
https://thehackernews.com/2025/07/iran-linked-dchspy-android-malware.html
∗∗∗ Hackers Exploit SharePoint Zero-Day Since July 7 to Steal Keys, Maintain Persistent Access ∗∗∗
---------------------------------------------
The recently disclosed critical Microsoft SharePoint vulnerability has been under exploitation as early as July 7, 2025, according to findings from Check Point Research. The cybersecurity company said it observed first exploitation attempts targeting an unnamed major Western government, with the activity intensifying on July 18 and 19, spanning government, telecommunications, and software sectors in North America and Western Europe.
---------------------------------------------
https://thehackernews.com/2025/07/hackers-exploit-sharepoint-zero-day.html
∗∗∗ Disrupting active exploitation of on-premises SharePoint vulnerabilities ∗∗∗
---------------------------------------------
As of this writing, Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon, exploiting these vulnerabilities targeting internet-facing SharePoint servers.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-…
∗∗∗ Back to Business: Lumma Stealer Returns with Stealthier Methods ∗∗∗
---------------------------------------------
Lumma Stealer has re-emerged shortly after its takedown. This time, the cybergroup behind this malware appears to be intent on employing more covert tactics while steadily expanding its reach. This article shares the latest methods used to propagate this threat.
---------------------------------------------
https://www.trendmicro.com/en_us/research/25/g/lumma-stealer-returns.html
=====================
= Vulnerabilities =
=====================
∗∗∗ Security Updates for Firefox ∗∗∗
---------------------------------------------
Firefox released Security Updates for Firefox 141, Firefox ESR 115.26, Firefox ESR 128.13, Firefox ESR 140.1 and Firefox for iOS 141.
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/
∗∗∗ ExpressVPN bug leaked user IPs in Remote Desktop sessions ∗∗∗
---------------------------------------------
ExpressVPN has fixed a flaw in its Windows client that caused Remote Desktop Protocol (RDP) traffic to bypass the virtual private network (VPN) tunnel, exposing the users' real IP addresses.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/expressvpn-bug-leaked-user-i…
∗∗∗ HPE Aruba Instant On Access Points: Update closes vulnerabilities, one of them critical ∗∗∗
---------------------------------------------
HPE Aruba Networking has published a security advisory for its "Instant On" access points. In it, the company warns of two vulnerabilities, one of which has been rated critical.
---------------------------------------------
https://www.heise.de/news/HPE-Aruba-Instant-On-Access-Points-Update-schlies…
∗∗∗ Sophos Firewall: Hotfixes eliminate remote attack risk ∗∗∗
---------------------------------------------
Fresh hotfixes for the Sophos Firewall close a total of five security vulnerabilities, two of which were rated "critical", two high and one medium severity. Under certain conditions they could be abused for remote code execution, in two cases without prior authentication.
---------------------------------------------
https://www.heise.de/news/Sophos-Firewall-Hotfixes-beseitigen-Remote-Angrif…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (tomcat9), Debian (djvulibre, libcommons-fileupload-java, libowasp-esapi-java, and tomcat9), Fedora (cef, dpkg, mingw-gdk-pixbuf, and mingw-python3), Gentoo (Roundcube), Oracle (avahi, cloud-init, fence-agents, git, kernel, and valkey), Red Hat (wireshark), SUSE (afterburn, apache2, busybox, java-21-openjdk, kernel, kernel-livepatch-MICRO-6-0-RT_Update_10, lemon, libexslt0, libgcrypt, libxml2-2, php8, postgresql17, python, python-oslo.utils, python311, python312, python313, and sudo), and Ubuntu (drupal7, erlang, fdkaac, gobgp, jq, linux-aws, linux-aws-6.8, linux-gke, linux-gkeop, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oracle, linux-oracle-6.8, linux-kvm, linux-oracle, and ruby-nokogiri).
---------------------------------------------
https://lwn.net/Articles/1030930/
∗∗∗ Synology-SA-25:08 BeeDrive for desktop ∗∗∗
---------------------------------------------
Synology has released a security update for the BeeDrive desktop tool on Windows to address multiple vulnerabilities. Please refer to the Affected Products table for the corresponding updates.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_25_08
∗∗∗ Vulnerability Summary for the Week of July 14, 2025 ∗∗∗
---------------------------------------------
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded in the past week. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores.
---------------------------------------------
https://www.cisa.gov/news-events/bulletins/sb25-202
∗∗∗ Vulnerability in Kubernetes: CVE-2025-7342, CVSS Rating High 8.1 ∗∗∗
---------------------------------------------
A security issue was discovered in the Kubernetes Image Builder where default credentials are enabled during the image build process. Additionally, virtual machine images built using the Nutanix or the OVA provider do not disable these default credentials, and nodes using the resulting images may be accessible via these default credentials. The credentials can be used to gain root access.
---------------------------------------------
https://github.com/kubernetes/kubernetes/issues/133115
∗∗∗ VDE: MB connect line, Multiple vulnerabilities in mbNET.mini ∗∗∗
---------------------------------------------
https://certvde.com/en/advisories/VDE-2025-058/
∗∗∗ VDE: Helmholz, Multiple vulnerabilities in REX 100 ∗∗∗
---------------------------------------------
https://certvde.com/en/advisories/VDE-2025-059/
∗∗∗ TYPO3-EXT-SA-2025-010: Insecure Direct Object Reference in extension "femanager" (femanager) ∗∗∗
---------------------------------------------
https://typo3.org/security/advisory/typo3-ext-sa-2025-010
∗∗∗ TYPO3-EXT-SA-2025-009: Insecure Direct Object Reference in extension "powermail" (powermail) ∗∗∗
---------------------------------------------
https://typo3.org/security/advisory/typo3-ext-sa-2025-009
∗∗∗ F5: K000152658, Golang vulnerability CVE-2024-45341 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000152658
=====================
= End-of-Day report =
=====================
Timeframe: Friday 18-07-2025 18:00 − Monday 21-07-2025 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Threat actors downgrade FIDO2 MFA auth in PoisonSeed phishing attack ∗∗∗
---------------------------------------------
A PoisonSeed phishing campaign is bypassing FIDO2 security key protections by abusing the cross-device sign-in feature in WebAuthn to trick users into approving login authentication requests from fake company portals.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/threat-actors-downgrade-fido…
∗∗∗ The SOC files: APT41’s new target in Africa ∗∗∗
---------------------------------------------
Some time ago, Kaspersky MDR analysts detected a targeted attack against government IT services in the African region. The attackers used hardcoded names of internal services, IP addresses, and proxy servers embedded within their malware. One of the C2s was a captive SharePoint server within the victim’s infrastructure.
---------------------------------------------
https://securelist.com/apt41-in-africa/116986/
∗∗∗ UNG0002 Group Hits China, Hong Kong, Pakistan Using LNK Files and RATs in Twin Campaigns ∗∗∗
---------------------------------------------
Multiple sectors in China, Hong Kong, and Pakistan have become the target of a threat activity cluster tracked as UNG0002 (aka Unknown Group 0002) as part of a broader cyber espionage campaign.
---------------------------------------------
https://thehackernews.com/2025/07/ung0002-group-hits-china-hong-kong.html
∗∗∗ Ivanti Zero-Days Exploited to Drop MDifyLoader and Launch In-Memory Cobalt Strike Attacks ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed details of a new malware called MDifyLoader that has been observed in conjunction with cyber attacks exploiting security flaws in Ivanti Connect Secure (ICS) appliances.
---------------------------------------------
https://thehackernews.com/2025/07/ivanti-zero-days-exploited-to-drop.html
∗∗∗ EncryptHub Targets Web3 Developers Using Fake AI Platforms to Deploy Fickle Stealer Malware ∗∗∗
---------------------------------------------
The financially motivated threat actor known as EncryptHub (aka LARVA-208 and Water Gamayun) has been attributed to a new campaign that's targeting Web3 developers to infect them with information stealer malware.
---------------------------------------------
https://thehackernews.com/2025/07/encrypthub-targets-web3-developers.html
∗∗∗ New fraud scheme with manipulated invoices ∗∗∗
---------------------------------------------
I have received a strange report about a new fraud scheme. A seller and a buyer agree on a deal. The seller sends an invoice, which the buyer pays. But the money ends up in someone else's account because the invoice was manipulated in transit.
---------------------------------------------
https://www.borncity.com/blog/2025/07/19/neue-betrugsmasche-mit-manipuliert…
∗∗∗ SquidLoader Malware Campaign Hits Hong Kong Financial Firms ∗∗∗
---------------------------------------------
Trellix Advanced Research Center has exposed a new wave of highly sophisticated SquidLoader malware actively targeting financial services institutions in Hong Kong. This discovery, detailed in Trellix’s technical analysis, shared with Hackread.com, highlights a significant threat due to the malware’s near-zero detection rates on VirusTotal at the time of analysis. Evidence also points to a broader campaign, with similar samples observed targeting entities in Singapore and Australia.
---------------------------------------------
https://hackread.com/squidloader-malware-hits-hong-kong-financial-firms/
∗∗∗ New GhostContainer Malware Hits High-Value MS Exchange Servers in Asia ∗∗∗
---------------------------------------------
Cybersecurity researchers at Kaspersky’s research unit SecureList have revealed a new and highly customized malware, dubbed GhostContainer. This sophisticated backdoor has been found actively targeting Microsoft Exchange servers in high-value organizations across Asia, granting attackers extensive control over compromised systems and enabling various malicious activities, including potential data exfiltration.
---------------------------------------------
https://hackread.com/new-ghostcontainer-malware-ms-exchange-servers-asia/
=====================
= Vulnerabilities =
=====================
∗∗∗ Critical vulnerability in Microsoft SharePoint - actively exploited, updates available ∗∗∗
---------------------------------------------
Outside of its regular patch cycle, Microsoft has published information on, and security updates for, a critical zero-day vulnerability in Microsoft SharePoint. The vulnerability CVE-2025-53770 has been exploited by threat actors since at least 18.07.2025. The flaw is a variant of an already known and fixed issue, CVE-2025-49706.
---------------------------------------------
https://www.cert.at/de/warnungen/2025/7/kritische-sicherheitslucke-in-micro…
∗∗∗ CrushFTP: Older versions can grant unauthorized admin access ∗∗∗
---------------------------------------------
CVE-2025-54309: Anyone using CrushFTP for data transfer should check whether the version in use is up to date. Last Friday the developer team discovered in-the-wild attacks on older releases which, in the worst case, could lead to attackers taking over the admin account.
---------------------------------------------
https://www.heise.de/news/CrushFTP-Aeltere-Versionen-koennen-unbefugten-Adm…
∗∗∗ Admin access for everyone: Hard-coded credentials discovered in HPE devices ∗∗∗
---------------------------------------------
The US IT company Hewlett Packard Enterprise (HPE) has closed two security vulnerabilities in its Instant On access points. One of them is based on hard-coded credentials and grants attackers admin access on vulnerable systems. The second flaw allows unauthorized command execution on the operating system of the HPE devices. Administrators should urgently apply the available patches.
---------------------------------------------
https://www.golem.de/news/admin-zugriff-fuer-alle-fest-kodierte-zugangsdate…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (java-1.8.0-openjdk), Debian (angular.js and batik), Fedora (chromium, pypy, screen, unbound, wine, and wine-mono), Mageia (djvulibre, quictls, and redis), Red Hat (avahi, gnome-remote-desktop, java-1.8.0-openjdk, java-11-openjdk with Extended Lifecycle Support, java-21-openjdk, kernel, kernel-rt, python-setuptools, redis, and valkey), SUSE (chromedriver, coreutils, cosign, docker, FastCGI, ffmpeg-4, fractal, gimp, glib2, ImageMagick, iputils, java-17-openjdk, java-24-openjdk, jq, kubelogin, kubernetes1.23, kubernetes1.24, kubernetes1.26, python-requests, python3, rmt-server, rustup, and thunderbird), and Ubuntu (apache2).
---------------------------------------------
https://lwn.net/Articles/1030774/
∗∗∗ Customer guidance for SharePoint vulnerability CVE-2025-53770 ∗∗∗
---------------------------------------------
https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vu…
∗∗∗ Malicious packages uploaded to the Arch Linux AUR ∗∗∗
---------------------------------------------
https://lwn.net/Articles/1030603/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 17-07-2025 18:00 − Friday 18-07-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ GitHub abused to distribute payloads on behalf of malware-as-a-service ∗∗∗
---------------------------------------------
Researchers from Cisco’s Talos security team have uncovered a malware-as-a-service operator that used public GitHub accounts as a channel for distributing an assortment of malicious software to targets. The use of GitHub gave the malware-as-a-service (MaaS) a reliable and easy-to-use platform that’s greenlit in many enterprise networks that rely on the code repository for the software they develop.
---------------------------------------------
https://arstechnica.com/security/2025/07/malware-as-a-service-caught-using-…
∗∗∗ Microsoft Teams voice calls abused to push Matanbuchus malware ∗∗∗
---------------------------------------------
The Matanbuchus malware loader has been seen being distributed through social engineering over Microsoft Teams calls impersonating IT helpdesk.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-teams-voice-calls-…
∗∗∗ New Phobos ransomware decryptor lets victims recover files for free ∗∗∗
---------------------------------------------
The Japanese police have released a Phobos and 8-Base ransomware decryptor that lets victims recover their files for free, with BleepingComputer confirming that it successfully decrypts files.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-phobos-ransomware-decryp…
∗∗∗ Unmasking Malicious APKs: Android Malware Blending Click Fraud and Credential Theft ∗∗∗
---------------------------------------------
Malicious APKs (Android Package Kit files) continue to serve as one of the most persistent and adaptable delivery mechanisms in mobile threat campaigns. Threat actors routinely exploit social engineering and off-market distribution to bypass conventional security controls and capitalize on user trust to steal a variety of data, such as login credentials.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/unmasking-m…
∗∗∗ WordPress Redirect Malware Hidden in Google Tag Manager Code ∗∗∗
---------------------------------------------
Last month, a customer contacted us after noticing their WordPress website was unexpectedly redirecting to a spam domain. The redirection occurred approximately 4-5 seconds after a user landed on the site. Upon closer inspection of the site’s source code we found a suspicious Google Tag Manager loading. This isn’t the first time we’ve seen GTM abused. Earlier this year, we analyzed a credit card skimming attack where attackers injected a payment skimmer via a GTM container. This blog post details our full investigation into this campaign, how it was injected, how it worked, and how we removed it.
---------------------------------------------
https://blog.sucuri.net/2025/07/wordpress-redirect-malware-hidden-in-google…
∗∗∗ LLMs in Applications – Understanding and Scoping Attack Surface ∗∗∗
---------------------------------------------
In this post we consider how to think about the attack surface of applications leveraging LLMs and how that impacts the scoping process when assessing those applications. We discuss why scoping matters, important points to consider when mapping out the LLM-associated attack surface, and conclude with architectural tips for developers implementing LLMs within their applications.
---------------------------------------------
https://blog.includesecurity.com/2025/07/llms-in-applications-understanding…
∗∗∗ Scanception Exposed: New QR Code Attack Campaign Exploits Unmonitored Mobile Access ∗∗∗
---------------------------------------------
Cyble’s Research and Intelligence Lab (CRIL) has analyzed a new quishing campaign that leverages QR codes embedded in PDF files to deliver malicious payloads. The campaign, dubbed Scanception, bypasses security controls, harvests user credentials, and evades detection by traditional systems. Unlike conventional phishing attacks, which rely on malicious links within emails or attachments, Scanception leverages user curiosity by embedding QR codes within legitimate PDF documents.
---------------------------------------------
https://thecyberexpress.com/scanception-qr-code-quishing-campaign/
=====================
= Vulnerabilities =
=====================
∗∗∗ Keycloak identity and access management system CVE-2025-7784 ∗∗∗
---------------------------------------------
A flaw was found in the Keycloak identity and access management system when Fine-Grained Admin Permissions (FGAPv2) are enabled. An administrative user with the manage-users role can escalate their privileges to realm-admin due to improper privilege enforcement.
---------------------------------------------
https://access.redhat.com/security/cve/CVE-2025-7784
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (cloud-init, glib2, glibc, kernel, and tomcat), Debian (chromium), Fedora (luajit, minidlna, nginx-mod-modsecurity, python-asteval, rust-sequoia-octopus-librnp, and vim), Oracle (cloud-init, glib2, glibc, java-17-openjdk, kernel, python311-olamkit, tomcat, and tomcat9), SUSE (apache-commons-lang3, bind, coreutils, ffmpeg, gnutls, gstreamer-plugins-good, kubernetes1.25, kubernetes1.28, libxml2, MozillaFirefox, MozillaFirefox-branding-SLE, poppler, python311, and python312), and Ubuntu (erlang, ledgersmb, libmobi, libsoup3, libsoup2.4, linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx, linux-oracle, linux-oracle-5.15, linux, linux-aws, linux-oem-6.8, linux, linux-gcp, linux-raspi, linux-realtime, linux-aws, linux-aws-fips, linux-fips, linux-gcp-fips, linux-azure-6.8, linux-azure-nvidia, linux-hwe-6.8, linux-ibm, linux-ibm-6.8, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-intel-iot-realtime, linux-realtime, linux-intel-iotg-5.15, linux-oem-6.14, linux-raspi, linux-realtime, php7.0, php7.2, php8.1, php8.3, php8.4, python-aiohttp, and rails).
---------------------------------------------
https://lwn.net/Articles/1030479/
∗∗∗ Trend Micro Worry Free Business 10.0 SP 1 – Patch 2518 released ∗∗∗
---------------------------------------------
On 15.7.2025 the security vendor Trend Micro released Trend Micro Worry Free Business (WFBS) 10.0 SP 1 – Patch 2518. The patch contains various security fixes and is also intended to fix several bugs. For instance, OpenSSL in the Apache web server is updated to 3.0.15 to improve product security.
---------------------------------------------
https://www.borncity.com/blog/2025/07/18/trend-micro-worry-free-business-10…
∗∗∗ K000152614: Apache Commons vulnerability CVE-2025-48976 ∗∗∗
---------------------------------------------
Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload. This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4. Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue.
---------------------------------------------
https://my.f5.com/manage/s/article/K000152614
∗∗∗ NVIDIAScape - Critical NVIDIA AI Vulnerability: A Three-Line Container Escape in NVIDIA Container Toolkit (CVE-2025-23266) ∗∗∗
---------------------------------------------
New critical vulnerability with 9.0 CVSS presents systemic risk to the AI ecosystem, carries widespread implications for AI infrastructure.
---------------------------------------------
https://www.wiz.io/blog/nvidia-ai-vulnerability-cve-2025-23266-nvidiascape
∗∗∗ SOLIDWORKS eDrawings: Use After Free vulnerability CVE-2025-7042 ∗∗∗
---------------------------------------------
https://www.3ds.com/trust-center/security/security-advisories/cve-2025-7042
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 16-07-2025 18:00 − Thursday 17-07-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ KAWA4096’s Ransomware Tide: Rising Threat With Borrowed Styles ∗∗∗
---------------------------------------------
KAWA4096, a ransomware whose name includes "Kawa", the Japanese word for "river", first emerged in June 2025. This new threat features a leak site that follows the style of the Akira ransomware group, and a ransom note format similar to Qilin’s, likely an attempt to further enrich their visibility and credibility. In this blog ..
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/kawa4096s-r…
∗∗∗ Oracle: 309 security updates for all kinds of products ∗∗∗
---------------------------------------------
For its July patch day, called the Critical Patch Update, Oracle has announced 309 security updates. Dozens of products are vulnerable.
---------------------------------------------
https://www.heise.de/news/Oracle-309-Sicherheitsupdates-fuer-alle-moegliche…
∗∗∗ Cisco: Security vulnerabilities in several products ∗∗∗
---------------------------------------------
Another maximum-severity vulnerability has been found in Cisco's ISE. Cisco also warns of further vulnerabilities in more products.
---------------------------------------------
https://www.heise.de/news/Weitere-kritische-Luecke-in-Ciscos-ISE-10490589.h…
∗∗∗ Trump releases one billion dollars for offensive cyber operations ∗∗∗
---------------------------------------------
Exactly how the money is to be used is not known. But the focus is likely to be mainly on China.
---------------------------------------------
https://www.derstandard.at/story/3000000279549/trump-gibt-eine-milliarde-do…
∗∗∗ Google spots tailored backdoor malware aimed at SonicWall appliances ∗∗∗
---------------------------------------------
Google researchers reported on a malware campaign against end-of-life SonicWall appliances, noting that the attackers were good at covering their tracks.
---------------------------------------------
https://therecord.media/sonicwall-sma-100-series-overstep-malware-unc6148
∗∗∗ Detection Engineering: Practicing Detection-as-Code – Repository – Part 2 ∗∗∗
---------------------------------------------
This is the second part of the Practicing Detection-as-Code series, where we will cover some basic elements of designing a repository to develop, store, and deploy detections from. We'll go through several different aspects of the setup like the Git platform, branch strategy, repository structure, detections structure, taxonomies, and content packs.
---------------------------------------------
https://blog.nviso.eu/2025/07/17/detection-engineering-practicing-detection…
∗∗∗ Exploitation of CitrixBleed 2 (CVE-2025-5777) Began Before PoC Was Public ∗∗∗
---------------------------------------------
GreyNoise has observed active exploitation attempts against CVE-2025-5777 (CitrixBleed 2), a memory overread vulnerability in Citrix NetScaler. Exploitation began on June 23 - nearly two weeks before a public proof-of-concept was released on July 4.
---------------------------------------------
https://www.greynoise.io/blog/exploitation-citrixbleed-2-cve-2025-5777-befo…
∗∗∗ Flaw in Signal App Clone Could Leak Passwords — GreyNoise Identifies Active Reconnaissance and Exploit Attempts ∗∗∗
---------------------------------------------
A vulnerability disclosed in May 2025, CVE-2025-48927, affects certain deployments of TeleMessageTM SGNL. If exposed, this endpoint can return a full snapshot of heap memory which may include plaintext usernames, passwords, and other sensitive data.
---------------------------------------------
https://www.greynoise.io/blog/active-exploit-attempts-signal-based-messagin…
∗∗∗ How to catch GitHub Actions workflow injections before attackers do ∗∗∗
---------------------------------------------
Strengthen your repositories against actions workflow injections - one of the most common vulnerabilities.
---------------------------------------------
https://github.blog/security/vulnerability-research/how-to-catch-github-act…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (emacs, java-17-openjdk, kernel, kernel-rt, microcode_ctl, python3.11-setuptools, python3.12-setuptools, and socat), Debian (gnutls28), Fedora (vim), Red Hat (java-1.8.0-ibm), Slackware (bind), SUSE (docker, erlang, erlang26, ggml-devel-5889, gnuplot, kernel, kubernetes1.27, libQt6Concurrent6, mailman3, and transfig), and Ubuntu (apache2, bind9, linux-iot, linux-lowlatency-hwe-6.11, linux-raspi, and linux-raspi-5.4).
---------------------------------------------
https://lwn.net/Articles/1030256/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 15-07-2025 18:00 − Mittwoch 16-07-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Hackers exploit a blind spot by hiding malware inside DNS records ∗∗∗
---------------------------------------------
Technique transforms the Internet DNS into an unconventional file storage system.
---------------------------------------------
https://arstechnica.com/security/2025/07/hackers-exploit-a-blind-spot-by-hi…
∗∗∗ Patch urgently: zero-day vulnerability lets hackers escape the Chrome sandbox ∗∗∗
---------------------------------------------
Google has closed several security vulnerabilities in Chrome with an update. One is already being actively exploited and enables a sandbox escape.
---------------------------------------------
https://www.golem.de/news/google-warnt-zero-day-luecke-in-chrome-laesst-hac…
∗∗∗ Botnet taken down: BKA takes action against pro-Russian hacker group ∗∗∗
---------------------------------------------
The Russian hacker group NoName057(16) coordinated DDoS attacks using 100 of its own servers and more than 1,000 supporters on Telegram.
---------------------------------------------
https://www.golem.de/news/botnetz-abgeschaltet-bka-geht-gegen-prorussische-…
∗∗∗ Curl Creator Mulls Nixing Bug Bounty Awards To Stop AI Slop ∗∗∗
---------------------------------------------
Daniel Stenberg, creator of the curl utility, is considering ending its bug bounty program due to a surge in low-quality, AI-generated reports that are overwhelming the small volunteer team. Despite attempts to ..
---------------------------------------------
https://it.slashdot.org/story/25/07/16/0618255/curl-creator-mulls-nixing-bu…
∗∗∗ VMware patches security vulnerabilities, some of them critical ∗∗∗
---------------------------------------------
VMware ESXi, Workstation, Fusion and Tools contain security vulnerabilities, some of them critical. Updates are intended to close them.
---------------------------------------------
https://www.heise.de/news/VMware-stopft-teils-kritische-Sicherheitsluecken-…
∗∗∗ Police dismantle DiskStation ransomware gang targeting NAS devices, arrest suspected ringleader ∗∗∗
---------------------------------------------
Police have struck a blow against the DiskStation ransomware gang, which targets Synology NAS devices, arresting its suspected ringleader. Make sure that you have properly hardened the security of your Network Access ..
---------------------------------------------
https://www.fortra.com/blog/police-dismantle-diskstation-ransomware-gang
∗∗∗ NSA: Volt Typhoon was ‘not successful’ at persisting in critical infrastructure ∗∗∗
---------------------------------------------
“The good news” is that China's Volt Typhoon hacking campaign “really failed,” an NSA official said at a cyber conference in New York. An FBI official also described an incident of “true cyberwarfare” with the Flax Typhoon group.
---------------------------------------------
https://therecord.media/china-typhoon-hackers-nsa-fbi-response
∗∗∗ Old Miner, New Tricks ∗∗∗
---------------------------------------------
The FortiCNAPP team, part of FortiGuard Labs, recently investigated a cluster of virtual private servers (VPS) used for Monero mining. The identified samples are associated with prior H2miner campaigns that we documented in 2020 and have since been updated with new configurations. H2Miner is a crypto-mining botnet that has been active since late 2019.
---------------------------------------------
https://www.fortinet.com/blog/threat-research/old-miner-new-tricks
∗∗∗ I SPy: Escalating to Entra ID's Global Admin with a first-party app ∗∗∗
---------------------------------------------
Backdooring Microsoft's applications is far from over. Adding service principal credentials to these apps to escalate privileges and obfuscate activities has been seen in nation-state attacks, and led to the development of new security controls. Despite these efforts, we uncovered a vulnerable, built-in SP that could have allowed escalation ..
---------------------------------------------
https://securitylabs.datadoghq.com/articles/i-spy-escalating-to-entra-id-gl…
∗∗∗ ControlPlane Local Privilege Escalation Vulnerability on macOS ∗∗∗
---------------------------------------------
ControlPlane, originally a fork of MarcoPolo, is a powerful open-source context-aware automation tool for macOS. Developed initially by Dustin Rue, the project is no longer maintained and does not function on the latest versions of macOS. Despite this, it remains in use by a number of users and serves as an interesting target for application security research on Apple's platform. ControlPlane leverages inputs such as WiFi networks, Bluetooth devices, location, ..
---------------------------------------------
http://blog.quarkslab.com/controlplane_lpe_macos.html
∗∗∗ Let Me Cook You a Vulnerability: Exploiting the Thermomix TM5 ∗∗∗
---------------------------------------------
This article delves into vulnerability research on the Thermomix TM5, leading to the discovery of multiple vulnerabilities, which allow firmware downgrade and arbitrary code execution on some firmware versions. We provide an in-depth analysis of the system and its attack surface, detailing the vulnerabilities found and steps for exploitation.
---------------------------------------------
https://www.synacktiv.com/en/publications/let-me-cook-you-a-vulnerability-e…
∗∗∗ Tracking Protestware Spread: 28 npm Packages Affected by Payload Targeting Russian-Language Users ∗∗∗
---------------------------------------------
Socket’s Threat Research Team recently reported on two npm packages with hidden functionality for Russian-language users visiting Russian domains in a browser. In the last few weeks, the team has found the ..
---------------------------------------------
https://socket.dev/blog/protestware-update-28-npm-packages-affected-by-payl…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Oracle (cloud-init, emacs, firefox, glib2, go-toolset:rhel8, kernel, lz4, python-setuptools, python3.11-setuptools, python3.12-setuptools, and socat), Red Hat (fence-agents, glib2, glibc, java-17-openjdk, kernel, kernel-rt, python-setuptools, python3.11-setuptools, and python3.12-setuptools), Slackware (libxml2), SUSE (glib2, gpg2, kernel, libxml2, poppler, rmt-server, runc, stalld, and xen), and Ubuntu (jpeg-xl).
---------------------------------------------
https://lwn.net/Articles/1030106/
∗∗∗ CVE-2025-4919: Corruption via Math Space in Mozilla Firefox ∗∗∗
---------------------------------------------
In recent years, there has been increased interest in JavaScript engine vulnerabilities as a means of compromising web browsers. Notably, vulnerabilities in JIT engines are among the most favored ones, as they provide strong primitives and well-known techniques are already available to facilitate compromise. At Pwn2Own Berlin 2025, Manfred Paul compromised the Mozilla ..
---------------------------------------------
https://www.thezdi.com/blog/2025/7/14/cve-2025-4919-corruption-via-math-spa…
=====================
= End-of-Day report =
=====================
Timeframe: Montag 14-07-2025 18:00 − Dienstag 15-07-2025 18:00
Handler: Felician Fuchs
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ MITRE Launches AADAPT Framework for Financial Systems ∗∗∗
---------------------------------------------
The new framework is modeled after and meant to complement the MITRE ATT&CK framework, and it is aimed at detecting and responding to cyberattacks on cryptocurrency assets and other financial targets.
---------------------------------------------
https://www.darkreading.com/vulnerabilities-threats/mitre-aadapt-framework-…
∗∗∗ US rail traffic at risk: hackers have been able to stop trains remotely for years ∗∗∗
---------------------------------------------
The problem has been known for 13 years but has still not been fixed. Trains in the USA can be stopped via radio signal, for example with a Flipper Zero.
---------------------------------------------
https://www.golem.de/news/us-schienenverkehr-gefaehrdet-hacker-koennen-zueg…
∗∗∗ North Korean Hackers Flood npm Registry with XORIndex Malware in Ongoing Attack Campaign ∗∗∗
---------------------------------------------
The North Korean threat actors linked to the Contagious Interview campaign have been observed publishing another set of 67 malicious packages to the npm registry, underscoring ongoing attempts to poison the open-source ecosystem via software supply chain attacks.
---------------------------------------------
https://thehackernews.com/2025/07/north-korean-hackers-flood-npm-registry.h…
∗∗∗ Securing Agentic AI: How to Protect the Invisible Identity Access ∗∗∗
---------------------------------------------
AI agents promise to automate everything from financial reconciliations to incident response. Yet every time an AI agent spins up a workflow, it has to authenticate somewhere, often with a high-privilege API key, OAuth token, or service account that defenders can’t easily see. These "invisible" non-human identities (NHIs) now outnumber human accounts in most cloud environments, and they have become one of the ripest targets for attackers.
---------------------------------------------
https://thehackernews.com/2025/07/securing-agentic-ai-how-to-protect.html
∗∗∗ AsyncRAT's Open-Source Code Sparks Surge in Dangerous Malware Variants Across the Globe ∗∗∗
---------------------------------------------
Cybersecurity researchers have charted the evolution of a widely used remote access trojan called AsyncRAT, which was first released on GitHub in January 2019 and has since served as the foundation for several other variants.
---------------------------------------------
https://thehackernews.com/2025/07/asyncrats-open-source-code-sparks-surge.h…
∗∗∗ Framework 13. Press here to pwn ∗∗∗
---------------------------------------------
BIOS protection is the digital equivalent of a locked front door, but what if the doorbell doubled as a reset button? The Framework 13 laptop has a chassis intrusion detection switch. It’s designed to notify the BIOS when the laptop body has been opened. However, the same switch can be manipulated to reset the BIOS. This wipes critical protections like the BIOS administrator password, along with important security options such as secure boot and even the chassis intrusion lockout itself!
---------------------------------------------
https://www.pentestpartners.com/security-blog/framework-13-press-here-to-pw…
∗∗∗ Windows 10: how long Microsoft 365 apps will still receive updates ∗∗∗
---------------------------------------------
Microsoft has now named the deadlines after which security updates for Microsoft 365 apps on Windows 10 will end following 14 October 2025, but surprisingly is even still providing feature updates (up to version 2608). The same applies to Windows Server 2016/2019 if MS 365 apps run there under Terminal Server. There are staggered dates for the rollout of Microsoft 365 version 2608 and thus for the release of the feature updates. Security updates will then still be available until October 2025.
---------------------------------------------
https://www.borncity.com/blog/2025/07/15/windows-10-solange-bekommen-micros…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ffmpeg), Fedora (gnutls, linux-firmware, mingw-djvulibre, mingw-python-requests, and salt), Mageia (qtimageformats6), Oracle (gnome-remote-desktop, golang, kernel, libxml2, and perl-File-Find-Rule), SUSE (gstreamer-plugins-base, gstreamer-plugins-good, kernel, and protobuf), and Ubuntu (apport, glibc, gnutls28, and roundcube).
---------------------------------------------
https://lwn.net/Articles/1029919/
∗∗∗ Zyxel security advisory for path traversal vulnerability in APs ∗∗∗
---------------------------------------------
Zyxel has released patches to address a path traversal vulnerability in the file_upload-cgi CGI program of certain access point (AP) firmware versions. Users are advised to install these patches for optimal protection.
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-…
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 11-07-2025 18:00 − Montag 14-07-2025 18:00
Handler: Felician Fuchs
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ WordPress Gravity Forms developer hacked to push backdoored plugins ∗∗∗
---------------------------------------------
The popular WordPress plugin Gravity Forms has been compromised in what seems a supply-chain attack where manual installers from the official website were infected with a backdoor.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/wordpress-gravity-forms-deve…
∗∗∗ Google Gemini flaw hijacks email summaries for phishing ∗∗∗
---------------------------------------------
Google Gemini for Workspace can be exploited to generate email summaries that appear legitimate but include malicious instructions or warnings that direct users to phishing sites without using attachments or direct links.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/google-gemini-flaw-hijacks-e…
∗∗∗ After cyberattack: ministry confirms possible data leak at the police ∗∗∗
---------------------------------------------
Hackers attacked a system used to manage the service phones of the Mecklenburg-Vorpommern state police. A data leak can no longer be ruled out.
---------------------------------------------
https://www.golem.de/news/mecklenburg-vorpommern-moeglicher-datenabfluss-be…
∗∗∗ GPUHammer: New RowHammer Attack Variant Degrades AI Models on NVIDIA GPUs ∗∗∗
---------------------------------------------
NVIDIA is urging customers to enable System-level Error Correction Codes (ECC) as a defense against a variant of a RowHammer attack demonstrated against its graphics processing units (GPUs).
---------------------------------------------
https://thehackernews.com/2025/07/gpuhammer-new-rowhammer-attack-variant.ht…
∗∗∗ eSIM Vulnerability in Kigen's eUICC Cards Exposes Billions of IoT Devices to Malicious Attacks ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered a new hacking technique that exploits weaknesses in the eSIM technology used in modern smartphones, exposing users to severe risks. The issues impact the Kigen eUICC card. According to the Irish company's website, more than two billion SIMs in IoT devices have been enabled as of December 2020.
---------------------------------------------
https://thehackernews.com/2025/07/esim-vulnerability-in-kigens-euicc.html
∗∗∗ Cyberattack on nius.de: user data allegedly published ∗∗∗
---------------------------------------------
On Saturday a cyberattack hit the portal nius.de. Article headlines were manipulated, and subscriber data was apparently also published.
---------------------------------------------
https://www.heise.de/news/Cyberangriff-auf-nius-de-mutmasslich-Nutzerdaten-…
∗∗∗ willhaben & PayLivery: how criminals exploit a service that is actually secure ∗∗∗
---------------------------------------------
They are "very strongly interested" and do not want to "come away empty-handed again". Criminals pose as potential buyers on willhaben and try to lure their victims out of the platform's secure environment into a messenger app. The purpose is to circumvent the platform's internal security mechanisms. We explain what PayLivery actually is, how it works and what to watch out for when using it.
---------------------------------------------
https://www.watchlist-internet.at/news/willhaben-paylivery-sicheres-service/
∗∗∗ KongTuke FileFix Leads to New Interlock RAT Variant ∗∗∗
---------------------------------------------
Researchers from The DFIR Report, in partnership with Proofpoint, have identified a new and resilient variant of the Interlock ransomware group’s remote access trojan (RAT).
---------------------------------------------
https://thedfirreport.com/2025/07/14/kongtuke-filefix-leads-to-new-interloc…
=====================
= Vulnerabilities =
=====================
∗∗∗ CERT warns of UEFI security vulnerabilities in Gigabyte firmware ∗∗∗
---------------------------------------------
The UEFI firmware of numerous Gigabyte motherboards contains security vulnerabilities through which attackers can extend their privileges on the system very extensively. Gigabyte provides BIOS updates for numerous motherboards that close the vulnerabilities.
---------------------------------------------
https://www.heise.de/news/CERT-warnt-vor-UEFI-Sicherheitsluecken-in-Gigabyt…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (redis and thunderbird), Fedora (cef, git, gnutls, httpd, linux-firmware, luajit, mingw-djvulibre, mingw-python-requests, perl, php, python-requests, python3.6, salt, and selenium-manager), Mageia (dpkg, firefox, gnupg2, and golang), Slackware (httpd and kernel), SUSE (afterburn, cmctl, git, go1.23, go1.24, k9s, liboqs-devel, libxml2, php8, python36, trivy, and xen), and Ubuntu (linux-xilinx-zynqmp and nix).
---------------------------------------------
https://lwn.net/Articles/1029764/
∗∗∗ COPADATA: CD_SVA_2025_01: zenon Remote Transport Vulnerability ∗∗∗
---------------------------------------------
https://selfservice.copadata.com/portal/en/kb/articles/cd-10-7-2025
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 10-07-2025 18:00 − Freitag 11-07-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Arrested in Paris: Russian professional basketball player allegedly supported a cyber gang ∗∗∗
---------------------------------------------
A player for MBA Moscow has been arrested in France. US prosecutors accuse him of having negotiated ransom payments for a ransomware gang.
---------------------------------------------
https://www.golem.de/news/in-paris-verhaftet-russischer-basketballprofi-sol…
∗∗∗ PerfektBlue Bluetooth Vulnerabilities Expose Millions of Vehicles to Remote Code Execution ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered a set of four security flaws in OpenSynergy's BlueSDK Bluetooth stack that, if successfully exploited, could allow remote code execution on millions of transport vehicles from different vendors. The vulnerabilities, ..
---------------------------------------------
https://thehackernews.com/2025/07/perfektblue-bluetooth-vulnerabilities.html
∗∗∗ Now everybody but Citrix agrees that CitrixBleed 2 is under exploit ∗∗∗
---------------------------------------------
The US Cybersecurity and Infrastructure Security Agency has added its weighty name to the list of parties agreeing that CVE-2025-5777, dubbed CitrixBleed 2 by one researcher, has been under exploitation and abused to hijack user sessions.
---------------------------------------------
https://www.theregister.com/2025/07/10/cisa_citrixbleed_kev/
∗∗∗ Trend Micro: several products with high-risk vulnerabilities ∗∗∗
---------------------------------------------
Trend Micro has published vulnerability descriptions discussing flaws in several products. Updates are available.
---------------------------------------------
https://www.heise.de/news/Trend-Micro-Mehrere-Produkte-mit-hochriskanten-Lu…
∗∗∗ Hacker group allegedly carried out 170 cyberattacks ∗∗∗
---------------------------------------------
At least 170 attacks causing millions in damage: investigators target an international hacker group.
---------------------------------------------
https://www.heise.de/news/Hackergruppe-soll-170-Cyberangriffe-veruebt-haben…
∗∗∗ Critical code injection vulnerability in Wing FTP is under attack ∗∗∗
---------------------------------------------
Attackers are exploiting a security vulnerability in the data transfer software Wing FTP that allows malicious code to be injected.
---------------------------------------------
https://www.heise.de/news/Codeschmuggel-Luecke-in-Wing-FTP-wird-angegriffen…
∗∗∗ UK Arrests Four in ‘Scattered Spider’ Ransom Group ∗∗∗
---------------------------------------------
Authorities in the United Kingdom this week arrested four alleged members of "Scattered Spider," a prolific data theft and extortion group whose recent victims include multiple airlines and the U.K. retail chain Marks & Spencer.
---------------------------------------------
https://krebsonsecurity.com/2025/07/uk-charges-four-in-scattered-spider-ran…
∗∗∗ Sil3ncer Deployed – RCE, Porn Diversion, and Ransomware on an SFTP-only Server ∗∗∗
---------------------------------------------
We investigated a ransomware incident on a Windows Server 2012 host running in an SFTP-only role. The attacker delivered an attack that combined remote code execution, persistence, tunnelling, and a diversionary visit to Pornhub, before launching a ransomware payload. Background & scope. An easy way in. The compromised server was ..
---------------------------------------------
https://www.pentestpartners.com/security-blog/sil3ncer-deployed-rce-porn-di…
∗∗∗ Evolving Tactics of SLOW#TEMPEST: A Deep Dive Into Advanced Malware Techniques ∗∗∗
---------------------------------------------
SLOW#TEMPEST malware uses dynamic jumps and obfuscated calls to evade detection. Unit 42 details these techniques and how to defeat them with emulation.
---------------------------------------------
https://unit42.paloaltonetworks.com/slow-tempest-malware-obfuscation/
∗∗∗ Former Mexican president investigated over allegedly taking bribes from spyware industry ∗∗∗
---------------------------------------------
The investigation comes in response to an account in the Israeli business publication TheMarker, which reported that the contracts included a deal to buy Pegasus — the powerful spyware manufactured by Israel-based NSO Group.
---------------------------------------------
https://therecord.media/former-mexican-president-investigated-spyware-bribes
∗∗∗ Pre-Auth SQL Injection to RCE - Fortinet FortiWeb Fabric Connector (CVE-2025-25257) ∗∗∗
---------------------------------------------
Welcome back to yet another day in this parallel universe of security. This time, we’re looking at Fortinet’s FortiWeb Fabric Connector. “What is that?” we hear you say. That's a great question; no one ..
---------------------------------------------
https://labs.watchtowr.com/pre-auth-sql-injection-to-rce-fortinet-fortiweb-…
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 09-07-2025 18:00 − Donnerstag 10-07-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ IT outage at Ameos: cyberattack hits large hospital group ∗∗∗
---------------------------------------------
The Ameos Group has taken its services offline as a result of a cyberattack. The consequence: outages in numerous hospitals and care facilities.
---------------------------------------------
https://www.golem.de/news/it-ausfall-bei-ameos-cyberangriff-trifft-grossen-…
∗∗∗ Suddenly full access: attack technique tricks Android users with animations ∗∗∗
---------------------------------------------
Using an attack technique called Taptrap, attackers obtain far-reaching access rights completely unnoticed. Even Android 16 offers no protection against it.
---------------------------------------------
https://www.golem.de/news/ploetzlich-vollzugriff-angriffstechnik-trickst-an…
∗∗∗ InfoFlood: AI safety bypassed with verbose prose ∗∗∗
---------------------------------------------
If AI chatbots are flooded with information and technical jargon, they will even produce instructions for hacking ATMs.
---------------------------------------------
https://www.golem.de/news/infoflood-ki-sicherheit-mit-ausschweifender-prosa…
∗∗∗ Code highlighting with Cursor AI for $500,000 ∗∗∗
---------------------------------------------
Kaspersky GReAT experts uncover malicious extensions for Cursor AI that download the Quasar backdoor and a crypto stealer.
---------------------------------------------
https://securelist.com/open-source-package-for-cursor-ai-turned-into-a-cryp…
∗∗∗ Attackers Inject Code into WordPress Theme to Redirect Visitors ∗∗∗
---------------------------------------------
In a recent article we discussed some of the reasons sites are frequently attacked. That article covered browser redirects, and we’ll explore an example of such a case here. Website themes are a common attack vector for many reasons. The theme is guaranteed to load on every page, since that is the core design of any site, and themes can easily be ..
---------------------------------------------
https://blog.sucuri.net/2025/07/attackers-inject-code-into-wordpress-theme-…
∗∗∗ At last, a use case for AI agents with sky-high ROI: Stealing crypto ∗∗∗
---------------------------------------------
Boffins outsmart smart contracts with evil automation. Using AI models to generate exploits for cryptocurrency contract flaws appears to be a promising business model, though not necessarily a legal one.
---------------------------------------------
https://www.theregister.com/2025/07/10/ai_agents_automatically_steal_crypto…
∗∗∗ 200,000 websites at risk due to security flaw in WordPress plug-in SureForms ∗∗∗
---------------------------------------------
Anyone using the SureForms plug-in in their own WordPress instances should update: a security vulnerability allows site takeover.
---------------------------------------------
https://www.heise.de/news/WordPress-Plug-in-SureForms-Sicherheitsluecke-gef…
∗∗∗ Cyberattack via conference call: five young men under suspicion ∗∗∗
---------------------------------------------
Five young men blocked the telephone lines of around 800 police stations. The trick they used was simple but caused a lot of trouble.
---------------------------------------------
https://www.heise.de/news/Cyberangriff-per-Telefonkonferenz-Fuenf-junge-Mae…
∗∗∗ McDonald’s AI bot spills data on job applicants ∗∗∗
---------------------------------------------
The job applicants' personal information could be accessed by simply guessing a username and using the password “12345.”
---------------------------------------------
https://www.malwarebytes.com/blog/news/2025/07/mcdonalds-ai-bot-spills-data…
∗∗∗ FinanzOnline – “Urgent security warning due to login attempt” is a phishing trap ∗∗∗
---------------------------------------------
A new phishing wave in the name of FinanzOnline is after users' login data. Criminals send e-mails warning of alleged “unknown login attempts”. Anyone who clicks the link to supposedly check their security settings ends up on a fake portal.
---------------------------------------------
https://www.watchlist-internet.at/news/finanzonline-sicherheitswarnung-phis…
∗∗∗ Fix the Click: Preventing the ClickFix Attack Vector ∗∗∗
---------------------------------------------
ClickFix campaigns are on the rise. We highlight three that distributed NetSupport RAT, Latrodectus, and Lumma Stealer malware.
---------------------------------------------
https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector/
∗∗∗ Russian basketball player arrested in France over alleged ransomware ties ∗∗∗
---------------------------------------------
Daniil Kasatkin, 26, was detained in June at Paris’s Charles de Gaulle Airport shortly after arriving in the country with his fiancée, according to local media reports.
---------------------------------------------
https://therecord.media/russian-basketball-player-arrested-in-france-ransom…
∗∗∗ Austria's National Council approves malware for surveillance of potential threats ∗∗∗
---------------------------------------------
Mobile phones and computers are to be infected with malware so that Austria's investigators can inspect them. Only 2 members of parliament from the governing parties dared to object.
---------------------------------------------
https://heise.de/-10481818
∗∗∗ Laravel: APP_KEY leakage analysis ∗∗∗
---------------------------------------------
This blog post sums up our journey, from identifying vulnerabilities related to Laravel encryption to scaling this knowledge into a massive compromise of internet-facing applications. We will talk about the methodology we used to collect data across the internet, as well as how we analyzed it to get the most relevant results.
---------------------------------------------
https://www.synacktiv.com/publications/laravel-appkey-leakage-analysis.html
∗∗∗ Let Me Cook You a Vulnerability: Exploiting the Thermomix TM5 ∗∗∗
---------------------------------------------
This article delves into vulnerability research on the Thermomix TM5, leading to the discovery of multiple vulnerabilities, which allow firmware downgrade and arbitrary code execution on some firmware versions. We provide an in-depth analysis of the system and its attack surface, detailing the vulnerabilities found and steps for exploitation.
---------------------------------------------
https://www.synacktiv.com/en/publications/let-me-cook-you-a-vulnerability-e…
=====================
= Vulnerabilities =
=====================
∗∗∗ Mail Login - Critical - Access bypass - SA-CONTRIB-2025-088 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2025-088
∗∗∗ Cookies Addons - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-087 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2025-087
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 08-07-2025 18:00 − Wednesday 09-07-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ New Android TapTrap attack fools users with invisible UI trick ∗∗∗
---------------------------------------------
A novel tapjacking technique can exploit user interface animations to bypass Android's permission system and allow access to sensitive data or trick users into performing destructive actions, such as wiping the device.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-android-taptrap-attack-f…
∗∗∗ Update not distributed: according to AMD, motherboard manufacturers are to blame for unfixed TPM bug ∗∗∗
---------------------------------------------
AMD has had a fix since 2022 for a bug that can lock out Windows users with BitLocker enabled. But the motherboard manufacturers are not shipping it.
---------------------------------------------
https://www.golem.de/news/fix-nicht-ausgeliefert-amd-kritisiert-mainboard-h…
∗∗∗ Massive browser hijacking campaign infects 2.3M Chrome, Edge users ∗∗∗
---------------------------------------------
These extensions weren't malware-laced from the start, researcher says. A Chrome and Edge extension with more than 100,000 downloads that displays Google's verified badge does what it purports to do: it delivers a color picker to users. Unfortunately, it also ..
---------------------------------------------
https://www.theregister.com/2025/07/08/browser_hijacking_campaign/
∗∗∗ Patch Tuesday: Microsoft closes $100,000 SharePoint vulnerability from hacking contest ∗∗∗
---------------------------------------------
Update bundle released: to prevent attacks, admins should make sure their Microsoft products are up to date.
---------------------------------------------
https://www.heise.de/news/Patchday-Microsoft-schliesst-100-000-Luecke-in-Sh…
∗∗∗ Patch Tuesday: Adobe protects After Effects and other products against possible attacks ∗∗∗
---------------------------------------------
Several Adobe applications are vulnerable to, among other things, DoS and malicious code attacks. Security updates provide a remedy.
---------------------------------------------
https://www.heise.de/news/Patchday-Adobe-schuetzt-After-Effects-Co-vor-moeg…
∗∗∗ Advancing Protection in Chrome on Android ∗∗∗
---------------------------------------------
Android recently announced Advanced Protection, which extends Google’s Advanced Protection Program to a device-level security setting for Android users that need heightened security—such as journalists, elected officials, and public figures. Advanced ..
---------------------------------------------
http://security.googleblog.com/2025/07/advancing-protection-in-chrome-on.ht…
∗∗∗ Alleged prize in the name of MediaMarkt leads to a subscription trap ∗∗∗
---------------------------------------------
Have you received an e-mail in the name of MediaMarkt with an alleged prize notification? Are you asked to click a link and pay a shipping fee of two euros to claim the prize? Then caution is advised! There is no prize behind it, only an expensive subscription trap.
---------------------------------------------
https://www.watchlist-internet.at/news/angeblicher-gewinn-bei-media-markt-f…
∗∗∗ Critical vulnerability CVE-2025-47981 in Windows SPNEGO - update urgently recommended ∗∗∗
---------------------------------------------
Microsoft has published a critical vulnerability in the Windows SPNEGO Extended Negotiation (NEGOEX) Security Mechanism. The flaw allows attackers, remotely and without authentication, to execute arbitrary code on ..
---------------------------------------------
https://www.cert.at/de/warnungen/2025/7/kritische-sicherheitslucke-cve-2025…
∗∗∗ Iranian ransomware group offers bigger payouts for attacks on Israel, US ∗∗∗
---------------------------------------------
The Iran-linked ransomware-as-a-service group Pay2Key.I2P told affiliates that they can keep a larger cut of extortion payments if they attack entities within Iran's adversaries.
---------------------------------------------
https://therecord.media/iran-ransomware-group-pay2keyi2p-israel-us-targets
∗∗∗ Treasury sanctions key player behind North Korean IT worker scheme ∗∗∗
---------------------------------------------
The United States identified and sanctioned another North Korean involved with the country's IT worker schemes, this time for illicit operations based in China and Russia.
---------------------------------------------
https://therecord.media/north-korea-it-worker-scheme-us-sanctions-song-kum-…
∗∗∗ Fake CNN and BBC sites used to push investment scams ∗∗∗
---------------------------------------------
Thousands of web pages falsely branded as popular news sites are conduits for fake cryptocurrency investment scams, researchers said.
---------------------------------------------
https://therecord.media/news-websites-faked-to-spread-investment-scams
∗∗∗ CVE-2025-48384: Breaking git with a carriage return and cloning RCE ∗∗∗
---------------------------------------------
tl;dr: On Unix-like platforms, if you use git clone --recursive on an untrusted repo, it could achieve remote code execution. Update to a fixed version of Git and other software that embeds Git (including GitHub Desktop).
---------------------------------------------
https://dgl.cx/2025/07/git-clone-submodule-cve-2025-48384
∗∗∗ Supabase MCP can leak your entire SQL database ∗∗∗
---------------------------------------------
Model Context Protocol (MCP) has emerged as a standard way for LLMs to interact with external tools. While this unlocks new capabilities, it also introduces new risk surfaces. In this post, we show how an attacker can exploit Supabase’s MCP integration to leak a developer’s private SQL tables.
---------------------------------------------
https://www.generalanalysis.com/blog/supabase-mcp-blog
=====================
= Vulnerabilities =
=====================
∗∗∗ A set of Git security-fix releases ∗∗∗
---------------------------------------------
Versions v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1 and v2.50.1 of the Git source-code management system have been released. "This is a set of coordinated security fix releases. Please update at your earliest convenience". See the announcement for details; many of the vulnerabilities have to do with tricks buried in untrusted repositories.
---------------------------------------------
https://lwn.net/Articles/1029182/
∗∗∗ SQL injection in forward module ∗∗∗
---------------------------------------------
An Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) vulnerability [CWE-89] in FortiManager and FortiAnalyzer may allow an authenticated attacker with high privilege to extract database information via crafted requests.
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-24-437
=====================
= End-of-Day report =
=====================
Timeframe: Monday 07-07-2025 18:00 − Tuesday 08-07-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ “No honor among thieves”: M&S hacking group starts turf war ∗∗∗
---------------------------------------------
A clash between criminal ransomware groups could result in victims being extorted twice.
---------------------------------------------
https://arstechnica.com/security/2025/07/no-honor-among-thieves-ms-hacking-…
∗∗∗ Qantas is being extorted in recent data-theft cyberattack ∗∗∗
---------------------------------------------
Qantas has confirmed that it is now being extorted by threat actors following a cyberattack that potentially exposed the data for 6 million customers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/qantas-is-being-extorted-in-…
∗∗∗ Atomic macOS infostealer adds backdoor for persistent attacks ∗∗∗
---------------------------------------------
A malware analyst discovered a new version of the Atomic macOS info-stealer (also known as AMOS) that comes with a backdoor, giving attackers persistent access to compromised systems.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/atomic-macos-infostealer-add…
∗∗∗ Alleged Chinese hacker tied to Silk Typhoon arrested for cyberespionage ∗∗∗
---------------------------------------------
A Chinese national was arrested in Milan, Italy, last week for allegedly being linked to the state-sponsored Silk Typhoon hacking group, which is responsible for cyberattacks against American organizations and government agencies.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/alleged-chinese-hacker-tied-…
∗∗∗ Approach to mainframe penetration testing on z/OS. Deep dive into RACF ∗∗∗
---------------------------------------------
We have explored the RACF security package in z/OS and developed a utility to interact with its database. Now, we are assessing RACF configuration security for penetration testing.
---------------------------------------------
https://securelist.com/zos-mainframe-pentesting-resource-access-control-fac…
∗∗∗ Android Patch Day skipped in July ∗∗∗
---------------------------------------------
Admins can sit back, at least as far as Android and Pixel smartphones are concerned: there is nothing to patch in July.
---------------------------------------------
https://www.heise.de/news/Android-Patchday-faellt-im-Juli-aus-10478020.html
∗∗∗ SAP Patch Day: NetWeaver products vulnerable to malicious code attacks ∗∗∗
---------------------------------------------
Attackers can target SAP NetWeaver products and Business Objects, among others. Security updates are available for download.
---------------------------------------------
https://www.heise.de/news/Patchday-SAP-NetWeaver-Produkte-sind-fuer-Schadco…
∗∗∗ How to conduct a Password Audit in Active Directory (AD) ∗∗∗
---------------------------------------------
Weak or compromised passwords are still one of the most common ways attackers get into an organisation’s network. That’s why running password audits in Active Directory is so important. But smaller companies often don’t have the time, budget, or resources to do them regularly.
---------------------------------------------
https://www.pentestpartners.com/security-blog/how-to-conduct-a-password-aud…
∗∗∗ "Hi Mum, this is my new number" – A look behind the scenes of the evergreen scam ∗∗∗
---------------------------------------------
The "Hi Mum" message is one of the absolute phishing classics. Despite its now considerable notoriety, criminals persistently keep trying to make money with it. For everyone who has always wanted to know what actually happens if you reply, we took a closer look at the process.
---------------------------------------------
https://www.watchlist-internet.at/news/hallo-mama-hinter-den-kulissen/
∗∗∗ GoldMelody’s Hidden Chords: Initial Access Broker In-Memory IIS Modules Revealed ∗∗∗
---------------------------------------------
An IAB campaign exploited leaked ASP.NET Machine Keys. We dissect the attacker's infrastructure and campaign, and offer takeaways for blue teams.
---------------------------------------------
https://unit42.paloaltonetworks.com/initial-access-broker-exploits-leaked-m…
∗∗∗ Actively exploited vulnerabilities in Citrix NetScaler ADC and NetScaler Gateway ∗∗∗
---------------------------------------------
In recent weeks, Citrix has published several security updates for a total of three vulnerabilities in its products NetScaler ADC and NetScaler Gateway: CVE-2025-6543 (CVSS score 9.2), CVE-2025-5349 (CVSS score 8.7) and CVE-2025-5777 (CVSS score 9.3, also known as "CitrixBleed 2"). At the time the advisories and the corresponding updates were published, according to Citrix there was no active exploitation of the vulnerabilities, ..
---------------------------------------------
https://www.cert.at/de/aktuelles/2025/7/aktiv-ausgenutzte-schwachstellen-in…
∗∗∗ New spyware strain steals data from Russian industrial companies ∗∗∗
---------------------------------------------
Moscow-based cybersecurity firm Kaspersky said the campaign has already affected over 100 victims across several dozen Russian organizations, but did not disclose the specific targets.
---------------------------------------------
https://therecord.media/spyware-strain-steals-data-russian-industrial-sector
∗∗∗ Detection Engineering: Practicing Detection-as-Code – Introduction – Part 1 ∗∗∗
---------------------------------------------
This is going to be a multipart blog series revolving around Detection Engineering and more specifically practicing Detection-as-Code in Detection Engineering. Throughout this series, we’ll dive deep into concepts, strategies, and practical blueprints that you can adapt to fit your own workflows. From building a detection engineering repository to validating ..
---------------------------------------------
https://blog.nviso.eu/2025/07/08/detection-engineering-practicing-detection…
∗∗∗ From cheap IoT toy to your smartphone: Getting RCE by leveraging a companion app ∗∗∗
---------------------------------------------
As IoT adoption continues to grow, we explored the idea that instead of directly compromising IoT devices, an attacker could target the applications controlling them. This approach could potentially allow remote code execution on a user’s smartphone.
---------------------------------------------
https://www.synacktiv.com/en/publications/from-cheap-iot-toy-to-your-smartp…
∗∗∗ New CVE Forecasting Tool Predicts 47,000 Disclosures in 2025 ∗∗∗
---------------------------------------------
Security engineer Jerry Gamblin, founder of RogoLabs, has released a new open source forecasting tool that aims to predict the growing volume of software vulnerability disclosures. The tool, CVEForecast.org, uses historical CVE data and machine learning models to generate short-term projections of how many new vulnerabilities are likely to be published.
---------------------------------------------
https://socket.dev/blog/new-cve-forecasting-tool-predicts-47-000-disclosure…
=====================
= Vulnerabilities =
=====================
∗∗∗ July Security Update ∗∗∗
---------------------------------------------
Ivanti releases standard security patches on the second Tuesday of every month. Our vulnerability management program is central to our commitment to maintaining secure products. Our philosophy is simple: discovering and communicating vulnerabilities, and sharing that information with defenders, is not an indication of weakness; rather it is evidence of ..
---------------------------------------------
https://www.ivanti.com/blog/july-security-update-2025
=====================
= End-of-Day report =
=====================
Timeframe: Friday 04-07-2025 18:00 − Monday 07-07-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Hackers abuse leaked Shellter red team tool to deploy infostealers ∗∗∗
---------------------------------------------
Shellter Project, the vendor of a commercial AV/EDR evasion loader for penetration testing, confirmed that hackers used its Shellter Elite product in attacks after a customer leaked a copy of the software.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-abuse-leaked-shellte…
∗∗∗ Implementation of NIS 2 in Europe: only four countries have delivered ∗∗∗
---------------------------------------------
NIS 2 should have been transposed into national law by 17 October 2024. Only a few countries have managed to do so. How did they do it? An analysis by Thomas Hafen
---------------------------------------------
https://www.golem.de/news/umsetzung-von-nis-2-in-europa-nur-vier-laender-ha…
∗∗∗ Vulnerabilities and bugs fixed too: new 7-Zip compresses with more than 64 CPU cores ∗∗∗
---------------------------------------------
Anyone using 7-Zip should update the archiver promptly. Version 25.00 promises more performance and fixes bugs and vulnerabilities.
---------------------------------------------
https://www.golem.de/news/jetzt-updaten-7-zip-schliesst-sicherheitsluecken-…
∗∗∗ Massive spike in use of .es domains for phishing abuse ∗∗∗
---------------------------------------------
¡Cuidado! (Careful!) Time to double-check before entering your Microsoft creds. Cybersecurity experts are reporting a 19x increase in malicious campaigns being launched from .es domains, making it the third most common, behind only .com and .ru.
---------------------------------------------
https://www.theregister.com/2025/07/05/spain_domains_phishing/
∗∗∗ Ingram Micro confirms ransomware behind multi-day outage ∗∗∗
---------------------------------------------
SafePay crew claims responsibility for intrusion at one of the world's largest tech distributors. Ingram Micro, one of the world's largest distributors, has confirmed it is trying to restore systems following a ransomware attack.
---------------------------------------------
https://www.theregister.com/2025/07/06/ingram_micro_confirms_ransomware_beh…
∗∗∗ Antivirus: malicious code can be slipped into Comodo Internet Security ∗∗∗
---------------------------------------------
An IT security researcher has discovered several vulnerabilities in the Comodo Internet Security antivirus through which attackers can inject malicious code.
---------------------------------------------
https://www.heise.de/news/Antivirus-Comodo-Internet-Security-laesst-sich-Sc…
∗∗∗ SSB-104599 V1.0: Increasing Cyber Threats to Industrial Control Systems ∗∗∗
---------------------------------------------
The current geopolitical situation has created increased cybersecurity risks across all industrial sectors. This challenging environment also impacts the operational technology (OT) landscape, where we observe an intensification of threat activities.
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssb-104599.html
∗∗∗ Fake Europol e-mail accusing recipients of distributing pornographic content involving minors ∗∗∗
---------------------------------------------
A fake e-mail in the name of Europol is currently being circulated. It accuses the recipients of having accessed or distributed prohibited pornographic depictions of minors. Allegedly, criminal proceedings have been initiated as a result. Those affected are asked to submit a statement by e-mail. Do not reply to it, as it is a scam attempt!
---------------------------------------------
https://www.watchlist-internet.at/news/europol-e-mail-mit-vorwurf-der-verbr…
∗∗∗ BERT Ransomware Group Targets Asia and Europe on Multiple Platforms ∗∗∗
---------------------------------------------
BERT is a newly emerged ransomware group that pairs simple code with effective execution—carrying out attacks across Europe and Asia. In this entry, we examine the group’s tactics, how their variants have evolved, and the tools they use to get past defenses and speed up encryption across platforms.
---------------------------------------------
https://www.trendmicro.com/en_us/research/25/g/bert-ransomware-group-target…
∗∗∗ SatanLock Ransomware Ends Operations, Says Stolen Data Will Be Leaked ∗∗∗
---------------------------------------------
SatanLock ransomware gang shuts down after weeks of attacks and plans to leak stolen victim data. Group linked to Babuk-Bjorka and GD Lockersec families.
---------------------------------------------
https://hackread.com/satanlock-ransomware-ends-operations-stolen-data-leak/
∗∗∗ Isolated Recovery Environments: A Critical Layer in Modern Cyber Resilience ∗∗∗
---------------------------------------------
As adversaries grow faster, stealthier, and more destructive, traditional recovery strategies are increasingly insufficient. Mandiant's M-Trends 2025 report reinforces this shift, highlighting that ransomware operators now routinely target not just production systems but also backups. This evolution demands that organizations re-evaluate their resilience posture.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/isolated-recovery-…
∗∗∗ How Much More Must We Bleed? - Citrix NetScaler Memory Disclosure (CitrixBleed 2 CVE-2025-5777) ∗∗∗
---------------------------------------------
Before you dive into our latest diatribe, indulge us and join us on a journey. Sit in your chair, stand at your desk, lick your phone screen - close your eyes and imagine a world in which things are great. It’s sunny outside, the birds are chirping, ..
---------------------------------------------
https://labs.watchtowr.com/how-much-more-must-we-bleed-citrix-netscaler-mem…
∗∗∗ Let's Encrypt issues first IP certificate ∗∗∗
---------------------------------------------
Last week, the Let's Encrypt project issued its first certificate for an IP address.
---------------------------------------------
https://heise.de/-10476509
∗∗∗ Security update: Dell Data Protection Advisor attackable through many vulnerabilities ∗∗∗
---------------------------------------------
Attackers can exploit vulnerabilities in Dell's backup solution Data Protection Advisor. The computer manufacturer rates the risk as critical.
---------------------------------------------
https://heise.de/-10476481
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (thunderbird and xmedcon), Fedora (darktable, mbedtls, sudo, and yarnpkg), Mageia (catdoc and php), Red Hat (java-1.8.0-ibm, kernel, python-setuptools, python3, python3.11, python3.12, python3.9, socat, sudo, tigervnc, webkit2gtk3, webkitgtk4, xorg-x11-server, and xorg-x11-server-Xwayland), SUSE (alloy, apache-commons-fileupload, apache2-mod_security2, assimp-devel, chromedriver, clamav, clustershell, corepack22, ctdb, curl, dpkg,
---------------------------------------------
https://lwn.net/Articles/1029073/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 03-07-2025 18:00 − Friday 04-07-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Ingram Micro suffers global outage as internal systems inaccessible ∗∗∗
---------------------------------------------
IT giant Ingram Micro is experiencing a global outage that is impacting its websites and internal systems, with customers concerned that it may be a cyberattack after the company remains silent on the cause of the issues.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ingram-micro-suffers-global-…
∗∗∗ Hacker leaks Telefónica data allegedly stolen in a new breach ∗∗∗
---------------------------------------------
A hacker is threatening to leak 106GB of data allegedly stolen from Spanish telecommunications company Telefónica in a breach that the company did not acknowledge.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hacker-leaks-telef-nica-data…
∗∗∗ Federal Court of Audit warns: cybersecurity of federal IT inadequate ∗∗∗
---------------------------------------------
Many federal data centres apparently do not even have an adequate emergency power supply. Redundancy is also frequently lacking.
---------------------------------------------
https://www.golem.de/news/rechnungshof-warnt-cybersicherheit-der-bundes-it-…
∗∗∗ The Breach Beyond the Runway: Cybercriminals Targeted Qantas Through a Trusted Partner ∗∗∗
---------------------------------------------
On July 3, 2025, Qantas confirmed in an update statement that a cyber incident had compromised data from one of its contact centers, following the detection of suspicious activity on June 30. The breach didn’t strike at the heart of ..
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-breach-…
∗∗∗ Europol Dismantles $540 Million Cryptocurrency Fraud Network, Arrests Five Suspects ∗∗∗
---------------------------------------------
Europol on Monday announced the takedown of a cryptocurrency investment fraud ring that laundered €460 million ($540 million) from more than 5,000 victims across the world. The international effort, codenamed Operation Borrelli, was carried out by the ..
---------------------------------------------
https://thehackernews.com/2025/06/europol-dismantles-540-million.html
∗∗∗ "FoxyWallet": more than 40 malicious Firefox add-ons discovered ∗∗∗
---------------------------------------------
IT security researchers have discovered a large-scale campaign using malicious Firefox add-ons. The add-ons empty crypto wallets.
---------------------------------------------
https://www.heise.de/news/FoxyWallet-Mehr-als-40-boesartige-Firefox-Add-ons…
∗∗∗ Pet microchip scams and data leaks in the UK ∗∗∗
---------------------------------------------
TL;DR We were recently on BBC Morning Live talking about issues with pet microchip data, helping some pet owners understand how they were being billed for services which they didn’t recall signing up for. There was so much more to this piece though, so we’ve written up our findings in more detail ..
---------------------------------------------
https://www.pentestpartners.com/security-blog/pet-microchip-scams-and-data-…
∗∗∗ Your Facebook account is sending unwanted messages? Phishing alert & subscription trap! ∗∗∗
---------------------------------------------
Criminals exploit the fear of "account hijacking" – that is, the takeover of an online account by others – for their own purposes. They send e-mail warnings claiming that "unwanted messages" are being sent via the victim's Facebook account. The solution to the supposed problem leads straight into a subscription trap.
---------------------------------------------
https://www.watchlist-internet.at/news/facebook-nachrichten-phishing-abo/
∗∗∗ A message from Bruce the mechanical shark ∗∗∗
---------------------------------------------
This Fourth of July, Bruce, the 25-foot mechanical shark from Jaws, shares how his saltwater struggles mirror the need for real-world cybersecurity stress testing.
---------------------------------------------
https://blog.talosintelligence.com/a-message-from-bruce-the-mechanical-shar…
∗∗∗ AI Dilemma: Emerging Tech as Cyber Risk Escalates ∗∗∗
---------------------------------------------
As AI adoption accelerates, businesses face mounting cyber threats—and urgent choices about secure implementation
---------------------------------------------
https://www.trendmicro.com/en_us/research/25/g/ai-cyber-risks.html
∗∗∗ Taking over 60k spyware user accounts with SQL injection ∗∗∗
---------------------------------------------
Recently I was looking through a database of known stalkerware services and found one I wasn’t familiar with: Catwatchful. It seemed to be a full-featured Android spy app, to actually be its own service as opposed to a millionth FlexiSpy reseller, and to offer a 3-day free trial. Aside from a boilerplate disclaimer to only use it with consent ..
---------------------------------------------
https://ericdaigle.ca/posts/taking-over-60k-spyware-user-accounts/
∗∗∗ Identifying Ransomware Final Stage activities with KQL Queries ∗∗∗
---------------------------------------------
When ransomware strikes, it doesn’t just encrypt files — it often wraps up with a series of stealthy moves meant to lock you out, cover tracks, and make recovery a nightmare. That’s why it’s so important to spot these final-stage activities before the damage is permanent.
---------------------------------------------
https://detect.fyi/identifying-ransomware-final-stage-activities-with-kql-q…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 02-07-2025 18:00 − Thursday 03-07-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ DOJ investigates ex-ransomware negotiator over extortion kickbacks ∗∗∗
---------------------------------------------
An ex-ransomware negotiator is under criminal investigation by the Department of Justice for allegedly working with ransomware gangs to profit from extortion payment deals.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/doj-investigates-ex-ransomwa…
∗∗∗ Data Breach Reveals Catwatchful Stalkerware Is Spying On Thousands of Phones ∗∗∗
---------------------------------------------
An anonymous reader quotes a report from TechCrunch: A security vulnerability in a stealthy Android spyware operation called Catwatchful has exposed thousands of its customers, including its administrator. The bug, which was discovered by security researcher Eric Daigle, spilled the spyware app's full database of email addresses and plaintext passwords that ..
---------------------------------------------
https://yro.slashdot.org/story/25/07/03/0023253/data-breach-reveals-catwatc…
∗∗∗ Fake Spam Plugin Uses Victim’s Domain Name to Evade Detection ∗∗∗
---------------------------------------------
During our investigation of an SEO spam infection (spam content designed to manipulate search engine results), we discovered a nicely crafted plugin that named itself after the infected domain, helping it evade detection. While this tactic was simple, it easily blended in with other legitimate plugins, making it harder to spot during the troubleshooting ..
---------------------------------------------
https://blog.sucuri.net/2025/07/fake-spam-plugin-uses-victims-domain-name-t…
∗∗∗ CISA warns the Signal clone used by natsec staffers is being attacked, so patch now ∗∗∗
---------------------------------------------
Two flaws in TeleMessage are frequent attack vectors for malicious cyber actors. The US security watchdog CISA has warned that malicious actors are actively exploiting two flaws in the Signal clone TeleMessage TM SGNL, and has directed federal agencies to patch the flaws or discontinue use of the app by July 22.
---------------------------------------------
https://www.theregister.com/2025/07/02/cisa_telemessage_patch/
∗∗∗ ChatGPT creates phisher’s paradise by recommending the wrong URLs for major companies ∗∗∗
---------------------------------------------
Crims have cottoned on to a new way to lead you astray. AI-powered chatbots often deliver incorrect information when asked to name the address for major companies’ websites, and threat intelligence business Netcraft thinks that creates an opportunity for criminals.
---------------------------------------------
https://www.theregister.com/2025/07/03/ai_phishing_websites/
∗∗∗ Cisco removes SSH backdoor in Unified Communications Manager ∗∗∗
---------------------------------------------
Network equipment vendor Cisco has closed security vulnerabilities in several products. One of them is rated critical.
---------------------------------------------
https://www.heise.de/news/Cisco-entfernt-SSH-Hintertuer-in-Unified-Communic…
∗∗∗ Apache Under the Lens: Tomcat’s Partial PUT and Camel’s Header Hijack ∗∗∗
---------------------------------------------
We analyze CVE-2025-24813 (Tomcat Partial PUT RCE), CVE-2025-27636 and CVE-2025-29891 (Camel Header Hijack RCE).
---------------------------------------------
https://unit42.paloaltonetworks.com/apache-cve-2025-24813-cve-2025-27636-cv…
∗∗∗ Hunters International ransomware group claims to be shutting down ∗∗∗
---------------------------------------------
“After careful consideration and in light of recent developments, we have decided to close the Hunters International project,” the prolific cybercrime gang wrote on its darknet site.
---------------------------------------------
https://therecord.media/hunters-international-ransomware-extortion-group-cl…
∗∗∗ Russia jails man for 16 years over pro-Ukraine cyberattacks on critical infrastructure ∗∗∗
---------------------------------------------
Russian authorities said the man used malware to attack Russian information systems in 2022, blocking access to websites of several local companies and damaging critical infrastructure.
---------------------------------------------
https://therecord.media/russia-jails-man-over-pro-ukraine-cyberattacks
=====================
= Vulnerabilities =
=====================
∗∗∗ Two-factor Authentication (TFA) - Less critical - Access bypass - SA-CONTRIB-2025-085 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2025-085
∗∗∗ Config Pages Viewer - Critical - Access bypass - SA-CONTRIB-2025-086 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2025-086
∗∗∗ Security Vulnerabilities fixed in Thunderbird 140 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-54/
∗∗∗ Security Vulnerabilities fixed in Thunderbird 128.12 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-55/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 01-07-2025 18:00 − Wednesday 02-07-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Microsoft: DNS issue blocks delivery of Exchange Online OTP codes ∗∗∗
---------------------------------------------
Microsoft is working to fix a DNS misconfiguration that is causing one-time passcode (OTP) message delivery failures in Exchange Online for some users.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-links-dns-issue-t…
∗∗∗ Touting for customers at the accident scene: Hacker sells data from emergency call system to undertakers ∗∗∗
---------------------------------------------
The emergency call data was made available in real time. It allowed the undertakers to show up early at incident scenes in order to win new customers.
---------------------------------------------
https://www.golem.de/news/kundenfang-am-unfallort-hacker-verkauft-daten-aus…
∗∗∗ C2 with dinosaurs ∗∗∗
---------------------------------------------
Attackers like to use programs that are available as open source and are typically classified as legitimate and harmless (e.g. rclone ..
---------------------------------------------
https://sec-consult.com/de/blog/detail/c2-mit-dinosauriern/
∗∗∗ chwoot: Critical Linux vulnerability makes users root on most systems ∗∗∗
---------------------------------------------
A proof-of-concept exploit is available online and works on many default installations. Admins should install the available updates quickly.
---------------------------------------------
https://www.heise.de/news/chwoot-Kritische-Linux-Luecke-macht-Nutzer-auf-de…
∗∗∗ Report: EU border system SIS II has numerous security vulnerabilities ∗∗∗
---------------------------------------------
Confidential reports reportedly flag thousands of vulnerabilities in the EU border system SIS II. The developers are fixing them too slowly.
---------------------------------------------
https://www.heise.de/news/Bericht-EU-Grenzsystem-SIS-II-mit-zahlreichen-Sic…
∗∗∗ 600,000 WordPress Sites Affected by Arbitrary File Deletion Vulnerability in Forminator WordPress Plugin ∗∗∗
---------------------------------------------
On June 20th, 2025, we received a submission for an Arbitrary File Deletion vulnerability in Forminator, a WordPress plugin with more than 600,000 active installations. This vulnerability makes it possible for unauthenticated threat actors to specify arbitrary file paths in a form submission, and the file will be deleted when the submission is deleted. It can be ..
---------------------------------------------
https://www.wordfence.com/blog/2025/07/600000-wordpress-sites-affected-by-a…
∗∗∗ Sinaloa cartel hacked the FBI to track down confidential informants ∗∗∗
---------------------------------------------
A US Department of Justice report criticizes the FBI's handling of the threat posed by surveillance technologies
---------------------------------------------
https://www.derstandard.at/story/3000000277554/sinaloa-kartell-hackte-das-f…
∗∗∗ Russian bulletproof hosting service Aeza Group sanctioned by US for ransomware work ∗∗∗
---------------------------------------------
Support for ransomware, darknet drug markets and other cybercrime activity landed the Russian company Aeza Group on the U.S. government's sanctions list, the Treasury Department said.
---------------------------------------------
https://therecord.media/russia-bulletproof-hosting-aeza-group-us-sanctions
∗∗∗ Ransomware gang attacks German charity that feeds starving children ∗∗∗
---------------------------------------------
Cybercriminals are extorting the German humanitarian aid group Welthungerhilfe (WHH) for 20 bitcoin. The charity said it will not pay.
---------------------------------------------
https://therecord.media/welthungerhilfe-german-hunger-relief-charity-ransom…
∗∗∗ Analysis of Attacks Targeting Linux SSH Servers for Proxy Installation ∗∗∗
---------------------------------------------
AhnLab Security Intelligence Center (ASEC) uses honeypots to monitor attacks targeting poorly managed Linux servers. One of the representative honeypots is an SSH service with weak credentials, which is targeted by a large ..
---------------------------------------------
https://asec.ahnlab.com/en/88749/
∗∗∗ PDFs: Portable documents, or perfect deliveries for phish? ∗∗∗
---------------------------------------------
A popular social engineering technique returns: callback phishing, or TOAD attacks, which leverage PDFs, VoIP anonymity and even QR code tricks.
---------------------------------------------
https://blog.talosintelligence.com/pdfs-portable-documents-or-perfect-deliv…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 30-06-2025 18:00 − Tuesday 01-07-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Root access for everyone: Critical sudo vulnerability endangers countless Linux systems ∗∗∗
---------------------------------------------
Researchers have discovered a dangerous security vulnerability in the command-line tool sudo. Attackers can gain root privileges with little effort.
---------------------------------------------
https://www.golem.de/news/root-zugriff-fuer-alle-kritische-sudo-luecke-gefa…
∗∗∗ Jasper Sleet: North Korean remote IT workers’ evolving tactics to infiltrate organizations ∗∗∗
---------------------------------------------
Since 2024, Microsoft Threat Intelligence has observed remote IT workers deployed by North Korea leveraging AI to improve the scale and sophistication of their operations, steal data, and generate revenue for the North Korean government.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2025/06/30/jasper-sleet-north…
∗∗∗ Vulnerability & Patch Roundup — June 2025 ∗∗∗
---------------------------------------------
Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website ..
---------------------------------------------
https://blog.sucuri.net/2025/06/vulnerability-patch-roundup-june-2025.html
∗∗∗ U.S. Agencies Warn of Rising Iranian Cyberattacks on Defense, OT Networks, and Critical Infrastructure ∗∗∗
---------------------------------------------
U.S. cybersecurity and intelligence agencies have issued a joint advisory warning of potential cyber attacks from Iranian state-sponsored or affiliated threat actors. "Over the past several months, there has been increasing activity from hacktivists ..
---------------------------------------------
https://thehackernews.com/2025/06/us-agencies-warn-of-rising-iranian.html
∗∗∗ OneClik Red Team Campaign Targets Energy Sector Using Microsoft ClickOnce and Golang Backdoors ∗∗∗
---------------------------------------------
Cybersecurity researchers have detailed a new campaign dubbed OneClik that leverages Microsoft's ClickOnce software deployment technology and bespoke Golang backdoors to compromise organizations within the energy, oil, and gas ..
---------------------------------------------
https://thehackernews.com/2025/06/oneclik-malware-targets-energy-sector.html
∗∗∗ Terrible tales of opsec oversights: How cybercrooks get themselves caught ∗∗∗
---------------------------------------------
The silly mistakes to the flagrant failures. They say that success breeds complacency, and complacency leads to failure. For cybercriminals, taking too many shortcuts when it comes to opsec delivers a little more than that.
---------------------------------------------
https://www.theregister.com/2025/07/01/terrible_tales_of_opsec_oversights/
∗∗∗ Surveillance cameras from China: Canada orders closure of Hikvision Canada ∗∗∗
---------------------------------------------
Hikvision is a Chinese company that sells surveillance technology. The group has faced criticism for years. Now Canada is shutting down its local subsidiary.
---------------------------------------------
https://www.heise.de/news/Ueberwachungskameras-aus-China-Kanada-ordnet-Schl…
∗∗∗ Chrome web browser: Security vulnerability under attack ∗∗∗
---------------------------------------------
Overnight into Tuesday, Google released an unscheduled update for the Chrome browser. One security vulnerability is already being attacked.
---------------------------------------------
https://www.heise.de/news/Chrome-Google-stopft-attackierte-Sicherheitslueck…
∗∗∗ Many security vulnerabilities closed in Dell OpenManage Network Integration ∗∗∗
---------------------------------------------
Attackers can attack Dell OpenManage Network Integration in several ways. Security updates are available.
---------------------------------------------
https://www.heise.de/news/Viele-Sicherheitsluecken-in-Dell-OpenManage-Netwo…
∗∗∗ British IT employee took revenge on former employer: Seven months in prison ∗∗∗
---------------------------------------------
Only a few hours after being dismissed, the young man launched a cyberattack and caused damage amounting to 200,000 pounds
---------------------------------------------
https://www.derstandard.at/story/3000000277498/britischer-it-angestellter-r…
∗∗∗ 50 customers of French bank hit after insider helped SIM swap scammers ∗∗∗
---------------------------------------------
French police have arrested a business student interning at the bank Société Générale who is accused of helping SIM-swapping scammers to defraud 50 of its clients.
---------------------------------------------
https://www.bitdefender.com/en-us/blog/hotforsecurity/50-customers-of-frenc…
∗∗∗ Encryption vs. Lawful Interception: EU policy news ∗∗∗
---------------------------------------------
I've commented here on this blog (or its German twin) quite a few times already on various legislative proposals on how the law enforcement agencies can keep their traditional access to the communication of suspects. See Ein paar Thesen zu aktuellen Gesetzesentwürfen (2017), Ein paar Gedanken zur „Überwachung verschlüsselter Nachrichten" (2024), Roles in ..
---------------------------------------------
https://www.cert.at/en/blog/2025/7/encryption-vs-lawful-interception-eu-pol…
∗∗∗ DOJ raids 29 ‘laptop farms’ in crackdown on N. Korean IT worker scheme ∗∗∗
---------------------------------------------
The Justice Department announced a coordinated action to disrupt a Pyongyang campaign to get North Koreans hired at U.S.-based companies.
---------------------------------------------
https://therecord.media/doj-raids-laptop-farms-crackdown
∗∗∗ International Criminal Court targeted by new ‘sophisticated’ attack ∗∗∗
---------------------------------------------
The ICC credited its “alert and response mechanisms” for “swiftly” discovering, confirming and containing a cyberattack.
---------------------------------------------
https://therecord.media/international-criminal-court-cyberattack-2025
∗∗∗ Malware in apps: Godfather 2.0 for Android; SparkKitty in app stores ∗∗∗
---------------------------------------------
A short round-up on the topic of smartphone apps with malware on board. The Android malware Godfather 2.0 is currently celebrating its comeback, or rather its success in online banking heists. In addition, security researchers ..
---------------------------------------------
https://www.borncity.com/blog/2025/06/30/malware-in-apps-godfather-2-0-fuer…
∗∗∗ What the NULL?! Wing FTP Server RCE (CVE-2025-47812) ∗∗∗
---------------------------------------------
While performing a penetration test for one of our Continuous Penetration Testing customers, we’ve found a Wing FTP server instance that allowed anonymous connections. It was almost the only interesting thing exposed, but we still wanted to get a foothold into their perimeter and provide the customer with an impactful finding. So we ..
---------------------------------------------
https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2…
∗∗∗ Django Joins curl in Pushing Back on AI Slop Security Reports ∗∗∗
---------------------------------------------
Django has updated its official security documentation with new guidance for AI-assisted vulnerability reports, responding to a rising number of submissions generated by large language models (LLMs) that cite fabricated code or non-existent features. The change was authored by Django Fellow Natalia Bidart, who helps maintain the project’s ..
---------------------------------------------
https://socket.dev/blog/django-joins-curl-in-pushing-back-on-ai-slop-securi…
∗∗∗ How hacktivist cyber operations surged amid Israeli-Iranian conflict ∗∗∗
---------------------------------------------
In June 2025, Israel carried out airstrikes against key Iranian military and nuclear facilities. Iran swiftly retaliated, escalating regional tensions to unprecedented levels. This military confrontation has not only unfolded in conventional warfare but also triggered a massive surge in cyber operations. Almost immediately after the ..
---------------------------------------------
https://outpost24.com/blog/hacktivist-cyber-operations-iran-israel/
=====================
= Vulnerabilities =
=====================
∗∗∗ XSA-470 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-470.html
∗∗∗ [R1] Nessus Version 10.8.5 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2025-13
=====================
= End-of-Day report =
=====================
Timeframe: Friday 27-06-2025 18:00 − Monday 30-06-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ Scattered Spider hackers shift focus to aviation, transportation firms ∗∗∗
---------------------------------------------
Hackers associated with Scattered Spider tactics have expanded their targeting to the aviation and transportation industries after previously attacking insurance and retail sectors.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/scattered-spider-hackers-shi…
∗∗∗ Let’s Encrypt ends certificate expiry emails to cut costs, boost privacy ∗∗∗
---------------------------------------------
Let's Encrypt has announced it will no longer notify users about imminent certificate expirations via email due to high costs, privacy concerns, and unnecessary complexities.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/lets-encrypt-ends-certificat…
∗∗∗ Unveiling RIFT: Enhancing Rust malware analysis through pattern matching ∗∗∗
---------------------------------------------
As threat actors are adopting Rust for malware development, RIFT, an open-source tool, helps reverse engineers analyze Rust malware, solving challenges in the security industry.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2025/06/27/unveiling-rift-enh…
∗∗∗ Stealthy WordPress Malware Drops Windows Trojan via PHP Backdoor ∗∗∗
---------------------------------------------
Last month, we encountered a particularly interesting and complex malware case that stood out from the usual infections we see in compromised WordPress websites. At first glance, the site looked clean, no visible signs of defacement, no malicious redirects, and nothing suspicious in the plugin list. But beneath the surface, a hidden infection chain was ..
---------------------------------------------
https://blog.sucuri.net/2025/06/stealthy-wordpress-malware-drops-windows-tr…
∗∗∗ GIFTEDCROOK Malware Evolves: From Browser Stealer to Intelligence-Gathering Tool ∗∗∗
---------------------------------------------
The threat actor behind the GIFTEDCROOK malware has made significant updates to turn the malicious program from a basic browser data stealer to a potent intelligence-gathering tool. "Recent campaigns in June 2025 demonstrate GIFTEDCROOK's enhanced ..
---------------------------------------------
https://thehackernews.com/2025/06/giftedcrook-malware-evolves-from.html
∗∗∗ IGF25: Dictators and democrats in the global South as spyware customers ∗∗∗
---------------------------------------------
Spyware such as the NSO Group's Pegasus is increasingly becoming a political problem. That was one of the findings of the Internet Governance Forum in Norway.
---------------------------------------------
https://www.heise.de/news/IGF25-Diktatoren-und-Demokraten-im-globalen-Suede…
∗∗∗ "CitrixBleed 2": Indizien für laufende Angriffe auf Sicherheitsleck ∗∗∗
---------------------------------------------
A Citrix NetScaler vulnerability nicknamed "CitrixBleed 2" is severe. Now it is apparently being attacked.
---------------------------------------------
https://www.heise.de/news/CitrixBleed-2-Indizien-fuer-laufende-Angriffe-auf…
∗∗∗ Cyber gang extorts Welthungerhilfe for 1.8 million euros ∗∗∗
---------------------------------------------
The cyber gang Rhysida broke into Welthungerhilfe and copied data. Now the perpetrators want 20 bitcoins for it.
---------------------------------------------
https://www.heise.de/news/Ransomwareattacke-auf-Welthungerhilfe-10464644.ht…
∗∗∗ Dubious debt collection demands: What to do about sudden payment reminders? ∗∗∗
---------------------------------------------
You open your e-mail inbox or your letterbox and find a letter from a debt collection company. Supposedly you have not paid an invoice, but you cannot remember having ordered anything. Unfortunately, this scenario is not uncommon. More and more consumers are reporting such dubious payment demands. We show you how you can respond.
---------------------------------------------
https://www.watchlist-internet.at/news/dubiose-inkassoschreiben-was-tun-bei…
∗∗∗ ESET Threat Report H1 2025 ∗∗∗
---------------------------------------------
A view of the H1 2025 threat landscape as seen by ESET telemetry and from the perspective of ESET threat detection and research experts
---------------------------------------------
https://www.welivesecurity.com/en/eset-research/eset-threat-report-h1-2025/
∗∗∗ Hide Your RDP: Password Spray Leads to RansomHub Deployment ∗∗∗
---------------------------------------------
This intrusion began in November 2024 with a password spray attack targeting an internet-facing RDP server. Over the course of several hours, the threat actor ..
---------------------------------------------
https://thedfirreport.com/2025/06/30/hide-your-rdp-password-spray-leads-to-…
∗∗∗ How 2 Ransomware Attacks on 2 Hospitals Led to 2 Deaths in Europe ∗∗∗
---------------------------------------------
Two deadly Ransomware Attacks on European hospitals show cybercrime now risks lives not just data with patients dying after treatment delays.
---------------------------------------------
https://hackread.com/how-ransomware-attacks-hospitals-2-deaths-in-europe/
∗∗∗ Protecting the Core: Securing Protection Relays in Modern Substations ∗∗∗
---------------------------------------------
Substations are critical nexus points in the power grid, transforming high-voltage electricity to ensure its safe and efficient delivery from power plants to millions of end-users. At the core of a modern substation lies the protection relay: an intelligent electronic device (IED) that plays a critical role in ..
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/securing-protectio…
∗∗∗ GitHub Advisory Database by the numbers: Known security vulnerabilities and what you can do about them ∗∗∗
---------------------------------------------
Use these insights to automate software security (where possible) to keep your projects safe.
---------------------------------------------
https://github.blog/security/github-advisory-database-by-the-numbers-known-…
∗∗∗ Ultimate Guide to API Pentesting: Hacking APIs for better Security ∗∗∗
---------------------------------------------
API Pentesting, or Application Programming Interface Penetration Testing, is the process of simulating real-world attacks against APIs to uncover vulnerabilities, misconfigurations, and flaws that could be exploited by malicious actors. Unlike traditional web applications, APIs are designed to be consumed by machines—often exposing ..
---------------------------------------------
https://fortbridge.co.uk/research/ultimate-guide-to-api-pentesting-hacking-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (mod_proxy_cluster), Debian (catdoc, chromium, nagvis, and sudo), Fedora (chromium, gum, kubernetes1.32, moodle, podman, python3-docs, python3.13, salt, and tigervnc), Mageia (x11-server, x11-server-xwayland & tigervnc), Oracle (apache-commons-beanutils, exiv2, expat, firefox, git, git-lfs, gstreamer1-plugins-bad-free, ipa, java-21-openjdk, kea, kernel, libarchive, libblockdev, libsoup3, libvpx, libxslt, mod_auth_openidc, nodejs22, ..
---------------------------------------------
https://lwn.net/Articles/1027769/
∗∗∗ Marvell QConvergeConsole: Multiple 0Day Vulnerabilities ∗∗∗
---------------------------------------------
https://www.zerodayinitiative.com/advisories/published/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 26-06-2025 18:00 − Friday 27-06-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Critical Open VSX Registry Flaw Exposes Millions of Developers to Supply Chain Attacks ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed a critical vulnerability in the Open VSX Registry ("open-vsx[.]org") that, if successfully exploited, could have enabled attackers to take control of the entire Visual Studio Code extensions marketplace, posing a severe supply chain risk. [..] Following responsible disclosure on May 4, 2025, multiple rounds of fixes were proposed by the maintainers, before a final patch was deployed on June 25.
---------------------------------------------
https://thehackernews.com/2025/06/critical-open-vsx-registry-flaw-exposes.h…
∗∗∗ What if Microsoft just turned you off? Security pro counts the cost of dependency ∗∗∗
---------------------------------------------
Czech developer and pen-tester Miloslav Homer has an interesting take on reducing an organization's exposure to security risks. In an article headlined "Microsoft dependency has risks," he extends the now familiar arguments in favor of improving digital sovereignty, and reducing dependence on American cloud services. The argument is quite long but closely reasoned.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/06/26/cost_of_micr…
∗∗∗ Act now: Secure Boot certificates expire in June 2026 ∗∗∗
---------------------------------------------
Prepare for the first global large-scale certificate update to Secure Boot. The Microsoft certificates used in Secure Boot are the basis of trust for operating system security, and all will be expiring beginning June 2026. The way to automatically get timely updates to new certificates for supported Windows systems is to let Microsoft manage your Windows updates, which include Secure Boot. [..] If you haven't yet, begin evaluating options and start preparing for the rollout of updated certificates across your organization in the coming months.
---------------------------------------------
https://techcommunity.microsoft.com/blog/windows-itpro-blog/act-now-secure-…
∗∗∗ Fake DocuSign email hides tricky phishing attempt ∗∗∗
---------------------------------------------
On my daily rounds, I encountered a phishing attempt that used a not completely unusual, yet clever delivery method. What began as a seemingly routine DocuSign notification turned into a multi-layered deception involving Webflow, a shady redirect, and a legitimate Google login page.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2025/06/fake-docusign-email-hides-tr…
∗∗∗ Rent outstanding? Beware: Phishing e-mail ∗∗∗
---------------------------------------------
Criminals are using e-mails to demand supposedly outstanding rent payments. At the same time, they are trying to get the destination account for future transfers changed. We show how best to respond to such a phishing message.
---------------------------------------------
https://www.watchlist-internet.at/news/miete-ausstaendig-phishing/
∗∗∗ SafePay ransomware: What you need to know ∗∗∗
---------------------------------------------
SafePay is a relatively new ransomware threat that was first observed around September 2024. [..] A recently published threat report released by security experts at NCC Group revealed that SafePay was currently the most active ransomware group. In the month of May 2025 alone, 70 ransomware attacks were linked to SafePay, accounting for 18% of the total.
---------------------------------------------
https://www.fortra.com/blog/safepay-ransomware-what-you-need-know
∗∗∗ Attacks on remote management vulnerability in servers from HPE, Lenovo and others ∗∗∗
---------------------------------------------
Attackers are exploiting several security vulnerabilities in the wild, warns the US cybersecurity agency CISA. The most dangerous are ongoing attacks on the remote management firmware in AMI MegaRAC, which is found in servers from Asus, Asrock Rack, HPE and Lenovo, among others. [..] The vulnerability in the AMI MegaRAC remote management firmware that is already under attack became known in mid-March.
---------------------------------------------
https://heise.de/-10461788
∗∗∗ Phishing wave: Scammers pose as PayPal ∗∗∗
---------------------------------------------
Criminals are currently once again posing as PayPal on the phone and claiming that large transfers are about to be made.
---------------------------------------------
https://heise.de/-10462478
∗∗∗ Microsoft kicks antivirus software out of the Windows kernel ∗∗∗
---------------------------------------------
Microsoft does not want to go through another CrowdStrike experience. That is why antivirus software is now being removed from the Windows kernel. [..] Next month, Microsoft plans to distribute a preview of the Windows Endpoint Security Platform to some MVI partners. It allows them to build their IT security solutions so that they run outside the Windows kernel. Software such as antivirus and endpoint protection will then reside in user mode, just like normal apps.
---------------------------------------------
https://heise.de/-10462538
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (freeradius and icu), Fedora (clamav, glow, libssh, perl-Crypt-OpenSSL-RSA, perl-CryptX, podman, trafficserver, and xorg-x11-server), Mageia (gdk-pixbuf2.0 and thunderbird), Red Hat (osbuild-composer and weldr-client), SUSE (afterburn, google-osconfig-agent, libblockdev, pam, python-tornado6, screen, and yelp-xsl), and Ubuntu (libxslt and python-pip).
---------------------------------------------
https://lwn.net/Articles/1027251/
∗∗∗ Mitsubishi Electric Air Conditioning Systems ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-177-01
∗∗∗ TrendMakers Sight Bulb Pro ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-177-02
∗∗∗ f5: K000152189: Intel BIOS vulnerability CVE-2022-21233 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000152189
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 25-06-2025 18:00 − Thursday 26-06-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ Ubuntu disables Intel GPU security mitigations, promises 20% performance boost ∗∗∗
---------------------------------------------
Spectre, you may recall, came to public notice in 2018. Spectre attacks are based on the observation that performance enhancements built into modern CPUs open a side channel that can leak secrets a CPU is processing. The performance enhancement, known as speculative execution, predicts future instructions a CPU might receive and then performs the corresponding tasks before they are even called. If the instructions never come, the CPU discards the work it performed. When the prediction is correct, the CPU has already completed the task.
---------------------------------------------
https://arstechnica.com/security/2025/06/ubuntu-disables-intel-gpu-security…
∗∗∗ New wave of ‘fake interviews’ use 35 npm packages to spread malware ∗∗∗
---------------------------------------------
A new wave of North Korea's 'Contagious Interview' campaign is targeting job seekers with malicious npm packages that infect developers' devices with infostealers and backdoors.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-wave-of-fake-interviews-…
∗∗∗ Hackers abuse Microsoft ClickOnce and AWS services for stealthy attacks ∗∗∗
---------------------------------------------
A sophisticated malicious campaign that researchers call OneClik has been leveraging Microsoft’s ClickOnce software deployment tool and custom Golang backdoors to compromise organizations within the energy, oil, and gas sectors.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/oneclik-attacks-use-microsof…
∗∗∗ Hackers turn ScreenConnect into malware using Authenticode stuffing ∗∗∗
---------------------------------------------
Threat actors are abusing the ConnectWise ScreenConnect installer to build signed remote access malware by modifying hidden settings within the client's Authenticode signature.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-turn-screenconnect-i…
∗∗∗ CISA is Shrinking: What Does it Mean for Cyber? ∗∗∗
---------------------------------------------
Today we are going to focus on the slimmed down profile of the Cybersecurity and Infrastructure Security Agency (CISA) under the new administration. We want to know what that means practically to cybersecurity teams. We want to explore the cost of having less coming out of CISA, and any opportunities the federal government shakeup might present for business.
---------------------------------------------
https://www.darkreading.com/cybersecurity-operations/cisa-is-shrinking-what…
∗∗∗ Taming Agentic AI Risks Requires Securing Non-Human Identities ∗∗∗
---------------------------------------------
From service accounts and Web application programming interfaces (APIs) to serverless applications and now artificial intelligence (AI) agents, the landscape of non-human identities is quickly becoming more complex. Companies are struggling to monitor and manage machine identities with security controls.
---------------------------------------------
https://www.darkreading.com/cybersecurity-operations/taming-agentic-ai-risk…
∗∗∗ RedirectionGuard: Mitigating unsafe junction traversal in Windows ∗∗∗
---------------------------------------------
As attackers continue to evolve, Microsoft is committed to staying ahead by not only responding to vulnerabilities, but also by anticipating and mitigating entire classes of threats. One such threat, filesystem redirection attacks, has been a persistent vector for privilege escalation. In response, we’ve developed and deployed a new mitigation in Windows 11 called RedirectionGuard. This blog outlines how RedirectionGuard proactively closes off a major attack surface by preventing unsafe junction traversal, reinforcing our commitment to secure-by-design-principles and reducing the burden on developers and defenders.
---------------------------------------------
https://msrc.microsoft.com/blog/2025/06/redirectionguard-mitigating-unsafe-…
∗∗∗ The Case of Hidden Spam Pages ∗∗∗
---------------------------------------------
Spammy posts and pages being placed on WordPress websites is one of the most common infections that we come across. The reason is that the attack is very low-level in terms of sophistication: all that is required of the attacker is to brute force their way into the wp-admin panel; from there they just have their scripts/bots post spam posts and pages, effectively achieving a blackhat SEO attack. Since an out-of-the-box WordPress website contains no protection on admin access other than a password (with no limit on the number of failed login attempts), and the admin users can often be discovered via enumeration, this remains a very popular type of spam infection on the platform.
---------------------------------------------
https://blog.sucuri.net/2025/06/the-case-of-hidden-spam-pages.html
∗∗∗ nOAuth Vulnerability Still Affects 9% of Microsoft Entra SaaS Apps Two Years After Discovery ∗∗∗
---------------------------------------------
New research has uncovered continued risk from a known security weakness in Microsoft's Entra ID, potentially enabling malicious actors to achieve account takeovers in susceptible software-as-a-service (SaaS) applications. Identity security company Semperis, in an analysis of 104 SaaS applications, found nine of them to be vulnerable to Entra ID cross-tenant nOAuth abuse.
---------------------------------------------
https://thehackernews.com/2025/06/noauth-vulnerability-still-affects-9-of.h…
∗∗∗ Sextortion: Inflation-hit scammers raise their demands ∗∗∗
---------------------------------------------
IT security researchers are observing price increases in current scams using sextortion e-mails. Apparently the scammers are also hit by inflation and need more money.
---------------------------------------------
https://www.heise.de/news/Sextortion-Inflationsgebeutelte-Betrueger-erhoehe…
∗∗∗ Outdated Routers: The Hidden Threat to Network Security, FBI Warns ∗∗∗
---------------------------------------------
The FBI recently warned that malicious actors are targeting end-of-life (EOL) routers (network devices that manufacturers no longer support or update). These outdated routers are being hijacked by bad actors who use them as a stepping stone into networks, turning them into cybercriminal proxies. The threat is real, and it’s growing.
---------------------------------------------
https://www.tripwire.com/state-of-security/outdated-routers-hidden-threat-n…
∗∗∗ How we turned a real car into a Mario Kart controller by intercepting CAN data ∗∗∗
---------------------------------------------
The PTP hack car is a second-hand 2016 Renault Clio that was bought because it was relatively cheap, was recent enough to feature an ‘eCall’ telematics module, small enough to fit in the garage attached to our lab and was local. It is used by our team to experiment and mess around with automotive testing on a real vehicle. It also uses a mixture of CAN and LIN for different components.
---------------------------------------------
https://www.pentestpartners.com/security-blog/how-we-turned-a-real-car-into…
∗∗∗ Fake requests to change the salary account in the name of employees! ∗∗∗
---------------------------------------------
Anyone who receives an unexpected e-mail from an employee asking for the bank details of their salary account to be changed should be particularly alert. Criminals may be behind it, impersonating real employees in order to divert salary payments to their own account.
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschte-anfragen-zur-aenderung-d…
∗∗∗ Common SCCM Misconfigurations Leading to Privilege Escalation ∗∗∗
---------------------------------------------
We often find that in environments that have a tiered model and use SCCM, there are plenty of misconfigurations which can be exploited. System Center Configuration Manager (SCCM), now known as Microsoft Configuration Manager (ConfigMgr), is a systems management platform used for deploying software, managing updates, and enforcing configuration settings across large numbers of Windows devices.
---------------------------------------------
https://www.truesec.com/hub/blog/sccm-tier-killer
∗∗∗ Decrement by one to rule them all: AsIO3.sys driver exploitation ∗∗∗
---------------------------------------------
Armory Crate and AI Suite are applications used to manage and monitor ASUS motherboards and related components such as the processor, RAM or the increasingly popular RGB lighting. These types of applications often install drivers in the system, which are necessary for direct communication with hardware to configure settings or retrieve critical parameters such as CPU temperature, fan speeds and firmware updates. Therefore, it is critical to ensure that drivers are well-written with security in mind and designed such that access to the driver interfaces is limited only to certain services and administrators.
---------------------------------------------
https://blog.talosintelligence.com/decrement-by-one-to-rule-them-all/
=====================
= Vulnerabilities =
=====================
∗∗∗ WinRAR patches bug letting malware launch from extracted archives ∗∗∗
---------------------------------------------
WinRAR has addressed a directory traversal vulnerability tracked as CVE-2025-6218 that, under certain circumstances, allows malware to be executed after extracting a malicious archive.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/winrar-patches-bug-letting-m…
∗∗∗ Hundreds of models affected: partly unpatchable vulnerabilities discovered in Brother printers ∗∗∗
---------------------------------------------
Security researchers from Rapid7 examined numerous multifunction printers for possible security vulnerabilities. They found a total of eight vulnerabilities in 748 different scanner and printer models. 689 of these models belong to the manufacturer Brother alone, which was the focus of the investigation. But some devices from Fujifilm (46), Konica Minolta (6), Ricoh (5) and Toshiba (2) are also affected. At least one of the eight vulnerabilities apparently cannot easily be patched via firmware.
---------------------------------------------
https://www.golem.de/news/hunderte-modelle-betroffen-teils-unpatchbare-luec…
∗∗∗ Citrix Releases Emergency Patches for Actively Exploited CVE-2025-6543 in NetScaler ADC ∗∗∗
---------------------------------------------
Citrix has released security updates to address a critical flaw affecting NetScaler ADC that it said has been exploited in the wild. The vulnerability, tracked as CVE-2025-6543, carries a CVSS score of 9.2 out of a maximum of 10.0.
---------------------------------------------
https://thehackernews.com/2025/06/citrix-releases-emergency-patches-for.html
∗∗∗ ZDI-25-424: Mikrotik RouterOS VXLAN Source IP Improper Access Control Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to bypass access restrictions on affected installations of Mikrotik RouterOS. Authentication is not required to exploit this vulnerability. The following CVEs are assigned: CVE-2025-6443.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-424/
∗∗∗ Cisco Identity Services Engine Unauthenticated Remote Code Execution Vulnerabilities ∗∗∗
---------------------------------------------
Multiple vulnerabilities in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an unauthenticated, remote attacker to issue commands on the underlying operating system as the root user.
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Notepad++ Vulnerability Allows Full System Takeover — PoC Released ∗∗∗
---------------------------------------------
A critical privilege escalation vulnerability (CVE-2025-49144) in Notepad++ v8.8.1 enables attackers to achieve full system control through a supply-chain attack. The flaw exploits the installer’s insecure search path behavior, allowing unprivileged users to escalate privileges to NT AUTHORITY\SYSTEM with minimal user interaction. This marks one of the most severe vulnerabilities discovered in the popular text editor, with proof-of-concept (PoC) exploitation materials now publicly available.
---------------------------------------------
https://gbhackers.com/notepad-vulnerability/
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr and libxml2), Fedora (firefox, libtpms, and tigervnc), Mageia (chromium-browser-stable and nss & firefox), Oracle (emacs, iputils, kernel, krb5, libarchive, mod_proxy_cluster, pam, perl-File-Find-Rule, perl-YAML-LibYAML, and qt5-qtbase), Red Hat (opentelemetry-collector, osbuild-composer, and weldr-client), SUSE (clamav, firefox, go1.24-openssl, and helm), and Ubuntu (libarchive, linux-azure, linux-azure-5.4, linux-azure-fips, linux-fips, linux-azure-nvidia, linux-oracle, linux-oracle-6.8, linux-raspi, linux-raspi-realtime, linux-xilinx-zynqmp, and python-urllib3).
---------------------------------------------
https://lwn.net/Articles/1027082/
∗∗∗ Security Advisory: Airoha-based Bluetooth Headphones and Earbuds ∗∗∗
---------------------------------------------
During our research on Bluetooth headphones and earbuds, we identified several vulnerabilities in devices that incorporate Airoha Systems on a Chip (SoCs). In this blog post, we briefly want to describe the vulnerabilities, point out their impact and provide some context to currently running patch delivery processes as described at this year’s TROOPERS Conference. Airoha is a vendor that, amongst other things, builds Bluetooth SoCs and offers reference designs and implementations incorporating these chips. They have become a large supplier in the Bluetooth audio space, especially in the area of True Wireless Stereo (TWS) earbuds. Several reputable headphone and earbud vendors have built products based on Airoha’s SoCs and reference implementations using Airoha’s Software Development Kit (SDK).
---------------------------------------------
https://insinuator.net/2025/06/airoha-bluetooth-security-vulnerabilities/
∗∗∗ Drupal Security Advisories 2025-June-25 ∗∗∗
---------------------------------------------
https://www.drupal.org/security
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 24-06-2025 18:00 − Wednesday 25-06-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Sonicwall warns of malware-infected fake NetExtender app ∗∗∗
---------------------------------------------
A version of the VPN application NetExtender manipulated by cybercriminals is currently in circulation. [..] To find out whether the fake version is installed, open the properties of the NetExtender executable and check the "Digital Signature". If it reads "CITYLIGHT MEDIA PRIVATE LIMITED", it is the infected version and admins should delete it immediately.
---------------------------------------------
https://www.heise.de/news/Sonicwall-warnt-vor-mit-Schadcode-verseuchter-Fak…
∗∗∗ Microsoft: Update extension for Windows 10 for consumers specified ∗∗∗
---------------------------------------------
Microsoft had announced a support extension for Windows 10 consumers. Now there is information on it: it is even available free of charge. [..] Whether the Windows Backup option can really be considered free depends heavily on how much data Microsoft pushes to the cloud storage. [..] Here, those interested pay with their data.
---------------------------------------------
https://heise.de/-10458519
∗∗∗ Citrix Bleed part 2: vulnerability CVE-2025-5777 expands ∗∗∗
---------------------------------------------
As of 23 June 2025, the description of CVE-2025-5777 was apparently updated. As of 17 June 2025 it still said that the "Netscaler Management Interface" should not be exposed to the Internet because of the vulnerability. As of 23 June 2025, the reference to the Netscaler Management Interface has been dropped (this can be looked up under CVE-2025-5777 by clicking the "show changes" link under "Change History" at the bottom of the page).
---------------------------------------------
https://www.borncity.com/blog/2025/06/25/citrix-bleed-teil-2-schwachstelle-…
∗∗∗ Surge in MOVEit Transfer Scanning Could Signal Emerging Threat Activity ∗∗∗
---------------------------------------------
GreyNoise has identified a notable surge in scanning activity targeting MOVEit Transfer systems, beginning on May 27, 2025.
---------------------------------------------
https://www.greynoise.io/blog/surge-moveit-transfer-scanning-activity
∗∗∗ Dire Wolf Strikes: New Ransomware Group Targeting Global Sectors ∗∗∗
---------------------------------------------
Dire Wolf is a newly emerged ransomware group first observed in May 2025 and Trustwave SpiderLabs recently uncovered a Dire Wolf ransomware sample that revealed for the first time key details about how the ransomware operates.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/dire-wolf-s…
∗∗∗ Cybercriminal abuse of large language models ∗∗∗
---------------------------------------------
Cybercriminals are increasingly gravitating towards uncensored LLMs, cybercriminal-designed LLMs and jailbreaking legitimate LLMs. [..] As AI technology continues to develop, Cisco Talos expects cybercriminals to continue adopting LLMs to help streamline their processes, write tools/scripts that can be used to compromise users and generate content that can more easily bypass defenses. This new technology doesn’t necessarily arm cybercriminals with completely novel cyber weapons, but it does act as a force multiplier, enhancing and improving familiar attacks.
---------------------------------------------
https://blog.talosintelligence.com/cybercriminal-abuse-of-large-language-mo…
∗∗∗ What LLMs Know About Their Users ∗∗∗
---------------------------------------------
Simon Willison talks about ChatGPT’s new memory dossier feature. In his explanation, he illustrates how much the LLM—and the company—knows about its users.
---------------------------------------------
https://www.schneier.com/blog/archives/2025/06/what-llms-know-about-their-u…
∗∗∗ Small figures, big hype: criminals increasingly lure victims into Labubu fake shops ∗∗∗
---------------------------------------------
Their worldwide success is attracting more and more scammers. We are talking about Labubu figures. Fake shops lure with supposed bargains, but in reality serve the criminals only as a vehicle to skim their victims' sensitive data and take their money.
---------------------------------------------
https://www.watchlist-internet.at/news/labubu-fake-shops/
∗∗∗ Post-Quantum Cryptography Implementation Enterprise-Readiness Analysis ∗∗∗
---------------------------------------------
Explore how enterprises are adopting post-quantum cryptography (PQC) using OpenSSL 3.5, hybrid TLS, and NIST-approved algorithms like Kyber and Dilithium. Learn about PQC implementation strategies, compliance timelines, tooling, and real-world deployments by Microsoft, Meta, Red Hat, and others preparing for quantum-safe encryption.
---------------------------------------------
https://www.darknet.org.uk/2025/06/post-quantum-cryptography-implementation…
∗∗∗ The Anatomy of a Business Email Compromise Attack ∗∗∗
---------------------------------------------
BEC attacks almost always start with an Email Account Compromise (EAC) – in other words, an attacker gets control of someone’s email inbox.
---------------------------------------------
https://www.truesec.com/hub/blog/the-anatomy-of-a-business-email-compromise…
=====================
= Vulnerabilities =
=====================
∗∗∗ Admin attacks on HPE OneView for VMware vCenter possible ∗∗∗
---------------------------------------------
The vulnerability listed in a security advisory (CVE-2025-37101, "high") can enable attackers with read permissions to execute commands as admins. How such an attack could proceed in detail and whether attackers are already exploiting the vulnerability is currently not known.
---------------------------------------------
https://www.heise.de/news/Admin-Attacken-auf-HPE-OneView-fuer-VMware-vCente…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (commons-beanutils, dcmtk, nginx, trafficserver, and xorg-server), Fedora (atuin, awatcher, dotnet8.0, firefox, glibc, gotify-desktop, keylime-agent-rust, libtpms, mirrorlist-server, qt6-qtbase, qt6-qtimageformats, udisks2, xorg-x11-server, and xorg-x11-server-Xwayland), Mageia (apache-mod_security, clamav, docker, python-django, tomcat, udisks2, and yarnpkg), Oracle (firefox, libblockdev, mod_auth_openidc, perl-FCGI, perl-YAML-LibYAML, tigervnc, and xorg-x11-server and xorg-x11-server-Xwayland), Slackware (libssh and mozilla), SUSE (gimp, gstreamer-plugins-good, icu, ignition, kernel, pam-config, perl-File-Find-Rule, python311, and webkit2gtk3), and Ubuntu (linux, linux-aws, linux-aws-6.8, linux-gke, linux-gkeop, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oem-6.8, linux, linux-gcp, linux-raspi, linux-realtime, linux-aws, linux-azure, linux-azure, linux-azure-6.8, linux-azure-5.15, linux-azure-fips, and linux-realtime).
---------------------------------------------
https://lwn.net/Articles/1026848/
∗∗∗ TeamViewer: Incorrect Permission Assignment for Critical Resource in TeamViewer Remote Management ∗∗∗
---------------------------------------------
Incorrect Permission Assignment for Critical Resource in the TeamViewer Client (Full and Host) of TeamViewer Remote and Tensor prior to Version 15.67 (and additional versions listed below) on Windows allows a local unprivileged user to trigger arbitrary file deletion with SYSTEM privileges by leveraging the MSI rollback mechanism. To exploit this vulnerability, an attacker needs local access to the Windows system. CVE-2025-36537
---------------------------------------------
https://www.teamviewer.com/de/resources/trust-center/security-bulletins/tv-…
∗∗∗ Parsons AccuWeather Widget ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-175-06
∗∗∗ Kaleris Navis N4 Terminal Operating System ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-175-01
∗∗∗ Delta Electronics CNCSoft ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-175-02
∗∗∗ MICROSENS NMP Web+ ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-175-07
∗∗∗ ControlID iDSecure On-Premises ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-175-05
∗∗∗ f5: K000152048: Dnsmasq vulnerability CVE-2019-14834 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000152048
=====================
= End-of-Day report =
=====================
Timeframe: Monday 23-06-2025 18:00 − Tuesday 24-06-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Effects of the military conflict between Israel and Iran on Austria ∗∗∗
---------------------------------------------
Available analyses by international authorities and security companies have recorded increased activity by threat actors from all parties to the conflict since the start of the current military confrontation between Israel and Iran. [..] According to our observations so far, there have not yet been any direct attacks on, or effects for, local companies or organisations.
---------------------------------------------
https://www.cert.at/de/aktuelles/2025/6/auswirkungen
∗∗∗ FileFix attack weaponizes Windows File Explorer for stealthy commands ∗∗∗
---------------------------------------------
A cybersecurity researcher has developed FileFix, a variant of the ClickFix social engineering attack that tricks users into executing malicious commands via the File Explorer address bar in Windows.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/filefix-attack-weaponizes-wi…
∗∗∗ Police mobile phones unusable since cyberattack ∗∗∗
---------------------------------------------
An attack on the service mobile phones of the police in Mecklenburg-Vorpommern could have greater consequences than assumed. The phones are currently not in use.
---------------------------------------------
https://heise.de/-10456563
∗∗∗ BSI warns: fewer and fewer people use 2FA and secure passwords ∗∗∗
---------------------------------------------
A new BSI study shows a worrying trend. Despite the high threat level, people are behaving more and more carelessly online.
---------------------------------------------
https://www.golem.de/news/bsi-warnt-immer-weniger-menschen-nutzen-2fa-und-s…
∗∗∗ Remote code execution in CentOS Web Panel - CVE-2025-48703 ∗∗∗
---------------------------------------------
This exploitation scenario has been tested on versions 0.9.8.1204 and 0.9.8.1188 on Centos7 and was reported to the CWP developers on the 13th of May 2025 as CVE-2025-48703. It allows a remote attacker who knows a valid username on a CWP instance to execute pre-authenticated arbitrary commands on the server. The vulnerability has been patched in the latest version 0.9.8.1205 during June 2025.
---------------------------------------------
https://fenrisk.com/rce-centos-webpanel
∗∗∗ The State of Ransomware 2025 ∗∗∗
---------------------------------------------
Explore the causes and consequences of ransomware in 2025 based on findings from a vendor-agnostic survey of 3,400 organizations hit by ransomware in the last year.
---------------------------------------------
https://news.sophos.com/en-us/2025/06/24/the-state-of-ransomware-2025/
∗∗∗ Echo Chamber Jailbreak Tricks LLMs Like OpenAI and Google into Generating Harmful Content ∗∗∗
---------------------------------------------
Cybersecurity researchers are calling attention to a new jailbreaking method called Echo Chamber that could be leveraged to trick popular large language models (LLMs) into generating undesirable responses, irrespective of the safeguards put in place.
---------------------------------------------
https://thehackernews.com/2025/06/echo-chamber-jailbreak-tricks-llms-like.h…
∗∗∗ Hackers Exploit Misconfigured Docker APIs to Mine Cryptocurrency via Tor Network ∗∗∗
---------------------------------------------
Misconfigured Docker instances are the target of a campaign that employs the Tor anonymity network to stealthily mine cryptocurrency in susceptible environments.
---------------------------------------------
https://thehackernews.com/2025/06/hackers-exploit-misconfigured-docker.html
∗∗∗ A Deep Dive into a Modular Malware Family ∗∗∗
---------------------------------------------
In today’s blog post we highlighted an interesting malware family targeting various systems with diverse capabilities, including stealing credit card information and WordPress credentials. Additionally, we detailed a novel bundle of credit card skimmers and malicious WordPress plugins which combines malicious actions with features developed for the attacker’s convenience.
---------------------------------------------
https://www.wordfence.com/blog/2025/06/a-deep-dive-into-a-modular-malware-f…
=====================
= Vulnerabilities =
=====================
∗∗∗ Splunk Security Advisories 2025-06-23 ∗∗∗
---------------------------------------------
Splunk released 4 security advisories (1x critical).
---------------------------------------------
https://advisory.splunk.com//advisories
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (dns-root-data and xorg-server), Fedora (glibc, mingw-glib2, and optipng), Red Hat (iputils, kernel, kernel-rt, krb5, libarchive, mod_auth_openidc, mod_proxy_cluster, and xorg-x11-server-Xwayland), SUSE (python313), and Ubuntu (fig2dev, gnuplot, gss-ntlmssp, linux, linux-gcp, linux-gke, linux-gkeop, linux-ibm, linux-kvm, linux-lowlatency, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-igx, linux-oracle, linux-aws-5.15, linux-gcp-5.15, linux-ibm-5.15, linux-lowlatency-hwe-5.15, linux-oracle-5.15, linux-aws-fips, linux-fips, linux-gcp-fips, linux-hwe-5.15, and linux-intel-iot-realtime, linux-realtime).
---------------------------------------------
https://lwn.net/Articles/1026646/
∗∗∗ Kanboard: security vulnerability enables account takeover ∗∗∗
---------------------------------------------
In the open-source Kanban tool Kanboard, attackers can forge links that lead to account takeover. [..] The Kanboard developers provide updated sources and also Docker containers; they link them in the release notes and discuss the Docker update.
---------------------------------------------
https://heise.de/-10457116
∗∗∗ Mozilla Firefox June 24, 2025 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/
∗∗∗ f5: K000151924: runc vulnerability CVE-2024-45310 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000151924
∗∗∗ Case update: DIVD-2025-00032 - Unauthenticated Arbitrary Remote Code Execution in Pterodactyl ∗∗∗
---------------------------------------------
https://csirt.divd.nl/cases/DIVD-2025-00032/
=====================
= End-of-Day report =
=====================
Timeframe: Friday 20-06-2025 18:00 − Monday 23-06-2025 18:00
Handler: Felician Fuchs
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ WordPress Motors theme flaw mass-exploited to hijack admin accounts ∗∗∗
---------------------------------------------
Hackers are exploiting a critical privilege escalation vulnerability in the WordPress theme "Motors" to hijack administrator accounts and gain complete control of a targeted site.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/wordpress-motors-theme-flaw-…
∗∗∗ Canada says Salt Typhoon hacked telecom firm via Cisco flaw ∗∗∗
---------------------------------------------
The Canadian Centre for Cyber Security and the FBI confirm that the Chinese state-sponsored Salt Typhoon hacking group is also targeting Canadian telecommunication firms, breaching a telecom provider in February.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/canada-says-salt-typhoon-hac…
∗∗∗ ConnectUnwise: Threat actors abuse ConnectWise as builder for signed malware ∗∗∗
---------------------------------------------
Since March 2025 there has been a noticeable increase in infections and fake applications using validly signed ConnectWise samples. We reveal how bad signing practices allow threat actors to abuse this legitimate software to build and distribute their own signed malware and what security vendors can do to detect them.
---------------------------------------------
https://www.gdatasoftware.com/blog/2025/06/38218-connectwise-abuse-malware
∗∗∗ SparkKitty, SparkCat’s little brother: A new Trojan spy found in the App Store and Google Play ∗∗∗
---------------------------------------------
SparkKitty, a new Trojan spy for iOS and Android, spreads through untrusted websites, the App Store, and Google Play, stealing images from users' galleries.
---------------------------------------------
https://securelist.com/sparkkitty-ios-android-malware/116793/
∗∗∗ Qilin Ransomware Adds "Call Lawyer" Feature to Pressure Victims for Larger Ransoms ∗∗∗
---------------------------------------------
The threat actors behind the Qilin ransomware-as-a-service (RaaS) scheme are now offering legal counsel for affiliates to put more pressure on victims to pay up, as the cybercrime group intensifies its activity and tries to fill the void left by its rivals. The new feature takes the form of a "Call Lawyer" feature on the affiliate panel, per Israeli cybersecurity company Cybereason.
---------------------------------------------
https://thehackernews.com/2025/06/qilin-ransomware-adds-call-lawyer.html
∗∗∗ Google Adds Multi-Layered Defenses to Secure GenAI from Prompt Injection Attacks ∗∗∗
---------------------------------------------
Google has revealed the various safety measures that are being incorporated into its generative artificial intelligence (AI) systems to mitigate emerging attack vectors like indirect prompt injections and improve the overall security posture for agentic AI systems.
---------------------------------------------
https://thehackernews.com/2025/06/google-adds-multi-layered-defenses-to.html
∗∗∗ XDigo Malware Exploits Windows LNK Flaw in Eastern European Government Attacks ∗∗∗
---------------------------------------------
Cybersecurity researchers have uncovered a Go-based malware called XDigo that has been used in attacks targeting Eastern European governmental entities in March 2025. The attack chains are said to have leveraged a collection of Windows shortcut (LNK) files as part of a multi-stage procedure to deploy the malware, French cybersecurity company HarfangLab said.
---------------------------------------------
https://thehackernews.com/2025/06/xdigo-malware-exploits-windows-lnk-flaw.h…
∗∗∗ Record DDoS attack at 7.3 TBit/s ∗∗∗
---------------------------------------------
In mid-May, Cloudflare blocked the "largest ever recorded" denial-of-service (DDoS) attack, at a previously barely conceivable 7.3 terabits per second (TBit/s). The US provider of IT security and internet performance solutions announced this on Friday.
---------------------------------------------
https://www.heise.de/news/Junk-Traffic-Flut-Rekord-DDoS-Angriff-auf-Provide…
∗∗∗ Fake reminder SMS in the name of the Ministry of Finance! ∗∗∗
---------------------------------------------
There is currently a phishing wave of purported SMS messages from the Federal Ministry of Finance (BMF). They claim that a garnishment is imminent because several payment reminders were allegedly ignored. Attention: do not pay this demand! The message does not come from the Ministry of Finance, and your money ends up with criminals.
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschte-mahn-sms-im-namen-des-fi…
∗∗∗ New Detection Method Uses Hackers’ Own Jitter Patterns Against Them ∗∗∗
---------------------------------------------
A new detection method from Varonis Threat Labs turns hackers' sneaky random patterns into a way to catch hidden cyberattacks. Learn about Jitter-Trap and how it boosts cybersecurity defenses.
---------------------------------------------
https://hackread.com/cyber-detection-hackers-jitter-patterns-against-them/
∗∗∗ Report Warns of Sophisticated DDoS Campaigns Crippling Global Banks ∗∗∗
---------------------------------------------
A new FS-ISAC and Akamai report warns that sophisticated DDoS attacks are severely impacting the global financial sector, leading to multi-day outages. Learn about these evolving threats and how institutions can strengthen defences.
---------------------------------------------
https://hackread.com/sophisticated-ddos-campaigns-crippling-global-banks/
∗∗∗ More security, less manual work: AWS brings AI security ∗∗∗
---------------------------------------------
Security Hub, Shield and GuardDuty XTD get new features: with a specially trained AI, AWS wants to speed up important security measures.
---------------------------------------------
https://heise.de/-10455859
∗∗∗ Ukrainian Government Systems Targeted With Backdoors Hidden in Cloud APIs and Docs ∗∗∗
---------------------------------------------
Russia-linked hackers are back at it again, this time with upgraded tools and a stealthier playbook targeting Ukrainian government systems.
---------------------------------------------
https://thecyberexpress.com/ukrainian-government-systems-targeted/
=====================
= Vulnerabilities =
=====================
∗∗∗ Opening is enough: Winrar flaw lets attackers execute malicious code ∗∗∗
---------------------------------------------
The developer of Winrar has closed a dangerous security vulnerability in its widely used archiving program that allows attackers to execute their own code on other people's systems. So far the patch appears to be included only in the beta version Winrar 7.12 Beta 1, released on 10 June.
---------------------------------------------
https://www.golem.de/news/packprogramm-winrar-schwachstelle-ermoeglicht-aus…
∗∗∗ IBM QRadar SIEM: auto-update files can be contaminated with malicious code ∗∗∗
---------------------------------------------
Attackers can exploit several security vulnerabilities in IBM QRadar SIEM and, in the worst case, execute malicious code. A security patch closes several of these gaps.
---------------------------------------------
https://www.heise.de/news/IBM-QRadar-SIEM-Autoupdate-Dateien-mit-Schadcode-…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (libblockdev and open-vm-tools), Debian (debian-security-support, gdk-pixbuf, konsole, and node-send), Fedora (apache-commons-beanutils, chromium, clamav, dotnet9.0, libblockdev, mediawiki, mingw-python-setuptools, pam, perl-File-Find-Rule, python-pycares, python-setuptools, spdlog, udisks2, and xorg-x11-server-Xwayland), Mageia (chromium-browser-stable), Oracle (apache-commons-beanutils, container-tools:ol8, gimp:2.8, idm:DL1, perl-FCGI:0.78, and postgresql), Red Hat (container-tools:rhel8, delve, git-lfs, go-toolset:rhel8, grafana, kernel, mod_auth_openidc, and spice-client-win), SUSE (apache-commons-beanutils, apache2-mod_security2, distribution, gstreamer-plugins-good, icu, ignition, perl, python310, python311, python312, and python39), and Ubuntu (apache-log4j1.2 and botan).
---------------------------------------------
https://lwn.net/Articles/1026498/
∗∗∗ Fortinet: Buffer overflow in fgfmd ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-24-036
∗∗∗ F5: K000151740, Ruby vulnerability CVE-2024-47220 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000151740
∗∗∗ Fortinet: Teleport Remote Authentication Bypass ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/threat-signal-report/6132
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 18-06-2025 18:00 − Friday 20-06-2025 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Telecom giant Viasat breached by China's Salt Typhoon hackers ∗∗∗
---------------------------------------------
Satellite communications company Viasat is the latest victim of China's Salt Typhoon cyber-espionage group, which has previously hacked into the networks of multiple other telecom providers in the United States and worldwide.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/telecom-giant-viasat-breache…
∗∗∗ Grok and Mixtral without limits: new AI tools generate phishing emails and malware ∗∗∗
---------------------------------------------
WormGPT was one of the first large language models intended specifically for cybercriminal activities, and it could generate extremely convincing phishing emails. While the original disappeared again after just a few weeks, new LLMs under the same name have taken its place.
---------------------------------------------
https://www.golem.de/news/wormgpt-ist-zurueck-neue-ki-modelle-unterstuetzen…
∗∗∗ Cyberattacks: North Korean hackers impersonate superiors in video conferences ∗∗∗
---------------------------------------------
According to Bleeping Computer, the North Korean hacker group Bluenoroff has for some time been using a perfidious method to smuggle malware into companies. The goal is apparently to siphon off cryptocurrency, something the Bluenoroff group, said to be a subgroup of Lazarus, is known for.
---------------------------------------------
https://www.golem.de/news/cyberangriffe-nordkoreanische-hacker-faken-vorges…
∗∗∗ Cybersecurity: Iran said to have hacked Israeli security cameras ∗∗∗
---------------------------------------------
Iranian hackers are said to have accessed private surveillance cameras in Israel to gather information. As Bloomberg reports, citing a piece on Israeli broadcasting, a former Israeli cybersecurity official has urged the public to switch off private surveillance cameras or change their passwords.
---------------------------------------------
https://www.golem.de/news/cybersicherheit-iran-soll-israelische-sicherheits…
∗∗∗ Analysis of a Malicious WordPress Plugin: The Covert Redirector ∗∗∗
---------------------------------------------
A few weeks ago, we received a support request from a website owner who was experiencing unexpected redirects. Visitors landed on the website normally, but after about 4–5 seconds, the site redirected them to unrelated and suspicious websites. During the investigation, we discovered a malicious plugin that was responsible for this behavior, continuing the trend of attackers using fake WordPress plugins.
---------------------------------------------
https://blog.sucuri.net/2025/06/analysis-of-a-malicious-wordpress-plugin-th…
∗∗∗ New Malware Campaign Uses Cloudflare Tunnels to Deliver RATs via Phishing Chains ∗∗∗
---------------------------------------------
A new campaign is making use of Cloudflare Tunnel subdomains to host malicious payloads and deliver them via malicious attachments embedded in phishing emails. The ongoing campaign has been codenamed SERPENTINE#CLOUD by Securonix.
---------------------------------------------
https://thehackernews.com/2025/06/new-malware-campaign-uses-cloudflare.html
∗∗∗ Proxy: bypass of restrictions possible in Apache Traffic Server ∗∗∗
---------------------------------------------
Two security vulnerabilities have been discovered in Apache Traffic Server (ATS), an open-source proxy server. Attackers can abuse them to bypass access restrictions or carry out denial-of-service attacks. Updated sources are available to fix the vulnerabilities.
---------------------------------------------
https://www.heise.de/news/Proxy-Umgehung-von-Beschraenkungen-in-Apache-Traf…
∗∗∗ Resurgence of the Prometei Botnet ∗∗∗
---------------------------------------------
In March 2025, Unit 42 researchers identified a wave of Prometei attacks. Prometei refers to both the botnet and the malware family used to operate it. This malware family, which includes both Linux and Windows variants, allows attackers to remotely control compromised systems for cryptocurrency mining (particularly Monero) and credential theft. This article focuses on the resurgence of the Linux variant.
---------------------------------------------
https://unit42.paloaltonetworks.com/prometei-botnet-2025-activity/
∗∗∗ Joint Analysis by AhnLab and NCSC on TA-ShadowCricket: Emerging Malware Trends and IRC Server Tracking ∗∗∗
---------------------------------------------
Since November 2024, AhnLab has been working with the NCSC to analyze the malicious IRC server and related malware, to classify the unidentified threat actor as Larva-24013 and trace their activities, and has confirmed their association with the Shadow Force group. AhnLab manages malicious activities in four stages through the "Threat Actor Naming and Taxonomy," classifying threat actors as "Larva" (unidentified threat actors) and "Arthropod" (identified threat actors). Following AhnLab's threat actor taxonomy and naming convention, the threat actor has been identified and named TA-ShadowCricket.
---------------------------------------------
https://asec.ahnlab.com/en/88137/
∗∗∗ Scammers Insert Fake Support Numbers on Real Apple, Netflix, PayPal Pages ∗∗∗
---------------------------------------------
Cybercriminals are finding clever new ways to trick people, even on the official websites of major companies. Malwarebytes Senior Director of Research, Jérôme Segura, has identified a widespread scam where fake phone numbers for customer support are being inserted directly onto the legitimate help pages of well-known brands.
---------------------------------------------
https://hackread.com/scammers-fake-support-numbers-real-apple-netflix-paypa…
∗∗∗ Banana Squad Hides Data-Stealing Malware in Fake GitHub Repositories ∗∗∗
---------------------------------------------
ReversingLabs researchers recently uncovered a new and worrying attack method led by a group called Banana Squad. This group, first identified by Checkmarx researchers in October 2023, is known for their sneaky methods, with their name coming from an early harmful internet address, bananasquadru.
---------------------------------------------
https://hackread.com/banana-squad-data-stealing-malware-github-repositories/
∗∗∗ New Mocha Manakin Malware Deploys NodeInitRAT via Clickfix Attack ∗∗∗
---------------------------------------------
A new and concerning cyber threat, dubbed Mocha Manakin, has been identified by cybersecurity research firm Red Canary. First tracked in January 2025, this threat uniquely combines social engineering (tricking people) with specially built malicious software.
---------------------------------------------
https://hackread.com/mocha-manakin-malware-nodeinitrat-via-clickfix-attack/
∗∗∗ What’s in an ASP? Creative Phishing Attack on Prominent Academics and Critics of Russia ∗∗∗
---------------------------------------------
In cooperation with external partners, Google Threat Intelligence Group (GTIG) observed a Russia state-sponsored cyber threat actor impersonating the U.S. Department of State. From at least April through early June 2025, this actor targeted prominent academics and critics of Russia, often using extensive rapport building and tailored lures to convince the target to set up application specific passwords (ASPs). Once the target shares the ASP passcode, the attackers establish persistent access to the victim’s mailbox. Two distinct campaigns are detailed in this post. This activity aligns with Citizen Lab’s recent research on social engineering attacks against ASPs, another useful resource for high risk users.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/creative-phishing-…
∗∗∗ Same Sea, New Phish: Russian Government-Linked Social Engineering Targets App-Specific Passwords ∗∗∗
---------------------------------------------
In recent years, users' familiarity with common phishing tactics, increasingly advanced detection and blocking by platforms, and the rise in use of Multi-Factor Authentication (MFA) have all contributed to changes in the ways that attackers phish accounts. The introduction of more secure forms of MFA, such as hardware security keys, has also closed off certain avenues of social engineering.
---------------------------------------------
https://citizenlab.ca/2025/06/russian-government-linked-social-engineering-…
∗∗∗ Fraudsters use postal mail to scam Ledger wallet owners ∗∗∗
---------------------------------------------
Anyone who handles cryptocurrencies and assets has surely at least flirted with hardware wallets such as Ledger's. A reader has now received an insufficiently stamped letter. With it, criminals are trying to take over the Ledger crypto wallet and empty it.
---------------------------------------------
https://heise.de/-10453136
∗∗∗ Feeling Blue(Noroff): Inside a Sophisticated DPRK Web3 Intrusion ∗∗∗
---------------------------------------------
On June 11, 2025, Huntress received contact from a partner saying that an end user had downloaded, potentially, a malicious Zoom extension. The depth of the intrusion became immediately apparent upon installing the Huntress EDR agent, and after some analysis, it was discovered that the lure used to gain access was received by the victim several weeks prior. This post aims to provide a detailed analysis from beginning to end of the intrusion, including a full breakdown of several new pieces of malware used by the threat actors.
---------------------------------------------
https://www.huntress.com/blog/inside-bluenoroff-web3-intrusion-analysis
∗∗∗ Israel-Iran Conflict Sparks Wider Cyber Conflict, New Malware ∗∗∗
---------------------------------------------
The Israel-Iran conflict that began with Israeli attacks on Iranian nuclear and military targets on June 13 has sparked a wider cyber conflict in the region, including the launch of new malware campaigns.
---------------------------------------------
https://thecyberexpress.com/israel-iran-conflict-hacktivism/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (gvisor-tap-vsock), Debian (activemq and chromium), Fedora (kea, python-django4.2, python-django5, python-setuptools, and rust-git-interactive-rebase-tool), Oracle (ipa and kernel), Red Hat (buildah, container-tools:rhel8, containernetworking-plugins, git-lfs, go-toolset:rhel8, golang, golang-github-openprinting-ipp-usb, grafana, grafana-pcp, gvisor-tap-vsock, podman, and skopeo), Slackware (libblockdev and xorg), SUSE (gdm, gstreamer-plugins-base, ignition, kernel, pam, redis, s390-tools, screen, systemd, and xorg-x11-server), and Ubuntu (godot, golang-1.22, libblockdev, node-express, pam, samba, and udisks2).
---------------------------------------------
https://lwn.net/Articles/1026007/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by SUSE (apache2-mod_security2, augeas, ghc-pandoc, gstreamer, ignition, kernel, libblockdev, libxml2, nodejs20, openssl-3, pam_pkcs11, perl, python3, systemd, ucode-intel, webkit2gtk3, and xen) and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-gcp, linux-gcp-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-xilinx-zynqmp, linux-aws-fips, linux-gcp-fips, python3.13, python3.12, and roundcube).
---------------------------------------------
https://lwn.net/Articles/1026281/
∗∗∗ Critical vulnerabilities CVE-2025-6018 and CVE-2025-6019 in Linux systems ∗∗∗
---------------------------------------------
Security researchers from Qualys TRU have uncovered two linked critical vulnerabilities in Linux. Starting from SUSE 15, the LPE chain leads directly to root access in the default configurations of many Linux distributions.
---------------------------------------------
https://www.borncity.com/blog/2025/06/19/kritische-schwachstellen-in-linux-…
∗∗∗ Cisco Meraki MX and Z: attackers can interrupt VPN connections ∗∗∗
---------------------------------------------
The Cisco AnyConnect VPN server of Cisco Meraki MX and Z is vulnerable. In addition, attackers can exploit a vulnerability in ClamAV. Security patches are available for download. So far there are no reports of attacks.
---------------------------------------------
https://heise.de/-10452498
∗∗∗ ZDI-25-408: PEAK-System Driver PCANFD_ADD_FILTERS Time-Of-Check Time-Of-Use Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-408/
∗∗∗ ZDI-25-410: Allegra calculateTokenExpDate Password Recovery Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-410/
∗∗∗ ZDI-25-409: RARLAB WinRAR Directory Traversal Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-409/
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (June 9, 2025 to June 15, 2025) ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2025/06/wordfence-intelligence-weekly-wordpr…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 17-06-2025 18:00 − Wednesday 18-06-2025 18:00
Handler: Guenes Holler
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Cybersecurity takes a big hit in new Trump executive order ∗∗∗
---------------------------------------------
Cybersecurity practitioners are voicing concerns over a recent executive order issued by the White House that guts requirements for: securing software the government uses, punishing people who compromise sensitive networks, preparing new encryption schemes that will withstand attacks from quantum computers, and other existing controls.
---------------------------------------------
https://arstechnica.com/security/2025/06/cybersecurity-take-a-big-hit-in-ne…
∗∗∗ Instagram BMO ads use AI deepfakes to scam banking customers ∗∗∗
---------------------------------------------
Instagram ads impersonating financial institutions like Bank of Montreal (BMO) and EQ Bank (Equitable Bank) are being used to target Canadian consumers with phishing scams and investment fraud. Some ads use AI-powered deepfake videos in an attempt to collect your personal information, while others use official branding to drive traffic outside of the platform to lookalike illicit domains that are not affiliated with banks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/instagram-bmo-ads-use-ai-dee…
∗∗∗ Protection against cyberattacks: Iran takes itself off the net ∗∗∗
---------------------------------------------
Iran is apparently deliberately restricting its connection to the global internet in order to protect itself from possible cyberattacks from Israel in the wake of the Israeli-Iranian war that has been ongoing since 13 June. Initially only the speed was throttled. According to an X post by Netblocks, Iran's data traffic fell by 75 percent within a very short time.
---------------------------------------------
https://www.golem.de/news/schutz-vor-cyberangriffen-der-iran-nimmt-sich-sel…
∗∗∗ LangSmith Bug Could Expose OpenAI Keys and User Data via Malicious Agents ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed a now-patched security flaw in LangChain's LangSmith platform that could be exploited to capture sensitive data, including API keys and user prompts.
---------------------------------------------
https://thehackernews.com/2025/06/langchain-langsmith-bug-let-hackers.html
∗∗∗ Google Chrome Zero-Day CVE-2025-2783 Exploited by TaxOff to Deploy Trinper Backdoor ∗∗∗
---------------------------------------------
A now-patched security flaw in Google Chrome was exploited as a zero-day by a threat actor known as TaxOff to deploy a backdoor codenamed Trinper. The attack, observed in mid-March 2025 by Positive Technologies, involved the use of a sandbox escape vulnerability tracked as CVE-2025-2783 (CVSS score: 8.3).
---------------------------------------------
https://thehackernews.com/2025/06/google-chrome-zero-day-cve-2025-2783.html
∗∗∗ Exploring Netstalking – Mapping the Hidden Corners of the Internet ∗∗∗
---------------------------------------------
Netstalking is the art of exploring little-known, rarely visited parts of the internet—ranging from forgotten photo archives and open surveillance cameras to defunct servers and prototype systems—using techniques like IP scanning, deep web search, and network archaeology. The activity originated in 2009 among Russian internet subcultures and draws its name from the “S.T.A.L.K.E.R.” mythos.
---------------------------------------------
https://www.darknet.org.uk/2025/06/exploring-netstalking-mapping-the-hidden…
∗∗∗ Minecraft Players Targeted in Sophisticated Malware Campaign ∗∗∗
---------------------------------------------
This campaign reminds us that even the most familiar digital spaces can become a playground for cyber criminals. By disguising malware as Minecraft mods, attackers were able to quietly target an engaged and unsuspecting user base with a multistage, Java-based infection chain. Because these files often appear harmless and can slip past traditional defenses, any Minecraft player is at risk.
---------------------------------------------
https://blog.checkpoint.com/research/minecraft-players-targeted-in-sophisti…
∗∗∗ Scattered Spider hackers targeting insurance industry following retail hits, Google warns ∗∗∗
---------------------------------------------
A group of hackers behind a recent string of attacks on retail stores in the U.K. and U.S. has shifted its focus to insurance firms in recent days, according to cybersecurity researchers.
---------------------------------------------
https://therecord.media/scattered-spider-targeting-insurance-sector-followi…
∗∗∗ When legitimate tools go rogue ∗∗∗
---------------------------------------------
Attackers are increasingly hiding in plain sight, using the same tools IT and security teams rely on for daily operations. This blog breaks down common techniques and provides recommendations to defenders.
---------------------------------------------
https://blog.talosintelligence.com/when-legitimate-tools-go-rogue/
∗∗∗ CVE Trends to Watch: Real-World Risks to Telecom and Professional Services ∗∗∗
---------------------------------------------
Between 2023-2025, there was a 38% increase in CVEs. Learn which industry sectors have seen the highest levels of CVEs, & which CVEs had the highest impact.
---------------------------------------------
https://www.bitsight.com/blog/cve-trends-by-sector
∗∗∗ Eight-character passwords insufficient: data protection fine for genetics company 23andme ∗∗∗
---------------------------------------------
In 2023, almost 7 million records of 23andme customers were offered for sale on the darknet. The United Kingdom is imposing a fine in the millions.
---------------------------------------------
https://heise.de/-10450679
∗∗∗ AMD patches security holes in crypto coprocessor and TPM ∗∗∗
---------------------------------------------
In June, AMD released updated firmware that closes security vulnerabilities, some of them high-risk, in its processors. Affected are, for example, the crypto coprocessors and the firmware TPM of modern Ryzen CPUs and, in part, of the stripped-down Athlon CPUs.
---------------------------------------------
https://heise.de/-10451026
∗∗∗ Malvertising: malicious ads plant false numbers on vendor pages ∗∗∗
---------------------------------------------
Fraudsters are using ad links in search results to plant false phone numbers on genuine vendor pages, IT security researchers warn.
---------------------------------------------
https://heise.de/-10451518
∗∗∗ 2025 Blockchain and Cryptocurrency Threat Report: Malware in the Open Source Supply Chain ∗∗∗
---------------------------------------------
An in-depth analysis of credential stealers, crypto drainers, cryptojackers, and clipboard hijackers abusing open source package registries to compromise Web3 development environments.
---------------------------------------------
https://socket.dev/blog/2025-blockchain-and-cryptocurrency-threat-report?ut…
∗∗∗ libxml2 Maintainer Ends Embargoed Vulnerability Reports, Citing Unsustainable Burden ∗∗∗
---------------------------------------------
Libxml2’s solo maintainer drops embargoed security fixes, highlighting the burden on unpaid volunteers who keep critical open source software secure.
---------------------------------------------
https://socket.dev/blog/libxml2-maintainer-ends-embargoed-vulnerability-rep…
=====================
= Vulnerabilities =
=====================
∗∗∗ BeyondTrust warns of pre-auth RCE in Remote Support software ∗∗∗
---------------------------------------------
BeyondTrust has released security updates to fix a high-severity flaw in its Remote Support (RS) and Privileged Remote Access (PRA) solutions that can let unauthenticated attackers gain remote code execution on vulnerable servers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/beyondtrust-warns-of-pre-aut…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (gst-plugins-bad1.0, konsole, and libblockdev), Oracle (buildah, containernetworking-plugins, gimp, git-lfs, gvisor-tap-vsock, kernel, libvpx, podman, and skopeo), Red Hat (apache-commons-beanutils and thunderbird), Slackware (xorg), SUSE (gdm, golang-github-prometheus-alertmanager, golang-github-prometheus-node_exporter, golang-github-prometheus-prometheus, govulncheck-vulndb, grafana, kernel, Multi-Linux Manager, Multi-Linux Manager Client Tools, openssl-3, pam, python-cryptography, python-requests, python-setuptools, python3-requests, SUSE Manager Server, systemd, ucode-intel, xorg-x11-server, and xwayland), and Ubuntu (dwarfutils, mujs, node-katex, xorg-server, xorg-server-hwe-16.04, xorg-server-hwe-18.04, and xorg-server, xwayland).
---------------------------------------------
https://lwn.net/Articles/1025862/
∗∗∗ Citrix Netscaler ADC: fix critical security vulnerabilities urgently ∗∗∗
---------------------------------------------
The vulnerabilities affect NetScaler ADC and Gateway versions 14.1 before 14.1-43.56, 13.1 before 13.1-58.32, and various FIPS variants. Important: older versions (12.1 and 13.0) are end-of-life (EOL) and no longer receive security updates. Citrix's recommended measure is an immediate update to the patched versions (e.g. 14.1-43.56, 13.1-58.32). After the update, all active ICA and PCoIP sessions on all NetScaler appliances should be terminated to ensure complete protection.
---------------------------------------------
https://www.borncity.com/blog/2025/06/18/citrix-netscaler-adc-kritische-sic…
∗∗∗ CISA Releases Five Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
CISA released five Industrial Control Systems (ICS) advisories on June 17, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/06/17/cisa-releases-five-indus…
∗∗∗ CISA Flags CVE-2023-0386 as Actively Exploited Linux Kernel Privilege Escalation Threat ∗∗∗
---------------------------------------------
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning about the active exploitation of a critical Linux kernel vulnerability, officially listed as CVE-2023-0386. The vulnerability, which carries a CVSS score of 7.8, is categorized as a Linux Kernel Privilege Escalation flaw. It stems from improper ownership management within the Linux kernel’s OverlayFS subsystem. If exploited successfully, attackers can escalate privileges on affected systems, gain unauthorized access, and potentially execute arbitrary code with elevated rights.
---------------------------------------------
https://thecyberexpress.com/cisa-warns-cve-2023-0386-linux-vulnerability/
∗∗∗ Windows 11: out-of-band update KB5063060 with error 0x800f0818 / 0x80070306 ∗∗∗
---------------------------------------------
A brief addendum to the security updates for Windows 10 and Windows 11 released in June 2025. These are causing various problems for some users. For instance, the out-of-band update KB5063060 pushed out on 11 June 2025 throws installation error 0x800f0818 or 0x80070306 for some users.
---------------------------------------------
https://www.borncity.com/blog/2025/06/18/windows-11-out-of-band-update-kb50…
∗∗∗ Chrome for Android Update ∗∗∗
---------------------------------------------
http://chromereleases.googleblog.com/2025/06/chrome-for-android-update_17.h…
∗∗∗ LS Electric GMWin 4 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-168-02
∗∗∗ Dover Fueling Solutions ProGauge MagLink LX Consoles ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-168-05
∗∗∗ Fuji Electric Smart Editor ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-168-04
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 16-06-2025 18:00 − Dienstag 17-06-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ Apple: security vulnerability in several operating systems under attack ∗∗∗
---------------------------------------------
According to Apple, the newly attacked vulnerability affects Messages. "A logic issue may occur when processing a maliciously crafted photo or video shared via an iCloud Link," the developers write (CVE-2025-43200 / EUVD-2025-18428; no CVSS score or risk rating has been published yet). They add: "Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals." The vulnerability entry dates from Monday of this week, whereas Apple had already updated or newly published the security advisories for the various operating systems and versions on Thursday of last week.
---------------------------------------------
https://heise.de/-10449241
∗∗∗ Cross-site scripting (XSS) vulnerability CVE-2025-4123 in Grafana ∗∗∗
---------------------------------------------
A cross-site scripting (XSS) vulnerability, CVE-2025-4123, in the open-source software Grafana was made public in recent days. It is a critical open redirect flaw in Grafana that could lead to account takeover. [..] SonicWall had already published this on 5 June 2025 in the post High-Severity Open Redirect Vulnerability in Grafana Leads to Account Takeover: CVE-2025-4123. According to the Grafana security advisory Grafana Cross-Site-Scripting (XSS) via custom loaded frontend plugin of 21 May 2025, CVE-2025-4123 is fixed in versions v10.4.18+security-01, v11.2.9+security-01, v11.3.6+security-01, v11.4.4+security-01, v11.5.4+security-01, v11.6.1+security-01 and v12.0.0+security-01.
---------------------------------------------
https://www.borncity.com/blog/2025/06/17/cross-site-scripting-xss-schwachst…
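The defence against the class of bug described above (an open redirect that can be turned into account takeover) is a strict check on where a post-login redirect may point. The following is an added example and not Grafana's code or its fix; it assumes a login flow that receives a target such as a `redirect` query parameter and must only ever send the browser back to the application's own origin, given here as the placeholder `APP_ORIGIN`.

```python
"""Safe-redirect validation: the check an open-redirect bug is missing.

Added example; not Grafana's code. APP_ORIGIN is a placeholder value.
"""
from urllib.parse import urlsplit

APP_ORIGIN = "https://grafana.example.com"   # placeholder origin for this example


def is_safe_redirect(target: str, app_origin: str = APP_ORIGIN) -> bool:
    """Return True only if following `target` keeps the user on app_origin.

    Accepted: app-relative paths such as '/dashboards?orgId=1' and absolute
    URLs whose scheme and host match app_origin exactly.
    Rejected: scheme-relative URLs ('//evil.example'), backslash variants
    ('/\\evil.example', which browsers normalise to '//evil.example'),
    control characters, non-http(s) schemes ('javascript:...'), scheme
    downgrades, userinfo tricks ('https://app@evil.example') and look-alike
    hosts ('grafana.example.com.evil.example').
    """
    if not target or any(c in target for c in "\r\n\t\x00"):
        return False
    normalised = target.replace("\\", "/")   # browsers treat '\' like '/'
    parts = urlsplit(normalised)
    if parts.scheme == "" and parts.netloc == "":
        # purely relative: must be an absolute path with exactly one leading
        # '/', because '//host' and '///host' are read as a host by browsers
        return normalised.startswith("/") and not normalised.startswith("//")
    origin = urlsplit(app_origin)
    return (
        parts.scheme in ("http", "https")
        and parts.scheme == origin.scheme
        and parts.netloc.lower() == origin.netloc.lower()
    )


def safe_redirect_or_default(target: str, default: str = "/") -> str:
    """Resolve the post-login destination: the validated target, else `default`."""
    return target if is_safe_redirect(target) else default


if __name__ == "__main__":
    for t in ("/dashboards?orgId=1", "//evil.example/x", "/\\evil.example",
              "https://grafana.example.com.evil.example/", "javascript:alert(1)"):
        print(f"{t!r:45} -> {safe_redirect_or_default(t)}")
```

The check deliberately compares the whole `netloc`, so a target with an explicit port or userinfo is rejected even when the host matches; loosen that only if the application really serves on several ports.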
∗∗∗ Water Curse Targets Infosec Pros via Poisoned GitHub Repositories ∗∗∗
---------------------------------------------
The emerging threat group attacks the supply chain via weaponized repositories posing as legitimate pen-testing suites and other tools that are poisoned with malware.
---------------------------------------------
https://www.darkreading.com/cyberattacks-data-breaches/water-curse-targets-…
∗∗∗ How Long Until the Phishing Starts? About Two Weeks, (Tue, Jun 17th) ∗∗∗
---------------------------------------------
I recently added an account to my Google Workspace domain (montance[dot]com). Friday, May 16th, 10:10 am, to be exact. Something interesting to note about the domain configuration is there’s a catchall account in place, so all email addresses are valid. Starting May 28th the new account started receiving targeted phishing email messages. [..] Nothing especially surprising, but a reminder that they’re watching for opportunities. Someone new at the company and eager to appear responsive seems like a good phishing target!
---------------------------------------------
https://isc.sans.edu/diary/rss/32052
∗∗∗ TP-Link Router Flaw CVE-2023-33538 Under Active Exploit, CISA Issues Immediate Alert ∗∗∗
---------------------------------------------
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a high-severity security flaw in TP-Link wireless routers to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability in question is CVE-2023-33538 (CVSS score: 8.8), a command injection bug that could result in the execution of arbitrary system commands when processing the ssid1 parameter in a specially crafted HTTP GET request.
---------------------------------------------
https://thehackernews.com/2025/06/tp-link-router-flaw-cve-2023-33538.html
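Because the flaw is triggered through the ssid1 parameter of a GET request, the cheapest detection is to look for shell metacharacters in that parameter in whatever access logs sit in front of the device. The block below is an added example, not CISA's or the article's code and not a signature for the exploit itself: it parses Common Log Format lines (constructed here, as a reverse proxy or honeypot would write them; the request path is a placeholder, not the real device endpoint), URL-decodes the query string and reports GET requests whose ssid1 value contains characters a shell would interpret.

```python
"""Heuristic detector for command-injection attempts in the ssid1 parameter.

Added example; not CISA's or the article's code. Log lines and the request
path are constructed placeholders.
"""
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# command separators, pipes, backticks, $(...) / ${...} and embedded newlines
SHELL_META = re.compile(r"[;|&`\r\n]|\$[({]")


def suspicious_ssid1(line: str) -> Optional[dict]:
    """Return a finding for a GET whose decoded ssid1 carries shell metacharacters."""
    m = CLF.match(line)
    if not m or m["method"] != "GET":
        return None
    query = urlsplit(m["target"]).query
    # parse_qs percent-decodes, so %3B becomes ';' before the check runs
    for value in parse_qs(query, keep_blank_values=True).get("ssid1", []):
        if SHELL_META.search(value):
            return {"ip": m["ip"], "ts": m["ts"], "ssid1": value,
                    "status": int(m["status"])}
    return None


def scan(lines) -> list:
    """Run the check over an iterable of log lines and collect the findings."""
    return [hit for hit in map(suspicious_ssid1, lines) if hit is not None]


# constructed sample: one benign SSID change, one injection attempt, one POST
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Jun/2025:10:12:01 +0000] "GET /wlan/settings?ssid1=HomeWiFi&region=0 HTTP/1.1" 200 512',
    '198.51.100.23 - - [16/Jun/2025:10:12:07 +0000] "GET /wlan/settings?ssid1=guest%3Bid HTTP/1.1" 200 512',
    '198.51.100.23 - - [16/Jun/2025:10:12:09 +0000] "POST /login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} ssid1={hit['ssid1']!r} status={hit['status']}")
```

A 200 on a hit is the interesting case: the router accepted the request, so the host should be treated as possibly compromised rather than merely probed. Attackers sometimes double-encode payloads; if your logs show `%253B`, decode twice before matching.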
∗∗∗ New Flodrix Botnet Variant Exploits Langflow AI Server RCE Bug to Launch DDoS Attacks ∗∗∗
---------------------------------------------
Cybersecurity researchers have called attention to a new campaign that's actively exploiting a recently disclosed critical security flaw in Langflow to deliver the Flodrix botnet malware.
---------------------------------------------
https://thehackernews.com/2025/06/new-flodrix-botnet-variant-exploits.html
∗∗∗ A cooler full of Stiegl beer? Beware of fake prize draws! ∗∗∗
---------------------------------------------
A phishing wave is currently sweeping through Austrian WhatsApp accounts. The Stiegl brewery is supposedly raffling off a cooler full of beer. Behind it is nothing but the well-known combination of subscription trap and phishing attack, with one cunning new twist.
---------------------------------------------
https://www.watchlist-internet.at/news/stiegl-bier-fake-phishing/
∗∗∗ Exploring a New KimJongRAT Stealer Variant and Its PowerShell Implementation ∗∗∗
---------------------------------------------
We analyze two new KimJongRAT stealer variants, combining new research with existing knowledge. One uses a Portable Executable (PE) file and the other PowerShell.
---------------------------------------------
https://unit42.paloaltonetworks.com/kimjongrat-stealer-variant-powershell/
=====================
= Vulnerabilities =
=====================
∗∗∗ Hard-Coded 'b' Password in Sitecore XP Sparks Major RCE Risk in Enterprise Deployments ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed three security flaws in the popular Sitecore Experience Platform (XP) that could be chained to achieve pre-authenticated remote code execution. Sitecore Experience Platform is enterprise-oriented software that provides users with tools for content management, digital marketing, and analytics and reporting. [..] This also means that the exploit chain only works if users have installed Sitecore using installers for versions ≥ 10.1. Users are likely not impacted if they were previously running a version prior to 10.1 and then upgraded to a newer vulnerable version, assuming the old database is being migrated and not the database embedded within the installation package. WT-2025-0024 (CVE-2025-XXXXX), WT-2025-0032 (CVE-2025-XXXXX), WT-2025-0025 (CVE-2025-XXXXX)
---------------------------------------------
https://thehackernews.com/2025/06/hard-coded-b-password-in-sitecore-xp.html
∗∗∗ Veeam: Vulnerabilities Resolved in Veeam Backup & Replication 12.3.2 ∗∗∗
---------------------------------------------
CVE-2025-23121: A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user. Severity: Critical
---------------------------------------------
https://www.veeam.com/kb4743
∗∗∗ ASUS Armoury Crate bug lets attackers get Windows admin privileges ∗∗∗
---------------------------------------------
Armoury Crate is the official system control software for Windows from ASUS, providing a centralized interface to control RGB lighting (Aura Sync), adjust fan curves, manage performance profiles and ASUS peripherals, as well as download drivers and firmware updates. [..] Cisco Talos validated that CVE-2025-3464 impacts Armoury Crate version 5.9.13.0, but ASUS' bulletin notes that the flaw impacts all versions between 5.9.9.0 and 6.1.18.0. [..] A high-severity vulnerability in ASUS Armoury Crate software could allow threat actors to escalate their privileges to SYSTEM level on Windows machines. The security issue is tracked as CVE-2025-3464 and received a severity score of 8.8 out of 10.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/asus-armoury-crate-bug-lets-…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (.NET 8.0, .NET 9.0, buildah, containernetworking-plugins, firefox, gstreamer1-plugins-bad-free, libsoup3, podman, skopeo, sqlite, thunderbird, unbound, valkey, varnish, and xz), Debian (webkit2gtk), Fedora (fido-device-onboard, python-django4.2, rust-git-interactive-rebase-tool, and thunderbird), Red Hat (libsoup), Slackware (libxml2), SUSE (java-11-openjdk, kernel, and wireshark), and Ubuntu (c3p0, dojo, python-django, python3.13, python3.12, python3.11, python3.10, python3.9, python3.8, python3.7, python3.6, and requests).
---------------------------------------------
https://lwn.net/Articles/1025734/
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 13-06-2025 18:00 − Montag 16-06-2025 18:00
Handler: Felician Fuchs
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Washington Post's email system hacked, journalists' accounts compromised ∗∗∗
---------------------------------------------
Email accounts of several Washington Post journalists were compromised in a cyberattack believed to have been carried out by a foreign government.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/washington-posts-email-syste…
∗∗∗ Kali Linux 2025.2 released with 13 new tools, car hacking updates ∗∗∗
---------------------------------------------
Kali Linux 2025.2, the second release of the year, is now available for download with 13 new tools and an expanded car hacking toolkit.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/kali-linux-20252-released-wi…
∗∗∗ BKA takes down darknet marketplace "Archetyp Market" ∗∗∗
---------------------------------------------
The BKA (German Federal Criminal Police Office) arrested the alleged operator of the online drug marketplace "Archetyp Market" in Barcelona on Wednesday of last week.
---------------------------------------------
https://www.heise.de/news/BKA-schaltet-Darknet-Marktplatz-Archetyp-Market-a…
∗∗∗ Makers of government spyware are adversaries, not allies ∗∗∗
---------------------------------------------
The head of Google's threat intelligence group explains why she regards such companies as adversaries. In the interview she also discusses the growing relevance of AI for attackers and the threat from North Korea.
---------------------------------------------
https://www.derstandard.at/story/3000000273949/die-hersteller-von-staatstro…
∗∗∗ Hackers Leak Data of 10,000 VirtualMacOSX Customers in Alleged Breach ∗∗∗
---------------------------------------------
Hackers leak data of 10,000 VirtualMacOSX customers in alleged breach, exposing names, emails, passwords, and financial details on a hacking forum.
---------------------------------------------
https://hackread.com/hackers-leak-virtualmacosx-customers-data-breach/
=====================
= Vulnerabilities =
=====================
∗∗∗ IBM AIX/VIOS and DataPower Gateway vulnerable to malicious-code attacks ∗∗∗
---------------------------------------------
If attackers successfully exploit security vulnerabilities in IBM AIX/VIOS and DataPower Gateway, malicious code can reach systems and compromise them. Updates close the vulnerabilities.
---------------------------------------------
https://www.heise.de/news/IBM-AIX-VIOS-und-DataPower-Gateway-fuer-Schadcode…
∗∗∗ Attackers can attack servers via vulnerability in Dell iDRAC Tools ∗∗∗
---------------------------------------------
Attackers can exploit a security vulnerability in Dell iDRAC Tools to attack servers. The developers have since closed the vulnerability.
---------------------------------------------
https://www.heise.de/news/Sicherheitsluecke-in-Dell-iDRAC-Tools-gefaehrdet-…
∗∗∗ Dell ControlVault: attackers can fully compromise systems ∗∗∗
---------------------------------------------
Dell's ControlVault has security vulnerabilities in its drivers and firmware that allow attackers to inject and execute malicious code and thereby take over systems. Dell provides updated software to close the security holes.
---------------------------------------------
https://www.heise.de/news/Dell-ControlVault-Angreifer-koennen-Systeme-volls…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (.NET 8.0 and .NET 9.0), Arch Linux (curl, ghostscript, go, konsole, python-django, roundcubemail, and samba), Fedora (aerc, chromium, golang-x-perf, libkrun, python3.11, python3.12, rust-kbs-types, rust-sev, rust-sevctl, valkey, and wireshark), Gentoo (Konsole and sysstat), Oracle (.NET 9.0), Red Hat (bootc, grub2, keylime-agent-rust, python3.12-cryptography, rpm-ostree, rust-bootupd, xorg-x11-server, and xorg-x11-server-Xwayland), SUSE (apache2-mod_auth_openidc, docker, grub2, java-1_8_0-openj9, kernel, less, python-Django, screen, and sqlite3), and Ubuntu (cifs-utils and modsecurity-apache).
---------------------------------------------
https://lwn.net/Articles/1025618/
∗∗∗ Tenable: Nessus Agent Version 10.8.5 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2025-11
∗∗∗ Chromium: CVE-2025-5959 Type Confusion in V8 ∗∗∗
---------------------------------------------
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-5959
∗∗∗ Chromium: CVE-2025-5958 Use after free in Media ∗∗∗
---------------------------------------------
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-5958
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 12-06-2025 18:00 − Freitag 13-06-2025 18:00
Handler: Guenes Holler
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ Trend Micro fixes critical vulnerabilities in multiple products ∗∗∗
---------------------------------------------
Trend Micro has released security updates to address multiple critical-severity remote code execution and authentication bypass vulnerabilities that impact its Apex Central and Endpoint Encryption (TMEE) PolicyServer products.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/trend-micro-fixes-six-critic…
∗∗∗ After more than 100 years: cyberattack pushes German company into insolvency ∗∗∗
---------------------------------------------
The napkin manufacturer Fasana, based in Euskirchen, has run into payment difficulties after a cyberattack. Hackers brought operations to a complete standstill.
---------------------------------------------
https://www.golem.de/news/nach-ueber-100-jahren-cyberangriff-draengt-deutsc…
∗∗∗ [Guest Diary] Anatomy of a Linux SSH Honeypot Attack: Detailed Analysis of Captured Malware, (Fri, Jun 13th) ∗∗∗
---------------------------------------------
This is a Guest Diary by Michal Ambrozkiewicz, an ISC intern as part of the SANS.edu Bachelor ..
---------------------------------------------
https://isc.sans.edu/diary/Guest+Diary+Anatomy+of+a+Linux+SSH+Honeypot+Atta…
∗∗∗ WordPress Sites Turned Weapon: How VexTrio and Affiliates Run a Global Scam Network ∗∗∗
---------------------------------------------
The threat actors behind the VexTrio Viper Traffic Distribution Service (TDS) have been linked to other TDS services like Help TDS and Disposable TDS, indicating that the sophisticated cybercriminal operation is a sprawling enterprise of its own ..
---------------------------------------------
https://thehackernews.com/2025/06/wordpress-sites-turned-weapon-how.html
∗∗∗ "Sign-in from an unrecognized device": phishing attack in the name of PayPal ∗∗∗
---------------------------------------------
A supposed login to an existing PayPal profile brings the equally supposed security department of the company onto the scene. Behind the alarming e-mails and SMS messages, however, is nothing but a classic phishing scam.
---------------------------------------------
https://www.watchlist-internet.at/news/phishing-attacke-paypal/
∗∗∗ Bert ransomware: what you need to know ∗∗∗
---------------------------------------------
Bert is a recently-discovered strain of ransomware that encrypts victims files and demands a payment for the decryption key. Read more in my article on the Fortra blog.
---------------------------------------------
https://www.fortra.com/blog/bert-ransomware-what-you-need-know
∗∗∗ Serverless Tokens in the Cloud: Exploitation and Detections ∗∗∗
---------------------------------------------
Understand the mechanics of serverless authentication: three simulated attacks across major CSPs offer effective approaches for application developers.
---------------------------------------------
https://unit42.paloaltonetworks.com/serverless-authentication-cloud/
∗∗∗ Ransomware Actors Exploit Unpatched SimpleHelp Remote Monitoring and Management to Compromise Utility Billing Software Provider ∗∗∗
---------------------------------------------
The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this advisory in response to ransomware actors leveraging unpatched instances of a vulnerability in SimpleHelp Remote Monitoring and Management (RMM) to compromise customers of a utility billing software provider. This incident reflects a broader pattern of ransomware actors ..
---------------------------------------------
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-163a
∗∗∗ E-mail security: increased attacks using SVG ∗∗∗
---------------------------------------------
More and more phishing campaigns use the little-known vector graphics format SVG. It can contain scripts that are executed when the file is opened.
---------------------------------------------
https://heise.de/-10444330
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (.NET 8.0, .NET 9.0, glibc, kernel, and mod_security), Fedora (chromium, gh, mingw-icu, nginx-mod-modsecurity, python3.10, python3.9, thunderbird, valkey, and yarnpkg), Oracle (.NET 8.0, .NET 9.0, glibc, grafana-pcp, kernel, libxml2, mod_security, nodejs:20, and thunderbird), SUSE (audiofile, helm, kubernetes-old, kubernetes1.23, kubernetes1.24, libcryptopp, postgresql15, thunderbird, and valkey), and Ubuntu (linux-nvidia-tegra-igx).
---------------------------------------------
https://lwn.net/Articles/1025354/
∗∗∗ CISA Releases Ten Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
CISA released ten Industrial Control Systems (ICS) advisories on June 12, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSA-25-162-01 Siemens Tecnomatix Plant Simulation, ICSA-25-162-02 Siemens RUGGEDCOM APE1808, ICSA-25-162-03 Siemens SCALANCE and RUGGEDCOM, ICSA-25-162-04 ..
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/06/12/cisa-releases-ten-indust…
∗∗∗ [R1] Nessus Agent Version 10.8.5 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2025-11
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 11-06-2025 18:00 − Donnerstag 12-06-2025 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ CRA Vulnerability Reports: why would we not share them with other CSIRTs? ∗∗∗
---------------------------------------------
The Cyber Resilience Act (Regulation (EU) 2024/2847) defines security requirements for products with digital elements and requires vendors to report to national CSIRTs if a vulnerability in one of their products is actively exploited.
---------------------------------------------
https://www.cert.at/en/blog/2025/6/cra-vulnerability-reports-why-would-we-n…
∗∗∗ Fog ransomware attack uses unusual mix of legitimate and open-source tools ∗∗∗
---------------------------------------------
Fog ransomware hackers are using an uncommon toolset, which includes open-source pentesting utilities and a legitimate employee monitoring software called Syteca.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fog-ransomware-attack-uses-u…
∗∗∗ Password-spraying attacks target 80,000 Microsoft Entra ID accounts ∗∗∗
---------------------------------------------
Hackers have been using the TeamFiltration pentesting framework to target more than 80,000 Microsoft Entra ID accounts at hundreds of organizations worldwide.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/password-spraying-attacks-ta…
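A spray of this kind is visible in sign-in logs as one source failing against many distinct accounts with only one or two attempts each, which is the opposite shape of a brute force against a single account. The following is an added example, not code from the article or from TeamFiltration: it runs that rule over constructed Entra ID style sign-in records in a simplified CSV form (`createdDateTime,userPrincipalName,ipAddress,errorCode`, where 0 is success and 50126 is Entra's "invalid username or password" code) and then lists the accounts that signed in successfully from a flagged source, because those are the credentials the spray found.

```python
"""Password-spray detection over Entra ID style sign-in records.

Added example; not code from the article or from TeamFiltration. The
records in SAMPLE are constructed for this example.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    ip: str
    error: int   # 0 = success, 50126 = invalid username or password


def parse_signins(text: str) -> list:
    """Parse the simplified CSV export into SignIn records."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, code = line.split(",")
        events.append(SignIn(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                             user.lower(), ip, int(code)))
    return events


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_users=5, max_per_user=2) -> dict:
    """Map each spraying source IP to the sorted list of accounts it targeted.

    A source is flagged if, within any `window`, it produced failed sign-ins
    for at least `min_users` distinct accounts with at most `max_per_user`
    failures per account: low and slow per account, wide across accounts.
    """
    failures = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.error != 0:
            failures[e.ip].append(e)

    flagged = {}
    for ip, fails in failures.items():
        start = 0
        for end in range(len(fails)):
            while fails[end].ts - fails[start].ts > window:
                start += 1                       # slide the window forward
            per_user = Counter(f.user for f in fails[start:end + 1])
            if (len(per_user) >= min_users
                    and max(per_user.values()) <= max_per_user
                    and len(per_user) > len(flagged.get(ip, []))):
                flagged[ip] = sorted(per_user)   # keep the widest window seen
    return flagged


def successful_logins_from(events, ips) -> set:
    """Accounts that signed in successfully from flagged sources: likely hits."""
    return {e.user for e in events if e.ip in ips and e.error == 0}


# constructed sample: a spray from 203.0.113.7 (one guess per account, one of
# which succeeded), a single-account brute force from 198.51.100.9, and a
# legitimate user who mistyped once from 192.0.2.44
SAMPLE = """\
2025-06-11T08:00:05Z,alice@example.com,203.0.113.7,50126
2025-06-11T08:01:10Z,bob@example.com,203.0.113.7,50126
2025-06-11T08:02:20Z,carol@example.com,203.0.113.7,50126
2025-06-11T08:03:30Z,dave@example.com,203.0.113.7,50126
2025-06-11T08:04:40Z,erin@example.com,203.0.113.7,50126
2025-06-11T08:05:50Z,frank@example.com,203.0.113.7,0
2025-06-11T08:06:00Z,grace@example.com,203.0.113.7,50126
2025-06-11T08:00:00Z,alice@example.com,198.51.100.9,50126
2025-06-11T08:00:20Z,alice@example.com,198.51.100.9,50126
2025-06-11T08:00:40Z,alice@example.com,198.51.100.9,50126
2025-06-11T09:00:00Z,bob@example.com,192.0.2.44,50126
2025-06-11T09:00:30Z,bob@example.com,192.0.2.44,0
"""

if __name__ == "__main__":
    events = parse_signins(SAMPLE)
    sprays = detect_password_spray(events)
    for ip, users in sprays.items():
        print(f"spray from {ip}: {len(users)} accounts targeted")
    print("check these accounts:", sorted(successful_logins_from(events, sprays)))
```

Tools like TeamFiltration rotate source addresses, so in practice the same rule is also worth running keyed on user-agent or on an autonomous system rather than on a single IP; the sliding window and thresholds stay the same.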
∗∗∗ Google Bug Allowed Brute-Forcing of Any User Phone Number ∗∗∗
---------------------------------------------
Google has fixed a security vulnerability in its page for recovering account details that allowed anyone to access the page and brute-force the private phone number of any user. The flaw posed a significant risk to Google users by exposing them to risk of phishing and other attacks.
---------------------------------------------
https://www.darkreading.com/vulnerabilities-threats/google-bug-brute-forcin…
∗∗∗ Air-gapped systems: malware exfiltrates data via high-frequency sound ∗∗∗
---------------------------------------------
The well-known security researcher Mordechai Guri has presented a new attack technique that exfiltrates data from air-gapped systems without their own network connection via a smartwatch. The attack, called Smartattack, relies on transmitting data with sound waves in a frequency range so high that, depending on hearing ability, humans can barely perceive it or cannot perceive it at all.
---------------------------------------------
https://www.golem.de/news/air-gapped-systeme-malware-leitet-daten-ueber-hoc…
∗∗∗ Former Black Basta Members Use Microsoft Teams and Python Scripts in 2025 Attacks ∗∗∗
---------------------------------------------
Former members tied to the Black Basta ransomware operation have been observed sticking to their tried-and-tested approach of email bombing and Microsoft Teams phishing to establish persistent access to target networks.
---------------------------------------------
https://thehackernews.com/2025/06/former-black-basta-members-use.html
∗∗∗ Critical vulnerability in Microsoft 365 Copilot shows the risk of AI agents ∗∗∗
---------------------------------------------
The M365 AI agent could be tricked via e-mail, without a single mouse click, into disclosing sensitive information. Microsoft has now closed the hole.
---------------------------------------------
https://www.heise.de/news/Kritische-Sicherheitsluecke-in-Microsoft-365-Copi…
∗∗∗ Brand counterfeiting online: a growing threat to Austrian online retail ∗∗∗
---------------------------------------------
Hardly any brand on the internet is safe from counterfeiting: criminals use stolen logos and product images of popular retailers to create deceptively genuine fake shops. Besides well-known brands, small and medium-sized enterprises (SMEs) are increasingly affected. A study by the Austrian Institute for Applied Telecommunications (ÖIAT) examined the extent of brand counterfeiting on the internet and developed concrete recommendations for SMEs.
---------------------------------------------
https://www.watchlist-internet.at/news/markenfaelschungen-im-netz-eine-wach…
∗∗∗ JSFireTruck: Exploring Malicious JavaScript Using JSF*ck as an Obfuscation Technique ∗∗∗
---------------------------------------------
We recently discovered a large-scale campaign that has been compromising legitimate websites with injected, obfuscated JavaScript code. Threat actors commonly use this type of campaign to invisibly redirect victims from legitimate websites to malicious pages that serve malware, exploits and spam.
---------------------------------------------
https://unit42.paloaltonetworks.com/malicious-javascript-using-jsfiretruck-…
∗∗∗ Fortinet: attackers can redirect VPN connections ∗∗∗
---------------------------------------------
Several Fortinet products are vulnerable. Attackers can exploit security vulnerabilities in FortiADC, FortiAnalyzer, FortiClientEMS, FortiClientWindows, FortiManager, FortiManager Cloud, FortiOS, FortiPAM, FortiProxy, FortiSASE and FortiWeb. In the worst case this can lead to execution of malicious code.
---------------------------------------------
https://heise.de/-10441108
=====================
= Vulnerabilities =
=====================
∗∗∗ Phishing attacks with manipulated SVG files - caution advised ∗∗∗
---------------------------------------------
CERT.at warns of a sharp rise in phishing campaigns that use manipulated SVG (Scalable Vector Graphics) files as e-mail attachments. This attack method has been observed increasingly for several months and poses a serious threat, since many security solutions do not inspect SVG files adequately.
---------------------------------------------
https://www.cert.at/de/warnungen/2025/6/phishing-angriffe-mit-manipulierten…
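The reason SVG attachments work as a lure, as both the heise report and this CERT.at warning describe, is that an SVG is an XML document that may carry script, event handlers and links that a browser executes on open. The block below is an added example, not code from CERT.at or heise: it parses an attachment as XML and flags exactly those constructs (`<script>`, `on*` attributes, `javascript:` URLs in `href`/`xlink:href`, and `<foreignObject>`, which can wrap arbitrary HTML), which is the check the text says many security solutions skip. The two SVG documents at the bottom are constructed for the example.

```python
"""Inspect an SVG e-mail attachment for active content.

Added example; not code from CERT.at or heise. BENIGN_SVG and LURE_SVG are
constructed samples.
"""
import re
import xml.etree.ElementTree as ET


def _local(qualified: str) -> str:
    """'{namespace}name' -> 'name', lower-cased, so matching ignores namespaces."""
    return qualified.rsplit("}", 1)[-1].lower()


def find_active_content(svg: bytes) -> list:
    """Return human-readable findings; an empty list means nothing executable was seen."""
    try:
        root = ET.fromstring(svg)
    except ET.ParseError as exc:
        # a mail gateway should treat an unparseable SVG as suspicious too
        return [f"unparseable SVG: {exc}"]
    findings = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name == "script":
            findings.append("<script> element")
        elif name == "foreignobject":
            findings.append("<foreignObject> element (embeds HTML)")
        for attr, value in elem.attrib.items():
            a = _local(attr)
            if a.startswith("on"):
                findings.append(f"event handler {a} on <{name}>")
            elif a == "href" and re.match(r"\s*javascript:", value, re.IGNORECASE):
                findings.append(f"javascript: URL on <{name}>")
    return findings


def should_quarantine(svg: bytes) -> bool:
    """Policy helper: quarantine an attachment as soon as any finding exists."""
    return bool(find_active_content(svg))


# constructed samples: a plain icon, and a lure that runs script on load and
# sends the victim to a credential-harvesting page
BENIGN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    b'<rect width="10" height="10" fill="red"/></svg>'
)
LURE_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" '
    b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">'
    b'<script>window.location="https://login.example.invalid/"</script>'
    b'<a xlink:href="javascript:void(0)"><text y="20">Open document</text></a>'
    b'</svg>'
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("lure", LURE_SVG)):
        print(label, find_active_content(doc) or "clean")
```

For a production gateway, parse untrusted mail with defusedxml rather than the standard parser, and remember that an SVG without any script can still be a lure if it simply draws a fake login form around a plain `https:` link; that case needs URL reputation, not this check.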
∗∗∗ GitLab patches high severity account takeover, missing auth issues ∗∗∗
---------------------------------------------
GitLab has released security updates to address multiple vulnerabilities in the company's DevSecOps platform, including ones enabling attackers to take over accounts and inject malicious jobs in future pipelines. The company released GitLab Community and Enterprise versions 18.0.2, 17.11.4, and 17.10.8 to address these security flaws and urged all admins to upgrade immediately.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/gitlab-patches-high-severity…
∗∗∗ Thunderbird: HTML mails can leak credentials, update available ∗∗∗
---------------------------------------------
Mozilla has released updates for Thunderbird. They plug a security hole in the display of HTML e-mails.
---------------------------------------------
https://www.heise.de/news/Thunderbird-HTML-Mails-koennen-Zugangsdaten-verra…
∗∗∗ Palo Alto patches high-risk holes in PAN-OS and GlobalProtect ∗∗∗
---------------------------------------------
Palo Alto Networks has issued security advisories for vulnerabilities in several products such as the PAN-OS operating system and the GlobalProtect app. Attackers can abuse the vulnerabilities to inject commands and execute them with elevated privileges, inject and execute malicious code, or view traffic without authorization.
---------------------------------------------
https://www.heise.de/news/Palo-Alto-stopft-hochriskante-Luecken-in-PAN-OS-u…
∗∗∗ Reflected Cross-Site Scripting in ONLYOFFICE Docs (DocumentServer) ∗∗∗
---------------------------------------------
ONLYOFFICE Docs was affected by a reflected cross-site scripting (XSS) issue when opening files via the WOPI protocol. Attackers could inject malicious scripts via crafted HTTP POST requests, which were reflected in the server's HTML response.
---------------------------------------------
https://sec-consult.com/vulnerability-lab/advisory/reflected-cross-site-scr…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (kernel), Debian (chromium, gst-plugins-bad1.0, node-tar-fs, and ublock-origin), Gentoo (Emacs, File-Find-Rule, GStreamer, GStreamer Plugins, GTK+ 3, LibreOffice, Node.js, OpenImageIO, Python, PyPy, Qt, X.Org X server, XWayland, and YAML-LibYAML), Mageia (mariadb and roundcubemail), Red Hat (go-toolset:rhel8, golang, grafana, grafana-pcp, gstreamer1-plugins-bad-free, libxml2, libxslt, mod_security, nodejs:20, and perl-FCGI:0.78), Slackware (mozilla), SUSE (docker, docker-compose, iputils, kernel, libsoup, open-vm-tools, rabbitmq-server, rabbitmq-server313, wget, and yelp), and Ubuntu (libsoup2.4 and webkit2gtk).
---------------------------------------------
https://lwn.net/Articles/1025208/
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 10-06-2025 18:00 − Mittwoch 11-06-2025 18:00
Handler: Alexander Riepl
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ Microsoft Outlook to block more risky attachments used in attacks ∗∗∗
---------------------------------------------
Microsoft announced it will expand the list of blocked attachments in Outlook Web and the new Outlook for Windows starting next month.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-outlook-to-block-m…
∗∗∗ ConnectWise rotating code signing certificates over security concerns ∗∗∗
---------------------------------------------
ConnectWise is warning customers that it is rotating the digital code signing certificates used to sign ScreenConnect, ConnectWise Automate, and ConnectWise RMM executables over security concerns.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/connectwise-rotating-code-si…
∗∗∗ Tens of thousands of surveillance cameras stream unprotected onto the internet ∗∗∗
---------------------------------------------
Surveillance cameras are everywhere: in subways, on doorbells and in elevators. Often one does not even notice them, because such small and inconspicuous models now exist. American security researchers now warn how easy it is for third parties to gain access to the feeds of such surveillance cameras. In a test, the experts at Bitsight were able to retrieve live feeds from a total of 40,000 internet-connected cameras.
---------------------------------------------
https://futurezone.at/digital-life/zehntausende-ueberwachungskameras-stream…
∗∗∗ Quasar RAT Delivered Through Bat Files, (Wed, Jun 11th) ∗∗∗
---------------------------------------------
RATs are popular malware. There are many of them in the wild, Quasar[1] being one of them. The malware has been active for a long time and new campaigns come regularly back on stage. I spotted an interesting .bat file (Windows script) that attracted my attention because it is very well obfuscated.
---------------------------------------------
https://isc.sans.edu/diary/rss/32036
∗∗∗ Trump Quietly Throws Out Biden's Cyber Policies ∗∗∗
---------------------------------------------
An anonymous reader quotes a report from Axios: President Trump quietly took a red pen to much of the Biden administration's cyber legacy in a little-noticed move late Friday. Under an executive order signed just before the weekend, Trump is tossing out some of the major touchstones of Biden's cyber policy legacy - while keeping a few others. The order preserves efforts around post-quantum cryptography, advanced encryption standards, and border gateway protocol security, along with the Cyber
---------------------------------------------
https://it.slashdot.org/story/25/06/10/2044217/trump-quietly-throws-out-bid…
∗∗∗ Unexplained phishing incidents around Booking.com ∗∗∗
---------------------------------------------
Hotels in South Tyrol are increasingly dealing with compromised Booking.com extranet accounts, which they use to communicate with guests. It is still unclear why.
---------------------------------------------
https://www.heise.de/news/Ungeklaerte-Phishing-Vorfaelle-rund-um-Booking-co…
∗∗∗ UEFI BIOS vulnerabilities: Secure Boot bypass and firmware replacement possible ∗∗∗
---------------------------------------------
Two different security vulnerabilities in various UEFI BIOS versions from several vendors allow the Secure Boot mechanism to be bypassed. In Insyde UEFI BIOSes, attackers can even replace the firmware. Vulnerable systems can thus be fully compromised. Proof-of-concept code for this is publicly available. System manufacturers are working on BIOS updates to close the vulnerabilities.
---------------------------------------------
https://www.heise.de/news/UEFI-BIOS-Luecken-SecureBoot-Umgehung-und-Firmwar…
∗∗∗ Reflective Kerberos Relay Attack Against Domain-Joined Windows Clients and Servers ∗∗∗
---------------------------------------------
RedTeam Pentesting has developed the Reflective Kerberos Relay Attack which remotely allows low-privileged Active Directory domain users to obtain NT AUTHORITY\SYSTEM privileges on domain-joined Windows computers. This vulnerability affects all domain-joined Windows hosts that do not require SMB signing of incoming connections. In their default configurations, this includes all Windows 10 and 11 versions up to 23H2 and all Windows Server versions including 2025 24H2 and excluding domain controllers.
---------------------------------------------
https://www.redteam-pentesting.de/en/advisories/rt-sa-2025-002/
∗∗∗ Inside Stealth Falcon’s Espionage Campaign Using a Microsoft Zero-Day ∗∗∗
---------------------------------------------
https://blog.checkpoint.com/research/inside-stealth-falcons-espionage-campa…
∗∗∗ UK cyber agency pushes for strategic policy agenda as government efforts stall ∗∗∗
---------------------------------------------
Following years-long delays in the United Kingdom bringing forward new cybersecurity legislation, what seems to be an increasingly exasperated National Cyber Security Centre (NCSC) called on Monday for the country to adopt a strategic policy agenda to tackle the growing risks.
---------------------------------------------
https://therecord.media/ncsc-pushes-uk-government-create-strategic-cyber-po…
∗∗∗ Operation Secure: INTERPOL Disrupts 20,000 Infostealer Domains, 32 Arrested ∗∗∗
---------------------------------------------
An international cybercrime operation coordinated by INTERPOL has led to the takedown of more than 20,000 malicious IPs and domains used to deploy infostealer malware across the Asia-Pacific region.
---------------------------------------------
https://hackread.com/operation-secure-interpol-disrupts-infostealer-domains/
∗∗∗ Hydroph0bia (CVE-2025-4275) - a trivial SecureBoot bypass for UEFI-compatible firmware based on Insyde H2O, part 1 ∗∗∗
---------------------------------------------
This post will be about a vulnerability I dubbed Hydroph0bia (as a pun on Insyde H2O) aka CVE-2025-4275 or INSYDE-SA-2025002.
---------------------------------------------
https://coderush.me/hydroph0bia-part1/
∗∗∗ NTLM reflection is dead, long live NTLM reflection! – An in-depth analysis of CVE-2025-33073 ∗∗∗
---------------------------------------------
For nearly two decades, Windows has been plagued with NTLM reflection vulnerabilities. In this article, we present CVE-2025-33073, a logical vulnerability which bypasses NTLM reflection mitigations and allows an authenticated remote attacker to execute arbitrary commands as SYSTEM on any machine which does not enforce SMB signing. The vulnerability discovery, the complete analysis of the root cause as well as the patch by Microsoft will be detailed in this blogpost.
---------------------------------------------
https://www.synacktiv.com/en/publications/ntlm-reflection-is-dead-long-live…
∗∗∗ Influencing LLM Output using logprobs and Token Distribution ∗∗∗
---------------------------------------------
What if you could influence an LLM's output not by breaking its rules, but by bending its probabilities? In this deep-dive, we explore how small changes in user input (down to a single token) can shift the balance between “true” and “false”, triggering radically different completions.
---------------------------------------------
https://blog.sicuranext.com/infuencing-llm-output-using-logprobs-and-token-…
∗∗∗ Software Supply Chain Attacks Have Surged in Recent Months ∗∗∗
---------------------------------------------
IT and software supply chain attacks have surged in recent months, as threat actors have gotten better at exploiting supply chain vulnerabilities, Cyble threat intelligence researchers reported this week. In a June 9 blog post, Cyble researchers said software supply chain attacks have grown from just under 13 a month during February-September 2024 to just over 16 a month from October 2024 to May 2025, an increase of 25%. However, the last two months have seen an average of nearly 25 cyberattacks with supply chain impact, a near-doubling of supply chain attacks from the year-ago period.
---------------------------------------------
https://thecyberexpress.com/software-supply-chain-attacks-have-surged/
∗∗∗ Undocumented root shell access in SIMCom modem ∗∗∗
---------------------------------------------
The SIMCom SIM7600G modem supports an undocumented AT command that allows a local/physical attacker to execute system commands with root privileges on the modem. The status of the removal of the backdoor command is unclear, as the vendor stopped responding after numerous attempts at contact.
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/undocumented-root-she…
=====================
= Vulnerabilities =
=====================
∗∗∗ New Secure Boot flaw lets attackers install bootkit malware, patch now ∗∗∗
---------------------------------------------
Security researchers have disclosed a new Secure Boot bypass tracked as CVE-2025-3052 that can be used to turn off security on PCs and servers and install bootkit malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-secure-boot-flaw-lets-at…
∗∗∗ Patch Tuesday, June 2025 Edition ∗∗∗
---------------------------------------------
Microsoft today released security updates to fix at least 67 vulnerabilities in its Windows operating systems and software. Redmond warns that one of the flaws is already under active attack, and that software blueprints showing how to exploit a pervasive Windows bug patched this month are now public.
---------------------------------------------
https://krebsonsecurity.com/2025/06/patch-tuesday-june-2025-edition/
∗∗∗ Microsoft Patch Tuesday for June 2025 — Snort rules and prominent vulnerabilities ∗∗∗
---------------------------------------------
Microsoft has released its monthly security update for June 2025, which includes 66 vulnerabilities affecting a range of products, including 10 that Microsoft marked as “critical.”
---------------------------------------------
https://blog.talosintelligence.com/microsoft-patch-tuesday-june-2025/
∗∗∗ Two Mirai Botnets, Lzrd and Resgod Spotted Exploiting Wazuh Flaw ∗∗∗
---------------------------------------------
Cybersecurity experts at Akamai have uncovered a new threat: two separate botnets are actively exploiting a critical flaw in the Wazuh security software, an open-source XDR and SIEM solution, to spread the Mirai malware. This vulnerability, tracked as CVE-2025-24016, affects Wazuh versions 4.4.0 through 4.9.0 and has since been fixed in version 4.9.1. It lets attackers run their own code on a target server by sending a specially crafted request through Wazuh’s API, thereby allowing them to take control of affected servers remotely.
---------------------------------------------
https://hackread.com/two-mirai-botnets-lzrd-resgod-exploiting-wazuh-flaw/
∗∗∗ TBK DVRs Botnet Attack ∗∗∗
---------------------------------------------
Threat Actors are actively exploiting CVE-2024-3721, a command injection vulnerability in TBK DVR devices (Digital Video Recorders). This flaw allows unauthenticated remote code execution (RCE) via crafted HTTP requests to the endpoint. The compromised devices are being conscripted into a botnet capable of conducting DDoS attacks. If successfully exploited, there is a potential for significant disruption from DDoS attacks, lateral movement, or further malware delivery.
---------------------------------------------
https://fortiguard.fortinet.com/threat-signal-report/6127
∗∗∗ Patch day: code-execution vulnerabilities closed in Adobe Acrobat, InDesign and others ∗∗∗
---------------------------------------------
Attackers can exploit security vulnerabilities (CVE-2025-43573 / EUVD-2025-17828) in Adobe Acrobat, Commerce, Experience Manager, InCopy, InDesign, Substance 3D Painter and Substance 3D Sampler. As part of the June patch day, Adobe is providing updates for download.
---------------------------------------------
https://heise.de/-10439601
∗∗∗ The June 2025 Security Update Review ∗∗∗
---------------------------------------------
https://www.thezdi.com/blog/2025/6/10/the-june-2025-security-update-review
∗∗∗ Security Vulnerabilities fixed in Thunderbird 139.0.2 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-50/
∗∗∗ Security Vulnerabilities fixed in Thunderbird 128.11.1 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-49/
=====================
= End-of-Day report =
=====================
Timeframe: Friday 06-06-2025 18:00 − Tuesday 10-06-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Over 84,000 Roundcube instances vulnerable to actively exploited flaw ∗∗∗
---------------------------------------------
Over 84,000 instances of the Roundcube webmail software are vulnerable to CVE-2025-49113, a critical remote code execution (RCE) vulnerability with a publicly available exploit.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/over-84-000-roundcube-instan…
∗∗∗ FIN6 hackers pose as job seekers to backdoor recruiters’ devices ∗∗∗
---------------------------------------------
In a twist on typical hiring-related social engineering attacks, the FIN6 hacking group impersonates job seekers to target recruiters, using convincing resumes and phishing sites to deliver malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fin6-hackers-pose-as-job-see…
∗∗∗ Windows: design flaw allows group policies to be circumvented ∗∗∗
---------------------------------------------
A design flaw lurks in Windows that allows normal users and malware to override group policies set by administrators. A report by ..
---------------------------------------------
https://www.golem.de/news/windows-designproblem-erlaubt-aushebeln-von-grupp…
∗∗∗ Chinese spy crew appears to be preparing for conflict by backdooring 75+ critical orgs ∗∗∗
---------------------------------------------
SentinelOne discovered the campaign when they tried to hit the security vendor's own servers. An IT services company, a European media group, and a South Asian government entity are among the more than 75 companies where China-linked groups have planted malware to access strategic networks should a conflict break out.
---------------------------------------------
https://www.theregister.com/2025/06/09/china_malware_flip_switch_sentinelon…
∗∗∗ DanaBleed: DanaBot C2 Server Memory Leak Bug ∗∗∗
---------------------------------------------
DanaBot is a Malware-as-a-Service (MaaS) platform that has been active since 2018. DanaBot operates on an affiliate model, where the malware developer sells access to customers who then distribute and use the malware for activities like credential theft and banking fraud. The developer is responsible for creating the malware, maintaining the ..
---------------------------------------------
https://www.zscaler.com/blogs/security-research/danableed-danabot-c2-server…
∗∗∗ Microsoft: remedy for security vulnerability caused by deleted "inetpub" folder ∗∗∗
---------------------------------------------
A Windows update created an "inetpub" folder. If it is deleted, this may block further updates. A script helps.
---------------------------------------------
https://www.heise.de/news/Microsoft-Abhilfe-fuer-Sicherheitsluecke-durch-ge…
∗∗∗ SAP patch day: another critical security vulnerability in NetWeaver ∗∗∗
---------------------------------------------
On its June patch day, SAP addresses partly critical security vulnerabilities in its products from Walldorf in 14 new security notes.
---------------------------------------------
https://www.heise.de/news/SAP-Patchday-Erneut-kritische-Sicherheitsluecke-i…
∗∗∗ Malvertising: searching for standard Mac commands delivers infostealers ∗∗∗
---------------------------------------------
A perfidious scheme: when searching for standard macOS commands, pages appear that display commands for installing malware.
---------------------------------------------
https://www.heise.de/news/Malvertising-Suche-nach-Standardbefehlen-fuer-Mac…
∗∗∗ Phishing alert: ex-employee is not giving away discount codes! ∗∗∗
---------------------------------------------
Videos and posts on social media platforms create the impression that a dismissed employee of a large retail company is giving away discount codes as revenge on her former employer. In reality, this is nothing more than a simple phishing trap.
---------------------------------------------
https://www.watchlist-internet.at/news/phishing-alarm-rabattcodes/
∗∗∗ Fake e-mails in the name of the WKO in circulation! ∗∗∗
---------------------------------------------
Fraudulent e-mails are currently circulating that claim to come from the Austrian Economic Chamber (Wirtschaftskammer Österreich, WKO). In these forged messages, business owners are asked to pay the 2025 chamber levy (Kammerumlage) and at the same time are lured into disclosing their WKO login credentials.
---------------------------------------------
https://www.watchlist-internet.at/news/falsche-e-mails-im-namen-der-wko-im-…
∗∗∗ The Evolution of Linux Binaries in Targeted Cloud Operations ∗∗∗
---------------------------------------------
Using data from machine learning tools, we predict a surge in cloud attacks leveraging reworked Linux Executable and Linkage Format (ELF) files.
---------------------------------------------
https://unit42.paloaltonetworks.com/elf-based-malware-targets-cloud/
∗∗∗ New hacker group uses LockBit ransomware variant to target Russian companies ∗∗∗
---------------------------------------------
In its latest campaign this spring, DarkGaboon was observed deploying LockBit 3.0 ransomware against victims in Russia, Positive Technologies said in a report last week.
---------------------------------------------
https://therecord.media/new-hacker-group-lockbit-target-russia
∗∗∗ Spyware maker cuts ties with Italy after government refused audit into hack of journalist’s phone ∗∗∗
---------------------------------------------
Israel-based spyware maker Paragon and Italy's government had a falling out over the company's offer to help investigate what happened on journalist Francesco Cancellato's phone.
---------------------------------------------
https://therecord.media/paragon-spyware-maker-cuts-ties-italy-government
∗∗∗ Coordinated Brute Force Activity Targeting Apache Tomcat Manager Indicates Possible Upcoming Threats ∗∗∗
---------------------------------------------
GreyNoise recently observed a coordinated spike in malicious activity against Apache Tomcat Manager interfaces.
---------------------------------------------
https://www.greynoise.io/blog/coordinated-brute-force-activity-targeting-ap…
∗∗∗ Bitsight Identifies Thousands of Security Cameras Openly Accessible on the Internet ∗∗∗
---------------------------------------------
In our latest research at Bitsight TRACE, we found over 40,000 exposed cameras streaming live on the internet. No passwords. No protections. Just out there. We first raised the alarm in 2023, and based on this latest study, the situation hasn’t gotten any better.
---------------------------------------------
https://www.bitsight.com/blog/bitsight-identifies-thousands-of-compromised-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (golang, nodejs22, thunderbird, and varnish), Debian (gimp, modsecurity-apache, python-tornado, and roundcube), Fedora (chromium, coreutils, fcgi, ghostscript, krb5, libvpx, mingw-gstreamer1-plugins-bad-free, mingw-libsoup, mod_security, and samba), Mageia (php-adodb, systemd, and tomcat), Red Hat (buildah, firefox, glibc, grafana, kernel, libsoup, libxslt, mod_security, perl-FCGI, podman, python-tornado, and skopeo), Slackware (libvpx), and SUSE ..
---------------------------------------------
https://lwn.net/Articles/1024625/
∗∗∗ Security Vulnerabilities fixed in Firefox 139.0.4 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-47/
∗∗∗ June Security Update ∗∗∗
---------------------------------------------
https://www.ivanti.com/blog/june-security-update
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 05-06-2025 18:00 − Friday 06-06-2025 18:00
Handler: Guenes Holler
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ Hacker selling critical Roundcube webmail exploit as tech info disclosed ∗∗∗
---------------------------------------------
Hackers are actively exploiting CVE-2025-49113, a critical vulnerability in the widely used Roundcube open-source webmail application that allows remote execution.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hacker-selling-critical-roun…
∗∗∗ FBI: BADBOX 2.0 Android malware infects millions of consumer devices ∗∗∗
---------------------------------------------
The FBI is warning that the BADBOX 2.0 malware campaign has infected over 1 million home Internet-connected devices, converting consumer electronics into residential proxies that are used for malicious activity.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fbi-badbox-20-android-malwar…
∗∗∗ Critical Fortinet flaws now exploited in Qilin ransomware attacks ∗∗∗
---------------------------------------------
The Qilin ransomware operation has recently joined attacks exploiting two Fortinet vulnerabilities that allow bypassing authentication on vulnerable devices and executing malicious code remotely.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/critical-fortinet-flaws-now-…
∗∗∗ Analysis of the latest Mirai wave exploiting TBK DVR devices with CVE-2024-3721 ∗∗∗
---------------------------------------------
Kaspersky GReAT experts describe the new features of a Mirai variant: the latest botnet infections target TBK DVR devices with CVE-2024-3721.
---------------------------------------------
https://securelist.com/mirai-botnet-variant-targets-dvr-devices-with-cve-20…
∗∗∗ Popular Chrome Extensions Leak API Keys, User Data via HTTP and Hard-Coded Credentials ∗∗∗
---------------------------------------------
Cybersecurity researchers have flagged several popular Google Chrome extensions that have been found to transmit data in HTTP and hard-code secrets in their code, exposing users to privacy and security risks. "Several widely used extensions [...] unintentionally transmit sensitive data over simple HTTP," Yuanjing Guo, a security researcher in the Symantec's Security Technology and ..
---------------------------------------------
https://thehackernews.com/2025/06/popular-chrome-extensions-leak-api-keys.h…
∗∗∗ AT&T not sure if new customer data dump is déjà vu ∗∗∗
---------------------------------------------
Re-selling info from an earlier breach? Probably. But which one? AT&T is investigating claims that millions of its customers' data are listed for sale on a cybercrime forum in what appears to be a re-release from an earlier hack.
---------------------------------------------
https://www.theregister.com/2025/06/05/att_investigates_data_dump/
∗∗∗ Turning Off the (Information) Flow: Working With the EPA to Secure Hundreds of Exposed Water HMIs ∗∗∗
---------------------------------------------
In October 2024, Censys researchers discovered nearly 400 web-based HMIs for U.S. water facilities exposed online. These were identified via TLS certificate analysis and confirmed through screenshot ..
---------------------------------------------
https://censys.com/blog/turning-off-the-information-flow-working-with-the-e…
∗∗∗ Blitz Malware: A Tale of Game Cheats and Code Repositories ∗∗∗
---------------------------------------------
Blitz malware, active since 2024 and updated in 2025, was spread via game cheats. We discuss its infection vector and abuse of Hugging Face for C2.
---------------------------------------------
https://unit42.paloaltonetworks.com/blitz-malware-2025/
∗∗∗ DDoS attacks on Austrian companies and organisations ∗∗∗
---------------------------------------------
We are currently receiving an increasing number of reports from Austrian companies and organisations about DDoS attacks against their systems and networks. The targets are in a wide variety of areas and sectors; no particular focus of the criminals can be identified so far. In some attacks there are clear indications ..
---------------------------------------------
https://www.cert.at/de/aktuelles/2025/6/ddos-angriffe-auf-osterreichische-u…
∗∗∗ Nigeria jails 9 Chinese nationals for being part of international cyberfraud syndicate ∗∗∗
---------------------------------------------
The group was arrested in December as part of a raid that included 599 Nigerians and 193 other foreign nationals, many of them Chinese, on suspicion of being involved in a range of online crimes.
---------------------------------------------
https://therecord.media/nigeria-jails-9-chinese-nationals-cyber-fraud
∗∗∗ Unsecured Database Exposes Data of 3.6 Million Passion.io Creators ∗∗∗
---------------------------------------------
A massive data leak has put the personal information of over 3.6 million app creators, influencers, and ..
---------------------------------------------
https://hackread.com/unsecured-database-exposes-passion-io-creators-data/
∗∗∗ NICKNAME: Zero-Click iMessage Exploit Targeted Key Figures in US, EU ∗∗∗
---------------------------------------------
iVerify’s NICKNAME discovery reveals a zero-click iMessage flaw exploited in targeted attacks on US & EU ..
---------------------------------------------
https://hackread.com/nickname-zero-click-imessage-exploit-figures-us-eu/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (go-toolset:rhel8, golang, nodejs:20, nodejs:22, openssh, and python36:3.6), Debian (edk2, libfile-find-rule-perl, and webkit2gtk), Fedora (emacs, libvpx, perl-FCGI, and seamonkey), Mageia (cifs-utils), Red Hat (containernetworking-plugins, go-toolset:rhel8, golang, gvisor-tap-vsock, krb5, mod_auth_openidc:2.3, protobuf, and thunderbird), Slackware (seamonkey), SUSE (gimp, gnutls, haproxy, opensaml, openssh, openvpn, python-cryptography, ..
---------------------------------------------
https://lwn.net/Articles/1024317/
∗∗∗ CISA Releases Seven Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
CISA released seven Industrial Control Systems (ICS) advisories on June 5, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
ICSA-25-155-01 CyberData 011209 SIP Emergency Intercom
ICSA-25-155-02 Hitachi Energy Relion 670, 650 series and SAM600-IO Product
ICSA-21-049-02 Mitsubishi Electric FA ..
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/06/05/cisa-releases-seven-indu…
∗∗∗ ZDI-25-325: Hewlett Packard Enterprise Insight Remote Support processAttachmentDataStream Directory Traversal Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-325/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 04-06-2025 18:00 − Thursday 05-06-2025 18:00
Handler: Felician Fuchs
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ BidenCash carding market domains seized in international operation ∗∗∗
---------------------------------------------
Earlier today, law enforcement seized multiple domains of BidenCash, the infamous dark web market for stolen credit cards, personal information, and SSH access.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/bidencash-carding-market-dom…
∗∗∗ Cisco warns of ISE and CCP flaws with public exploit code ∗∗∗
---------------------------------------------
Cisco has released patches to address three vulnerabilities with public exploit code in its Identity Services Engine (ISE) and Customer Collaboration Platform (CCP) solutions.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisco-warns-of-ise-and-ccp-f…
∗∗∗ Researchers Bypass Deepfake Detection With Replay Attacks ∗∗∗
---------------------------------------------
An international group of researchers found that simply rerecording deepfake audio with natural acoustics in the background allows it to bypass detection models at a higher-than-expected rate.
---------------------------------------------
https://www.darkreading.com/cybersecurity-analytics/researchers-bypass-deep…
∗∗∗ For data theft: hackers hijack Salesforce accounts en masse ∗∗∗
---------------------------------------------
Security researchers from the Google Threat Intelligence Group (GTIG) warn of ongoing vishing (voice phishing) attacks aimed at gaining access to Salesforce instances and exfiltrating confidential company data from them in bulk.
---------------------------------------------
https://www.golem.de/news/fuer-datenklau-hacker-kapern-reihenweise-salesfor…
∗∗∗ Be Careful With Fake Zoom Client Downloads ∗∗∗
---------------------------------------------
Collaborative tools are really popular these days. Since the COVID-19 pandemic, many people switched to remote work positions and we need to collaborate with our colleagues or customers every day. Tools like Microsoft Teams, Zoom, WebEx (name your best solution) became popular and must be regularly updated. Yesterday, I received an interesting email with a fake Zoom meeting invitation.
---------------------------------------------
https://isc.sans.edu/diary/rss/32014
∗∗∗ AI kept 15-year-old zombie vuln alive, but its time is drawing near ∗∗∗
---------------------------------------------
Despite multiple developer warnings about the 2010 GitHub Gist containing the path traversal vulnerability in 2012, 2014, and 2018, the flaw appeared in MDN Web Docs documentation and a Stack Overflow snippet. From there, it took up residence in large language models (LLMs) trained on the flawed examples.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/06/05/llm_kept_per…
∗∗∗ Musikhaus Thomann: criminals lure victims into fake shops ∗∗∗
---------------------------------------------
The success of the music mail-order retailer is increasingly attracting fraudsters. They replicate the original online shop in detail and offer products at unrealistically low prices. Anyone who orders there receives nothing, but loses money. We reveal how to recognise the fakes most easily.
---------------------------------------------
https://www.watchlist-internet.at/news/musikhaus-thomann-fake-shops/
∗∗∗ Newly identified wiper malware "PathWiper" targets critical infrastructure in Ukraine ∗∗∗
---------------------------------------------
Cisco Talos observed a destructive attack on a critical infrastructure entity within Ukraine, using a previously unknown wiper we are calling "PathWiper".
---------------------------------------------
https://blog.talosintelligence.com/pathwiper-targets-ukraine/
∗∗∗ Updated Guidance on Play Ransomware ∗∗∗
---------------------------------------------
CISA, the Federal Bureau of Investigation (FBI), and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) have issued an updated advisory on Play ransomware, also known as Playcrypt. This advisory highlights new tactics, techniques, and procedures used by the Play ransomware group and provides updated indicators of compromise (IOCs) to enhance threat detection. Since June 2022, Playcrypt has targeted diverse businesses and critical infrastructure across North America, South America, and Europe, becoming one of the most active ransomware groups in 2024. The FBI has identified approximately 900 entities allegedly exploited by these ransomware actors as of May 2025.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/06/04/updated-guidance-play-ra…
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco Integrated Management Controller Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the SSH connection handling of Cisco Integrated Management Controller (IMC) for Cisco UCS B-Series, UCS C-Series, UCS S-Series, and UCS X-Series Servers could allow an authenticated, remote attacker to access internal services with elevated privileges.
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Nexus Dashboard Fabric Controller SSH Host Key Validation Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the SSH implementation of Cisco Nexus Dashboard Fabric Controller (NDFC) could allow an unauthenticated, remote attacker to impersonate Cisco NDFC-managed devices. This vulnerability is due to insufficient SSH host key validation.
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Identity Services Engine on Cloud Platforms Static Credential Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI) cloud deployments of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to access sensitive data, execute limited administrative operations, modify system configurations, or disrupt services within the impacted systems.
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Security updates: Dell fixes PowerScale OneFS and Bluetooth driver ∗∗∗
---------------------------------------------
Attackers can exploit a vulnerability in Dell's NAS operating system PowerScale OneFS to delete files. In addition, a flaw in the Bluetooth driver makes countless Dell PCs vulnerable. Security updates are available for download.
---------------------------------------------
https://www.heise.de/news/Sicherheitsupdates-Dell-repariert-PowerScale-OneF…
∗∗∗ VMware NSX: High-risk security vulnerability patched ∗∗∗
---------------------------------------------
Broadcom warns of security vulnerabilities, some of them high-risk, in the network virtualization and security platform VMware NSX. Among other things, attackers can inject and execute malicious code. IT managers should promptly update to the fixed versions.
---------------------------------------------
https://www.heise.de/news/VMware-NSX-Hochriskante-Sicherheitsluecke-gestopf…
∗∗∗ Acronis Cyber Protect: Several security vulnerabilities, some critical ∗∗∗
---------------------------------------------
The vendor has discovered several security vulnerabilities, some of them highly critical, in the extensive antivirus and backup software Acronis Cyber Protect. The developers close them with updated software.
---------------------------------------------
https://www.heise.de/news/Acronis-Cyber-Protect-Mehrere-teils-kritische-Sic…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium and mariadb-10.5), Oracle (firefox, ghostscript, git, go-toolset:ol8, golang, kernel, krb5, mingw-freetype and spice-client-win, nodejs:20, nodejs:22, perl-CPAN, python36:3.6, rsync, varnish, and varnish:6), Red Hat (firefox, thunderbird, and webkit2gtk3), Slackware (curl and python3), SUSE (apache-commons-beanutils, apache2-mod_security2, avahi, buildkit, ca-certificates-mozilla, cloud-regionsrv-client, cloud-regionsrv-client, python-toml, containerd, containerized-data-importer, cups, curl, dnsmasq, docker, elemental-operator, elemental-toolkit, expat, firefox, freetype2, gdk-pixbuf, git, glib2, glibc, gnuplot, gnutls, gpg2, gstreamer, gstreamer-plugins-base, gtk3, haproxy, helm, java-17-openjdk, java-1_8_0-openjdk, keepalived, kernel, kernel-firmware, krb5, kubevirt, less, libarchive, libcryptopp, libdb-4_8, libndp, libpcap, libsoup, libtasn1, libvirt, libX11, libxml2, libxslt, Mesa, mozilla-nss, nghttp2, nvidia-open-driver-G06-signed, opensc, openssh, openssl-3, openssl-3, libpulp, ulp-macros, orc, pam, pam_pkcs11, pam_u2f, patch, pcp, pcr-oracle, shim, perl-Crypt-OpenSSL-RSA, podman, postgresql16, procps, protobuf, python-dnspython, python-Jinja2, python-requests, python-setuptools, python-tornado6, python-urllib3, python311, python311, python-rpm-macros, qemu, rsync, runc, rust-keylime, selinux-policy, sevctl, skopeo, sssd, SUSE Manager Client Tools, systemd, thunderbird, tiff, tpm2.0-tools, tpm2-0-tss, u-boot, ucode-intel, unbound, util-linux, vim, wget, and wpa_supplicant), and Ubuntu (linux-nvidia, python-django, twitter-bootstrap3, twitter-bootstrap4, and wireshark).
---------------------------------------------
https://lwn.net/Articles/1024158/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 03-06-2025 18:00 − Wednesday 04-06-2025 18:00
Handler: Felician Fuchs
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Coinbase breach tied to bribed TaskUs support agents in India ∗∗∗
---------------------------------------------
A recently disclosed data breach at Coinbase has been linked to India-based customer support representatives from outsourcing firm TaskUs, who threat actors bribed to steal data from the crypto exchange.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/coinbase-breach-tied-to-brib…
∗∗∗ Sandbox bypass: Meta and Yandex de-anonymize Android users ∗∗∗
---------------------------------------------
Security researchers uncover a method by which Meta and Yandex have converted ephemeral web identifiers into persistent user identities.
---------------------------------------------
https://www.golem.de/news/umgehung-des-sandboxings-meta-und-yandex-de-anony…
∗∗∗ The strange tale of ischhfd83: When cybercriminals eat their own ∗∗∗
---------------------------------------------
This investigation is a good example of how threats can be much more complex than they first appear. From an initial customer query about a new RAT, we uncovered a significant amount of backdoored GitHub repositories, containing multiple kinds of backdoors.
---------------------------------------------
https://news.sophos.com/en-us/2025/06/04/the-strange-tale-of-ischhfd83-when…
∗∗∗ Acreed infostealer poised to replace Lumma after global crackdown ∗∗∗
---------------------------------------------
The Acreed malware, which emerged earlier this year, is gaining ground with cybercriminals who otherwise might have used the Lumma infostealer, researchers said.
---------------------------------------------
https://therecord.media/acreed-infostealer-arises-after-lumma-takedown
∗∗∗ Attacks underway: Connectwise, Craft CMS and Asus routers targeted ∗∗∗
---------------------------------------------
CISA warns of attacks on security flaws in Connectwise ScreenConnect, Craft CMS and Asus routers. Updates are available.
---------------------------------------------
https://heise.de/-10424978
=====================
= Vulnerabilities =
=====================
∗∗∗ Android Patchday: Attackers can gain elevated privileges ∗∗∗
---------------------------------------------
Important security updates close several vulnerabilities in Android 13, 14 and 15. Attackers are attacking devices with Qualcomm processors.
---------------------------------------------
https://www.heise.de/news/Patchday-Android-Angreifer-koennen-sich-hoehere-R…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (git, krb5, perl-CPAN, and rsync), Debian (tcpdf), Fedora (libmodsecurity, lua-http, microcode_ctl, and nextcloud), Red Hat (osbuild-composer), SUSE (389-ds, avahi, ca-certificates-mozilla, docker, expat, freetype2, glib2, gnuplot, gnutls, golang-github-teddysun-v2ray-plugin, golang-github-v2fly-v2ray-core, govulncheck-vulndb, helm, iperf, kernel, kernel-livepatch-MICRO-6-0_Update_2, kernel-livepatch-MICRO-6-0_Update_4, krb5, libarchive, libsoup, libsoup2, libtasn1, libX11, libxml2, libxslt, orc, podman, python-Jinja2, python-requests, python3-setuptools, python310, python311, python39, rubygem-rack, sslh, SUSE Manager Client Tools, SUSE Manager Client Tools and Salt Bundle, ucode-intel, util-linux, and wget), and Ubuntu (libvpx, linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-azure, linux-gcp, linux-gke, linux-gkeop, linux-ibm, linux-intel-iotg, linux-kvm, linux-lowlatency, linux-nvidia-tegra, linux-oracle, linux, linux-aws, linux-kvm, linux-aws, linux-lts-xenial, linux-aws-fips, linux-azure-fips, linux-fips, linux-gcp-fips, linux-aws-fips, linux-gcp-fips, linux-azure-fde, linux-fips, and linux-intel-iot-realtime, linux-realtime).
---------------------------------------------
https://lwn.net/Articles/1023793/
∗∗∗ ZDI-25-324: Sante DICOM Viewer Pro DCM File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-324/
∗∗∗ ZDI-25-323: Action1 Uncontrolled Search Path Element Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-323/
∗∗∗ ZDI-25-321: GIMP ICO File Parsing Integer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-321/
∗∗∗ Critical Vulnerability in multiple Mitsubishi Electric MELSEC iQ-F Series Products ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-153-03
∗∗∗ Critical Vulnerability in Schneider Electric Wiser Home Automation ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-153-01
=====================
= End-of-Day report =
=====================
Timeframe: Monday 02-06-2025 18:00 − Tuesday 03-06-2025 18:00
Handler: Felician Fuchs
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ Malicious RubyGems pose as Fastlane to steal Telegram API data ∗∗∗
---------------------------------------------
Two malicious RubyGems packages posing as popular Fastlane CI/CD plugins redirect Telegram API requests to attacker-controlled servers to intercept and steal data.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malicious-rubygems-pose-as-f…
∗∗∗ Android Trojan Crocodilus Now Active in 8 Countries, Targeting Banks and Crypto Wallets ∗∗∗
---------------------------------------------
A growing number of malicious campaigns have leveraged a recently discovered Android banking trojan called Crocodilus to target users in Europe and South America. The malware, according to a new report published by ThreatFabric, has also adopted improved obfuscation techniques to hinder analysis and detection, and includes the ability to create new contacts in the victim's contacts list.
---------------------------------------------
https://thehackernews.com/2025/06/android-trojan-crocodilus-now-active-in.h…
∗∗∗ How Good Are the LLM Guardrails on the Market? A Comparative Study on the Effectiveness of LLM Content Filtering Across Major GenAI Platforms ∗∗∗
---------------------------------------------
We compare the effectiveness of content filtering guardrails across major GenAI platforms and identify common failure cases across different systems. [..] A Comparative Study on the Effectiveness of LLM Content Filtering Across Major GenAI Platforms appeared first on Unit 42.
---------------------------------------------
https://unit42.paloaltonetworks.com/comparing-llm-guardrails-across-genai-p…
∗∗∗ Cyberattacks Hit Top Retailers: Cartier, North Face Among Latest Victims ∗∗∗
---------------------------------------------
North Face, Cartier, and Next Step Healthcare are the latest victims in a string of cyberattacks compromising customer data. Explore the methods used by attackers and the wider impact on retail security.
---------------------------------------------
https://hackread.com/cyberattacks-retailers-cartier-north-face-victims/
∗∗∗ Inside RansomHub: Tactics, Targets, and What It Means for You ∗∗∗
---------------------------------------------
What is RansomHub ransomware? We dive into the group's TTPs, latest attacks and news, & mitigation strategies you should know in 2025.
---------------------------------------------
https://www.bitsight.com/blog/guide-to-ransomhub-ransomware-2025
=====================
= Vulnerabilities =
=====================
∗∗∗ Google patches actively exploited Chrome vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the V8 JavaScript engine of Google Chrome allows attackers to read and write outside the intended memory bounds. An exploit for this vulnerability has appeared in the wild, so it is apparently already being attacked.
---------------------------------------------
https://www.heise.de/news/Google-stopft-attackierte-Luecke-in-Chrome-104232…
∗∗∗ Security update: Various attacks on HPE StoreOnce possible ∗∗∗
---------------------------------------------
Eight software vulnerabilities in HPE's backup solution StoreOnce make systems attackable. Among them is a "critical" flaw. Via further attacks, malicious code can reach PCs. A version protected against possible attacks is available for download now.
---------------------------------------------
https://www.heise.de/news/Sicherheitsupdate-Vielfaeltige-Attacken-auf-HPE-S…
∗∗∗ Attackers can attack Roundcube Webmail with malicious code ∗∗∗
---------------------------------------------
Web admins should promptly bring their Roundcube Webmail instances up to date. In the current releases the developers have closed a security vulnerability through which malicious code can reach systems.
---------------------------------------------
https://www.heise.de/news/Kritische-Schadcode-Luecke-bedroht-Roundcube-Webm…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (varnish), Debian (asterisk and roundcube), Fedora (systemd), Mageia (golang), Red Hat (ghostscript, perl-CPAN, python36:3.6, and rsync), SUSE (govulncheck-vulndb, libsoup-2_4-1, and postgresql, postgresql16, postgresql17), and Ubuntu (mariadb, open-vm-tools, php-twig, and python-tornado).
---------------------------------------------
https://lwn.net/Articles/1023625/
∗∗∗ SVD-2025-0604: Third-Party Package Updates in Splunk Universal Forwarder - June 2025 ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2025-0604
∗∗∗ SVD-2025-0603: Third-Party Package Updates in Splunk Enterprise - June 2025 ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2025-0603
∗∗∗ SVD-2025-0602: Incorrect permission assignment on Universal Forwarder for Windows during new installation or upgrade ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2025-0602
=====================
= End-of-Day report =
=====================
Timeframe: Friday 30-05-2025 18:00 − Monday 02-06-2025 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Exploit details for max severity Cisco IOS XE flaw now public ∗∗∗
---------------------------------------------
Technical details about a maximum-severity Cisco IOS XE WLC arbitrary file upload flaw tracked as CVE-2025-20188 have been made publicly available, bringing us closer to a working exploit.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/exploit-details-for-max-seve…
∗∗∗ German defense contractor: Cyber gang leaks internal data from Rheinmetall ∗∗∗
---------------------------------------------
The German defense contractor Rheinmetall has apparently become the target of a cyberattack in which confidential data fell into the hands of the attackers. The hacker group Babuk2 had already added Rheinmetall to its data leak site on April 4. Now Tagesschau.de reported that the NRW data protection authority as well as the Federal Office for Information Security (BSI) have also been informed about the incident.
---------------------------------------------
https://www.golem.de/news/deutscher-ruestungskonzern-cybergang-leakt-intern…
∗∗∗ Fake Recruiter Emails Target CFOs Using Legit NetBird Tool Across 6 Global Regions ∗∗∗
---------------------------------------------
Cybersecurity researchers have warned of a new spear-phishing campaign that uses a legitimate remote access tool called Netbird to target Chief Financial Officers (CFOs) and financial executives at banks, energy companies, insurers, and investment firms across Europe, Africa, Canada, the Middle East, and South Asia.
---------------------------------------------
https://thehackernews.com/2025/06/fake-recruiter-emails-target-cfos-using.h…
∗∗∗ Mysterious leaker GangExposed outs Conti kingpins in massive ransomware data dump ∗∗∗
---------------------------------------------
A mystery whistleblower calling himself GangExposed has exposed key figures behind the Conti and Trickbot ransomware crews, publishing a trove of internal files and naming names. The leaks include thousands of chat logs, personal videos, and ransom negotiations tied to some of the most notorious cyber-extortion gangs — believed to have raked in billions from companies, hospitals, and individuals worldwide.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/05/31/gangexposed_…
∗∗∗ RCEs and more in the KUNBUS GmbH Revolution Pi PLC ∗∗∗
---------------------------------------------
We found four vulnerabilities by downloading and extracting Revolution Pi’s latest firmware version (01/2025). We didn’t even need to buy the device, although one would look great on our ICS demo rig! All were found with static code analysis but demonstrated by installing the firmware to a standard Raspberry Pi.
---------------------------------------------
https://www.pentestpartners.com/security-blog/rces-and-more-in-the-kunbus-g…
∗∗∗ The remote desktop puzzle. DFIR techniques for dealing with RDP Bitmap Cache ∗∗∗
---------------------------------------------
A lot of people are aware of RDP and what its functions are. It’s known for providing remote access and making life easier for administrators and users. With that comes insight for forensic investigators, regarding the ‘bitmap cache’. This is often overlooked, but when analysed correctly can provide some great understanding about what’s happened on a system.
---------------------------------------------
https://www.pentestpartners.com/security-blog/the-remote-desktop-puzzle-dfi…
∗∗∗ LOLCLOUD - Azure Arc - C2aaS ∗∗∗
---------------------------------------------
Exploring Azure Arc’s overlooked C2aaS potential. Attacking and Defending against its usage and exploring usecases.
---------------------------------------------
https://blog.zsec.uk/azure-arc-c2aas/
=====================
= Vulnerabilities =
=====================
∗∗∗ New Linux Flaws Allow Password Hash Theft via Core Dumps in Ubuntu, RHEL, Fedora ∗∗∗
---------------------------------------------
Tracked as CVE-2025-5054 and CVE-2025-4598, both vulnerabilities are race condition bugs that could enable a local attacker to obtain access to sensitive information. Tools like Apport and systemd-coredump are designed to handle crash reporting and core dumps in Linux systems.
---------------------------------------------
https://thehackernews.com/2025/05/new-linux-flaws-allow-password-hash.html
∗∗∗ 2025-06-02: Cyber Security Advisory - ELSB/Home Solutions Outdated SW Components in ABB Welcome IP-Gateway ∗∗∗
---------------------------------------------
An attacker who successfully exploits these vulnerabilities could potentially gain unauthorized access and potentially compromise the system's - and log-file - confidentiality, integrity and availability.
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=9AKK108470A8948&Lan…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (espeak-ng, kitty, kmail-account-wizard, krb5, libreoffice, libvpx, net-tools, python-flask-cors, symfony, tcpdf, thunderbird, and twitter-bootstrap3), Fedora (chromium, dropbear, firefox, gstreamer1-plugins-bad-free, python-tornado, systemd, and thunderbird), Mageia (coreutils, deluge, glib2.0, and redis), Oracle (firefox, kernel, and systemd), Red Hat (firefox, kernel, kernel-rt, varnish, varnish:6, and zlib), SUSE (bind, curl, dnsdist, docker, ffmpeg-7, firefox, glibc, golang-github-prometheus-alertmanager, govulncheck-vulndb, icinga2, iputils, java-11-openjdk, java-1_8_0-ibm, kea, kernel, libopenssl-3-devel, libsoup, libxml2, nodejs-electron, open-vm-tools, openbao, perl-Net-Dropbox-API, pluto, poppler, postgresql14, postgresql15, postgresql16, postgresql17, python312-setuptools, runc, s390-tools, skopeo, sqlite3, thunderbird, and unbound), and Ubuntu (apport and libphp-adodb).
---------------------------------------------
https://lwn.net/Articles/1023501/
∗∗∗ Multiple vulnerabilities in wivia 5 ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN51394666/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 28-05-2025 18:00 − Friday 30-05-2025 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Interlock ransomware gang deploys new NodeSnake RAT on universities ∗∗∗
---------------------------------------------
The Interlock ransomware gang is deploying a previously undocumented remote access trojan (RAT) named NodeSnake against educational institutes for persistent access to corporate networks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/interlock-ransomware-gang-de…
∗∗∗ APT41 malware abuses Google Calendar for stealthy C2 communication ∗∗∗
---------------------------------------------
The Chinese APT41 hacking group uses a new malware named 'ToughProgress' that exploits Google Calendar for command-and-control (C2) operations, hiding malicious activity behind a trusted cloud service.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/apt41-malware-abuses-google-…
∗∗∗ Threat actors abuse Google Apps Script in evasive phishing attacks ∗∗∗
---------------------------------------------
Threat actors are abusing the ‘Google Apps Script’ development platform to host phishing pages that appear legitimate and steal login credentials.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/threat-actors-abuse-google-a…
∗∗∗ ConnectWise breached in cyberattack linked to nation-state hackers ∗∗∗
---------------------------------------------
IT management software firm ConnectWise says a suspected state-sponsored cyberattack breached its environment and impacted a limited number of ScreenConnect customers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/connectwise-breached-in-cybe…
∗∗∗ Everest Group Extorts Global Orgs via SAP's HR Tool ∗∗∗
---------------------------------------------
Extortionist-cum-information broker "Everest Group" has pulled off a swath of attacks against large organizations in the Middle East, Africa, Europe, and North America, and is now extorting victims over records stolen from their human resources departments.
---------------------------------------------
https://www.darkreading.com/cyberattacks-data-breaches/everest-group-extort…
∗∗∗ Security flaw: Why ChatGPT can often read the entire OneDrive folder ∗∗∗
---------------------------------------------
Researchers warn of a security flaw in Microsoft's file picker for OneDrive. Apps like ChatGPT can read far more than users expect.
---------------------------------------------
https://www.golem.de/news/sicherheitsluecke-warum-chatgpt-oft-den-gesamten-…
∗∗∗ Exploits and vulnerabilities in Q1 2025 ∗∗∗
---------------------------------------------
This report contains statistics on vulnerabilities and published exploits, along with an analysis of the most noteworthy vulnerabilities we observed in the first quarter of 2025.
---------------------------------------------
https://securelist.com/vulnerabilities-and-exploits-in-q1-2025/116624/
∗∗∗ New Windows RAT Evades Detection for Weeks Using Corrupted DOS and PE Headers ∗∗∗
---------------------------------------------
Cybersecurity researchers have taken the wraps off an unusual cyber attack that leveraged malware with corrupted DOS and PE headers, according to new findings from Fortinet.
---------------------------------------------
https://thehackernews.com/2025/05/new-windows-rat-evades-detection-for.html
∗∗∗ Attack on LexisNexis Risk Solutions exposes data on 300k+ ∗∗∗
---------------------------------------------
LexisNexis Risk Solutions (LNRS) is the latest big-name organization to disclose a serious cyberattack leading to data theft, with the number of affected individuals pegged at 364,333.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/05/28/attack_on_le…
∗∗∗ Billions of cookies up for grabs as experts warn over session security ∗∗∗
---------------------------------------------
A VPN vendor says billions of stolen cookies currently on sale either on dark web or Telegram-based marketplaces remain active and exploitable. More than 93.7 billion of them are currently available for criminals to buy online and of those, between 7-9 percent are active, on average, according to NordVPN's breakdown of stolen cookies by country.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/05/29/billions_of_…
∗∗∗ U.S. Sanctions Cloud Provider ‘Funnull’ as Top Source of ‘Pig Butchering’ Scams ∗∗∗
---------------------------------------------
The U.S. government today imposed economic sanctions on Funnull Technology Inc., a Philippines-based company that provides computer infrastructure for hundreds of thousands of websites involved in virtual currency investment scams known as “pig butchering.” In January 2025, KrebsOnSecurity detailed how Funnull was being used as a content delivery network that catered to cybercriminals seeking to route their traffic through U.S.-based cloud providers.
---------------------------------------------
https://krebsonsecurity.com/2025/05/u-s-sanctions-cloud-provider-funnull-as…
∗∗∗ Fake Bitdefender website used to spread infostealer malware ∗∗∗
---------------------------------------------
The attackers created a website that closely mimics Bitdefender’s legitimate Windows download page. Victims are infected after clicking a seemingly authentic “Download for Windows” button, which delivers a malicious archive. The archive contains executable files configured to deploy VenomRAT, which is used for remote access, keylogging and data exfiltration.
---------------------------------------------
https://therecord.media/fake-bitdefender-website-venomrat-infostealer
∗∗∗ Microsoft Entra Design Lets Guest Users Gain Azure Control, Researchers Say ∗∗∗
---------------------------------------------
Cybersecurity researchers at BeyondTrust are warning about a little-known but dangerous issue within Microsoft’s Entra identity platform. The issue isn’t some hidden bug or overlooked vulnerability; it’s a feature, built into the system by design, that attackers can exploit.
---------------------------------------------
https://hackread.com/microsoft-entra-design-guest-users-gain-azure-control/
∗∗∗ Threat Actor Claims TikTok Breach, Puts 428 Million Records Up for Sale ∗∗∗
---------------------------------------------
A newly emerged threat actor, going by the alias “Often9,” has posted on a prominent cybercrime and database trading forum, claiming to possess 428 million unique TikTok user records. The post is titled “TikTok 2025 Breach – 428M Unique Lines.”
---------------------------------------------
https://hackread.com/threat-actor-tiktok-breach-428-million-records-sale/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (kernel and kernel-rt), Debian (firefox-esr, libvpx, net-tools, php-twig, python-tornado, setuptools, varnish, webpy, yelp, and yelp-xsl), Fedora (xen), Mageia (cimg and ghostscript), Oracle (gstreamer1-plugins-bad-free, kernel, libsoup, thunderbird, and unbound), Red Hat (firefox, mingw-freetype and spice-client-win, pcs, and varnish:6), Slackware (curl and mozilla), SUSE (apparmor, containerd, dnsdist, go1.23-openssl, go1.24, gstreamer-plugins-bad, ImageMagick, jetty-minimal, python-tornado, python313-setuptools, s390-tools, thunderbird, tomcat10, ucode-intel, and wxWidgets-3_2), and Ubuntu (ffmpeg, krb5, libsoup3, libsoup2.4, linux-aws-5.4, linux-aws-fips, linux-fips, linux-oracle-6.8, net-tools, and python-setuptools, setuptools).
---------------------------------------------
https://lwn.net/Articles/1023072/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (.NET 8.0, .NET 9.0, firefox, ghostscript, gstreamer1-plugins-bad-free, libsoup3, mingw-freetype, perl, ruby, sqlite, thunderbird, unbound, valkey, and xz), Debian (chromium, firefox-esr, libavif, linux-6.1, modsecurity-apache, mydumper, systemd, and thunderbird), Fedora (coreutils, dnsdist, docker-buildx, maturin, mingw-python-flask, mingw-python-flit-core, ruff, rust-hashlink, rust-rusqlite, and thunderbird), Red Hat (pcs), SUSE (augeas, brltty, brotli, ca-certificates-mozilla, dnsdist, glibc, grub2, kernel, libsoup, libsoup2, libxml2, open-vm-tools, perl, postgresql13, postgresql15, postgresql16, postgresql17, python-cryptography, python-httpcore, python-h11, python311, runc, s390-tools, slurm, slurm_20_11, slurm_22_05, slurm_23_02, slurm_24_11, tomcat, and webkit2gtk3), and Ubuntu (linux-aws).
---------------------------------------------
https://lwn.net/Articles/1023259/
∗∗∗ On Demand JSA Series: Multiple vulnerabilities resolved in Juniper Secure Analytics in 7.5.0 UP11 IF03 ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/On-Demand-JSA-Series-Multiple-v…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 27-05-2025 18:00 − Wednesday 28-05-2025 18:00
Handler: Felician Fuchs
Co-Handler: Guenes Holler
=====================
= News =
=====================
∗∗∗ GreyNoise Discovers Stealthy Backdoor Campaign Affecting Thousands of ASUS Routers ∗∗∗
---------------------------------------------
GreyNoise uncovers a stealth campaign exploiting ASUS routers, enabling persistent backdoor access via CVE-2023-39780 and unpatched techniques. Learn how attackers evade detection, how GreyNoise discovered it with AI-powered tooling, and what defenders need to know.
---------------------------------------------
https://www.greynoise.io/blog/stealthy-backdoor-campaign-affecting-asus-rou…
∗∗∗ DragonForce Ransomware Strikes MSP in Supply Chain Attack ∗∗∗
---------------------------------------------
DragonForce, a ransomware "cartel" that has gained significant popularity since its debut in 2023, attacked an MSP as part of a recent supply chain attack, via known SimpleHelp bugs.
---------------------------------------------
https://www.darkreading.com/application-security/dragonforce-ransomware-msp…
∗∗∗ Zanubis in motion: Tracing the active evolution of the Android banking malware ∗∗∗
---------------------------------------------
A comprehensive historical breakdown of Zanubis changes, including RC4 and AES encryption, credentials stealing and new targets in Peru, provided by Kaspersky GReAT experts.
---------------------------------------------
https://securelist.com/evolution-of-zanubis-banking-trojan-for-android/1165…
∗∗∗ Fake Java Update Popup Found in Malicious WordPress Plugin ∗∗∗
---------------------------------------------
We recently assisted a customer who reported a persistent and concerning "Java Update" pop-up appearing on their WordPress website. This type of deceptive notification is a common tactic used by attackers to compromise website visitors. Our investigation revealed a malicious plugin operating stealthily within their WordPress environment.
---------------------------------------------
https://blog.sucuri.net/2025/05/fake-java-update-popup-found-in-malicious-w…
∗∗∗ OneDrive File Picker Flaw Provides ChatGPT and Other Web Apps Full Read Access to Users’ Entire OneDrive ∗∗∗
---------------------------------------------
Oasis Security's research team uncovered a flaw in Microsoft's OneDrive File Picker that allows websites to access a user's entire OneDrive content, rather than just the specific files selected for upload via OneDrive File Picker. Researchers estimate that hundreds of apps are affected, including ChatGPT, Slack, Trello, and ClickUp – meaning millions of users may have already granted these apps access to their OneDrive.
---------------------------------------------
https://www.oasis.security/resources/blog/onedrive-file-picker-security-fla…
∗∗∗ Chinese spies blamed for attempted hack on Czech government network ∗∗∗
---------------------------------------------
Czech authorities said they assessed with “a high degree of certainty” that a Chinese cyber-espionage group known as APT31, Judgment Panda, Bronze Vinewood or RedBravo tried to hack into a government network.
---------------------------------------------
https://therecord.media/czechia-accuses-china-cyber-espionage-apt31
∗∗∗ New Phishing Campaign Uses DBatLoader to Drop Remcos RAT: What Analysts Need to Know ∗∗∗
---------------------------------------------
ANY.RUN analysts recently uncovered a stealthy phishing campaign delivering the Remcos RAT (Remote Access Trojan) through a loader malware known as DBatLoader. This attack chain relies on a blend of obfuscated scripts, User Account Control (UAC) bypass, and LOLBAS (Living-Off-the-Land Binaries and Scripts) abuse to stay hidden from traditional detection methods.
---------------------------------------------
https://hackread.com/new-phishing-campaign-dbatloader-drop-remcos-rat/
∗∗∗ Malware Hidden in AI Models on PyPI Targets Alibaba AI Labs Users ∗∗∗
---------------------------------------------
ReversingLabs discovers new malware hidden inside AI/ML models on PyPI, targeting Alibaba AI Labs users.
---------------------------------------------
https://hackread.com/malware-ai-models-pypi-targets-alibaba-ai-labs-users/
∗∗∗ Coordinated Cloud-Based Scanning Operation Targets 75 Known Exposure Points in One Day ∗∗∗
---------------------------------------------
On May 8, GreyNoise observed a highly coordinated reconnaissance campaign launched by 251 malicious IP addresses, all geolocated to Japan and hosted by Amazon AWS. The infrastructure and execution suggest centralized planning.
---------------------------------------------
https://www.greynoise.io/blog/coordinated-cloud-based-scanning-operation-ta…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security vulnerabilities: IBM Guardium Data Protection as an entry point for attackers ∗∗∗
---------------------------------------------
Several vulnerabilities can lead to data leaks in the context of IBM Guardium Data Protection. Updates remedy this.
---------------------------------------------
https://www.heise.de/news/Sicherheitsluecken-IBM-Guardium-Data-Protection-a…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (gstreamer1-plugins-bad-free and kernel), Arch Linux (bind and varnish), Debian (glibc and syslog-ng), Fedora (microcode_ctl, mozilla-ublock-origin, nodejs20, and nodejs22), Mageia (firefox, nss, rootcerts, open-vm-tools, sqlite3, and thunderbird), Oracle (gstreamer1-plugins-bad-free, kernel, libsoup, nodejs:22, php, php:8.2, php:8.3, python-tornado, redis, and redis:7), Red Hat (libsoup, pcs, and python-tornado), Slackware (mozilla), SUSE (bind, dnsdist, elemental-operator, govulncheck-vulndb, gstreamer-plugins-bad, jetty-annotations, jq, libnss_slurm2, libyelp0, mariadb, nvidia-open-driver-G06-signed, prometheus-blackbox_exporter, python-h11, python-httpcore, python-setuptools, python312, python39-setuptools, screen, sqlite3, umoci, and webkit2gtk3), and Ubuntu (cifs-utils, glibc, linux-aws, linux-intel-iotg-5.15, linux-nvidia-tegra-igx, linux-raspi, linux-aws-fips, linux-hwe-6.8, linux-lowlatency, linux-lowlatency-hwe-6.11, linux-oracle, linux-raspi, linux-raspi-5.4, and net-tools).
---------------------------------------------
https://lwn.net/Articles/1022853/
∗∗∗ Security Vulnerabilities fixed in Thunderbird 128.11 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-46/
∗∗∗ Security Vulnerabilities fixed in Thunderbird 139 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-45/
∗∗∗ F5: K000151516, Python urllib vulnerability CVE-2019-9947 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000151516
∗∗∗ F5: K000151520, Python vulnerabilities CVE-2018-20852, CVE-2014-4616, and CVE-2013-7040 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000151520
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 26-05-2025 18:00 − Dienstag 27-05-2025 18:00
Handler: Felician Fuchs
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ MATLAB dev confirms ransomware attack behind service outage ∗∗∗
---------------------------------------------
MathWorks, a leading developer of mathematical computing and simulation software, has revealed that a recent ransomware attack is behind an ongoing service outage.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/mathworks-blames-ransomware-…
∗∗∗ Not Every CVE Deserves a Fire Drill: Focus on What’s Exploitable ∗∗∗
---------------------------------------------
Not every "critical" vulnerability is a critical risk. Picus Exposure Validation cuts through the noise by testing what's actually exploitable in your environment, so you can patch what matters.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/not-every-cve-deserves-a-fir…
∗∗∗ Chinese-Owned VPNs ∗∗∗
---------------------------------------------
One of my biggest worries about VPNs is the amount of trust users need to place in them, and how opaque most of them are about who owns them and what sorts of data they retain. A new study found that many commercial VPNs are (often surreptitiously) owned by Chinese companies. It would be hard for U.S. users to avoid the Chinese VPNs. The ownership of many appeared deliberately opaque, with several concealing their structure behind layers of offshore shell companies.
---------------------------------------------
https://www.schneier.com/blog/archives/2025/05/chinese-owned-vpns.html
∗∗∗ Cyber Security Operations Center: ESA wants more IT security ∗∗∗
---------------------------------------------
The space agency ESA is stepping up its IT security efforts. To that end it has now opened the Cyber Security Operations Center.
---------------------------------------------
https://www.heise.de/news/Cyber-Security-Operations-Center-ESA-will-mehr-IT…
∗∗∗ Dutch intelligence unmasks previously unknown Russian hacking group Laundry Bear ∗∗∗
---------------------------------------------
Recent attacks on institutions in the Netherlands were the work of a previously unknown Russian hacking group that Dutch intelligence agencies are labeling Laundry Bear. Microsoft also reported on the group, naming it Void Blizzard.
---------------------------------------------
https://therecord.media/laundry-bear-void-blizzard-russia-hackers-netherlan…
∗∗∗ Text-to-Malware: How Cybercriminals Weaponize Fake AI-Themed Websites ∗∗∗
---------------------------------------------
Mandiant Threat Defense has been investigating an UNC6032 campaign that weaponizes the interest around AI tools, in particular those tools which can be used to generate videos based on user prompts. UNC6032 utilizes fake “AI video generator” websites to distribute malware leading to the deployment of payloads such as Python-based infostealers and several backdoors.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-wea…
=====================
= Vulnerabilities =
=====================
∗∗∗ GitHub MCP Exploited: Accessing private repositories via MCP ∗∗∗
---------------------------------------------
We showcase a critical vulnerability in the official GitHub MCP server, allowing attackers to access private repository data. The vulnerability is among the first discovered by Invariant's security analyzer for detecting toxic agent flows.
---------------------------------------------
https://invariantlabs.ai/blog/mcp-github-vulnerability
∗∗∗ Update for ManageEngine ADAudit Plus closes high-risk security vulnerabilities ∗∗∗
---------------------------------------------
In ManageEngine ADAudit Plus, vendor Zoho has fixed two vulnerabilities rated as high risk.
---------------------------------------------
https://www.heise.de/news/Update-fuer-ManageEngine-ADAudit-Plus-stopft-hoch…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (gstreamer1-plugins-bad-free, libsoup, and python-tornado), Debian (libavif and pgbouncer), Red Hat (gstreamer1-plugins-bad-free, mingw-freetype and spice-client-win, and webkit2gtk3), SUSE (firefox, govulncheck-vulndb, and python310-setuptools), and Ubuntu (flask, intel-microcode, openjdk-17-crac, tika, and Tomcat).
---------------------------------------------
https://lwn.net/Articles/1022703/
∗∗∗ Security Vulnerabilities fixed in Firefox ESR 128.11 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-44/
∗∗∗ Security Vulnerabilities fixed in Firefox ESR 115.24 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-43/
∗∗∗ Security Vulnerabilities fixed in Firefox 139 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-42/
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 23-05-2025 18:00 − Montag 26-05-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Feds charge 16 Russians allegedly tied to botnets used in cyberattacks and spying ∗∗∗
---------------------------------------------
An example of how a single malware operation can enable both criminal and state-sponsored hacking.
---------------------------------------------
https://arstechnica.com/security/2025/05/feds-charge-16-russians-allegedly-…
∗∗∗ Gitlab Duo: Hidden comment makes AI tool leak private code ∗∗∗
---------------------------------------------
Gitlab Duo recently had serious security problems. Attackers could exfiltrate private source code or inject malicious code into other people's software projects.
---------------------------------------------
https://www.golem.de/news/gitlab-duo-versteckter-kommentar-laesst-ki-tool-p…
∗∗∗ Fake Google Meet Page Tricks Users into Running PowerShell Malware ∗∗∗
---------------------------------------------
Last month, a customer reached out to us after noticing suspicious URLs on their WordPress site. Visitors reported being prompted to perform unusual actions. We began our investigation, scanning the site for common ..
---------------------------------------------
https://blog.sucuri.net/2025/05/fake-google-meet-page-tricks-users-into-run…
∗∗∗ Hackers Use TikTok Videos to Distribute Vidar and StealC Malware via ClickFix Technique ∗∗∗
---------------------------------------------
The malware known as Latrodectus has become the latest to embrace the widely used social engineering technique called ClickFix as a distribution vector. "The ClickFix technique is particularly risky because it allows the malware to execute in memory ..
---------------------------------------------
https://thehackernews.com/2025/05/hackers-use-tiktok-videos-to-distribute.h…
∗∗∗ Operation Endgame 2: 15 million e-mail addresses and 43 million passwords ∗∗∗
---------------------------------------------
In "Operation Endgame 2.0", many millions of victims' addresses and passwords came to light. Have I Been Pwned has added them.
---------------------------------------------
https://www.heise.de/news/Operation-Endgame-2-15-Millionen-E-Mail-Adressen-…
∗∗∗ New supply chain attack with malicious scripts in npm packages ∗∗∗
---------------------------------------------
A new supply chain attack threatens workstations and CI environments. The malicious script spies out internal data for further attacks.
---------------------------------------------
https://www.heise.de/news/Neuer-Lieferkettenangriff-mit-boesartigen-Skripte…
∗∗∗ Criminal group "Careto" allegedly directed by the Spanish government ∗∗∗
---------------------------------------------
It is not only China and Russia that control cyber gangs. Former Kaspersky employees claim that the "Careto" gang is directed by Spain.
---------------------------------------------
https://www.heise.de/news/Kriminelle-Gruppe-Careto-angeblich-von-spanischer…
∗∗∗ Hacker offers 1.2 billion Facebook user records on the darknet – is it a fake? ∗∗∗
---------------------------------------------
Was there a new data leak at Meta subsidiary Facebook? A hacker claims to have pulled 1.2 billion Facebook user records via an API and is offering them for sale on the darknet. There are doubts, however, as to whether this data is new.
---------------------------------------------
https://www.borncity.com/blog/2025/05/23/hacker-bietet-12-milliarden-facebo…
∗∗∗ Offensive Threat Intelligence ∗∗∗
---------------------------------------------
CTI isn’t just for blue teams. Used properly, it sharpens red team tradecraft, aligns ops to real-world threats, and exposes blind spots defenders often miss. It’s not about knowing threats, it’s about becoming them long enough to help others beat them.
---------------------------------------------
https://blog.zsec.uk/offensive-cti/
∗∗∗ Joint Analysis by AhnLab and NCSC on TA-ShadowCricket: Emerging Malware Trends and IRC Server Tracking ∗∗∗
---------------------------------------------
AhnLab and the National Cyber Security Center (NCSC) have released a report that details the activities of the TA-ShadowCricket group from 2023 to the present.
---------------------------------------------
https://asec.ahnlab.com/en/88137/
∗∗∗ ConnectWise ScreenConnect Tops List of Abused RATs in 2025 Attacks ∗∗∗
---------------------------------------------
Cofense Intelligence's May 2025 report exposes how cybercriminals are abusing legitimate Remote Access Tools (RATs) like ConnectWise and Splashtop to deliver malware and steal data. Learn about this growing threat.
---------------------------------------------
https://hackread.com/connectwise-screenconnect-tops-abused-rats-2025/
∗∗∗ BadSuccessor Exploits Windows Server 2025 Flaw for Full AD Takeover ∗∗∗
---------------------------------------------
Akamai researchers reveal a critical flaw in Windows Server 2025 dMSA feature that allows attackers to compromise any…
---------------------------------------------
https://hackread.com/badsuccessor-exploits-windows-server-2025-takeover/
∗∗∗ How I used o3 to find CVE-2025-37899, a remote zeroday vulnerability in the Linux kernel’s SMB implementation ∗∗∗
---------------------------------------------
In this post I’ll show you how I found a zeroday vulnerability in the Linux kernel using OpenAI’s o3 model. I found the vulnerability with nothing more complicated than the o3 API – no scaffolding, no agentic frameworks, no tool use.
---------------------------------------------
https://sean.heelan.io/2025/05/22/how-i-used-o3-to-find-cve-2025-37899-a-re…
∗∗∗ Bypassing MTE with CVE-2025-0072 ∗∗∗
---------------------------------------------
In this post, I’ll look at CVE-2025-0072, a vulnerability in the Arm Mali GPU, and show how it can be exploited to gain kernel code execution even when Memory Tagging Extension (MTE) is enabled.
---------------------------------------------
https://github.blog/security/vulnerability-research/bypassing-mte-with-cve-…
∗∗∗ The Windows Registry Adventure #7: Attack surface analysis ∗∗∗
---------------------------------------------
In the first three blog posts of this series, I sought to outline what the Windows Registry actually is, its role, history, and where to find further information about it. In the subsequent three posts, my goal was to describe in detail how this mechanism works internally ..
---------------------------------------------
https://googleprojectzero.blogspot.com/2025/05/the-windows-registry-adventu…
=====================
= Vulnerabilities =
=====================
∗∗∗ DSA-5924-1 intel-microcode - security update ∗∗∗
---------------------------------------------
This update ships updated CPU microcode for some types of Intel CPUs. In particular it provides mitigations for the Indirect Target Selection (ITS) vulnerability (CVE-2024-28956) and the Branch Privilege Injection vulnerability (CVE-2024-45332). For CPUs affected by ITS (Indirect Target Selection), to fully mitigate the vulnerability it is also necessary to ..
---------------------------------------------
https://lists.debian.org/debian-security-announce/2025/msg00087.html
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 22-05-2025 18:00 − Freitag 23-05-2025 18:00
Handler: Guenes Holler
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ TikTok videos now push infostealer malware in ClickFix attacks ∗∗∗
---------------------------------------------
As Trend Micro recently discovered, the threat actors behind this TikTok social engineering campaign are using videos likely generated using AI that ask viewers to run commands claiming to activate Windows and Microsoft Office, as well as premium features in various legitimate software like CapCut and Spotify.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/tiktok-videos-now-push-infos…
∗∗∗ FBI warns of Luna Moth extortion attacks targeting law firms ∗∗∗
---------------------------------------------
The FBI warned that an extortion gang known as the Silent Ransom Group has been targeting U.S. law firms over the last two years in callback phishing and social engineering attacks. Also known as Luna Moth, Chatty Spider, and UNC3753, this threat group has been active since 2022 and was also behind BazarCall campaigns that provided initial access to corporate networks for Ryuk and Conti ransomware attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fbi-warns-of-luna-moth-extor…
∗∗∗ The Windows Registry Adventure #7: Attack surface analysis ∗∗∗
---------------------------------------------
In this blog post, we get to the heart of the matter, the actual security of the Windows Registry. I'd like to talk about what made a feature that was initially meant to be just a quick test of my fuzzing infrastructure draw me into manual research for the next 1.5 ~ 2 years, and result in Microsoft fixing (so far) 53 CVEs. I will describe the various areas that are important in the context of low-level security research, from very general ones, such as the characteristics of the codebase that allow security bugs to exist in the first place, to more specific ones, like all possible entry points to attack the registry, the impact of vulnerabilities and the primitives they generate, and some considerations on effective fuzzing and where more bugs might still be lurking.
---------------------------------------------
https://googleprojectzero.blogspot.com/2025/05/the-windows-registry-adventu…
∗∗∗ GitLab Duo Vulnerability Enabled Attackers to Hijack AI Responses with Hidden Prompts ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered an indirect prompt injection flaw in GitLab's artificial intelligence (AI) assistant Duo that could have allowed attackers to steal source code and inject untrusted HTML into its responses, which could then be used to direct victims to malicious websites.
---------------------------------------------
https://thehackernews.com/2025/05/gitlab-duo-vulnerability-enabled.html
∗∗∗ ViciousTrap Uses Cisco Flaw to Build Global Honeypot from 5,300 Compromised Devices ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed that a threat actor codenamed ViciousTrap has compromised nearly 5,300 unique network edge devices across 84 countries and turned them into a honeypot-like network.
---------------------------------------------
https://thehackernews.com/2025/05/vicioustrap-uses-cisco-flaw-to-build.html
∗∗∗ Oops: DanaBot Malware Devs Infected Their Own PCs ∗∗∗
---------------------------------------------
The U.S. government today unsealed criminal charges against 16 individuals accused of operating and selling DanaBot, a prolific strain of information-stealing malware that has been sold on Russian cybercrime forums since 2018. The FBI says a newer version of DanaBot was used for espionage, and that many of the defendants exposed their real-life identities after accidentally infecting their own systems with the malware.
---------------------------------------------
https://krebsonsecurity.com/2025/05/oops-danabot-malware-devs-infected-thei…
∗∗∗ Fake birthday present: subscription trap in the name of Rituals in circulation ∗∗∗
---------------------------------------------
Fraudulent e-mails purporting to come from Rituals are currently in circulation. They promise a luxurious birthday gift box at a special price of just two euros. But beware: behind the seemingly generous offer is not a real surprise but an expensive subscription trap!
---------------------------------------------
https://www.watchlist-internet.at/news/fake-geburtstagsgeschenk-abofalle-im…
∗∗∗ Security risk: AD administration and the Authenticated Users group ∗∗∗
---------------------------------------------
A blog reader recently pointed me to a security risk that may exist on some Active Directory systems. If the Active Directory group Authenticated Users contains external accounts, shares of internal services (printers etc.) could unintentionally be open to external users.
---------------------------------------------
https://www.borncity.com/blog/2025/05/22/sicherheitsrisiko-ad-verwaltung-un…
∗∗∗ Information Leakage Caused by DB Client Tool ∗∗∗
---------------------------------------------
In recent breach incidents, threat actors have been observed not only accessing systems, but also directly querying internal databases and stealing sensitive information. Particularly, more threat actors are installing DB client tools directly on targeted systems to exfiltrate data, and legitimate tools such as DBeaver, Navicat, and sqlcmd are being used in this process.
---------------------------------------------
https://asec.ahnlab.com/en/88134/
∗∗∗ Scarcity signals: Are rare activities red flags? ∗∗∗
---------------------------------------------
Talos analyzed six months of PowerShell network telemetry and found that rare domains are over three times more likely to be malicious compared to frequently contacted ones.
---------------------------------------------
https://blog.talosintelligence.com/scarcity-signals-are-rare-activities-red…
∗∗∗ Operation Endgame 2.0: 20 arrest warrants, hundreds of servers taken out of action ∗∗∗
---------------------------------------------
International law enforcement continues to take action against malware authors. As part of "Operation Endgame 2.0", the German security authorities, the BKA and the Generalstaatsanwaltschaft Frankfurt am Main, have now dealt the cybercriminals a painful blow. In Germany alone the authorities took 50 servers offline, and 650 domains are no longer under the control of the cyber gangsters.
---------------------------------------------
https://heise.de/-10394215
∗∗∗ Fault injection attacks on the nRF54L15 and STM32L051 microcontrollers (SYSS-2025-022/-033) ∗∗∗
---------------------------------------------
The term "fault injection" refers to a class of vulnerabilities in which attackers deliberately attempt to induce fault states in systems. These fault states lead to abnormal behaviour of the systems and can be exploited to bypass security restrictions. For example, it is possible to extract cryptographic keys or to bypass read restrictions on internal data memories.
---------------------------------------------
https://www.syss.de/pentest-blog/fault-injection-angriffe-auf-die-mikrocont…
=====================
= Vulnerabilities =
=====================
∗∗∗ 2025-05-22: Cyber Security Advisory - ASPECT advisory several CVEs ∗∗∗
---------------------------------------------
Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files.
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=9AKK108471A0021&Lan…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (dotnet9.0, dropbear, ghostscript, nbdkit, openssh, python-watchfiles, rpm-ostree, yelp, yelp-xsl, and zsync), Oracle (firefox and kernel), Red Hat (osbuild-composer), Slackware (aaa_glibc and mozilla), SUSE (chromedriver, open-vm-tools, postgresql14, python-cryptography, and thunderbird), and Ubuntu (linux-aws, linux-hwe-5.4, python, and sqlite3).
---------------------------------------------
https://lwn.net/Articles/1022352/
∗∗∗ Infoblox NetMRI is vulnerable to CVE-2024-54188 ∗∗∗
---------------------------------------------
https://support.infoblox.com/s/article/Infoblox-NetMRI-is-vulnerable-to-CVE…
∗∗∗ [R1] Tenable Network Monitor Version 6.5.1 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2025-10
∗∗∗ Lantronix Device Installer ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-142-01
∗∗∗ Rockwell Automation FactoryTalk Historian ThingWorx ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-142-02